Detections

Name	Data Source	Technique	Type	Analytic Story	Date
HTTP Scripting Tool User Agent	Nginx Access	T1071.001	Anomaly	Suspicious User Agents, HTTP Request Smuggling	2026-06-15
PTC Windchill Gateway Command Execution	Windchill Log4j	T1005 T1059 T1190	Anomaly	PTC Windchill Exploitation	2026-06-14
PTC Windchill GW READY OK Probe	Windchill Log4j	T1059 T1190	Anomaly	PTC Windchill Exploitation	2026-06-14
Splunk Secure Application Alerts for Runtime Security		N/A	Anomaly	Critical Alerts	2026-06-12
Windows Suspicious Process File Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.005 T1543	TTP	RoguePlanet, Brute Ratel C4, PromptLock, XMRig, Castle RAT, AsyncRAT, Water Gamayun, Hermetic Wiper, MoonPeak, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Graceful Wipe Out Attack, IcedID, Trickbot, RedLine Stealer, Prestige Ransomware, Earth Alux, Warzone RAT, DarkCrystal RAT, PlugX, StealC Stealer, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, Chaos Ransomware, LockBit Ransomware, China-Nexus Threat Activity, SnappyBee, Void Manticore, Malicious Inno Setup Loader, ValleyRAT, Lokibot, VIP Keylogger, Industroyer2, Interlock Rat, XWorm, NailaoLocker Ransomware, Meduza Stealer, AgentTesla, Qakbot, CISA AA23-347A, WhisperGate, Axios Supply Chain Post Compromise, SystemBC, Remcos, Volt Typhoon, BlackByte Ransomware, Interlock Ransomware, Azorult, Quasar RAT, Swift Slicer, Data Destruction, Handala Wiper, Double Zero Destructor, Phemedrone Stealer, SesameOp	2026-06-11
Executables Or Script Creation In Temp Path	Sysmon EventID 11	T1036	Anomaly	RoguePlanet, Crypto Stealer, Brute Ratel C4, PromptLock, XMRig, AsyncRAT, Hermetic Wiper, MoonPeak, Amadey, Snake Keylogger, Derusbi, Graceful Wipe Out Attack, IcedID, Trickbot, RedLine Stealer, PromptFlux, Warzone RAT, DarkCrystal RAT, PlugX, NjRAT, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, Chaos Ransomware, LockBit Ransomware, China-Nexus Threat Activity, SnappyBee, Void Manticore, ValleyRAT, Lokibot, VIP Keylogger, Industroyer2, WinDealer RAT, Interlock Rat, Salat Stealer, Meduza Stealer, Qakbot, AgentTesla, CISA AA23-347A, WhisperGate, Axios Supply Chain Post Compromise, XML Runner Loader, Remcos, APT37 Rustonotto and FadeStealer, Volt Typhoon, BlackByte Ransomware, AcidPour, Azorult, Swift Slicer, Data Destruction, Double Zero Destructor, Handala Wiper, SesameOp	2026-06-11
Windows Wermgr Alternate Data Stream in Temp Dir	Sysmon EventID 15	T1564.004	Anomaly	RoguePlanet	2026-06-11
Regsvr32 Silent and Install Param Dll Loading	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	Anomaly	Living Off The Land, Remcos, AsyncRAT, Hermetic Wiper, Suspicious Regsvr32 Activity, Data Destruction	2026-06-09
Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication	Cisco SD-WAN Auth Log	T1595	Hunting	Cisco Catalyst SD-WAN Analytics	2026-06-09
Cisco SD-WAN Multiple SSH key Authentication from Same Source	Cisco SD-WAN Auth Log	T1595	Hunting	Cisco Catalyst SD-WAN Analytics	2026-06-09
Cisco SA - Automated Web Reconnaissance via HTTP Access Errors	Cisco Secure Access Proxy	T1595	Anomaly	Cisco Secure Access Analytics	2026-06-09
Cisco SA - Access to Anonymizer Services	Cisco Secure Access DNS	T1090.003	Anomaly	Cisco Secure Access Analytics	2026-06-09
Regsvr32 with Known Silent Switch Cmdline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	Anomaly	Living Off The Land, Remcos, AsyncRAT, Qakbot, Suspicious Regsvr32 Activity, IcedID	2026-06-09
PowerShell 4104 Hunting	Powershell Script Block Logging 4104	T1059.001	Hunting	Braodo Stealer, Water Gamayun, Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287, Cactus Ransomware, Medusa Ransomware, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, MuddyWater, China-Nexus Threat Activity, XWorm, Flax Typhoon, Salat Stealer, 0bj3ctivity Stealer, CISA AA23-347A, Lumma Stealer, Axios Supply Chain Post Compromise, Malicious PowerShell, SystemBC, APT37 Rustonotto and FadeStealer, Cleo File Transfer Software, Scattered Spider, PHP-CGI RCE Attack on Japanese Organizations, CISA AA24-241A, Interlock Ransomware, Data Destruction	2026-06-08
Powershell Processing Stream Of Data	Powershell Script Block Logging 4104	T1059.001	TTP	Medusa Ransomware, XWorm, Braodo Stealer, AsyncRAT, Salat Stealer, Hermetic Wiper, MoonPeak, PXA Stealer, MuddyWater, Data Destruction, Hellcat Ransomware, IcedID, Malicious PowerShell	2026-06-08
Powershell Using memory As Backing Store	Powershell Script Block Logging 4104	T1059.001	TTP	Medusa Ransomware, Salat Stealer, MoonPeak, Hermetic Wiper, Data Destruction, IcedID, Malicious PowerShell	2026-06-08
Windows Obfuscated Files or Information via RAR SFX	Sysmon EventID 11	T1027.013	Anomaly	GhostRedirector IIS Module and Rungan Backdoor, Crypto Stealer, APT37 Rustonotto and FadeStealer, Salat Stealer	2026-06-08
Windows Process Execution From ProgramData	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.005	Hunting	APT37 Rustonotto and FadeStealer, Axios Supply Chain Post Compromise, XWorm, Salat Stealer, StealC Stealer, GhostRedirector IIS Module and Rungan Backdoor, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, China-Nexus Threat Activity, SnappyBee	2026-06-08
Non Firefox Process Access Firefox Profile Dir	Windows Event Log Security 4663	T1555.003	Anomaly	Snake Keylogger, RedLine Stealer, Warzone RAT, NjRAT, StealC Stealer, Salt Typhoon, DarkGate Malware, BlankGrabber Stealer, China-Nexus Threat Activity, FIN7, SnappyBee, Malicious Inno Setup Loader, Lokibot, VIP Keylogger, Salat Stealer, 0bj3ctivity Stealer, AgentTesla, CISA AA23-347A, Remcos, 3CX Supply Chain Attack, Azorult, Quasar RAT, Phemedrone Stealer	2026-06-08
Powershell Disable Security Monitoring	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	Revil Ransomware, Ransomware, Salat Stealer, CISA AA24-241A, BlankGrabber Stealer	2026-06-08
Add or Set Windows Defender Exclusion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	ValleyRAT, Remcos, Compromised Windows Host, CISA AA22-320A, Crypto Stealer, XWorm, Windows Defense Evasion Tactics, Salat Stealer, AgentTesla, Data Destruction, WhisperGate, NetSupport RMM Tool Abuse	2026-06-08
Firewall Allowed Program Enable	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1686	Anomaly	Medusa Ransomware, BlackByte Ransomware, PlugX, NjRAT, Windows Defense Evasion Tactics, Salat Stealer, Azorult	2026-06-08
Disable Defender Submit Samples Consent Feature	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Salat Stealer, Azorult, CISA AA23-347A, BlankGrabber Stealer, IcedID	2026-06-08
Windows Process Execution in Temp Dir	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.005 T1543	Anomaly	RoguePlanet, Gh0st RAT, Remcos, Lokibot, Axios Supply Chain Post Compromise, PromptLock, Ransomware, XWorm, NjRAT, Salat Stealer, AgentTesla, Qakbot, PathWiper, Ryuk Ransomware, Trickbot, SesameOp	2026-06-08
Windows Defender Exclusion Registry Entry	Sysmon EventID 13	T1685	TTP	ValleyRAT, Remcos, Warzone RAT, XWorm, Windows Defense Evasion Tactics, Salat Stealer, Qakbot, Azorult, NetSupport RMM Tool Abuse	2026-06-08
Windows Event Log Cleared	Windows Event Log Security 1102, Windows Event Log System 104	T1685.005	TTP	Compromised Windows Host, Ransomware, Salat Stealer, ShrinkLocker, CISA AA22-264A, Windows Log Manipulation, Clop Ransomware	2026-06-08
Registry Keys Used For Persistence	Sysmon EventID 13	T1547.001	TTP	Sneaky Active Directory Persistence Tricks, Gh0st RAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, BlackSuit Ransomware, Ransomware, DHS Report TA18-074A, Braodo Stealer, AsyncRAT, Suspicious Windows Registry Activities, Castle RAT, MoonPeak, Amadey, Snake Keylogger, Derusbi, NetSupport RMM Tool Abuse, IcedID, RedLine Stealer, Warzone RAT, Cactus Ransomware, Suspicious MSHTA Activity, DarkCrystal RAT, NjRAT, Salt Typhoon, Chaos Ransomware, DarkGate Malware, Windows Persistence Techniques, MuddyWater, China-Nexus Threat Activity, SnappyBee, ValleyRAT, Lokibot, Windows Registry Abuse, WinDealer RAT, XWorm, Salat Stealer, 0bj3ctivity Stealer, Qakbot, CISA AA23-347A, Axios Supply Chain Post Compromise, SystemBC, Remcos, APT37 Rustonotto and FadeStealer, BlackByte Ransomware, Interlock Ransomware, Azorult, Quasar RAT, Emotet Malware DHS Report TA18-201A	2026-06-08
Powershell Windows Defender Exclusion Commands	Powershell Script Block Logging 4104	T1685	TTP	Remcos, CISA AA22-320A, Warzone RAT, Windows Defense Evasion Tactics, Salat Stealer, AgentTesla, BlankGrabber Stealer, Data Destruction, WhisperGate, NetSupport RMM Tool Abuse	2026-06-08
Disable Defender AntiVirus Registry	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Cactus Ransomware, Black Basta Ransomware, Salat Stealer, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, IcedID	2026-06-08
Non Chrome Process Accessing Chrome Default Dir	Windows Event Log Security 4663	T1555.003	Anomaly	Snake Keylogger, RedLine Stealer, Warzone RAT, NjRAT, StealC Stealer, Salt Typhoon, DarkGate Malware, BlankGrabber Stealer, China-Nexus Threat Activity, FIN7, SnappyBee, Malicious Inno Setup Loader, Lokibot, VIP Keylogger, Salat Stealer, AgentTesla, CISA AA23-347A, Remcos, 3CX Supply Chain Attack, Quasar RAT, Phemedrone Stealer	2026-06-08
Windows Impair Defense Disable Web Evaluation	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Salat Stealer	2026-06-08
Windows Disable or Stop Browser Process	Sysmon EventID 1	T1685	TTP	Castle RAT, Braodo Stealer, Salat Stealer, BlankGrabber Stealer, Hellcat Ransomware, Scattered Lapsus$ Hunters	2026-06-08
Windows Credentials from Password Stores Chrome LocalState Access	Windows Event Log Security 4663	T1012	Anomaly	Braodo Stealer, MoonPeak, Amadey, Snake Keylogger, RedLine Stealer, Earth Alux, Warzone RAT, NjRAT, StealC Stealer, Salt Typhoon, DarkGate Malware, BlankGrabber Stealer, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee, Malicious Inno Setup Loader, Lokibot, VIP Keylogger, Salat Stealer, 0bj3ctivity Stealer, Meduza Stealer, PXA Stealer, Quasar RAT, Phemedrone Stealer	2026-06-08
Disable Windows Behavior Monitoring	Sysmon EventID 13	T1685	TTP	Revil Ransomware, Windows Registry Abuse, Ransomware, Black Basta Ransomware, Cactus Ransomware, Windows Defense Evasion Tactics, Salat Stealer, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Azorult, Storm-0501 Ransomware, BlankGrabber Stealer, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters, RedLine Stealer	2026-06-08
Windows Credentials from Password Stores Chrome Login Data Access	Windows Event Log Security 4663	T1012	Anomaly	Braodo Stealer, MoonPeak, Amadey, Snake Keylogger, RedLine Stealer, Earth Alux, Warzone RAT, NjRAT, StealC Stealer, Salt Typhoon, DarkGate Malware, BlankGrabber Stealer, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee, Malicious Inno Setup Loader, Lokibot, VIP Keylogger, Salat Stealer, 0bj3ctivity Stealer, Meduza Stealer, PXA Stealer, Quasar RAT, Phemedrone Stealer	2026-06-08
Windows Access Token Manipulation SeDebugPrivilege	Windows Event Log Security 4703	T1134.002	Anomaly	Gh0st RAT, Brute Ratel C4, AsyncRAT, GhostRedirector IIS Module and Rungan Backdoor, Derusbi, PlugX, Salt Typhoon, DarkGate Malware, PathWiper, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee, ValleyRAT, Lokibot, WinDealer RAT, Salat Stealer, Meduza Stealer, CISA AA23-347A, Tuoni	2026-06-08
Windows Firewall Rule Added	Windows Event Log Security 4946	T1686	Anomaly	Medusa Ransomware, NetSupport RMM Tool Abuse, Salat Stealer, ShrinkLocker	2026-06-08
Disable Windows SmartScreen Protection	Sysmon EventID 13	T1685	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse, Salat Stealer	2026-06-08
Powershell Fileless Script Contains Base64 Encoded Content	Powershell Script Block Logging 4104	T1027 T1059.001	TTP	AsyncRAT, Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287, NetSupport RMM Tool Abuse, IcedID, Medusa Ransomware, Winter Vivern, NjRAT, MuddyWater, VIP Keylogger, XWorm, Salat Stealer, 0bj3ctivity Stealer, Axios Supply Chain Post Compromise, Malicious PowerShell, APT37 Rustonotto and FadeStealer, Data Destruction	2026-06-08
Windows Credential Access From Browser Password Store	Windows Event Log Security 4663	T1012	Anomaly	Malicious Inno Setup Loader, Earth Alux, Scattered Spider, VIP Keylogger, Braodo Stealer, Salat Stealer, StealC Stealer, 0bj3ctivity Stealer, Meduza Stealer, MoonPeak, Salt Typhoon, PXA Stealer, Quasar RAT, Snake Keylogger, BlankGrabber Stealer, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee	2026-06-08
Windows Alternate DataStream - Process Execution	Sysmon EventID 1, Windows Event Log Security 4688	T1564.004	TTP	Compromised Windows Host, Windows Defense Evasion Tactics	2026-06-04
Linux Proxy Socks Curl	Sysmon for Linux EventID 1	T1090 T1095	TTP	Linux Living Off The Land, Ingress Tool Transfer	2026-06-04
PowerShell - Connect To Internet With Hidden Window	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	Hunting	Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, HAFNIUM Group, Hermetic Wiper, AgentTesla, Data Destruction, Log4Shell CVE-2021-44228, Malicious PowerShell	2026-06-04
M365 Copilot Impersonation Jailbreak Attack	M365 Exported eDiscovery Prompts	T1685	TTP	Suspicious Microsoft 365 Copilot Activities	2026-06-04
Windows AD add Self to Group	Windows Event Log Security 4728	T1098	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation, Medusa Ransomware	2026-06-01
Windows FFmpeg Audio and Video Device Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1125	Anomaly	Salat Stealer	2026-05-20
Windows FFmpeg DirectShow Video Capture	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1125	Anomaly	Salat Stealer	2026-05-20
Cisco IOS XE Guestshell Activation and Destroy	Cisco IOS Logs	T1059 T1611	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE Remote Access Probe Burst	Cisco IOS Logs	T1018 T1021.004 T1046	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE Request Platform Package Describe Shell Pattern	Cisco IOS Logs	T1059 T1190	TTP	Salt Typhoon	2026-05-20
Cisco IOS XE Reconnaissance Command Activity	Cisco IOS Logs	T1016 T1082 T1590	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE Tunnel Interface Configuration	Cisco IOS Logs	T1090 T1572	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE VTY Access Class Tampering	Cisco IOS Logs	T1021 T1562	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal	Cisco IOS Logs	T1070.001 T1562	Anomaly	Salt Typhoon	2026-05-20
Cisco IOS XE WebUI Programmatic Configuration	Cisco IOS Logs	T1078 T1190	Anomaly	Salt Typhoon	2026-05-19
Cisco IOS XE WebUI Login From IOSd Local Port	Cisco IOS Logs	T1078 T1190	TTP	Salt Typhoon	2026-05-19
Windows Cloud Files Filter Loaded by Uncommon Process	Sysmon EventID 7	T1543.003	Anomaly	BlueHammer, RedSun	2026-05-18
Splunk User Enumeration Attempt	Splunk	T1078	TTP	Splunk Vulnerabilities	2026-05-14
Splunk Sensitive Information Disclosure in DEBUG Logging Channels	Splunk	T1552	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk Information Disclosure on Account Login	Splunk	T1087	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk Code Injection via custom dashboard leading to RCE		T1210	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk RCE PDFgen Render	Splunk	T1210	TTP	Splunk Vulnerabilities	2026-05-14
Splunk RCE Through Arbitrary File Write to Windows System Root	Splunk	T1210	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk App for Lookup File Editing RCE via User XSLT		T1210	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk XSS Privilege Escalation via Custom Urls in Dashboard	Splunk	T1189	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk Authentication Token Exposure in Debug Log		T1654	TTP	Splunk Vulnerabilities	2026-05-14
Splunk Path Traversal In Splunk App For Lookup File Edit	Splunk	T1083	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk Enterprise KV Store Incorrect Authorization	Splunk	T1548	Hunting	Splunk Vulnerabilities	2026-05-14
Splunk RCE via User XSLT		T1210	Hunting	Splunk Vulnerabilities	2026-05-14
Windows PowerShell Add Module to Global Assembly Cache	Powershell Script Block Logging 4104	T1505.004	TTP	IIS Components	2026-05-13
Windows Group Discovery Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001 T1069.002	Hunting	Prestige Ransomware, Windows Post-Exploitation, Cleo File Transfer Software, Medusa Ransomware, Volt Typhoon, Active Directory Discovery, Rhysida Ransomware, SolarWinds WHD RCE Post Exploitation, Windows Discovery Techniques, Azorult, Graceful Wipe Out Attack, Microsoft WSUS CVE-2025-59287, IcedID	2026-05-13
CMLUA Or CMSTPLUA UAC Bypass	Sysmon EventID 7	T1218.003	TTP	DarkSide Ransomware, ValleyRAT, Ransomware, LockBit Ransomware	2026-05-13
Windows PowerShell Invoke-Sqlcmd Execution	Powershell Script Block Logging 4104	T1059.001 T1059.003	Hunting	GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse	2026-05-13
Windows Potato Privilege Escalation Tool Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	TTP	Windows Privilege Escalation	2026-05-13
Steal or Forge Authentication Certificates Behavior Identified		T1649	Correlation	Windows Certificate Services	2026-05-13
Windows InstallUtil URL in Command Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1218.004	TTP	Living Off The Land, Compromised Windows Host, Cisco Network Visibility Module Analytics, Signed Binary Proxy Execution InstallUtil	2026-05-13
Windows New Service Security Descriptor Set Via Sc.EXE	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1564	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering	2026-05-13
PaperCut NG Suspicious Behavior Debug Log		T1133 T1190	Hunting	PaperCut MF NG Vulnerability	2026-05-13
Windows Excel Spawning Microsoft Project Application	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.003	Anomaly	PathWiper	2026-05-13
Deleting Shadow Copies	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Prestige Ransomware, Compromised Windows Host, Ransomware, Black Basta Ransomware, Cactus Ransomware, Medusa Ransomware, Storm-2460 CLFS Zero Day Exploitation, Rhysida Ransomware, VanHelsing Ransomware, CISA AA22-264A, Windows Log Manipulation, Chaos Ransomware, DarkGate Malware, LockBit Ransomware, Clop Ransomware, Termite Ransomware, Void Manticore, SamSam Ransomware	2026-05-13
Java Writing JSP File	Sysmon for Linux EventID 1, Sysmon for Linux EventID 11	T1133 T1190	TTP	SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, Atlassian Confluence Server and Data Center CVE-2022-26134, SysAid On-Prem Software CVE-2023-47246 Vulnerability	2026-05-13
Windows Rasautou DLL Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055.001 T1218	TTP	Compromised Windows Host, Windows Defense Evasion Tactics, Hellcat Ransomware	2026-05-13
Linux Auditd Service Restarted	Linux Auditd Proctitle	T1053.006	Anomaly	Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir	2026-05-13
Windows Credentials from Password Stores Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555	TTP	NetSupport RMM Tool Abuse, Compromised Windows Host, DarkGate Malware	2026-05-13
Windows Impair Defense Set Win Defender Smart Screen Level To Warn	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Linux Auditd File Permission Modification Via Chmod	Linux Auditd Proctitle	T1222.002	Anomaly	Linux Persistence Techniques, XorDDos, Linux Living Off The Land, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Axios Supply Chain Post Compromise, Compromised Linux Host	2026-05-13
USN Journal Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070	TTP	Windows Log Manipulation, Ransomware	2026-05-13
Mshta spawning Rundll32 OR Regsvr32 Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	TTP	Living Off The Land, IcedID, APT37 Rustonotto and FadeStealer, Trickbot	2026-05-13
Logon Script Event Trigger Execution	Sysmon EventID 13	T1037.001	TTP	VIP Keylogger, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation	2026-05-13
Execution of File with Multiple Extensions	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003	TTP	Masquerading - Rename System Utilities, AsyncRAT, DarkGate Malware, Windows File Extension and Association Abuse	2026-05-13
MSBuild Suspicious Spawned By Script Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1127.001	TTP	Trusted Developer Utilities Proxy Execution MSBuild, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Windows Anomalous Registry Value Length in Environment Key	Sysmon EventID 13	T1112	Anomaly	VIP Keylogger	2026-05-13
Windows Password Policy Discovery with Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	Hunting	Active Directory Discovery	2026-05-13
Windows Potential Cloudflared Network Connection	Sysmon EventID 3	T1572	Hunting	Reverse Network Proxy	2026-05-13
Linux Auditd Find Credentials From Password Stores	Linux Auditd Execve	T1555.005	TTP	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Hellcat Ransomware, Scattered Lapsus$ Hunters, Compromised Linux Host	2026-05-13
Windows WMI Process And Service List	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Linux Auditd Add User Account	Linux Auditd Proctitle	T1136.001	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Linux Auditd Unload Module Via Modprobe	Linux Auditd Execve	T1547.006	TTP	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Reg exe Manipulating Windows Services Registry Keys	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.011	TTP	Windows Service Abuse, Living Off The Land, Windows Persistence Techniques	2026-05-13
Windows Gather Victim Identity SAM Info	Sysmon EventID 7	T1589.001	Hunting	Brute Ratel C4	2026-05-13
Windows Local Administrator Credential Stuffing	Windows Event Log Security 4624, Windows Event Log Security 4625	T1110.004	TTP	Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Active Directory Lateral Movement	2026-05-13
Suspicious Copy on System32	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003	Anomaly	Compromised Windows Host, Volt Typhoon, AsyncRAT, Water Gamayun, Unusual Processes, Qakbot, IcedID, Sandworm Tools	2026-05-13
Spike in File Writes	Sysmon EventID 11	N/A	Anomaly	Ryuk Ransomware, Rhysida Ransomware, Ransomware, SamSam Ransomware	2026-05-13
Windows PowerShell WMI Win32 ScheduledJob	Powershell Script Block Logging 4104	T1059.001	TTP	Active Directory Lateral Movement	2026-05-13
Detect RTLO In Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.002	TTP	Spearphishing Attachments	2026-05-13
Detect RTLO In File Name	Sysmon EventID 11	T1036.002	TTP	Spearphishing Attachments	2026-05-13
Linux Preload Hijack Library Calls	Sysmon for Linux EventID 1	T1574.006	TTP	Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity	2026-05-13
Windows Administrative Shares Accessed On Multiple Hosts	Windows Event Log Security 5145, Windows Event Log Security 5140	T1135	TTP	Active Directory Privilege Escalation, Active Directory Lateral Movement	2026-05-13
Windows Impair Defense Disable Controlled Folder Access	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, BlankGrabber Stealer	2026-05-13
Windows MSIExec DLLRegisterServer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Water Gamayun, Windows System Binary Proxy Execution MSIExec	2026-05-13
Windows ESX Admins Group Creation Security Event	Windows Event Log Security 4727, Windows Event Log Security 4730, Windows Event Log Security 4737	T1136.001 T1136.002	TTP	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	2026-05-13
Windows TeamCity Payload Execution from Temp Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1190 T1505.003	TTP	JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE	2026-05-13
Linux Obfuscated Files or Information Base64 Decode	Sysmon for Linux EventID 1	T1027	Anomaly	Linux Living Off The Land	2026-05-13
Linux Sudo OR Su Execution	Sysmon for Linux EventID 1	T1548.003	Hunting	Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation	2026-05-13
Windows Screen Capture in TEMP folder	Sysmon EventID 11	T1113	TTP	Crypto Stealer, APT37 Rustonotto and FadeStealer, VIP Keylogger, Braodo Stealer, StealC Stealer, Hellcat Ransomware	2026-05-13
Windows Rundll32 with Non-Standard File Extension	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	Anomaly	Living Off The Land, Gh0st RAT, Suspicious Rundll32 Activity	2026-05-13
Windows AD Privileged Object Access Activity	Windows Event Log Security 4662	T1087.002	TTP	BlackSuit Ransomware, Active Directory Discovery	2026-05-13
Windows Defender ASR or Threat Configuration Tamper	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	Windows Defense Evasion Tactics	2026-05-13
Linux Auditd Base64 Decode Files	Linux Auditd Execve	T1140	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Linux RPM Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
PowerShell Invoke WmiExec Usage	Powershell Script Block Logging 4104	T1047	TTP	Scattered Lapsus$ Hunters, Suspicious WMI Use	2026-05-13
Crowdstrike Medium Severity Alert		T1110	Anomaly	Compromised Windows Host	2026-05-13
Windows Level RMM PowerShell Script Installer	Powershell Script Block Logging 4104	T1219	Anomaly	Remote Monitoring and Management Software	2026-05-13
Detect Empire with PowerShell Script Block Logging	Powershell Script Block Logging 4104	T1059.001	TTP	Hermetic Wiper, Malicious PowerShell, Data Destruction, Hellcat Ransomware	2026-05-13
ICACLS Grant Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	Crypto Stealer, Ransomware, XMRig, Defense Evasion or Unauthorized Access Via SDDL Tampering, NetSupport RMM Tool Abuse	2026-05-13
Windows Crowdstrike RTR Script Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.001	Anomaly	Suspicious MSHTA Activity, Living Off The Land, Cobalt Strike, Malicious PowerShell	2026-05-13
Powershell Load Module in Meterpreter	Powershell Script Block Logging 4104	T1059.001	TTP	MetaSploit	2026-05-13
Windows Chromium Process Launched with Logging Disabled	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	Anomaly	Browser Hijacking	2026-05-13
Disable Windows App Hotkeys	Sysmon EventID 13	T1112 T1685	TTP	XMRig, Windows Registry Abuse	2026-05-13
GetWmiObject Ds Group with PowerShell Script Block	Powershell Script Block Logging 4104	T1069.002	TTP	Active Directory Discovery	2026-05-13
Windows Explorer.exe Spawning PowerShell or Cmd	Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1204.002	Hunting	ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day	2026-05-13
Suspicious Rundll32 StartW	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Cobalt Strike, BlackByte Ransomware, Suspicious Rundll32 Activity, Graceful Wipe Out Attack, Hellcat Ransomware, Trickbot	2026-05-13
Windows Binary Execution from an Archive	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1204.002	Anomaly	Spearphishing Attachments	2026-05-13
Linux Visudo Utility Execution	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows PowerView Kerberos Service Ticket Request	Powershell Script Block Logging 4104	T1558.003	TTP	Active Directory Kerberos Attacks, Rhysida Ransomware	2026-05-13
Clop Ransomware Known Service Name	Windows Event Log System 7045	T1543	TTP	Compromised Windows Host, Clop Ransomware	2026-05-13
System User Discovery With Whoami	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Lotus Blossom Chrysalis Backdoor, LAMEHUG, PHP-CGI RCE Attack on Japanese Organizations, Winter Vivern, Active Directory Discovery, Rhysida Ransomware, Qakbot, CISA AA23-347A	2026-05-13
Windows Odbcconf Load Response File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.008	TTP	Living Off The Land	2026-05-13
Windows Impair Defense Disable Win Defender Signature Retirement	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters	2026-05-13
Windows Audit Policy Auditing Option Disabled via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	TTP	Windows Audit Policy Tampering	2026-05-13
Windows AD Suspicious Attribute Modification	Windows Event Log Security 5136	T1222.001 T1550	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Spoolsv Writing a DLL - Sysmon	Sysmon EventID 11	T1547.012	TTP	PrintNightmare CVE-2021-34527, Black Basta Ransomware	2026-05-13
Execute Javascript With Jscript COM CLSID	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.005	TTP	Ransomware	2026-05-13
Linux Possible Access Or Modification Of sshd Config File	Sysmon for Linux EventID 1	T1098.004	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Impair Defense Define Win Defender Threat Action	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows IOBit Unlocker Extension DLL Registration via Regsvr32	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	TTP	Compromised Windows Host	2026-05-13
Windows Modify Registry Do Not Connect To Win Update	Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2026-05-13
Windows DnsAdmins New Member Added	Windows Event Log Security 4732	T1098	TTP	Active Directory Privilege Escalation	2026-05-13
Windows Drivers Loaded by Signature	Sysmon EventID 6	T1014 T1068	Hunting	Windows Drivers, AgentTesla, BlackByte Ransomware, CISA AA22-320A	2026-05-13
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download	Cisco Network Visibility Module Flow Data	T1218.005	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
Disabling SystemRestore In Registry	Sysmon EventID 13	T1490	TTP	NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Proxy Execution of .NET Utilities via Scripts	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218	Anomaly	VIP Keylogger	2026-05-13
Windows Remote Access Software RMS Registry	Sysmon EventID 13	T1219	TTP	Azorult	2026-05-13
Windows Large Number of Computer Service Tickets Requested	Windows Event Log Security 4769	T1078 T1135	Anomaly	Active Directory Privilege Escalation, Active Directory Lateral Movement	2026-05-13
Suspicious msbuild path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1127.001	TTP	Living Off The Land, Cobalt Strike, BlackByte Ransomware, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Windows ConsoleHost History File Deletion	Sysmon EventID 23, Sysmon EventID 26	T1070.003	Anomaly	Medusa Ransomware	2026-05-13
Linux DD File Overwrite	Sysmon for Linux EventID 1	T1485	TTP	Data Destruction, Industroyer2	2026-05-13
Remote Process Instantiation via WMI and PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Compromised Windows Host, Active Directory Lateral Movement	2026-05-13
Windows Kerberos Coercion via DNS	Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 4662	T1071.004 T1187 T1557.001	TTP	Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic	2026-05-13
Detect Regsvr32 Application Control Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	TTP	Living Off The Land, Compromised Windows Host, Cobalt Strike, PHP-CGI RCE Attack on Japanese Organizations, BlackByte Ransomware, Suspicious Regsvr32 Activity, Graceful Wipe Out Attack	2026-05-13
Windows Entra User Management Via Azure CLI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1078.004 T1098 T1136	Anomaly	Azure Active Directory Persistence	2026-05-13
Windows DNS Query Request To TinyUrl	Sysmon EventID 22	T1105	Anomaly	Malicious Inno Setup Loader	2026-05-13
Wscript Or Cscript Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055 T1134.004 T1543	Anomaly	Remcos, VIP Keylogger, XWorm, NjRAT, 0bj3ctivity Stealer, Unusual Processes, ShrinkLocker, MuddyWater, Data Destruction, WhisperGate, FIN7, Axios Supply Chain Post Compromise	2026-05-13
Windows Outlook Dialogs Disabled from Unusual Process	Sysmon EventID 13	T1112 T1685	TTP	Windows Registry Abuse, NotDoor Malware	2026-05-13
Common Ransomware Notes	Sysmon EventID 11	T1485	Hunting	Medusa Ransomware, Ransomware, Ryuk Ransomware, Black Basta Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Interlock Ransomware, Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Hellcat Ransomware, Storm-0501 Ransomware, Termite Ransomware, SamSam Ransomware	2026-05-13
Windows Hosts File Access	Windows Event Log Security 4663	T1012	Anomaly	Gh0st RAT, BlankGrabber Stealer	2026-05-13
Windows Exfiltration Over C2 Via Invoke RestMethod	Powershell Script Block Logging 4104	T1041	TTP	APT37 Rustonotto and FadeStealer, Winter Vivern, Water Gamayun, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287	2026-05-13
Print Spooler Adding A Printer Driver	Windows Event Log Printservice 316	T1547.012	TTP	PrintNightmare CVE-2021-34527, Black Basta Ransomware	2026-05-13
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Security Solution Tampering	2026-05-13
Rundll32 Control RunDLL Hunt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	Hunting	Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity	2026-05-13
Windows Process Injection into Commonly Abused Processes	Sysmon EventID 10	T1055.002	Anomaly	SAP NetWeaver Exploitation, APT37 Rustonotto and FadeStealer, Earth Alux, BishopFox Sliver Adversary Emulation Framework	2026-05-13
Recon Using WMI Class	Powershell Script Block Logging 4104	T1059.001 T1592	Anomaly	Malicious Inno Setup Loader, Scattered Spider, Industroyer2, VIP Keylogger, AsyncRAT, Hermetic Wiper, MoonPeak, Qakbot, Quasar RAT, BlankGrabber Stealer, Data Destruction, LockBit Ransomware, Axios Supply Chain Post Compromise, Malicious PowerShell	2026-05-13
Domain Controller Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Hunting	Active Directory Discovery	2026-05-13
Windows Domain Account Discovery Via Get-NetComputer	Powershell Script Block Logging 4104	T1087.002	Anomaly	CISA AA23-347A	2026-05-13
Windows Remote Assistance Spawning Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Compromised Windows Host, Unusual Processes	2026-05-13
Windows AD SID History Attribute Modified	Windows Event Log Security 5136	T1134.005	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Wmic Group Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001	Anomaly	LAMEHUG, Active Directory Discovery	2026-05-13
Windows Steal or Forge Kerberos Tickets Klist	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1558	Hunting	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows SIP WinVerifyTrust Failed Trust Validation	Windows Event Log CAPI2 81	T1553.003	Anomaly	Subvert Trust Controls SIP and Trust Provider Hijacking	2026-05-13
Windows Modify Registry WuServer	Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2026-05-13
Windows RDP Bitmap Cache File Creation	Sysmon EventID 11	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows Chromium process Launched with Disable Popup Blocking	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	Anomaly	Browser Hijacking	2026-05-13
Windows WSUS Spawning Shell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1190 T1505.003	TTP	Microsoft WSUS CVE-2025-59287	2026-05-13
Windows Service Created with Suspicious Service Name	Windows Event Log System 7045	T1569.002	Anomaly	Gh0st RAT, Brute Ratel C4, Snake Malware, Flax Typhoon, PlugX, Qakbot, CISA AA23-347A, Clop Ransomware, Tuoni, Active Directory Lateral Movement	2026-05-13
Windows Credentials from Web Browsers Saved in TEMP Folder	Sysmon EventID 11	T1555.003	TTP	Braodo Stealer, Scattered Lapsus$ Hunters	2026-05-13
Windows Process With NamedPipe CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	Anomaly	Windows Defense Evasion Tactics	2026-05-13
Malicious Powershell Executed As A Service	Windows Event Log System 7045	T1569.002	TTP	Rhysida Ransomware, Compromised Windows Host, Malicious PowerShell	2026-05-13
CMD Echo Pipe - Escalation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003 T1543.003	TTP	BlackByte Ransomware, Compromised Windows Host, Cobalt Strike, Graceful Wipe Out Attack	2026-05-13
User Discovery With Env Vars PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Active Directory Discovery	2026-05-13
Linux PHP Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Cisco Isovalent - Non Allowlisted Image Use	Cisco Isovalent Process Exec	T1204.003	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Windows BitLockerToGo with Network Activity	Sysmon EventID 22	T1218	Hunting	Lumma Stealer, Hellcat Ransomware	2026-05-13
Disable Defender BlockAtFirstSeen Feature	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Azorult, IcedID	2026-05-13
Linux Account Manipulation Of SSH Config and Keys	Sysmon for Linux EventID 11	T1070.004 T1485	Anomaly	AcidRain, Hellcat Ransomware	2026-05-13
Windows Proxy Via Netsh	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1090.001	Anomaly	Volt Typhoon	2026-05-13
Windows SqlWriter SQLDumper DLL Sideload	Sysmon EventID 7	T1574.001	TTP	APT29 Diplomatic Deceptions with WINELOADER	2026-05-13
Windows GrimResource - MMC Process Accessing APDS DLL	Windows Event Log Security 4663	T1059.007 T1218.014	TTP	Compromised Windows Host	2026-05-13
MacOS - Re-opened Applications	Sysmon EventID 1	N/A	TTP	ColdRoot MacOS RAT	2026-05-13
Suspicious Scheduled Task from Public Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	Anomaly	Crypto Stealer, Ransomware, MoonPeak, Ryuk Ransomware, NetSupport RMM Tool Abuse, Scheduled Tasks, Medusa Ransomware, DarkCrystal RAT, Salt Typhoon, Windows Persistence Techniques, China-Nexus Threat Activity, Malicious Inno Setup Loader, Lokibot, XWorm, CISA AA23-347A, Living Off The Land, APT37 Rustonotto and FadeStealer, Scattered Spider, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Azorult, Quasar RAT	2026-05-13
MOVEit Empty Key Fingerprint Authentication Attempt		T1190	Hunting	MOVEit Transfer Authentication Bypass, Hellcat Ransomware	2026-05-13
Processes Tapping Keyboard Events	Osquery Results	N/A	TTP	APT37 Rustonotto and FadeStealer, ColdRoot MacOS RAT	2026-05-13
Powershell Execute COM Object	Powershell Script Block Logging 4104	T1059.001 T1546.015	TTP	Hermetic Wiper, Malicious PowerShell, Data Destruction, Ransomware	2026-05-13
Linux Auditd Possible Access To Credential Files	Linux Auditd Proctitle	T1003.008	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Axios Supply Chain Post Compromise, Compromised Linux Host	2026-05-13
Unload Sysmon Filter Driver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	CISA AA23-347A, Disabling Security Tools	2026-05-13
WSReset UAC Bypass	Sysmon EventID 12, Sysmon EventID 13	T1548.002	TTP	MoonPeak, Living Off The Land, Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows RMM Tool Execution	Sysmon EventID 1	T1219	Anomaly	NetSupport RMM Tool Abuse, Suspicious User Agents, Remote Monitoring and Management Software	2026-05-13
Elevated Group Discovery with PowerView	Powershell Script Block Logging 4104	T1069.002	Hunting	Active Directory Discovery	2026-05-13
Linux Doas Tool Execution	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Auto Admin Logon Registry Entry	Sysmon EventID 13	T1552.002	TTP	Windows Registry Abuse, BlackMatter Ransomware	2026-05-13
DSQuery Domain Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Compromised Windows Host, Domain Trust Discovery, Active Directory Discovery	2026-05-13
Windows Remote Management Execute Shell	Sysmon EventID 1, Windows Event Log Security 4688	T1021.006	Anomaly	Crypto Stealer	2026-05-13
Windows Service Stop Attempt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	Hunting	Gh0st RAT, Prestige Ransomware, Scattered Lapsus$ Hunters, Graceful Wipe Out Attack	2026-05-13
System User Discovery With Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Medusa Ransomware, Active Directory Discovery	2026-05-13
Spoolsv Suspicious Process Access	Sysmon EventID 10	T1068	TTP	PrintNightmare CVE-2021-34527, Black Basta Ransomware	2026-05-13
MS Exchange Mailbox Replication service writing Active Server Pages	Sysmon EventID 1, Sysmon EventID 11	T1133 T1190 T1505.003	TTP	BlackByte Ransomware, ProxyShell, Ransomware	2026-05-13
Curl Execution with Percent Encoded URL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	T1027 T1105	Anomaly	Living Off The Land, Compromised Windows Host, Ingress Tool Transfer	2026-05-13
Windows Command and Scripting Interpreter Path Traversal Exec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Windows Defense Evasion Tactics	2026-05-13
Detect Rundll32 Inline HTA Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	TTP	Suspicious MSHTA Activity, Living Off The Land, APT37 Rustonotto and FadeStealer, NOBELIUM Group	2026-05-13
Mailsniper Invoke functions	Powershell Script Block Logging 4104	T1114.001	TTP	Data Exfiltration	2026-05-13
Windows Modify Registry DisAllow Windows App	Sysmon EventID 13	T1112	TTP	Azorult	2026-05-13
Windows Net System Service Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1007	Hunting	Gh0st RAT, LAMEHUG	2026-05-13
SecretDumps Offline NTDS Dumping Tool	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	Compromised Windows Host, Credential Dumping, Rhysida Ransomware, Storm-0501 Ransomware, Graceful Wipe Out Attack	2026-05-13
Impacket Lateral Movement Commandline Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.002 T1021.003 T1047 T1543.003	TTP	Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, Gozi Malware, CISA AA22-277A, Storm-0501 Ransomware, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement	2026-05-13
Windows Azure PowerShell Module Installation Via PowerShell Script	Powershell Script Block Logging 4104	T1021.007 T1069.003 T1078 T1098 T1136.003	Anomaly	Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2026-05-13
GetWmiObject DS User with PowerShell Script Block	Powershell Script Block Logging 4104	T1087.002	TTP	Active Directory Discovery	2026-05-13
Windows Unusual Intelliform Storage Registry Access	Windows Event Log Security 4663	T1552.001	Anomaly	Lokibot, Quasar RAT	2026-05-13
Windows Excessive Service Stop Attempt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	TTP	XMRig, BlackByte Ransomware, Ransomware	2026-05-13
Windows Sensitive Group Discovery With Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	Anomaly	BlackSuit Ransomware, Volt Typhoon, Active Directory Discovery, Rhysida Ransomware, Microsoft WSUS CVE-2025-59287, IcedID	2026-05-13
Windows Office Product Spawned Child Process For Download	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	APT37 Rustonotto and FadeStealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, NjRAT, PlugX	2026-05-13
Powershell Enable SMB1Protocol Feature	Powershell Script Block Logging 4104	T1027.005	TTP	Hermetic Wiper, Malicious PowerShell, Data Destruction, Ransomware	2026-05-13
GetLocalUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.001	Hunting	Active Directory Discovery	2026-05-13
Suspicious microsoft workflow compiler usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1127	TTP	Living Off The Land, Trusted Developer Utilities Proxy Execution	2026-05-13
Windows DLL Module Loaded in Temp Dir	Sysmon EventID 7	T1105	Hunting	Interlock Rat, Lokibot, SolarWinds WHD RCE Post Exploitation	2026-05-13
Windows Modify Registry EnableLinkedConnections	Sysmon EventID 13	T1112	TTP	BlackByte Ransomware	2026-05-13
Windows MSIX Package Interaction	Windows Event Log AppXPackaging 171	T1204.002	Hunting	MSIX Package Abuse	2026-05-13
Linux Auditd Preload Hijack Library Calls	Linux Auditd Execve	T1574.006	TTP	Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host	2026-05-13
Windows Unsigned MS DLL Side-Loading	Sysmon EventID 7	T1547 T1574.001	Anomaly	Earth Alux, XWorm, APT29 Diplomatic Deceptions with WINELOADER, Salt Typhoon, Derusbi, China-Nexus Threat Activity	2026-05-13
Kerberos Pre-Authentication Flag Disabled with PowerShell	Powershell Script Block Logging 4104	T1558.004	TTP	Active Directory Kerberos Attacks	2026-05-13
Linux Possible Append Command To Profile Config File	Sysmon for Linux EventID 1	T1546.004	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
MacOS Network Share Discovery	Osquery Results	T1135	Anomaly	MacOS Post-Exploitation	2026-05-13
Windows Impair Defense Override SmartScreen Prompt	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Impair Defense Overide Win Defender Phishing Filter	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Cisco Isovalent - Cron Job Creation	Cisco Isovalent Process Exec	T1053.003 T1053.007	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Child Processes of Spoolsv exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	TTP	Hermetic Wiper, Windows Privilege Escalation, Data Destruction	2026-05-13
Windows System Script Proxy Execution Syncappvpublishingserver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1216 T1218	TTP	Living Off The Land	2026-05-13
Disabled Kerberos Pre-Authentication Discovery With PowerView	Powershell Script Block Logging 4104	T1558.004	TTP	Active Directory Kerberos Attacks, Interlock Ransomware	2026-05-13
Remote Process Instantiation via WinRM and Winrs	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.006	TTP	Active Directory Lateral Movement	2026-05-13
Trickbot Named Pipe	Sysmon EventID 17, Sysmon EventID 18	T1055	TTP	Trickbot, Hellcat Ransomware	2026-05-13
Linux Busybox Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows New Custom Security Descriptor Set On EventLog Channel	Sysmon EventID 13	T1685.001	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware	2026-05-13
Windows System Network Config Discovery Display DNS	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1016	Anomaly	Water Gamayun, Prestige Ransomware, Windows Post-Exploitation, Medusa Ransomware	2026-05-13
Windows File and Directory Permissions Enable Inheritance	Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	Hunting	NetSupport RMM Tool Abuse, Crypto Stealer	2026-05-13
Windows Impair Defense Delete Win Defender Context Menu	Sysmon EventID 13	T1685	Hunting	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Default RDP File Creation By Non MSTSC Process	Sysmon EventID 1, Sysmon EventID 11	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows AD Short Lived Domain Account ServicePrincipalName	Windows Event Log Security 5136	T1098	TTP	Interlock Ransomware, Sneaky Active Directory Persistence Tricks	2026-05-13
Detect New Local Admin account	Windows Event Log Security 4720, Windows Event Log Security 4732	T1136.001	TTP	CISA AA22-257A, DHS Report TA18-074A, HAFNIUM Group, CISA AA24-241A, Scattered Lapsus$ Hunters	2026-05-13
Get ADDefaultDomainPasswordPolicy with Powershell Script Block	Powershell Script Block Logging 4104	T1201	Hunting	Active Directory Discovery	2026-05-13
Windows Odbcconf Load DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.008	TTP	Living Off The Land	2026-05-13
Advanced IP or Port Scanner Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1046 T1135	Anomaly	Windows Defense Evasion Tactics	2026-05-13
Linux Auditd At Application Execution	Linux Auditd Syscall	T1053.002	Anomaly	Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Security Account Manager Stopped	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	TTP	Compromised Windows Host, Scattered Lapsus$ Hunters, Ryuk Ransomware	2026-05-13
Windows Impair Defenses Disable HVCI	Sysmon EventID 13	T1685	TTP	BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse	2026-05-13
Cisco NVM - Susp Script From Archive Triggering Network Activity	Cisco Network Visibility Module Flow Data	T1059.005 T1204.002	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
Windows Scheduled Task with Highest Privileges	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Scheduled Tasks, Compromised Windows Host, XWorm, AsyncRAT, Castle RAT, SolarWinds WHD RCE Post Exploitation, Quasar RAT, CISA AA23-347A, NetSupport RMM Tool Abuse, RedLine Stealer	2026-05-13
Windows InProcServer32 New Outlook Form	Sysmon EventID 13	T1112 T1566	Anomaly	Outlook RCE CVE-2024-21378	2026-05-13
Detect Regasm Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.009	TTP	Suspicious Regsvcs Regasm Activity, Living Off The Land, Compromised Windows Host, Handala Wiper, DarkGate Malware, Snake Keylogger, Void Manticore	2026-05-13
Short Lived Scheduled Task	Windows Event Log Security 4699, Windows Event Log Security 4698	T1053.005	TTP	Scheduled Tasks, Compromised Windows Host, CISA AA22-257A, CISA AA23-347A, Active Directory Lateral Movement	2026-05-13
Windows AD Cross Domain SID History Addition	Windows Event Log Security 4738, Windows Event Log Security 4742	T1134.005	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Disabling Firewall with Netsh	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	BlackByte Ransomware, Windows Defense Evasion Tactics	2026-05-13
Windows TOR Client Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1090.003	Anomaly	Compromised Windows Host, Windows Post-Exploitation, Command And Control, Data Protection, Data Exfiltration	2026-05-13
GetNetTcpconnection with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Active Directory Discovery	2026-05-13
Windows Audit Policy Cleared via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	TTP	Windows Audit Policy Tampering	2026-05-13
Linux Cpulimit Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Compatibility Telemetry Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005 T1546	TTP	Windows Persistence Techniques	2026-05-13
Linux Auditd Data Transfer Size Limits Via Split	Linux Auditd Execve	T1030	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Hellcat Ransomware, Compromised Linux Host	2026-05-13
Enable RDP In Other Port Number	Sysmon EventID 13	T1021	TTP	Windows RDP Artifacts and Defense Evasion, Windows Registry Abuse, Interlock Ransomware, Prohibited Traffic Allowed or Protocol Mismatch	2026-05-13
Linux Service File Created In Systemd Directory	Sysmon for Linux EventID 11	T1053.006	Anomaly	Scheduled Tasks, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, China-Nexus Threat Activity, Gomir	2026-05-13
Windows AutoIt3 Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	Crypto Stealer, Void Manticore, Handala Wiper, DarkGate Malware	2026-05-13
Windows Diskshadow Proxy Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218	TTP	Living Off The Land	2026-05-13
Windows PowerShell FakeCAPTCHA Clipboard Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1059.001 T1059.003 T1204.001	TTP	Fake CAPTCHA Campaigns, Interlock Ransomware, Cisco Network Visibility Module Analytics, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters	2026-05-13
Linux Auditd Sysmon Service Stop	Linux Auditd Service Stop	T1489	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Office Product Spawned Rundll32 With No DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	Prestige Ransomware, Compromised Windows Host, Crypto Stealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Graceful Wipe Out Attack	2026-05-13
Domain Group Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	Hunting	Active Directory Discovery	2026-05-13
Windows Admon Default Group Policy Object Modified	Windows Active Directory Admon	T1484.001	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Schtasks scheduling job on remote system	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Living Off The Land, Scheduled Tasks, Prestige Ransomware, Compromised Windows Host, Quasar RAT, NOBELIUM Group, Phemedrone Stealer, RedLine Stealer, Active Directory Lateral Movement	2026-05-13
Windows PowerShell Export Certificate	Powershell Script Block Logging 4104	T1552.004 T1649	Anomaly	Windows Certificate Services	2026-05-13
Windows MSIExec Spawn WinDBG	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Compromised Windows Host, DarkGate Malware	2026-05-13
Windows Modify Registry Disable WinDefender Notifications	Sysmon EventID 13	T1112	TTP	SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, RedLine Stealer	2026-05-13
Cisco Isovalent - Shell Execution	Cisco Isovalent Process Exec	T1543	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Windows Suspicious VMWare Tools Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	China-Nexus Threat Activity, ESXi Post Compromise	2026-05-13
Windows AppX Deployment Full Trust Package Installation	Windows Event Log AppXDeployment-Server 400	T1204.002 T1553.005	Hunting	MSIX Package Abuse	2026-05-13
Outbound Network Connection from Java Using Default Ports	Sysmon EventID 1, Sysmon EventID 3	T1133 T1190	TTP	Log4Shell CVE-2021-44228	2026-05-13
Windows Powershell RemoteSigned File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	Anomaly	Amadey	2026-05-13
Detect Rare Executables	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	Anomaly	Crypto Stealer, Unusual Processes, Rhysida Ransomware, Salt Typhoon, China-Nexus Threat Activity, SnappyBee	2026-05-13
Potential password in username	Linux Secure	T1078.003 T1552.001	Hunting	Insider Threat, Credential Dumping	2026-05-13
Cisco NVM - Outbound Connection to Suspicious Port	Cisco Network Visibility Module Flow Data	T1571	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
MacOS AMOS Stealer - Virtual Machine Check Activity	Osquery Results	T1059.002	Anomaly	AMOS Stealer, Hellcat Ransomware	2026-05-13
Linux Service Started Or Enabled	Sysmon for Linux EventID 1	T1053.006	Anomaly	Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Gomir	2026-05-13
SLUI Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002	TTP	DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics	2026-05-13
Linux Docker Root Directory Mount	Sysmon for Linux EventID 1	T1611	TTP	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux Auditd Hardware Addition Swapoff	Linux Auditd Execve	T1200	Anomaly	Scattered Lapsus$ Hunters, AwfulShred, Data Destruction, Compromised Linux Host	2026-05-13
Windows Impair Defense Delete Win Defender Profile Registry	Sysmon EventID 13	T1685	Anomaly	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows AD Object Owner Updated	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Services Escalate Exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548	TTP	Compromised Windows Host, Cobalt Strike, BlackByte Ransomware, CISA AA23-347A, Graceful Wipe Out Attack	2026-05-13
Linux Auditd Shred Overwrite Command	Linux Auditd Proctitle	T1485	TTP	AwfulShred, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation, Data Destruction, Compromised Linux Host	2026-05-13
Creation of Shadow Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	Credential Dumping, Compromised Windows Host, Volt Typhoon	2026-05-13
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File	Linux Auditd Cwd, Linux Auditd Path	T1053.003	Hunting	Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Office Product Spawned Control	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Spearphishing Attachments	2026-05-13
Windows Wmic CPU Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	LAMEHUG	2026-05-13
Windows OneDrive Share Mounted via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1567.002	Anomaly	Data Exfiltration	2026-05-13
Windows Registry Entries Exported Via Reg	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1012	Hunting	Prestige Ransomware, Windows Post-Exploitation, CISA AA23-347A	2026-05-13
Detect Remote Access Software Usage Registry	Sysmon EventID 13	T1219	Anomaly	Command And Control, Ransomware, Remote Monitoring and Management Software, Cactus Ransomware, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, Insider Threat, Scattered Lapsus$ Hunters	2026-05-13
Linux Edit Cron Table Parameter	Sysmon for Linux EventID 1	T1053.003	Hunting	Linux Persistence Techniques, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Non Discord App Access Discord LevelDB	Windows Event Log Security 4663	T1012	Anomaly	Snake Keylogger, PXA Stealer, StealC Stealer, BlankGrabber Stealer	2026-05-13
Windows AppCertDLL Modification Via Command Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.009	Anomaly	Windows Privilege Escalation, Windows Persistence Techniques	2026-05-13
Kerberos Service Ticket Request Using RC4 Encryption	Windows Event Log Security 4769	T1558.001	TTP	Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters	2026-05-13
Print Spooler Failed to Load a Plug-in	Windows Event Log Printservice 4909, Windows Event Log Printservice 808	T1547.012	TTP	PrintNightmare CVE-2021-34527, Black Basta Ransomware	2026-05-13
Windows Chrome Auto-Update Disabled via Registry	Sysmon EventID 13	T1185	Anomaly	Browser Hijacking	2026-05-13
WMI Permanent Event Subscription		T1047	TTP	Suspicious WMI Use	2026-05-13
Disable Defender Enhanced Notification	Sysmon EventID 13	T1685	TTP	IcedID, Azorult, CISA AA23-347A, Windows Registry Abuse	2026-05-13
GetWmiObject User Account with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.001	Hunting	Winter Vivern, Water Gamayun, Active Directory Discovery	2026-05-13
PowerShell Get LocalGroup Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001	Hunting	Active Directory Discovery	2026-05-13
Windows Multiple NTLM Null Domain Authentications	NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006	T1110.003	TTP	Active Directory Password Spraying	2026-05-13
GetCurrent User with PowerShell Script Block	Powershell Script Block Logging 4104	T1033	Hunting	Active Directory Discovery	2026-05-13
Modify ACL permission To Files Or Folder	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	XMRig, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering	2026-05-13
Windows PowerShell ScheduleTask	Powershell Script Block Logging 4104	T1053.005 T1059.001	Anomaly	Scheduled Tasks, Scattered Spider	2026-05-13
Windows Global Object Access Audit List Cleared Via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	TTP	Windows Audit Policy Tampering	2026-05-13
Dump LSASS via procdump	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.001	TTP	Compromised Windows Host, CISA AA22-257A, Credential Dumping, HAFNIUM Group, Seashell Blizzard, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Windows Modify Registry to Add or Modify Firewall Rule	Sysmon EventID 14, Sysmon EventID 13	T1112	Anomaly	NetSupport RMM Tool Abuse, ShrinkLocker, CISA AA24-241A	2026-05-13
BITSAdmin Download File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105 T1197	TTP	DarkSide Ransomware, Living Off The Land, APT37 Rustonotto and FadeStealer, Scattered Spider, Ingress Tool Transfer, Flax Typhoon, Gozi Malware, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, BITS Jobs	2026-05-13
Windows Account Discovery With NetUser PreauthNotRequire	Powershell Script Block Logging 4104	T1087	Hunting	CISA AA23-347A	2026-05-13
Windows SSH Proxy Command	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.001 T1105 T1572	Anomaly	Living Off The Land, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day, Hellcat Ransomware	2026-05-13
Windows Modify Registry DisableSecuritySettings	Sysmon EventID 13	T1112	TTP	CISA AA23-347A, DarkGate Malware	2026-05-13
Windows System File on Disk	Sysmon EventID 11	T1068	Hunting	Windows Drivers, Crypto Stealer, CISA AA22-264A	2026-05-13
Detect SharpHound File Modifications	Sysmon EventID 11	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	BlackSuit Ransomware, Windows Discovery Techniques, Ransomware	2026-05-13
Disable Show Hidden Files	Sysmon EventID 13	T1112 T1564.001 T1685	Anomaly	Windows Registry Abuse, Windows Defense Evasion Tactics, Azorult	2026-05-13
Windows Rundll32 Apply User Settings Changes	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	Anomaly	Rhysida Ransomware	2026-05-13
Possible Browser Pass View Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555.003	Hunting	Remcos	2026-05-13
Network Traffic to Active Directory Web Services Protocol	Sysmon EventID 3	T1069.001 T1069.002 T1087.001 T1087.002 T1482	Hunting	Windows Discovery Techniques	2026-05-13
Windows AD Domain Root ACL Deletion	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows Vulnerable Driver Loaded	Sysmon EventID 6	T1543.003	Hunting	Windows Drivers, BlackByte Ransomware, Void Manticore	2026-05-13
Modification Of Wallpaper	Sysmon EventID 13	T1491	TTP	Revil Ransomware, Brute Ratel C4, Windows Registry Abuse, Ransomware, Black Basta Ransomware, Rhysida Ransomware, LockBit Ransomware, BlackMatter Ransomware, ZOVWiper	2026-05-13
Windows SpeechRuntime COM Hijacking DLL Load	Sysmon EventID 7	T1021.003	TTP	Compromised Windows Host, Scattered Lapsus$ Hunters, Active Directory Lateral Movement	2026-05-13
Windows System Time Discovery W32tm Delay	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1124	Anomaly	DarkCrystal RAT	2026-05-13
Linux Add User Account	Sysmon for Linux EventID 1, Cisco Isovalent Process Exec	T1136.001	Hunting	Linux Persistence Techniques, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity	2026-05-13
Domain Controller Discovery with Nltest	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	BlackSuit Ransomware, Medusa Ransomware, Active Directory Discovery, Rhysida Ransomware, CISA AA23-347A, NetSupport RMM Tool Abuse	2026-05-13
Linux Telnet Authentication Bypass	Sysmon for Linux EventID 1	T1548	TTP	Telnetd CVE-2026-24061	2026-05-13
Windows HTTP Network Communication From MSIExec	Sysmon EventID 1, Sysmon EventID 3, Cisco Network Visibility Module Flow Data	T1218.007	Anomaly	APT37 Rustonotto and FadeStealer, Water Gamayun, GhostRedirector IIS Module and Rungan Backdoor, SolarWinds WHD RCE Post Exploitation, Cisco Network Visibility Module Analytics, Windows System Binary Proxy Execution MSIExec	2026-05-13
Cisco NVM - Suspicious Network Connection to IP Lookup Service API	Cisco Network Visibility Module Flow Data	T1016 T1590.005	Anomaly	Castle RAT, Cisco Network Visibility Module Analytics, BlankGrabber Stealer	2026-05-13
Linux Doas Conf File Creation	Sysmon for Linux EventID 11	T1548.003	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Filtering Platform Policy Added to Block EDR Process	Sysmon EventID 13	T1685	TTP	Security Solution Tampering, Disabling Security Tools	2026-05-13
Windows Office Product Loading VBE7 DLL	Sysmon EventID 7	T1566.001	Anomaly	Remcos, Spearphishing Attachments, DarkCrystal RAT, PlugX, NjRAT, AgentTesla, Qakbot, Azorult, MuddyWater, IcedID, Trickbot	2026-05-13
Windows PsTools Recon Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018 T1046 T1082	Anomaly	Compromised Windows Host	2026-05-13
Linux Auditd Doas Conf File Creation	Linux Auditd Cwd, Linux Auditd Path	T1548.003	TTP	Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Data Destruction Recursive Exec Files Deletion	Sysmon EventID 23, Sysmon EventID 26	T1485	TTP	Disk Wiper, Handala Wiper, Swift Slicer, Data Destruction, Void Manticore	2026-05-13
Windows Service Creation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003	TTP	Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, SnappyBee, Active Directory Lateral Movement	2026-05-13
Linux OpenVPN Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows PowerView SPN Discovery	Powershell Script Block Logging 4104	T1558.003	TTP	Rhysida Ransomware, CISA AA23-347A, Active Directory Kerberos Attacks, Interlock Ransomware	2026-05-13
Windows AD Domain Controller Promotion	Windows Event Log Security 4742	T1207	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Sdclt UAC Bypass	Sysmon EventID 12, Sysmon EventID 13	T1548.002	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Devtunnels Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1090	Anomaly	Reverse Network Proxy	2026-05-13
Linux Deletion Of Cron Jobs	Sysmon for Linux EventID 11	T1070.004 T1485	Anomaly	AcidRain, Data Destruction, AcidPour	2026-05-13
Windows RunMRU Command Execution	Sysmon EventID 13	T1202	Anomaly	Fake CAPTCHA Campaigns, Lumma Stealer	2026-05-13
Windows Office Product Loading Taskschd DLL	Sysmon EventID 7	T1566.001	Anomaly	Spearphishing Attachments	2026-05-13
GetCurrent User with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Active Directory Discovery	2026-05-13
Powershell Get LocalGroup Discovery with Script Block Logging	Powershell Script Block Logging 4104	T1069.001	Hunting	Active Directory Discovery	2026-05-13
Svchost LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement	2026-05-13
Windows Terminating Lsass Process	Sysmon EventID 10	T1685	Anomaly	Double Zero Destructor, Scattered Lapsus$ Hunters, Data Destruction	2026-05-13
Windows Impair Defense Disable Win Defender App Guard	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
MacOS Hidden Files and Directories	Osquery Results	T1564.001	Anomaly	MacOS Persistence Techniques	2026-05-13
Windows COM Hijacking InprocServer32 Modification	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.015	TTP	Living Off The Land, Compromised Windows Host	2026-05-13
Windows Impair Defense Disable Win Defender Report Infection	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows SQL Server Startup Procedure	Windows Event Log Application 17135	T1505.001	Anomaly	SQL Server Abuse, Hellcat Ransomware	2026-05-13
Windows Chrome Enable Extension Loading via Command-Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1185	Anomaly	Browser Hijacking	2026-05-13
LOLBAS With Network Traffic	Sysmon EventID 3	T1105 T1218 T1567	TTP	Malicious Inno Setup Loader, Living Off The Land, APT37 Rustonotto and FadeStealer, Fake CAPTCHA Campaigns, Water Gamayun, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, NetSupport RMM Tool Abuse	2026-05-13
Windows Account Discovery for Sam Account Name	Powershell Script Block Logging 4104	T1087	Anomaly	CISA AA23-347A	2026-05-13
Linux Possible Append Command To At Allow Config File	Sysmon for Linux EventID 1	T1053.002	Anomaly	Linux Persistence Techniques, Scheduled Tasks, Linux Privilege Escalation	2026-05-13
Windows Impair Defense Disable Realtime Signature Delivery	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Hiding Files And Directories With Attrib exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	TTP	Malicious Inno Setup Loader, Crypto Stealer, Compromised Windows Host, VIP Keylogger, Windows Defense Evasion Tactics, Azorult, Windows Persistence Techniques	2026-05-13
Windows Command and Scripting Interpreter Hunting Path Traversal	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Hunting	Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics	2026-05-13
Hide User Account From Sign-In Screen	Sysmon EventID 13	T1685	TTP	XMRig, Windows Registry Abuse, Warzone RAT, Azorult	2026-05-13
Windows Modify Registry Disable Restricted Admin	Sysmon EventID 13	T1112	TTP	GhostRedirector IIS Module and Rungan Backdoor, CISA AA23-347A, Medusa Ransomware	2026-05-13
Windows Audit Policy Restored via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	Anomaly	Windows Audit Policy Tampering	2026-05-13
Windows Information Discovery Fsutil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows User Disabled Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1531	Anomaly	XMRig	2026-05-13
Linux Possible Append Cronjob Entry on Existing Cronjob File	Sysmon for Linux EventID 1	T1053.003	Hunting	Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation	2026-05-13
Windows Modify Registry ValleyRat PWN Reg Entry	Sysmon EventID 13	T1112	TTP	ValleyRAT	2026-05-13
Detect mshta inline hta execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	TTP	Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious MSHTA Activity, XWorm, Gozi Malware, BlankGrabber Stealer	2026-05-13
Windows Unusual Count Of Users Remotely Failed To Auth From Host	Windows Event Log Security 4625	T1110.003	Anomaly	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows Suspicious React or Next.js Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.001 T1059.003 T1190	TTP	React2Shell	2026-05-13
Windows Query Registry Browser List Application	Windows Event Log Security 4663	T1012	Anomaly	Salt Typhoon, China-Nexus Threat Activity, SnappyBee, RedLine Stealer	2026-05-13
Excessive number of service control start as disabled	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Windows Defense Evasion Tactics	2026-05-13
Linux Auditd Whoami User Discovery	Linux Auditd Syscall	T1033	Anomaly	Linux Persistence Techniques, QuietVault, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Detect Exchange Web Shell	Sysmon EventID 11	T1133 T1190 T1505.003	TTP	Compromised Windows Host, CISA AA22-257A, BlackByte Ransomware, HAFNIUM Group, Seashell Blizzard, GhostRedirector IIS Module and Rungan Backdoor, ProxyNotShell, ProxyShell	2026-05-13
Linux Node Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Mimikatz Binary Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003	TTP	Compromised Windows Host, CISA AA22-320A, Scattered Spider, Volt Typhoon, Flax Typhoon, Credential Dumping, CISA AA23-347A, Sandworm Tools	2026-05-13
Enumerate Users Local Group Using Telegram	Windows Event Log Security 4798	T1087	TTP	XMRig, Compromised Windows Host, Water Gamayun	2026-05-13
Windows Audit Policy Excluded Category via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	Anomaly	Windows Audit Policy Tampering	2026-05-13
Windows Driver Inventory		T1068	Hunting	Windows Drivers	2026-05-13
Suspicious Process Executed From Container File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.008 T1204.002	TTP	APT37 Rustonotto and FadeStealer, Remcos, Water Gamayun, Unusual Processes, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Snake Keylogger	2026-05-13
Clop Common Exec Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	TTP	Compromised Windows Host, Clop Ransomware	2026-05-13
WinEvent Scheduled Task Created to Spawn Shell	Windows Event Log Security 4698	T1053.005	TTP	Scheduled Tasks, Compromised Windows Host, Windows Error Reporting Service Elevation of Privilege Vulnerability, Medusa Ransomware, Ransomware, CISA AA22-257A, Castle RAT, Winter Vivern, 0bj3ctivity Stealer, Salt Typhoon, Ryuk Ransomware, Windows Persistence Techniques, China-Nexus Threat Activity, SystemBC	2026-05-13
PowerShell Start-BitsTransfer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1197	TTP	Gozi Malware, BITS Jobs	2026-05-13
AdsiSearcher Account Discovery	Powershell Script Block Logging 4104	T1087.002	TTP	Industroyer2, Active Directory Discovery, CISA AA23-347A, Data Destruction, Scattered Lapsus$ Hunters	2026-05-13
Excessive Usage of NSLOOKUP App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1048	Anomaly	Data Exfiltration, Dynamic DNS, Command And Control, Suspicious DNS Traffic	2026-05-13
Windows Scheduled Task Created Via XML	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	Anomaly	Malicious Inno Setup Loader, Scheduled Tasks, Lokibot, Winter Vivern, MoonPeak, CISA AA23-347A	2026-05-13
Windows Cabinet File Extraction Via Expand	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Suspicious Child Process Spawned From WebServer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505.003	Anomaly	SysAid On-Prem Software CVE-2023-47246 Vulnerability, Compromised Windows Host, WS FTP Server Critical Vulnerabilities, Medusa Ransomware, Citrix ShareFile RCE CVE-2023-24489, CISA AA22-257A, BlackByte Ransomware, Flax Typhoon, Microsoft SharePoint Vulnerabilities, HAFNIUM Group, GhostRedirector IIS Module and Rungan Backdoor, CISA AA22-264A, Microsoft WSUS CVE-2025-59287, ProxyNotShell, ProxyShell	2026-05-13
Cisco Isovalent - Access To Cloud Metadata Service	Cisco Isovalent Process Connect	T1552.005	Anomaly	VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity	2026-05-13
Windows NirSoft Tool Bundle File Created	Sysmon EventID 11	T1588.002	Anomaly	WhisperGate, Data Destruction, Unusual Processes	2026-05-13
Windows Potential Cloudflared Tunnel Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1572	Anomaly	Reverse Network Proxy	2026-05-13
Network Share Discovery Via Dir Command	Windows Event Log Security 5140	T1135	Hunting	IcedID	2026-05-13
Set Default PowerShell Execution Policy To Unrestricted or Bypass	Sysmon EventID 13	T1059.001	TTP	Credential Dumping, HAFNIUM Group, Hermetic Wiper, SolarWinds WHD RCE Post Exploitation, DarkGate Malware, Data Destruction, Malicious PowerShell, SystemBC	2026-05-13
Notepad with no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	BishopFox Sliver Adversary Emulation Framework	2026-05-13
Detect Password Spray Attack Behavior On User	Windows Event Log Security 4624, Windows Event Log Security 4625	T1110.003	TTP	Crypto Stealer, Compromised User Account	2026-05-13
Active Directory Privilege Escalation Identified		T1484	Correlation	Active Directory Privilege Escalation	2026-05-13
Single Letter Process On Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204.002	TTP	DHS Report TA18-074A, Compromised Windows Host	2026-05-13
Linux Setuid Using Chmod Utility	Sysmon for Linux EventID 1	T1548.001	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Steal Authentication Certificates Export Certificate	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649	Anomaly	Windows Certificate Services	2026-05-13
Linux Composer Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Increase in User Modification Activity	Windows Event Log Security 4720	T1098 T1685	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Sdelete Application Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070.004 T1485	TTP	Masquerading - Rename System Utilities, Void Manticore, Scattered Spider	2026-05-13
Windows Downdate Registry Activity	Sysmon EventID 14, Sysmon EventID 12, Sysmon EventID 13	T1112 T1689	Anomaly	Windows Persistence Techniques	2026-05-13
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser	Powershell Script Block Logging 4104	T1558.004	TTP	Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Interlock Ransomware	2026-05-13
Windows Disable Change Password Through Registry	Sysmon EventID 13	T1112	Anomaly	Windows Defense Evasion Tactics, Ransomware	2026-05-13
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM	Windows Event Log Security 4776	T1110.003	Anomaly	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows AD Self DACL Assignment	Windows Event Log Security 5136	T1098 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
NLTest Domain Trust Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Cleo File Transfer Software, Medusa Ransomware, Active Directory Discovery, Rhysida Ransomware, Qakbot, Storm-0501 Ransomware, Ryuk Ransomware, IcedID, Domain Trust Discovery	2026-05-13
Windows Executable in Loaded Modules	Sysmon EventID 7	T1129	TTP	Lokibot, NjRAT	2026-05-13
Windows Level RMM Watchdog Task Created	Windows Event Log Security 4698	T1053 T1219	Anomaly	Remote Monitoring and Management Software	2026-05-13
Linux Auditd Edit Cron Table Parameter	Linux Auditd Syscall	T1053.003	Anomaly	Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Excessive Usage Of Net App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1531	Anomaly	Prestige Ransomware, Windows Post-Exploitation, Ransomware, XMRig, Rhysida Ransomware, Azorult, Graceful Wipe Out Attack	2026-05-13
Linux Service Restarted	Sysmon for Linux EventID 1	T1053.006	Anomaly	Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir	2026-05-13
ConnectWise ScreenConnect Path Traversal Windows SACL	Windows Event Log Security 4663	T1190	TTP	Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard	2026-05-13
Linux Auditd Kernel Module Enumeration	Linux Auditd Syscall	T1014 T1082	Anomaly	Linux Rootkit, XorDDos, Compromised Linux Host	2026-05-13
Cisco NVM - Curl Execution With Insecure Flags	Cisco Network Visibility Module Flow Data	T1197	Anomaly	PromptLock, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287	2026-05-13
Windows Odbcconf Hunting	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.008	Hunting	Living Off The Land	2026-05-13
Windows Mail Protocol In Non-Common Process Path	Sysmon EventID 3	T1071.003	Anomaly	AgentTesla	2026-05-13
Network Connection Discovery With Arp	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Prestige Ransomware, Windows Post-Exploitation, Volt Typhoon, Active Directory Discovery, Interlock Ransomware, Qakbot, IcedID	2026-05-13
Windows Computer Account Created by Computer Account	Windows Event Log Security 4741	T1558	TTP	Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp	2026-05-13
Elevated Group Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	TTP	Active Directory Discovery	2026-05-13
Windows Cobalt Strike PowerShell Loader	Powershell Script Block Logging 4104	T1059.001 T1608	TTP	Cobalt Strike	2026-05-13
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos	Windows Event Log Security 4768	T1110.003	TTP	Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon	2026-05-13
Windows System User Discovery Via Quser	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Prestige Ransomware, Windows Post-Exploitation, Crypto Stealer	2026-05-13
Windows File Without Extension In Critical Folder	Sysmon EventID 11	T1485	TTP	Hermetic Wiper, Data Destruction	2026-05-13
Windows Command Shell DCRat ForkBomb Payload	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.003	TTP	DarkCrystal RAT, Compromised Windows Host	2026-05-13
Creation of lsass Dump with Taskmgr	Sysmon EventID 11	T1003.001	TTP	Cactus Ransomware, CISA AA22-257A, Credential Dumping, Seashell Blizzard, Scattered Lapsus$ Hunters	2026-05-13
NET Profiler UAC bypass	Sysmon EventID 13	T1548.002	TTP	Windows Defense Evasion Tactics	2026-05-13
Excessive Attempt To Disable Services	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	Anomaly	XMRig, Azorult	2026-05-13
Disable UAC Remote Restriction	Sysmon EventID 13	T1548.002	TTP	Windows Defense Evasion Tactics, CISA AA23-347A, Suspicious Windows Registry Activities, Windows Registry Abuse	2026-05-13
Windows Shell Process from CrushFTP	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1059.003 T1190 T1505	TTP	CrushFTP Vulnerabilities	2026-05-13
Windows Scheduled Task DLL Module Loaded	Sysmon EventID 7	T1053	TTP	ValleyRAT	2026-05-13
Windows Default Group Policy Object Modified with GPME	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1484.001	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Detect Renamed WinRAR	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001	Hunting	Salt Typhoon, China-Nexus Threat Activity, Collection and Staging, CISA AA22-277A	2026-05-13
Windows AD Dangerous User ACL Modification	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Get ADUserResultantPasswordPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	TTP	CISA AA23-347A, Active Directory Discovery	2026-05-13
Windows Impair Defense Disable Win Defender Scan On Update	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Excessive File Deletion In WinDefender Folder	Sysmon EventID 23, Sysmon EventID 26	T1485	TTP	WhisperGate, BlackByte Ransomware, Data Destruction	2026-05-13
WMIC XSL Execution via URL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1220	TTP	Compromised Windows Host, Suspicious WMI Use, Cisco Network Visibility Module Analytics	2026-05-13
Windows AD DSRM Account Changes	Sysmon EventID 13	T1098	TTP	Sneaky Active Directory Persistence Tricks, Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Persistence Techniques	2026-05-13
Access LSASS Memory for Dump Creation	Sysmon EventID 10	T1003.001	TTP	Lokibot, Cactus Ransomware, Credential Dumping, CISA AA23-347A, Scattered Lapsus$ Hunters	2026-05-13
Detect Outlook exe writing a zip file	Sysmon EventID 1, Sysmon EventID 11	T1566.001	Anomaly	Remcos, APT37 Rustonotto and FadeStealer, Spearphishing Attachments, Meduza Stealer, PXA Stealer, Amadey	2026-05-13
Windows Disable Windows Event Logging Disable HTTP Logging	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505.004 T1685.001	Anomaly	Windows Defense Evasion Tactics, Compromised Windows Host, CISA AA23-347A, IIS Components	2026-05-13
Windows RDPClient Connection Sequence Events	Windows Event Log Microsoft Windows TerminalServices RDPClient 1024	T1133	Anomaly	Windows RDP Artifacts and Defense Evasion, Spearphishing Attachments	2026-05-13
Linux Install Kernel Module Using Modprobe Utility	Sysmon for Linux EventID 1	T1547.006	Anomaly	Linux Rootkit, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, China-Nexus Threat Activity	2026-05-13
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr	Windows Event Log Security 4698	T1053	TTP	ValleyRAT, Water Gamayun	2026-05-13
Windows Multiple Invalid Users Failed To Authenticate Using NTLM	Windows Event Log Security 4776	T1110.003	TTP	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows Modify Registry Regedit Silent Reg Import	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112	Anomaly	Azorult	2026-05-13
Windows Credentials from Password Stores Chrome Extension Access	Windows Event Log Security 4663	T1012	Anomaly	Malicious Inno Setup Loader, Braodo Stealer, StealC Stealer, 0bj3ctivity Stealer, Meduza Stealer, MoonPeak, Amadey, DarkGate Malware, CISA AA23-347A, BlankGrabber Stealer, Phemedrone Stealer, RedLine Stealer	2026-05-13
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script	Powershell Script Block Logging 4104	T1071.001 T1078 T1212 T1482	TTP	Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation	2026-05-13
Windows Modify Registry With MD5 Reg Key Name	Sysmon EventID 13	T1112	TTP	NjRAT	2026-05-13
7zip CommandLine To SMB Share Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001	Hunting	Ransomware	2026-05-13
Windows Process Execution From RDP Share	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001 T1059 T1105	Anomaly	Hidden Cobra Malware	2026-05-13
Linux SSH Remote Services Script Execute	Sysmon for Linux EventID 1	T1021.004	TTP	VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Hellcat Ransomware	2026-05-13
Linux Decode Base64 to Shell	Sysmon for Linux EventID 1, Cisco Isovalent Process Exec	T1027 T1059.004	TTP	Linux Living Off The Land, Cisco Isovalent Suspicious Activity	2026-05-13
Ping Sleep Batch Command	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1497.003	Anomaly	Gh0st RAT, Warzone RAT, BlackByte Ransomware, Meduza Stealer, Quasar RAT, Data Destruction, WhisperGate, Void Manticore	2026-05-13
Windows Known Abused DLL Created	Sysmon EventID 11	T1574.001	Anomaly	Living Off The Land, Windows Defense Evasion Tactics	2026-05-13
Malicious PowerShell Process - Encoded Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1027	Hunting	Crypto Stealer, CISA AA22-320A, Scattered Spider, Volt Typhoon, Microsoft SharePoint Vulnerabilities, DarkCrystal RAT, Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Qakbot, SolarWinds WHD RCE Post Exploitation, Microsoft WSUS CVE-2025-59287, NOBELIUM Group, Data Destruction, WhisperGate, Lumma Stealer, Sandworm Tools, Malicious PowerShell	2026-05-13
Recursive Delete of Directory In Batch CMD	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070.004	TTP	APT37 Rustonotto and FadeStealer, Ransomware	2026-05-13
Windows Event Triggered Image File Execution Options Injection	Windows Event Log Application 3000	T1546.012	Hunting	Windows Persistence Techniques	2026-05-13
Excessive Usage Of Taskkill	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Crypto Stealer, XMRig, NjRAT, AgentTesla, CISA AA22-264A, Azorult, BlankGrabber Stealer, CISA AA22-277A	2026-05-13
Windows Credentials in Registry Reg Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1552.002	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows AD Domain Replication ACL Addition	Windows Event Log Security 5136	T1484	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Windows Scheduled Task with Suspicious Command	Windows Event Log Security 4700, Windows Event Log Security 4698, Windows Event Log Security 4702	T1053.005	TTP	Scheduled Tasks, APT37 Rustonotto and FadeStealer, Ransomware, Seashell Blizzard, SolarWinds WHD RCE Post Exploitation, Quasar RAT, Ryuk Ransomware, Windows Persistence Techniques	2026-05-13
UAC Bypass MMC Load Unsigned Dll	Sysmon EventID 7	T1218.014 T1548.002	TTP	Windows Defense Evasion Tactics	2026-05-13
Windows Increase in Group or Object Modification Activity	Windows Event Log Security 4663	T1098 T1685	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Linux Ingress Tool Transfer Hunting	Sysmon for Linux EventID 1	T1105	Hunting	NPM Supply Chain Compromise, Ingress Tool Transfer, XorDDos, Linux Living Off The Land, Axios Supply Chain Post Compromise	2026-05-13
Linux Auditd Find Ssh Private Keys	Linux Auditd Execve	T1552.004	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Hellcat Ransomware, Compromised Linux Host	2026-05-13
Windows Firewall Rule Deletion	Windows Event Log Security 4948	T1686	Anomaly	Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker	2026-05-13
Linux Auditd Disable Or Modify System Firewall	Linux Auditd Service Stop	T1686	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Linux Auditd Doas Tool Execution	Linux Auditd Syscall	T1548.003	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Kerberos Local Successful Logon	Windows Event Log Security 4624	T1558	TTP	Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp, Scattered Lapsus$ Hunters, Compromised Windows Host	2026-05-13
Windows Replication Through Removable Media	Sysmon EventID 11	T1091	TTP	APT37 Rustonotto and FadeStealer, PlugX, NjRAT, Salt Typhoon, Chaos Ransomware, Derusbi, China-Nexus Threat Activity	2026-05-13
Process Creating LNK file in Suspicious Location	Sysmon EventID 11	T1566.002	Anomaly	APT37 Rustonotto and FadeStealer, Spearphishing Attachments, Gozi Malware, Qakbot, Amadey, BlankGrabber Stealer, IcedID	2026-05-13
Linux Csvtool Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Cisco Secure Endpoint Unblock File Via Sfc	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Security Solution Tampering	2026-05-13
Windows Vulnerable 3CX Software	Sysmon EventID 1	T1195.002	TTP	3CX Supply Chain Attack	2026-05-13
Rubeus Kerberos Ticket Exports Through Winlogon Access	Sysmon EventID 10	T1550.003	TTP	BlackSuit Ransomware, Active Directory Kerberos Attacks, CISA AA23-347A, Scattered Lapsus$ Hunters, ZOVWiper	2026-05-13
Web Servers Executing Suspicious Processes	Sysmon EventID 1	T1082	TTP	Apache Struts Vulnerability	2026-05-13
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Security Solution Tampering	2026-05-13
Windows Defender ASR Audit Events	Windows Event Log Defender 1134, Windows Event Log Defender 1132, Windows Event Log Defender 1122, Windows Event Log Defender 1126, Windows Event Log Defender 1125	T1059 T1566.001 T1566.002	Anomaly	Windows Attack Surface Reduction	2026-05-13
Windows Advanced Installer MSIX with AI_STUBS Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204.002 T1218 T1553.005	TTP	MSIX Package Abuse	2026-05-13
Linux NOPASSWD Entry In Sudoers File	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Persistence Techniques, Salt Typhoon, China-Nexus Threat Activity, Linux Privilege Escalation	2026-05-13
Detect Baron Samedit CVE-2021-3156 Segfault		T1068	TTP	Baron Samedit CVE-2021-3156	2026-05-13
Windows Service Create SliverC2	Windows Event Log System 7045	T1569.002	TTP	Compromised Windows Host, Hellcat Ransomware, BishopFox Sliver Adversary Emulation Framework	2026-05-13
Windows Event For Service Disabled	Windows Event Log System 7040	T1685	Hunting	Windows Defense Evasion Tactics, RedLine Stealer	2026-05-13
System Info Gathering Using Dxdiag Application	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1592	Hunting	Remcos	2026-05-13
Drop IcedID License dat	Sysmon EventID 11	T1204.002	Hunting	IcedID	2026-05-13
Eventvwr UAC Bypass	Sysmon EventID 13	T1548.002	TTP	Living Off The Land, ValleyRAT, Windows Registry Abuse, Windows Defense Evasion Tactics, IcedID	2026-05-13
Windows Suspicious File in EFI Volume	Sysmon EventID 11	T1490 T1542.001	TTP	Windows BootKits, BlackLotus Campaign, Sandworm Tools	2026-05-13
Windows SIP Provider Inventory		T1553.003	Hunting	Subvert Trust Controls SIP and Trust Provider Hijacking	2026-05-13
WMI Temporary Event Subscription		T1047	TTP	Suspicious WMI Use	2026-05-13
Windows Registry Payload Injection	Sysmon EventID 13	T1027.011	TTP	Unusual Processes	2026-05-13
Windows NetSupport RMM DLL Loaded By Uncommon Process	Sysmon EventID 7	T1036	Anomaly	NetSupport RMM Tool Abuse	2026-05-13
Windows Process Writing File to World Writable Path	Sysmon EventID 11	T1218.005	Hunting	APT29 Diplomatic Deceptions with WINELOADER, PHP-CGI RCE Attack on Japanese Organizations, PathWiper	2026-05-13
Windows Impair Defense Disable PUA Protection	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters	2026-05-13
Linux Auditd File Permissions Modification Via Chattr	Linux Auditd Execve	T1222.002	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows DLL Side-Loading In Calc	Sysmon EventID 7	T1574.001	TTP	Qakbot, Earth Alux	2026-05-13
Windows AD GPO Deleted	Windows Event Log Security 5136	T1484.001 T1685	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows Default Rdp File Unhidden	Sysmon EventID 1	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Linux File Creation In Init Boot Directory	Sysmon for Linux EventID 11	T1037.004	Anomaly	Backdoor Pingpong, Linux Persistence Techniques, XorDDos, Linux Privilege Escalation, China-Nexus Threat Activity	2026-05-13
Wermgr Process Spawned CMD Or Powershell Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	Qakbot, Trickbot	2026-05-13
Linux Deletion Of Services	Sysmon for Linux EventID 11	T1070.004 T1485	TTP	AcidRain, AwfulShred, Data Destruction, AcidPour	2026-05-13
Windows Curl Upload to Remote Destination	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1105	TTP	Compromised Windows Host, PromptLock, NPM Supply Chain Compromise, Ingress Tool Transfer, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, Axios Supply Chain Post Compromise	2026-05-13
Windows Shell or Script Execution From IIS Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1190 T1505.004	Anomaly	ProxyNotShell, ProxyShell	2026-05-13
Linux Persistence and Privilege Escalation Risk Behavior		T1548	Correlation	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Print Processor Registry Autostart	Sysmon EventID 13	T1547.012	TTP	Hermetic Wiper, Windows Privilege Escalation, Data Destruction, Windows Persistence Techniques	2026-05-13
CrowdStrike Falcon Stream Alerts	CrowdStrike Falcon Stream Alert	N/A	Anomaly	Critical Alerts	2026-05-13
Linux Octave Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Disable Internet Explorer Addons	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1176.001	Anomaly	Malicious Inno Setup Loader	2026-05-13
Disable ETW Through Registry	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, CISA AA23-347A, Ransomware	2026-05-13
Windows Modify Registry No Auto Update	Sysmon EventID 13	T1112	Anomaly	CISA AA23-347A, RedLine Stealer	2026-05-13
Windows XLL File Creation Outside of Typical Location	Sysmon EventID 11	T1059 T1129	Anomaly	Spearphishing Attachments	2026-05-13
Network Connection Discovery With Netstat	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Prestige Ransomware, Windows Post-Exploitation, Medusa Ransomware, Volt Typhoon, PlugX, Active Directory Discovery, Qakbot, CISA AA23-347A, CISA AA22-277A	2026-05-13
Windows Office Product Dropped Cab or Inf File	Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688	T1566.001	TTP	APT37 Rustonotto and FadeStealer, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Spearphishing Attachments	2026-05-13
Detect Password Spray Attack Behavior From Source	Windows Event Log Security 4624, Windows Event Log Security 4625	T1110.003	TTP	Compromised User Account	2026-05-13
Cisco NVM - Suspicious File Download via Headless Browser	Cisco Network Visibility Module Flow Data	T1059 T1105	TTP	Cisco Network Visibility Module Analytics, BlankGrabber Stealer	2026-05-13
Detect Regsvcs Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.009	TTP	Suspicious Regsvcs Regasm Activity, Living Off The Land, Compromised Windows Host	2026-05-13
Winhlp32 Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Remcos, Compromised Windows Host	2026-05-13
Get DomainPolicy with Powershell Script Block	Powershell Script Block Logging 4104	T1201	TTP	Active Directory Discovery	2026-05-13
Crowdstrike Admin With Duplicate Password		T1110	TTP	Compromised Windows Host	2026-05-13
SearchProtocolHost with no Command Line with Network	Sysmon EventID 1, Sysmon EventID 3	T1055	TTP	Compromised Windows Host, Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware	2026-05-13
Windows Local LLM Framework Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543	Hunting	Suspicious Local LLM Frameworks	2026-05-13
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574	Anomaly	Windows Persistence Techniques	2026-05-13
Windows Defender ASR Registry Modification	Windows Event Log Defender 5007	T1112	Hunting	Windows Attack Surface Reduction	2026-05-13
Windows Chrome Extension Allowed Registry Modification	Sysmon EventID 13	T1185	Anomaly	Browser Hijacking	2026-05-13
Windows Developer-Signed MSIX Package Installation	Windows Event Log AppXDeployment-Server 855	T1204.002 T1553.005	Anomaly	MSIX Package Abuse	2026-05-13
Get-DomainTrust with PowerShell Script Block	Powershell Script Block Logging 4104	T1482	TTP	Active Directory Discovery	2026-05-13
Linux Deletion of SSL Certificate	Sysmon for Linux EventID 11	T1070.004 T1485	Anomaly	AcidRain, AcidPour	2026-05-13
Windows Get-AdComputer Unconstrained Delegation Discovery	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Kerberos Attacks, Medusa Ransomware	2026-05-13
Windows SnappyBee Create Test Registry	Sysmon EventID 13	T1112	TTP	Salt Typhoon, China-Nexus Threat Activity, SnappyBee	2026-05-13
Kerberos Pre-Authentication Flag Disabled in UserAccountControl	Windows Event Log Security 4738	T1558.004	TTP	Active Directory Kerberos Attacks, BlackSuit Ransomware	2026-05-13
Windows LSA Secrets NoLMhash Registry	Sysmon EventID 13	T1003.004	TTP	CISA AA23-347A, Scattered Lapsus$ Hunters	2026-05-13
MacOS LOLbin	Osquery Results	T1059.004	TTP	Living Off The Land, Axios Supply Chain Post Compromise, Hellcat Ransomware	2026-05-13
Suspicious Kerberos Service Ticket Request	Windows Event Log Security 4769	T1078.002	TTP	Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation	2026-05-13
Get ADUser with PowerShell Script Block	Powershell Script Block Logging 4104	T1087.002	Hunting	CISA AA23-347A, Active Directory Discovery	2026-05-13
Linux Emacs Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux Auditd Auditd Service Stop	Linux Auditd Service Stop	T1489	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Suspicious Regsvr32 Register Suspicious Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	TTP	Living Off The Land, Qakbot, Salt Typhoon, Suspicious Regsvr32 Activity, Derusbi, IcedID, China-Nexus Threat Activity	2026-05-13
Windows New InProcServer32 Added	Sysmon EventID 13	T1112	Hunting	Outlook RCE CVE-2024-21378, Hellcat Ransomware	2026-05-13
Windows Credentials from Password Stores Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555	Anomaly	NetSupport RMM Tool Abuse, Prestige Ransomware, Windows Post-Exploitation, DarkGate Malware	2026-05-13
Windows AD Dangerous Group ACL Modification	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows UAC Bypass Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002	TTP	Living Off The Land, Castle RAT, Windows Defense Evasion Tactics	2026-05-13
Detect Path Interception By Creation Of program exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.009	TTP	Scattered Lapsus$ Hunters, Windows Persistence Techniques	2026-05-13
Get ADDefaultDomainPasswordPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	Hunting	Active Directory Discovery	2026-05-13
Windows Execute Arbitrary Commands with MSDT	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218	TTP	Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host	2026-05-13
Detect Credential Dumping through LSASS access	Sysmon EventID 10	T1003.001	TTP	Lokibot, BlackSuit Ransomware, Credential Dumping, Detect Zerologon Attack, CISA AA23-347A, Scattered Lapsus$ Hunters	2026-05-13
Linux Auditd Setuid Using Setcap Utility	Linux Auditd Execve	T1548.001	TTP	Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows RDP Server Registry Entry Created	Sysmon EventID 13	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows Remote Create Service	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003	Anomaly	BlackSuit Ransomware, CISA AA23-347A, Active Directory Lateral Movement	2026-05-13
Windows Guest Account Enabled Via Net.EXE	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1078.001	Anomaly	Windows Persistence Techniques	2026-05-13
File Download or Read to Pipe Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	T1105	TTP	Compromised Windows Host, NPM Supply Chain Compromise, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228	2026-05-13
Windows Known Abused DLL Loaded Suspiciously	Sysmon EventID 7	T1574.001	TTP	Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics	2026-05-13
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos	Windows Event Log Security 4768	T1110.003	Anomaly	Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon	2026-05-13
Windows LAPS Password Gathering Via PowerShell Script	Powershell Script Block Logging 4104	T1003 T1552	Anomaly	Credential Dumping, Active Directory Privilege Escalation	2026-05-13
Windows Access Token Winlogon Duplicate Handle In Uncommon Path	Sysmon EventID 10	T1134.001	Anomaly	Brute Ratel C4, PathWiper	2026-05-13
Linux Make Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux Auditd Database File And Directory Discovery	Linux Auditd Execve	T1083	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows PowerView AD Access Control List Enumeration	Powershell Script Block Logging 4104	T1069 T1078.002	TTP	Rhysida Ransomware, Active Directory Privilege Escalation, Active Directory Discovery	2026-05-13
Windows RDP Client Launched with Admin Session	Sysmon EventID 1	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Impacket Lateral Movement smbexec CommandLine Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.002 T1021.003 T1047 T1543.003	TTP	Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement	2026-05-13
Windows Findstr GPP Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1552.006	TTP	Active Directory Privilege Escalation	2026-05-13
Detect Baron Samedit CVE-2021-3156 via OSQuery		T1068	TTP	Baron Samedit CVE-2021-3156	2026-05-13
Windows AD Same Domain SID History Addition	Windows Event Log Security 4738, Windows Event Log Security 4742	T1134.005	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host, Windows Persistence Techniques	2026-05-13
Recon AVProduct Through Pwh or WMI	Powershell Script Block Logging 4104	T1592	TTP	Prestige Ransomware, Windows Post-Exploitation, Ransomware, XWorm, Hermetic Wiper, MoonPeak, Qakbot, Quasar RAT, Data Destruction, Malicious PowerShell	2026-05-13
Windows Privileged Group Modification	Windows Event Log Security 4744, Windows Event Log Security 4790, Windows Event Log Security 4731, Windows Event Log Security 4727, Windows Event Log Security 4754, Windows Event Log Security 4759, Windows Event Log Security 4749, Windows Event Log Security 4756, Windows Event Log Security 4783	T1136.001 T1136.002	TTP	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, Scattered Lapsus$ Hunters	2026-05-13
Process Execution via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Suspicious WMI Use	2026-05-13
Windows System User Privilege Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	CISA AA23-347A	2026-05-13
Windows SubInAcl Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering	2026-05-13
Windows File Share Discovery With Powerview	Powershell Script Block Logging 4104	T1135	TTP	Active Directory Privilege Escalation, Active Directory Discovery	2026-05-13
Linux Auditd Possible Access Or Modification Of Sshd Config File	Linux Auditd Cwd, Linux Auditd Path	T1098.004	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Change File Association Command To Notepad	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.001	TTP	Prestige Ransomware, Compromised Windows Host	2026-05-13
PetitPotam Suspicious Kerberos TGT Request	Windows Event Log Security 4768	T1003	TTP	PetitPotam NTLM Relay on Active Directory Certificate Services, Active Directory Kerberos Attacks	2026-05-13
Windows MSExchange Management Mailbox Cmdlet Usage		T1059.001	Anomaly	ProxyNotShell, BlackByte Ransomware, Scattered Spider, ProxyShell	2026-05-13
Windows Linked Policies In ADSI Discovery	Powershell Script Block Logging 4104	T1087.002	Anomaly	Industroyer2, Data Destruction, Active Directory Discovery	2026-05-13
Windows Impair Defense Disable Win Defender Compute File Hashes	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Impair Defense Change Win Defender Quick Scan Interval	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Multiple Accounts Deleted	Windows Event Log Security 4726	T1078 T1098	TTP	Azure Active Directory Persistence	2026-05-13
Rubeus Command Line Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1550.003 T1558.003 T1558.004	TTP	BlackSuit Ransomware, Active Directory Privilege Escalation, Active Directory Kerberos Attacks, CISA AA23-347A, Scattered Lapsus$ Hunters, ZOVWiper	2026-05-13
Disabling Defender Services	Sysmon EventID 13	T1685	TTP	IcedID, Windows Registry Abuse, RedLine Stealer	2026-05-13
Windows Time Based Evasion	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1497.003	TTP	NjRAT, BlankGrabber Stealer	2026-05-13
MacOS plutil	Osquery Results	T1647	TTP	Living Off The Land	2026-05-13
Windows System Binary Proxy Execution Compiled HTML File Decompile	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.001	TTP	Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity	2026-05-13
Windows PowerSploit GPP Discovery	Powershell Script Block Logging 4104	T1552.006	TTP	Active Directory Privilege Escalation	2026-05-13
Cisco NVM - Suspicious Network Connection From Process With No Args	Cisco Network Visibility Module Flow Data	T1055 T1218	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
Windows Service Deletion In Registry	Sysmon EventID 13	T1489	Anomaly	Crypto Stealer, Brute Ratel C4, PlugX	2026-05-13
Windows Input Capture Using Credential UI Dll	Sysmon EventID 7	T1056.002	Hunting	APT37 Rustonotto and FadeStealer, Brute Ratel C4	2026-05-13
Get-ForestTrust with PowerShell Script Block	Powershell Script Block Logging 4104	T1059.001 T1482	TTP	Active Directory Discovery	2026-05-13
Windows Wmic Systeminfo Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	Lotus Blossom Chrysalis Backdoor, LAMEHUG, BlankGrabber Stealer	2026-05-13
Linux Find Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Chromium Process with Disabled Extensions	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	Anomaly	Browser Hijacking	2026-05-13
Windows System Discovery Using ldap Nslookup	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Anomaly	Qakbot	2026-05-13
Windows Modify Registry ProxyServer	Sysmon EventID 13	T1112	Anomaly	DarkGate Malware	2026-05-13
Linux Disable Services	Sysmon for Linux EventID 1	T1489	TTP	AwfulShred, Data Destruction, Industroyer2	2026-05-13
Windows IIS Components Add New Module	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505.004	Anomaly	GhostRedirector IIS Module and Rungan Backdoor, IIS Components	2026-05-13
Unusually Long Command Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	N/A	Anomaly	Ransomware, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Unusual Processes, Suspicious Command-Line Executions	2026-05-13
Windows .Key File Creation in Root Directory	Sysmon EventID 11	T1486	Anomaly	Ransomware	2026-05-13
Create or delete windows shares using net exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070.005	TTP	Prestige Ransomware, Windows Post-Exploitation, Hidden Cobra Malware, DarkGate Malware, CISA AA22-277A	2026-05-13
Windows Registry Delete Task SD	Sysmon EventID 12	T1053.005 T1685	Anomaly	Scheduled Tasks, Windows Registry Abuse, Windows Persistence Techniques	2026-05-13
Excessive number of taskhost processes	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Anomaly	Meterpreter	2026-05-13
Conti Common Exec parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	TTP	Compromised Windows Host, Ransomware, Hellcat Ransomware	2026-05-13
Windows Bluetooth Service Installed From Uncommon Location	Windows Event Log System 7045	T1036 T1543.003	Anomaly	Lotus Blossom Chrysalis Backdoor	2026-05-13
Get-DomainTrust with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Active Directory Discovery	2026-05-13
Disable Registry Tool	Sysmon EventID 13	T1112 T1685	TTP	NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Impacket Lateral Movement WMIExec Commandline Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.002 T1021.003 T1047 T1543.003	TTP	Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, Gozi Malware, CISA AA22-277A, Storm-0501 Ransomware, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement	2026-05-13
Windows Outlook LoadMacroProviderOnBoot Persistence	Sysmon EventID 13	T1112 T1137	TTP	Windows Registry Abuse, NotDoor Malware	2026-05-13
Linux Shred Overwrite Command	Sysmon for Linux EventID 1	T1485	TTP	AwfulShred, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation, Data Destruction	2026-05-13
Windows Impair Defense Disable Win Defender Network Protection	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, BlankGrabber Stealer, Scattered Lapsus$ Hunters	2026-05-13
Detect Copy of ShadowCopy with Script Block Logging	Powershell Script Block Logging 4104	T1003.002	TTP	Credential Dumping, VanHelsing Ransomware	2026-05-13
Process Deleting Its Process File Path	Sysmon EventID 1	T1070	TTP	WhisperGate, Data Destruction, Clop Ransomware, Remcos	2026-05-13
Schtasks used for forcing a reboot	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Scheduled Tasks, Ransomware, Windows Persistence Techniques	2026-05-13
Windows Exfiltration Over C2 Via Powershell UploadString	Powershell Script Block Logging 4104	T1041	TTP	Winter Vivern, APT37 Rustonotto and FadeStealer	2026-05-13
Windows PowerShell Script Block With Malicious String	Powershell Script Block Logging 4104	T1059.001	TTP	Malicious PowerShell	2026-05-13
Crowdstrike Admin Weak Password Policy		T1110	TTP	Compromised Windows Host	2026-05-13
Windows Outlook Macro Security Modified	Sysmon EventID 13	T1008 T1137	TTP	Windows Registry Abuse, NotDoor Malware	2026-05-13
Windows Routing and Remote Access Service Registry Key Change	Sysmon EventID 13	T1112	Anomaly	Gh0st RAT	2026-05-13
Windows Compatibility Telemetry Tampering Through Registry	Sysmon EventID 13	T1053.005 T1546	TTP	Windows Persistence Techniques	2026-05-13
Windows Steal Authentication Certificates Export PfxCertificate	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649	Anomaly	Windows Certificate Services	2026-05-13
Windows Remote Services Allow Rdp In Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion, Azorult	2026-05-13
Rundll32 Create Remote Thread To A Process	Sysmon EventID 8	T1055	TTP	Living Off The Land, IcedID	2026-05-13
Windows Find Domain Organizational Units with GetDomainOU	Powershell Script Block Logging 4104	T1087.002	TTP	Active Directory Discovery	2026-05-13
Windows Steal Authentication Certificates - ESC1 Authentication	Windows Event Log Security 4768, Windows Event Log Security 4887	T1550 T1649	TTP	Windows Certificate Services, Compromised Windows Host	2026-05-13
Windows Anonymous Pipe Activity	Sysmon EventID 17, Sysmon EventID 18	T1559	Hunting	Interlock Rat, Castle RAT, Salt Typhoon, China-Nexus Threat Activity, SnappyBee	2026-05-13
Linux Auditd Change File Owner To Root	Linux Auditd Proctitle	T1222.002	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Unusual NTLM Authentication Users By Destination	NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006	T1110.003	Anomaly	Active Directory Password Spraying	2026-05-13
Windows Find Interesting ACL with FindInterestingDomainAcl	Powershell Script Block Logging 4104	T1087.002	TTP	Active Directory Discovery	2026-05-13
Windows Cached Domain Credentials Reg Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.005	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Linux Auditd Sudo Or Su Execution	Linux Auditd Proctitle	T1548.003	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Exchange PowerShell Abuse via SSRF		T1133 T1190	TTP	ProxyNotShell, BlackByte Ransomware, ProxyShell, Seashell Blizzard	2026-05-13
Windows Unusual Count Of Users Failed To Authenticate From Process	Windows Event Log Security 4625	T1110.003	Anomaly	Active Directory Password Spraying, Insider Threat, Volt Typhoon	2026-05-13
Detect Prohibited Applications Spawning cmd exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	Hunting	Suspicious MSHTA Activity, Suspicious Zoom Child Processes, NOBELIUM Group, Suspicious Command-Line Executions	2026-05-13
Windows Ldifde Directory Object Behavior	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002 T1105	TTP	Volt Typhoon	2026-05-13
Remote Process Instantiation via DCOM and PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.003	TTP	Compromised Windows Host, Active Directory Lateral Movement	2026-05-13
Windows Process Executed From Removable Media	Sysmon EventID 1, Sysmon EventID 13	T1025 T1091 T1200	Anomaly	Data Protection, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Phishing Recent ISO Exec Registry	Sysmon EventID 13	T1566.001	Hunting	Remcos, Brute Ratel C4, Warzone RAT, Gozi Malware, Qakbot, AgentTesla, Azorult, IcedID	2026-05-13
MacOS LoginHook Persistence	Osquery Results	T1037.002	TTP	MacOS Post-Exploitation	2026-05-13
Disabling FolderOptions Windows Feature	Sysmon EventID 13	T1685	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2026-05-13
Windows Rundll32 Load DLL in Temp Dir	Sysmon EventID 1	T1218.011	Anomaly	Interlock Rat	2026-05-13
Linux Impair Defenses Process Kill	Sysmon for Linux EventID 1	T1685	Hunting	Scattered Lapsus$ Hunters, AwfulShred, Data Destruction	2026-05-13
Remote System Discovery with Adsisearcher	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2026-05-13
Linux Change File Owner To Root	Sysmon for Linux EventID 1	T1222.002	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux pkexec Privilege Escalation	Sysmon for Linux EventID 1	T1068	TTP	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Network Connection From Program In Suspect Location	Sysmon EventID 3	T1011	Anomaly	Compromised Windows Host	2026-05-13
Windows Powershell Import Applocker Policy	Powershell Script Block Logging 4104	T1059.001 T1685	TTP	Azorult	2026-05-13
Detect mshta renamed	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	Hunting	Suspicious MSHTA Activity, Living Off The Land, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Service Create Kernel Mode Driver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068 T1543.003	TTP	Windows Drivers, CISA AA22-320A	2026-05-13
Windows Remote Image Load	Sysmon EventID 7	T1059 T1068 T1129 T1203	Anomaly	BlackByte Ransomware, Ransomware, LockBit Ransomware	2026-05-13
Windows SQL Server Configuration Option Hunt	Windows Event Log Application 15457	T1505.001	Hunting	SQL Server Abuse	2026-05-13
Remote System Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	Active Directory Discovery	2026-05-13
Windows Suspicious Named Pipe	Sysmon EventID 17, Sysmon EventID 18	T1021.002 T1055 T1559	TTP	DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Brute Ratel C4, Cobalt Strike, Remote Monitoring and Management Software, BlackByte Ransomware, Gozi Malware, LockBit Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware, Trickbot, Tuoni, Meterpreter	2026-05-13
Remote System Discovery with Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Anomaly	LAMEHUG, Active Directory Discovery	2026-05-13
Linux Auditd Insert Kernel Module Using Insmod Utility	Linux Auditd Syscall	T1547.006	Anomaly	Linux Rootkit, Linux Persistence Techniques, XorDDos, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Mmc LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.003 T1218.014	TTP	Living Off The Land, XML Runner Loader, Water Gamayun, Active Directory Lateral Movement	2026-05-13
Potential Telegram API Request Via CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1041 T1102.002	Anomaly	XMRig, Water Gamayun, 0bj3ctivity Stealer, BlankGrabber Stealer, Hellcat Ransomware	2026-05-13
Wbemprox COM Object Execution	Sysmon EventID 7	T1218.003	TTP	Revil Ransomware, Ransomware, LockBit Ransomware	2026-05-13
Linux Common Process For Elevation Control	Sysmon for Linux EventID 1	T1548.001	Hunting	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Axios Supply Chain Post Compromise	2026-05-13
Windows Indirect Command Execution Via pcalua	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1202	TTP	Living Off The Land	2026-05-13
Detect Computer Changed with Anonymous Account	Windows Event Log Security 4742	T1210	Hunting	Detect Zerologon Attack	2026-05-13
Windows SharePoint Spinstall0 Webshell File Creation	Sysmon EventID 11	T1190 T1505.003	TTP	Microsoft SharePoint Vulnerabilities	2026-05-13
Disable Schedule Task	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Living Off The Land, IcedID	2026-05-13
Linux Auditd Copy Fail Privilege Escalation	Linux Auditd Syscall	T1068	TTP	Linux Privilege Escalation	2026-05-13
Linux Indicator Removal Service File Deletion	Sysmon for Linux EventID 1	T1070.004	Anomaly	AwfulShred, Data Destruction	2026-05-13
GetWmiObject Ds Group with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	Anomaly	Active Directory Discovery	2026-05-13
RunDLL Loading DLL By Ordinal	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Living Off The Land, IcedID, Suspicious Rundll32 Activity, Unusual Processes	2026-05-13
Windows Credential Dumping LSASS Memory Createdump	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.001	TTP	Credential Dumping, Compromised Windows Host, Scattered Lapsus$ Hunters	2026-05-13
Windows Powershell Cryptography Namespace	Powershell Script Block Logging 4104	T1059.001	Anomaly	XWorm, AsyncRAT, VIP Keylogger	2026-05-13
Suspicious WAV file in Appdata Folder	Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688	T1113	TTP	Remcos	2026-05-13
Randomly Generated Scheduled Task Name	Windows Event Log Security 4698	T1053.005	Hunting	CISA AA22-257A, Scheduled Tasks, 0bj3ctivity Stealer, Active Directory Lateral Movement	2026-05-13
Linux Sudoers Tmp File Creation	Sysmon for Linux EventID 11	T1548.003	Anomaly	Linux Persistence Techniques, Salt Typhoon, China-Nexus Threat Activity, Linux Privilege Escalation	2026-05-13
WinRAR Spawning Shell Application	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831	2026-05-13
Windows Query Registry UnInstall Program List	Windows Event Log Security 4663	T1012	Anomaly	StealC Stealer, RedLine Stealer, Meduza Stealer	2026-05-13
Suspicious writes to windows Recycle Bin	Sysmon EventID 1, Sysmon EventID 11	T1036	TTP	PlugX, Collection and Staging	2026-05-13
Delete ShadowCopy With PowerShell	Powershell Script Block Logging 4104	T1490	TTP	DarkSide Ransomware, Revil Ransomware, Cactus Ransomware, Ransomware, VanHelsing Ransomware, DarkGate Malware	2026-05-13
Linux Adding Crontab Using List Parameter	Sysmon for Linux EventID 1	T1053.003	Hunting	Scheduled Tasks, Industroyer2, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Cisco Isovalent Suspicious Activity, Gomir	2026-05-13
Windows Modify Registry Qakbot Binary Data Registry	Sysmon EventID 1, Sysmon EventID 13	T1112	Anomaly	Qakbot	2026-05-13
Windows Get-Variable.EXE Execution from WindowsApps Folder	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.008	Anomaly	Windows Persistence Techniques	2026-05-13
PowerShell WebRequest Using Memory Stream	Powershell Script Block Logging 4104	T1027.011 T1059.001 T1105	TTP	MoonPeak, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Medusa Ransomware	2026-05-13
Windows Scheduled Task Created in a Group Policy Object	Windows Event Log Security 5145	T1053.005 T1484.001	TTP	Living Off The Land, Scheduled Tasks, Windows Persistence Techniques	2026-05-13
Windows Mshta Execution In Registry	Sysmon EventID 13	T1218.005	TTP	Suspicious Windows Registry Activities, Windows Persistence Techniques	2026-05-13
Windows Apache Benchmark Binary	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Anomaly	MetaSploit	2026-05-13
Windows Registry Entries Restored Via Reg	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1012	Hunting	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows WinRAR Launched Outside Default Installation Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	Anomaly	BlankGrabber Stealer	2026-05-13
Windows AdFind Exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	BlackSuit Ransomware, Graceful Wipe Out Attack, NOBELIUM Group, IcedID, Domain Trust Discovery	2026-05-13
Ntdsutil Export NTDS	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	Living Off The Land, Prestige Ransomware, Volt Typhoon, Credential Dumping, HAFNIUM Group, Rhysida Ransomware, NetSupport RMM Tool Abuse	2026-05-13
Download Files Using Telegram	Sysmon EventID 15	T1105	TTP	Crypto Stealer, XMRig, Water Gamayun, 0bj3ctivity Stealer, Snake Keylogger, Phemedrone Stealer	2026-05-13
LLM Model File Creation	Sysmon EventID 11	T1543	Hunting	Suspicious Local LLM Frameworks	2026-05-13
Windows Get Local Admin with FindLocalAdminAccess	Powershell Script Block Logging 4104	T1087.002	TTP	Active Directory Discovery	2026-05-13
Linux Suspicious React or Next.js Child Process	Sysmon for Linux EventID 1	T1059.004 T1190	TTP	React2Shell	2026-05-13
Windows Process Injection into Notepad	Sysmon EventID 10	T1055.002	Anomaly	APT37 Rustonotto and FadeStealer, Earth Alux, BishopFox Sliver Adversary Emulation Framework	2026-05-13
Disabling ControlPanel	Sysmon EventID 13	T1112 T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Modify Registry AuthenticationLevelOverride	Sysmon EventID 13	T1112	Anomaly	DarkGate Malware	2026-05-13
Windows Network Connection Discovery Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Hunting	Prestige Ransomware, Azorult, Windows Post-Exploitation, Active Directory Discovery	2026-05-13
Windows Files and Dirs Access Rights Modification Via Icacls	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	Anomaly	Amadey, Defense Evasion or Unauthorized Access Via SDDL Tampering	2026-05-13
Powershell Fileless Process Injection via GetProcAddress	Powershell Script Block Logging 4104	T1055 T1059.001	TTP	Hermetic Wiper, Malicious PowerShell, Data Destruction, Hellcat Ransomware	2026-05-13
Schtasks Run Task On Demand	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053	Anomaly	Scheduled Tasks, Medusa Ransomware, Industroyer2, CISA AA22-257A, XMRig, Qakbot, Data Destruction	2026-05-13
Linux Deletion Of Init Daemon Script	Sysmon for Linux EventID 11	T1070.004 T1485	TTP	AcidRain, Data Destruction, AcidPour	2026-05-13
Windows Unsigned DLL Side-Loading In Same Process Path	Sysmon EventID 7	T1574.001	TTP	Malicious Inno Setup Loader, Lokibot, NailaoLocker Ransomware, XWorm, PlugX, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, DarkGate Malware, Derusbi, China-Nexus Threat Activity, SnappyBee	2026-05-13
Shim Database File Creation	Sysmon EventID 11	T1546.011	TTP	Windows Persistence Techniques	2026-05-13
Windows Security And Backup Services Stop	Windows Event Log System 7036	T1490	TTP	Compromised Windows Host, Ransomware, Scattered Lapsus$ Hunters, LockBit Ransomware, Hellcat Ransomware, BlackMatter Ransomware, Termite Ransomware	2026-05-13
Windows Mark Of The Web Bypass	Sysmon EventID 23	T1553.005	TTP	Quasar RAT, Warzone RAT	2026-05-13
Windows Potential AppDomainManager Hijack Artifacts Creation	Sysmon EventID 11	T1574.014	Anomaly	SesameOp	2026-05-13
Linux Puppet Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux Auditd Setuid Using Chmod Utility	Linux Auditd Proctitle	T1548.001	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Domain Group Discovery With Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	Anomaly	LAMEHUG, Active Directory Discovery	2026-05-13
Linux Possible Access To Sudoers File	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Persistence Techniques, Salt Typhoon, China-Nexus Threat Activity, Linux Privilege Escalation	2026-05-13
GetDomainController with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Hunting	Active Directory Discovery	2026-05-13
Windows Service Initiation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003	TTP	CISA AA23-347A, Active Directory Lateral Movement	2026-05-13
Domain Account Discovery with Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002	TTP	Interlock Ransomware, Active Directory Discovery	2026-05-13
Windows Unsecured Outlook Credentials Access In Registry	Windows Event Log Security 4663	T1552	Anomaly	Lokibot, VIP Keylogger, 0bj3ctivity Stealer, StealC Stealer, Meduza Stealer, Snake Keylogger	2026-05-13
Suspicious Rundll32 no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Cobalt Strike, BlackByte Ransomware, Suspicious Rundll32 Activity, Graceful Wipe Out Attack, Hellcat Ransomware, PrintNightmare CVE-2021-34527	2026-05-13
Windows RDP Login Session Was Established	Windows Event Log Security 4624	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters	2026-05-13
Detect Regsvcs with Network Connection	Sysmon EventID 3	T1218.009	TTP	Suspicious Regsvcs Regasm Activity, Living Off The Land, Hellcat Ransomware	2026-05-13
Allow Inbound Traffic By Firewall Rule Registry	Sysmon EventID 13	T1021.001	TTP	Windows Registry Abuse, Medusa Ransomware, PlugX, NjRAT, Azorult, Prohibited Traffic Allowed or Protocol Mismatch	2026-05-13
Windows Disable Memory Crash Dump	Sysmon EventID 13	T1485	TTP	Hermetic Wiper, Data Destruction, Windows Registry Abuse, Ransomware	2026-05-13
Time Provider Persistence Registry	Sysmon EventID 13	T1547.003	TTP	Windows Registry Abuse, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation	2026-05-13
Domain Group Discovery with Adsisearcher	Powershell Script Block Logging 4104	T1069.002	TTP	Scattered Lapsus$ Hunters, Active Directory Discovery	2026-05-13
Windows Svchost.exe Parent Process Anomaly	Sysmon EventID 1, Windows Event Log Security 4688	T1036.009	Anomaly	China-Nexus Threat Activity, SnappyBee	2026-05-13
User Discovery With Env Vars PowerShell Script Block	Powershell Script Block Logging 4104	T1033	Hunting	Active Directory Discovery	2026-05-13
Windows DLL Side-Loading Process Child Of Calc	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.001	Anomaly	Qakbot, Earth Alux	2026-05-13
Windows Regsvr32 Renamed Binary	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.010	TTP	Qakbot, Compromised Windows Host	2026-05-13
PowerShell Enable PowerShell Remoting	Powershell Script Block Logging 4104	T1059.001	Anomaly	Malicious PowerShell	2026-05-13
Enable WDigest UseLogonCredential Registry	Sysmon EventID 13	T1003 T1112	TTP	Credential Dumping, Windows Registry Abuse, CISA AA22-320A	2026-05-13
Detect Renamed 7-Zip	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001	Hunting	Malicious Inno Setup Loader, Collection and Staging	2026-05-13
Jscript Execution Using Cscript App	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.007	TTP	Remcos, FIN7	2026-05-13
Windows Gdrive Binary Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1567	TTP	China-Nexus Threat Activity	2026-05-13
GetDomainComputer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	TTP	Active Directory Discovery	2026-05-13
Windows System Reboot CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1529	Hunting	XWorm, DarkCrystal RAT, NjRAT, MoonPeak, Quasar RAT, DarkGate Malware, MuddyWater, Scattered Lapsus$ Hunters	2026-05-13
Spoolsv Writing a DLL	Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688	T1547.012	TTP	Compromised Windows Host, PrintNightmare CVE-2021-34527, Black Basta Ransomware	2026-05-13
Windows Enable PowerShell Web Access	Powershell Script Block Logging 4104	T1059.001	TTP	Malicious PowerShell, CISA AA24-241A	2026-05-13
WMI Recon Running Process Or Services	Powershell Script Block Logging 4104	T1592	Anomaly	Hermetic Wiper, Data Destruction, Malicious PowerShell	2026-05-13
Suspicious Rundll32 PluginInit	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	IcedID	2026-05-13
Log4Shell CVE-2021-44228 Exploitation		T1059 T1105 T1133 T1190	Correlation	Log4Shell CVE-2021-44228, CISA AA22-320A	2026-05-13
Linux Auditd Preload Hijack Via Preload File	Linux Auditd Cwd, Linux Auditd Path	T1574.006	TTP	Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Registry Dotnet ETW Disabled Via ENV Variable	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Impair Defense Deny Security Software With Applocker	Sysmon EventID 13	T1685	TTP	Azorult, Scattered Lapsus$ Hunters	2026-05-13
Windows Sensitive Registry Hive Dump Via CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.002	TTP	DarkSide Ransomware, Compromised Windows Host, Windows Registry Abuse, Industroyer2, CISA AA22-257A, Volt Typhoon, Credential Dumping, Seashell Blizzard, CISA AA23-347A, Data Destruction	2026-05-13
Windows Enable Win32 ScheduledJob via Registry	Sysmon EventID 13	T1053.005	Anomaly	Scheduled Tasks, Active Directory Lateral Movement	2026-05-13
Windows List ENV Variables Via SET Command From Uncommon Parent	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	Anomaly	Qakbot	2026-05-13
Windows Disable LogOff Button Through Registry	Sysmon EventID 13	T1112	Anomaly	Windows Registry Abuse, Ransomware	2026-05-13
Windows WinLogon with Public Network Connection	Sysmon EventID 1, Sysmon EventID 3	T1542.003	Hunting	BlackLotus Campaign	2026-05-13
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos	Windows Event Log Security 4768	T1110.003	TTP	Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon	2026-05-13
Windows Special Privileged Logon On Multiple Hosts	Windows Event Log Security 4672	T1021.002 T1087 T1135	TTP	Compromised Windows Host, Active Directory Privilege Escalation, Active Directory Lateral Movement	2026-05-13
Windows File Download Via CertUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1105	TTP	DarkSide Ransomware, Living Off The Land, Compromised Windows Host, Ingress Tool Transfer, Forest Blizzard, Flax Typhoon, Cisco Network Visibility Module Analytics, CISA AA22-277A, ProxyNotShell	2026-05-13
Windows SQLCMD Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	Hunting	GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse	2026-05-13
Windows Time Based Evasion via Choice Exec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497.003	Anomaly	0bj3ctivity Stealer, Snake Keylogger, VIP Keylogger	2026-05-13
WBAdmin Delete System Backups	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Prestige Ransomware, Ransomware, Ryuk Ransomware, Chaos Ransomware, Storm-0501 Ransomware, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
CertUtil With Decode Argument	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1140	TTP	Living Off The Land, Forest Blizzard, Deobfuscate-Decode Files or Information, APT29 Diplomatic Deceptions with WINELOADER, GhostRedirector IIS Module and Rungan Backdoor, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Windows AD Hidden OU Creation	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows Disable Lock Workstation Feature Through Registry	Sysmon EventID 13	T1112	Anomaly	Windows Registry Abuse, Windows Defense Evasion Tactics, Ransomware	2026-05-13
Linux Possible Cronjob Modification With Editor	Sysmon for Linux EventID 1	T1053.003	Hunting	Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation	2026-05-13
Windows New Default File Association Value Set	Sysmon EventID 13	T1546.001	Hunting	Prestige Ransomware, Windows Registry Abuse, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation	2026-05-13
Windows PowerShell Export PfxCertificate	Powershell Script Block Logging 4104	T1552.004 T1649	Anomaly	Windows Certificate Services, Water Gamayun, Scattered Lapsus$ Hunters	2026-05-13
Linux Auditd Unix Shell Configuration Modification	Linux Auditd Cwd, Linux Auditd Path	T1546.004	TTP	Linux Persistence Techniques, QuietVault, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Detect HTML Help URL in Command Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1218.001	TTP	Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Cisco Network Visibility Module Analytics, Suspicious Compiled HTML Activity	2026-05-13
Windows Scheduled Task with Suspicious Name	Windows Event Log Security 4700, Windows Event Log Security 4698, Windows Event Log Security 4702	T1053.005	TTP	Scheduled Tasks, APT37 Rustonotto and FadeStealer, Ransomware, Castle RAT, 0bj3ctivity Stealer, Ryuk Ransomware, Windows Persistence Techniques	2026-05-13
Linux System Network Discovery	Osquery Results, Sysmon for Linux EventID 1	T1016	Anomaly	VoidLink Cloud-Native Linux Malware, Network Discovery, Data Destruction, Industroyer2	2026-05-13
Suspicious GPUpdate no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	BlackByte Ransomware, Hellcat Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2026-05-13
Windows AD Privileged Account SID History Addition	Windows Event Log Security 4738, Windows Event Log Security 4742	T1134.005	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Windows SpeechRuntime Suspicious Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.003	TTP	Compromised Windows Host, Active Directory Lateral Movement	2026-05-13
Crowdstrike Multiple LOW Severity Alerts		T1110	Anomaly	Compromised Windows Host	2026-05-13
Uninstall App Using MsiExec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Ransomware	2026-05-13
Windows Curl Download to Suspicious Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1105	TTP	APT37 Rustonotto and FadeStealer, Compromised Windows Host, Black Basta Ransomware, Ingress Tool Transfer, NPM Supply Chain Compromise, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, Salt Typhoon, Cisco Network Visibility Module Analytics, IcedID, China-Nexus Threat Activity	2026-05-13
Windows Impair Defense Change Win Defender Throttle Rate	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
ServicePrincipalNames Discovery with SetSPN	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1558.003	TTP	Active Directory Kerberos Attacks, Compromised Windows Host, Active Directory Privilege Escalation, Active Directory Discovery	2026-05-13
Windows Impair Defense Disable Defender Protocol Recognition	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters	2026-05-13
XMRIG Driver Loaded	Sysmon EventID 6	T1543.003	TTP	XMRig, Crypto Stealer, CISA AA22-320A	2026-05-13
Windows Wmic DiskDrive Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	LAMEHUG	2026-05-13
Cisco NVM - Non-Network Binary Making Network Connection	Cisco Network Visibility Module Flow Data	T1036 T1055	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
Windows AD Replication Request Initiated by User Account	Windows Event Log Security 4624, Windows Event Log Security 4662	T1003.006	TTP	Sneaky Active Directory Persistence Tricks, Credential Dumping, Compromised Windows Host	2026-05-13
Web or Application Server Spawning a Shell	Sysmon EventID 1, Sysmon for Linux EventID 1	T1133 T1190	TTP	WS FTP Server Critical Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Microsoft WSUS CVE-2025-59287, Log4Shell CVE-2021-44228, SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, HAFNIUM Group, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Microsoft SharePoint Vulnerabilities, CISA AA22-257A, Flax Typhoon, CISA AA22-264A, ProxyNotShell, ProxyShell, Cleo File Transfer Software, PHP-CGI RCE Attack on Japanese Organizations, BlackByte Ransomware, Data Destruction	2026-05-13
Windows Outlook WebView Registry Modification	Sysmon EventID 13	T1112	Anomaly	Suspicious Windows Registry Activities	2026-05-13
Windows AD ServicePrincipalName Added To Domain Account	Windows Event Log Security 5136	T1098	TTP	Interlock Ransomware, Sneaky Active Directory Persistence Tricks	2026-05-13
Linux Docker Shell Execution	Sysmon for Linux EventID 1	T1059.013	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Impair Defense Disable Defender Firewall And Network	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters	2026-05-13
Windows Privilege Escalation Attempt Via MSI Rollback	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	TTP	Windows Privilege Escalation	2026-05-13
MOVEit Certificate Store Access Failure		T1190	Hunting	MOVEit Transfer Authentication Bypass	2026-05-13
Windows Archive Collected Data via Powershell	Powershell Script Block Logging 4104	T1560	Anomaly	APT37 Rustonotto and FadeStealer, CISA AA23-347A	2026-05-13
Windows PowerView Constrained Delegation Discovery	Powershell Script Block Logging 4104	T1018	TTP	Rhysida Ransomware, CISA AA23-347A, Active Directory Kerberos Attacks	2026-05-13
Linux Auditd Kernel Module Using Rmmod Utility	Linux Auditd Syscall	T1547.006	TTP	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Linux Auditd Auditd Daemon Shutdown	Linux Auditd Daemon End	T1685.004	Anomaly	Compromised Linux Host	2026-05-13
Unusual Number of Kerberos Service Tickets Requested	Windows Event Log Security 4769	T1558.003	Anomaly	Active Directory Kerberos Attacks	2026-05-13
Windows Cmdline Tool Execution From Non-Shell Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.007	Anomaly	Gh0st RAT, Medusa Ransomware, Volt Typhoon, Gozi Malware, Water Gamayun, Rhysida Ransomware, Qakbot, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, DarkGate Malware, BlankGrabber Stealer, CISA AA22-277A, FIN7, Tuoni	2026-05-13
Windows Office Product Spawned Uncommon Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	Trickbot, Remcos, Compromised Windows Host, APT37 Rustonotto and FadeStealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Warzone RAT, DarkCrystal RAT, NjRAT, PlugX, AgentTesla, Azorult, Qakbot, CVE-2023-21716 Word RTF Heap Corruption, MuddyWater, IcedID, FIN7	2026-05-13
Windows Domain Admin Impersonation Indicator	Windows Event Log Security 4627	T1558	TTP	Active Directory Kerberos Attacks, Gozi Malware, Compromised Windows Host, Active Directory Privilege Escalation	2026-05-13
Disabling Remote User Account Control	Sysmon EventID 13	T1548.002	TTP	Remcos, Windows Registry Abuse, Windows Defense Evasion Tactics, Suspicious Windows Registry Activities, AgentTesla, Azorult	2026-05-13
System Information Discovery Detection	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	TTP	Lotus Blossom Chrysalis Backdoor, Cleo File Transfer Software, BlackSuit Ransomware, LAMEHUG, Medusa Ransomware, Gozi Malware, Interlock Ransomware, SolarWinds WHD RCE Post Exploitation, Windows Discovery Techniques, BlankGrabber Stealer, NetSupport RMM Tool Abuse	2026-05-13
GetDomainGroup with PowerShell Script Block	Powershell Script Block Logging 4104	T1069.002	TTP	Active Directory Discovery	2026-05-13
Windows PowerShell Invoke-RestMethod IP Information Collection	Powershell Script Block Logging 4104	T1016 T1059.001 T1082	Anomaly	Water Gamayun	2026-05-13
Windows EFI Bootloader File Modification	Sysmon EventID 11	T1542.003	TTP	Windows BootKits	2026-05-13
Windows Identify PowerShell Web Access IIS Pool	Windows Event Log Security 4648	T1190	Hunting	CISA AA24-241A	2026-05-13
Mimikatz PassTheTicket CommandLine Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1550.003	TTP	CISA AA22-320A, Active Directory Kerberos Attacks, CISA AA23-347A, Scattered Lapsus$ Hunters, Sandworm Tools	2026-05-13
Unloading AMSI via Reflection	Powershell Script Block Logging 4104	T1059.001 T1685	TTP	Hermetic Wiper, Data Destruction, Malicious PowerShell	2026-05-13
ConnectWise ScreenConnect Path Traversal	Sysmon EventID 11	T1190	TTP	ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard	2026-05-13
Windows Chromium Browser Launched with Small Window Size	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	TTP	Browser Hijacking	2026-05-13
Windows Steal Authentication Certificates CryptoAPI	Windows Event Log CAPI2 70	T1649	Anomaly	Windows Certificate Services, Hellcat Ransomware	2026-05-13
Windows DISM Install PowerShell Web Access	Sysmon EventID 1, Windows Event Log Security 4688	T1548.002	TTP	CISA AA24-241A	2026-05-13
Rundll32 Shimcache Flush	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112	TTP	Living Off The Land, Compromised Windows Host, Unusual Processes	2026-05-13
First Time Seen Running Windows Service	Windows Event Log System 7036	T1569.002	Anomaly	Windows Service Abuse, Orangeworm Attack Group, NOBELIUM Group	2026-05-13
Kerberos User Enumeration	Windows Event Log Security 4768	T1589.002	Anomaly	Active Directory Kerberos Attacks	2026-05-13
Windows BootLoader Inventory		T1542.001	Hunting	Windows BootKits, BlackLotus Campaign	2026-05-13
Excessive Usage Of SC Service Utility	Sysmon EventID 1	T1569.002	Anomaly	Crypto Stealer, Azorult, Ransomware	2026-05-13
Rundll32 with no Command Line Arguments with Network	Sysmon EventID 1, Sysmon EventID 3	T1218.011	TTP	PrintNightmare CVE-2021-34527, Compromised Windows Host, BlackSuit Ransomware, Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Suspicious Rundll32 Activity	2026-05-13
Windows Cisco Secure Endpoint Related Service Stopped	Windows Event Log System 7036	T1490	Anomaly	Hellcat Ransomware, Security Solution Tampering, Scattered Lapsus$ Hunters	2026-05-13
Cisco NVM - Suspicious Network Connection Initiated via MsXsl	Cisco Network Visibility Module Flow Data	T1220	Anomaly	Cisco Network Visibility Module Analytics	2026-05-13
Windows AppX Deployment Package Installation Success	Windows Event Log AppXDeployment-Server 854	T1204.002	Anomaly	MSIX Package Abuse	2026-05-13
Windows New EventLog ChannelAccess Registry Value Set	Sysmon EventID 13	T1685.001	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware	2026-05-13
Windows LOLBAS Executed As Renamed File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1218.011	TTP	Masquerading - Rename System Utilities, Living Off The Land, Water Gamayun, Windows Defense Evasion Tactics	2026-05-13
Windows Export Certificate	Windows Event Log CertificateServicesClient 1007	T1552.004 T1649	Anomaly	Windows Certificate Services	2026-05-13
Windows Snake Malware File Modification Crmlog	Sysmon EventID 11	T1027	TTP	Snake Malware	2026-05-13
Windows Modify Registry UpdateServiceUrlAlternate	Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2026-05-13
Windows WPDBusEnum Registry Key Modification	Sysmon EventID 12, Sysmon EventID 13	T1025 T1091 T1200	Anomaly	Data Protection, APT37 Rustonotto and FadeStealer	2026-05-13
Windows Unusual Process Load Mozilla NSS-Mozglue Module	Sysmon EventID 7	T1218.003	Anomaly	Lokibot, VIP Keylogger, 0bj3ctivity Stealer, StealC Stealer, Quasar RAT	2026-05-13
DNS Exfiltration Using Nslookup App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1048	TTP	Compromised Windows Host, Command And Control, Suspicious DNS Traffic, Data Exfiltration, Dynamic DNS	2026-05-13
Linux Auditd Data Destruction Command	Linux Auditd Proctitle	T1485	TTP	AwfulShred, Data Destruction, Compromised Linux Host	2026-05-13
Windows System Shutdown CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1529	Anomaly	XWorm, DarkCrystal RAT, NjRAT, MoonPeak, Quasar RAT, DarkGate Malware, Scattered Lapsus$ Hunters, MuddyWater, Sandworm Tools, ZOVWiper	2026-05-13
Windows Attempt To Stop Security Service	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	Azorult, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Trickbot, Disabling Security Tools	2026-05-13
Detect HTML Help Using InfoTech Storage Handlers	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.001	TTP	Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity	2026-05-13
Excessive distinct processes from Windows Temp	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Anomaly	Meterpreter	2026-05-13
Ransomware Notes bulk creation	Sysmon EventID 11	T1486	Anomaly	DarkSide Ransomware, Medusa Ransomware, Black Basta Ransomware, Cactus Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Interlock Ransomware, Termite Ransomware, Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Hellcat Ransomware, BlackMatter Ransomware	2026-05-13
Windows AD DCShadow Privileges ACL Addition	Windows Event Log Security 5136	T1207 T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows AD GPO Disabled	Windows Event Log Security 5136	T1484.001 T1685	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials	Windows Event Log Security 4648	T1110.003	TTP	Active Directory Password Spraying, Insider Threat, Volt Typhoon	2026-05-13
Services LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003	TTP	Living Off The Land, Qakbot, CISA AA23-347A, Hellcat Ransomware, Active Directory Lateral Movement	2026-05-13
Windows AD Replication Request Initiated from Unsanctioned Location	Windows Event Log Security 4624, Windows Event Log Security 4662	T1003.006	TTP	Sneaky Active Directory Persistence Tricks, Credential Dumping, Compromised Windows Host	2026-05-13
Windows AD Short Lived Domain Controller SPN Attribute	Windows Event Log Security 4624, Windows Event Log Security 5136	T1207	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Windows Defacement Modify Transcodedwallpaper File	Sysmon EventID 1, Sysmon EventID 11	T1491	Anomaly	Brute Ratel C4	2026-05-13
Linux Auditd Install Kernel Module Using Modprobe Utility	Linux Auditd Syscall	T1547.006	Anomaly	Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity, Compromised Linux Host	2026-05-13
Linux AWK Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Njrat Fileless Storage via Registry	Sysmon EventID 13	T1027.011	TTP	NjRAT	2026-05-13
Windows Modify Registry Risk Behavior		T1112	Correlation	Windows Registry Abuse	2026-05-13
Linux File Created In Kernel Driver Directory	Sysmon for Linux EventID 11	T1547.006	Anomaly	Linux Persistence Techniques, Linux Rootkit, Linux Privilege Escalation	2026-05-13
Get DomainUser with PowerShell Script Block	Powershell Script Block Logging 4104	T1087.002	TTP	CISA AA23-347A, Active Directory Discovery	2026-05-13
Windows Hidden Schedule Task Settings	Windows Event Log Security 4698	T1053	TTP	Malicious Inno Setup Loader, Scheduled Tasks, Compromised Windows Host, Cactus Ransomware, Industroyer2, CISA AA22-257A, Active Directory Discovery, Data Destruction, Hellcat Ransomware	2026-05-13
Windows Binary Proxy Execution Mavinject DLL Injection	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.013	TTP	Living Off The Land	2026-05-13
Windows System LogOff Commandline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1529	Anomaly	DarkCrystal RAT, XWorm, NjRAT, Scattered Lapsus$ Hunters	2026-05-13
Windows InstallUtil Uninstall Option	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.004	TTP	Living Off The Land, Compromised Windows Host, Signed Binary Proxy Execution InstallUtil	2026-05-13
Windows EFI Volume Mount Attempt Via Mountvol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204.002 T1542 T1688	Anomaly	Compromised Windows Host	2026-05-13
Detect Certify With PowerShell Script Block Logging	Powershell Script Block Logging 4104	T1059.001 T1649	TTP	Windows Certificate Services, Malicious PowerShell	2026-05-13
Windows Non-System Account Targeting Lsass	Sysmon EventID 10	T1003.001	TTP	Lokibot, Credential Dumping, CISA AA23-347A, Scattered Lapsus$ Hunters	2026-05-13
Detect PsExec With accepteula Flag	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.002	TTP	DarkSide Ransomware, CISA AA22-320A, Medusa Ransomware, SamSam Ransomware, Cactus Ransomware, DHS Report TA18-074A, BlackByte Ransomware, Volt Typhoon, HAFNIUM Group, Seashell Blizzard, Rhysida Ransomware, VanHelsing Ransomware, DarkGate Malware, Storm-0501 Ransomware, IcedID, Sandworm Tools, Active Directory Lateral Movement	2026-05-13
Windows TeamCity Plugin Installed	Sysmon EventID 11	T1059 T1190 T1505.003	Anomaly	JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE	2026-05-13
Linux Auditd System Network Configuration Discovery	Linux Auditd Syscall	T1016	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Crowdstrike High Identity Risk Severity		T1110	TTP	Compromised Windows Host	2026-05-13
Windows Indirect Command Execution Via forfiles	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1202	TTP	Living Off The Land, Windows Post-Exploitation	2026-05-13
Windows MSIExec Unregister DLLRegisterServer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Windows System Binary Proxy Execution MSIExec	2026-05-13
Windows Hunting System Account Targeting Lsass	Sysmon EventID 10	T1003.001	Hunting	Lokibot, Credential Dumping, CISA AA23-347A, Scattered Lapsus$ Hunters	2026-05-13
Revil Registry Entry	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	Revil Ransomware, Windows Registry Abuse, Ransomware	2026-05-13
Suspicious DLLHost no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Graceful Wipe Out Attack	2026-05-13
GetAdGroup with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	Hunting	Active Directory Discovery	2026-05-13
Detect Remote Access Software Usage File	Sysmon EventID 11	T1219	Anomaly	Command And Control, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters	2026-05-13
Windows Eventlog Cleared Via Wevtutil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.005	Anomaly	Ransomware, ShrinkLocker, Rhysida Ransomware, Windows Log Manipulation, CISA AA23-347A, Clop Ransomware	2026-05-13
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI	Cisco Network Visibility Module Flow Data	T1059.005 T1218.005	Anomaly	Cisco Network Visibility Module Analytics, BlankGrabber Stealer	2026-05-13
Windows User Execution Malicious URL Shortcut File	Sysmon EventID 11	T1204.002	Anomaly	APT37 Rustonotto and FadeStealer, XWorm, NjRAT, Quasar RAT, Snake Keylogger, Chaos Ransomware	2026-05-13
Linux File Creation In Profile Directory	Sysmon for Linux EventID 11	T1546.004	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
Windows Modify Registry Utilize ProgIDs	Sysmon EventID 13	T1112	Anomaly	ValleyRAT	2026-05-13
Windows Sqlservr Spawning Shell	Sysmon EventID 1, Windows Event Log Security 4688	T1505.001	Hunting	SQL Server Abuse	2026-05-13
Windows Mustang Panda USB Tool Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1020 T1204.002 T1574.001	TTP	Compromised Windows Host	2026-05-13
Windows Event Logging Service Has Shutdown	Windows Event Log Security 1100	T1685.005	Hunting	Clop Ransomware, Windows Log Manipulation, Scattered Lapsus$ Hunters, Ransomware	2026-05-13
Linux Auditd AI CLI Permission Override Activated	Linux Auditd Proctitle	T1480	Anomaly	QuietVault	2026-05-13
Windows File Transfer Protocol In Non-Common Process Path	Sysmon EventID 3	T1071.003	Anomaly	AgentTesla, Snake Keylogger, Hellcat Ransomware	2026-05-13
GetNetTcpconnection with PowerShell Script Block	Powershell Script Block Logging 4104	T1049	Hunting	Active Directory Discovery	2026-05-13
Linux Add Files In Known Crontab Directories	Sysmon for Linux EventID 11	T1053.003	Anomaly	Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation	2026-05-13
Suspicious microsoft workflow compiler rename	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1127	Hunting	Living Off The Land, Cobalt Strike, BlackByte Ransomware, Trusted Developer Utilities Proxy Execution, Masquerading - Rename System Utilities, Graceful Wipe Out Attack	2026-05-13
Windows Credentials from Password Stores Creation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555	TTP	NetSupport RMM Tool Abuse, Compromised Windows Host, DarkGate Malware	2026-05-13
Create Remote Thread In Shell Application	Sysmon EventID 8	T1055	TTP	Qakbot, IcedID, Warzone RAT	2026-05-13
Allow Network Discovery In Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1686.001	TTP	Revil Ransomware, Medusa Ransomware, Ransomware, BlackByte Ransomware, NjRAT, Hellcat Ransomware	2026-05-13
Windows Remote Services Allow Remote Assistance	Sysmon EventID 13	T1021.001	Anomaly	Azorult	2026-05-13
Windows Unusual NTLM Authentication Destinations By Source	NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006	T1110.003	Anomaly	Active Directory Password Spraying	2026-05-13
Disabling Task Manager	Sysmon EventID 13	T1685	TTP	NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Linux GNU Awk Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux Auditd Virtual Disk File And Directory Discovery	Linux Auditd Execve	T1083	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows NorthStar C2 Agent Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204.002 T1547.001 T1608	TTP	Compromised Windows Host	2026-05-13
Potential System Network Configuration Discovery Activity	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1016	Anomaly	Unusual Processes	2026-05-13
Windows DLL Search Order Hijacking with iscsicpl	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.001	TTP	Living Off The Land, Compromised Windows Host, Windows Defense Evasion Tactics	2026-05-13
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos	Windows Event Log Security 4768	T1110.003	Anomaly	Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon	2026-05-13
Windows MSIExec Remote Download	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1218.007	Anomaly	Water Gamayun, StealC Stealer, SolarWinds WHD RCE Post Exploitation, Cisco Network Visibility Module Analytics, Windows System Binary Proxy Execution MSIExec	2026-05-13
Windows ComputerDefaults Spawning a Process	Sysmon EventID 1	T1548.002	TTP	Castle RAT, BlankGrabber Stealer	2026-05-13
Screensaver Event Trigger Execution	Sysmon EventID 13	T1546.002	TTP	Windows Registry Abuse, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation	2026-05-13
Windows Remote Host Computer Management Access	Sysmon EventID 1, Windows Event Log Security 4688	T1021.006	Anomaly	Medusa Ransomware	2026-05-13
Check Elevated CMD using whoami	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	TTP	FIN7	2026-05-13
Windows Remote Services Rdp Enable	Sysmon EventID 13	T1021.001	TTP	Windows RDP Artifacts and Defense Evasion, Azorult, BlackSuit Ransomware, Medusa Ransomware	2026-05-13
Linux Deleting Critical Directory Using RM Command	Sysmon for Linux EventID 1	T1485	TTP	AwfulShred, Data Destruction, Industroyer2	2026-05-13
Windows Security Support Provider Reg Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1547.005	Anomaly	Sneaky Active Directory Persistence Tricks, Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows Registry BootExecute Modification	Sysmon EventID 13	T1542 T1547.001	TTP	Windows BootKits	2026-05-13
Detect Regasm with Network Connection	Sysmon EventID 3	T1218.009	TTP	Suspicious Regsvcs Regasm Activity, Living Off The Land, Handala Wiper, Hellcat Ransomware, Void Manticore	2026-05-13
System Processes Run From Unexpected Locations	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003	Anomaly	Windows Error Reporting Service Elevation of Privilege Vulnerability, Ransomware, Unusual Processes, Masquerading - Rename System Utilities, Qakbot, DarkGate Malware, Suspicious Command-Line Executions	2026-05-13
Vbscript Execution Using Wscript App	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1059.005	TTP	Remcos, FIN7, AsyncRAT	2026-05-13
Windows Firewall Rule Modification	Windows Event Log Security 4947	T1686	Anomaly	Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker	2026-05-13
Windows Registry SIP Provider Modification	Sysmon EventID 13	T1553.003	TTP	Subvert Trust Controls SIP and Trust Provider Hijacking	2026-05-13
Windows Application Layer Protocol RMS Radmin Tool Namedpipe	Sysmon EventID 17, Sysmon EventID 18	T1071	TTP	Azorult	2026-05-13
Get DomainUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002	TTP	CISA AA23-347A, Active Directory Discovery	2026-05-13
Windows Modify Registry MaxConnectionPerServer	Sysmon EventID 13	T1112	Anomaly	Warzone RAT	2026-05-13
Crowdstrike User with Duplicate Password		T1110	Anomaly	Compromised Windows Host	2026-05-13
Powershell Remote Thread To Known Windows Process	Sysmon EventID 8	T1055	TTP	Trickbot	2026-05-13
Windows Registry Certificate Added	Sysmon EventID 13	T1553.004	Anomaly	Windows Drivers, Windows Registry Abuse	2026-05-13
Get ADUserResultantPasswordPolicy with Powershell Script Block	Powershell Script Block Logging 4104	T1201	TTP	CISA AA23-347A, Active Directory Discovery	2026-05-13
Linux Ruby Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Malicious InProcServer32 Modification	Sysmon EventID 12, Sysmon EventID 13	T1112 T1218.010	TTP	Remcos, Suspicious Regsvr32 Activity	2026-05-13
Detect Baron Samedit CVE-2021-3156		T1068	TTP	Baron Samedit CVE-2021-3156	2026-05-13
Windows Indicator Removal Via Rmdir	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070	Anomaly	ZOVWiper, APT37 Rustonotto and FadeStealer, DarkGate Malware	2026-05-13
Disable Logs Using WevtUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.005	TTP	Rhysida Ransomware, CISA AA23-347A, Ransomware	2026-05-13
Windows Credentials Access via VaultCli Module	Sysmon EventID 7	T1555.004	Anomaly	Hellcat Ransomware, Meduza Stealer	2026-05-13
Windows Rundll32 Execution With Log.DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574	Anomaly	Lotus Blossom Chrysalis Backdoor	2026-05-13
GitHub Workflow File Creation or Modification	Sysmon EventID 11, Sysmon for Linux EventID 11	T1195 T1554 T1574.006	Hunting	NPM Supply Chain Compromise	2026-05-13
Windows AD Domain Root ACL Modification	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows Devtunnels Image Loaded	Sysmon EventID 7	T1090	Anomaly	Reverse Network Proxy	2026-05-13
Windows Modify Registry USeWuServer	Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2026-05-13
Windows Delete or Modify System Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1686	Hunting	NjRAT, ShrinkLocker	2026-05-13
Detect Remote Access Software Usage Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1219	Anomaly	Command And Control, Ransomware, Remote Monitoring and Management Software, Cactus Ransomware, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, Interlock Ransomware, Insider Threat, GhostRedirector IIS Module and Rungan Backdoor, Storm-0501 Ransomware, Scattered Lapsus$ Hunters	2026-05-13
Windows Ngrok Reverse Proxy Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1090 T1102 T1572	Anomaly	CISA AA22-320A, Reverse Network Proxy, CISA AA24-241A	2026-05-13
Windows Unusual NTLM Authentication Destinations By User	NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006	T1110.003	Anomaly	Active Directory Password Spraying	2026-05-13
Linux Auditd File And Directory Discovery	Linux Auditd Execve	T1083	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Linux Auditd Auditd Daemon Abort	Linux Auditd Daemon Abort	T1685.004	Anomaly	Compromised Linux Host	2026-05-13
Windows Process Injection Wermgr Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	Anomaly	Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability	2026-05-13
Possible Lateral Movement PowerShell Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1021.003 T1021.006 T1047 T1053.005 T1059.001 T1218.014 T1543.003	Anomaly	Scheduled Tasks, CISA AA24-241A, Hermetic Wiper, Data Destruction, Microsoft WSUS CVE-2025-59287, Malicious PowerShell, Active Directory Lateral Movement	2026-05-13
Windows Possible Credential Dumping	Sysmon EventID 10	T1003.001	TTP	DarkSide Ransomware, CISA AA22-257A, Credential Dumping, Detect Zerologon Attack, CISA AA22-264A, CISA AA23-347A, Scattered Lapsus$ Hunters	2026-05-13
Suspicious SearchProtocolHost no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Hellcat Ransomware, Graceful Wipe Out Attack	2026-05-13
Active Setup Registry Autostart	Sysmon EventID 13	T1547.014	TTP	Hermetic Wiper, Windows Privilege Escalation, Data Destruction, Windows Persistence Techniques	2026-05-13
BCDEdit Failure Recovery Modification	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Compromised Windows Host, Ransomware, Ryuk Ransomware, Storm-2460 CLFS Zero Day Exploitation, Void Manticore	2026-05-13
Windows Registry Modification for Safe Mode Persistence	Sysmon EventID 13	T1547.001	TTP	Windows Drivers, Windows Registry Abuse, Ransomware	2026-05-13
Runas Execution in CommandLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1134.001	Hunting	Hermetic Wiper, Windows Privilege Escalation, Quasar RAT, Data Destruction	2026-05-13
Allow File And Printing Sharing In Firewall	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1686.001	TTP	BlackByte Ransomware, Hellcat Ransomware, Ransomware	2026-05-13
Suspicious MSBuild Rename	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1127.001	Hunting	Living Off The Land, Cobalt Strike, BlackByte Ransomware, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Windows PowerShell Process Implementing Manual Base64 Decoder	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1027.010 T1059.001	Anomaly	Compromised Windows Host, Deobfuscate-Decode Files or Information	2026-05-13
Detect Mimikatz With PowerShell Script Block Logging	Powershell Script Block Logging 4104	T1003 T1059.001	TTP	CISA AA22-320A, Scattered Spider, Hermetic Wiper, CISA AA22-264A, CISA AA23-347A, Hellcat Ransomware, Data Destruction, Sandworm Tools, Malicious PowerShell	2026-05-13
Windows UAC Bypass Suspicious Escalation Behavior	Sysmon EventID 1	T1548.002	TTP	Living Off The Land, Compromised Windows Host, Windows Defense Evasion Tactics	2026-05-13
Active Directory Lateral Movement Identified		T1210	Correlation	Active Directory Lateral Movement	2026-05-13
Suspicious mshta child process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	TTP	Suspicious MSHTA Activity, Living Off The Land, Lumma Stealer, MuddyWater	2026-05-13
BITS Job Persistence	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1197	TTP	Living Off The Land, BITS Jobs	2026-05-13
Disable Defender Spynet Reporting	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Qakbot, Azorult, CISA AA23-347A, IcedID	2026-05-13
Detect HTML Help Renamed	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.001	Hunting	Living Off The Land, APT37 Rustonotto and FadeStealer, Suspicious Compiled HTML Activity	2026-05-13
Linux Stdout Redirection To Dev Null File	Sysmon for Linux EventID 1	T1686	Anomaly	Cyclops Blink, Data Destruction, Industroyer2	2026-05-13
Windows Modify Registry Tamper Protection	Sysmon EventID 13	T1112	TTP	Scattered Lapsus$ Hunters, RedLine Stealer	2026-05-13
Certutil exe certificate extraction	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649	TTP	Cloud Federated Credential Abuse, Living Off The Land, Compromised Windows Host, Windows Persistence Techniques, Windows Certificate Services, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Malicious PowerShell Process - Execution Policy Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	Anomaly	APT37 Rustonotto and FadeStealer, Volt Typhoon, DHS Report TA18-074A, AsyncRAT, XWorm, DarkCrystal RAT, HAFNIUM Group, 0bj3ctivity Stealer, Salt Typhoon, BlankGrabber Stealer, MuddyWater, China-Nexus Threat Activity	2026-05-13
WMI Permanent Event Subscription - Sysmon	Sysmon EventID 21	T1546.003	TTP	Suspicious WMI Use	2026-05-13
Windows Gather Victim Host Information Camera	Powershell Script Block Logging 4104	T1592.001	Anomaly	DarkCrystal RAT	2026-05-13
Cisco NVM - Installation of Typosquatted Python Package	Cisco Network Visibility Module Flow Data	T1059	TTP	Cisco Network Visibility Module Analytics	2026-05-13
Linux Ngrok Reverse Proxy Usage	Sysmon for Linux EventID 1	T1090 T1102 T1572	Anomaly	Reverse Network Proxy	2026-05-13
GetAdGroup with PowerShell Script Block	Powershell Script Block Logging 4104	T1069.002	Hunting	Scattered Lapsus$ Hunters, Active Directory Discovery	2026-05-13
Control Loading from World Writable Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.002	TTP	Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host	2026-05-13
GetDomainController with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2026-05-13
Windows Rundll32 WebDAV Request	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1048.003	Hunting	CVE-2023-23397 Outlook Elevation of Privilege	2026-05-13
Suspicious Rundll32 dllregisterserver	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Living Off The Land, IcedID, Suspicious Rundll32 Activity	2026-05-13
Windows RunMRU Registry Key or Value Deleted	Sysmon EventID 12	T1112	Anomaly	NetSupport RMM Tool Abuse	2026-05-13
Windows Disable Shutdown Button Through Registry	Sysmon EventID 13	T1112	Anomaly	Windows Registry Abuse, Ransomware	2026-05-13
Linux System Reboot Via System Request Key	Sysmon for Linux EventID 1	T1529	TTP	AwfulShred, Data Destruction	2026-05-13
Windows Rundll32 WebDav With Network Connection	Sysmon EventID 1, Sysmon EventID 3	T1048.003	TTP	CVE-2023-23397 Outlook Elevation of Privilege	2026-05-13
MacOS Gatekeeper Bypass	Osquery Results	T1553.001	Anomaly	MacOS Privilege Escalation, MacOS Persistence Techniques, MacOS Post-Exploitation	2026-05-13
Linux Auditd Possible Access To Sudoers File	Linux Auditd Cwd, Linux Auditd Path	T1548.003	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host	2026-05-13
Detect Renamed RClone	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1020	Hunting	DarkSide Ransomware, Cactus Ransomware, Ransomware, Black Basta Ransomware	2026-05-13
Windows Steal Authentication Certificates CS Backup	Windows Event Log Security 4876	T1649	Anomaly	Windows Certificate Services	2026-05-13
Windows Executable Masquerading as Benign File Types	Sysmon EventID 29	T1036.008	Anomaly	NetSupport RMM Tool Abuse	2026-05-13
Crowdstrike Privilege Escalation For Non-Admin User		T1110	Anomaly	Compromised Windows Host	2026-05-13
Windows Suspicious Driver Loaded Path	Sysmon EventID 6	T1543.003	TTP	APT37 Rustonotto and FadeStealer, CISA AA22-320A, XMRig, BlackByte Ransomware, Interlock Ransomware, AgentTesla, Snake Keylogger	2026-05-13
Windows Schtasks Create Run As System	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Scheduled Tasks, Medusa Ransomware, Castle RAT, Qakbot, SolarWinds WHD RCE Post Exploitation, Windows Persistence Techniques	2026-05-13
Linux Auditd Data Transfer Size Limits Via Split Syscall	Linux Auditd Syscall	T1030	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Disabling Windows Local Security Authority Defences via Registry	Sysmon EventID 13	T1556	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Cisco Isovalent - Nsenter Usage in Kubernetes Pod	Cisco Isovalent Process Exec	T1543	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Windows Renamed Powershell Execution	Sysmon EventID 1	T1036.003	TTP	XWorm, Axios Supply Chain Post Compromise, Hellcat Ransomware	2026-05-13
PowerShell Invoke CIMMethod CIMSession	Powershell Script Block Logging 4104	T1047	Anomaly	Scattered Lapsus$ Hunters, Malicious PowerShell, Active Directory Lateral Movement	2026-05-13
Windows Modify Registry Suppress Win Defender Notif	Sysmon EventID 13	T1112	Anomaly	Azorult, CISA AA23-347A	2026-05-13
Suspicious Reg exe Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112	Anomaly	DHS Report TA18-074A, Windows Defense Evasion Tactics, Disabling Security Tools	2026-05-13
Wermgr Process Create Executable File	Sysmon EventID 11	T1027	TTP	Trickbot	2026-05-13
Windows Wmic Memory Chip Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	LAMEHUG	2026-05-13
Windows Process With NetExec Command Line Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1550.003 T1558.003 T1558.004	TTP	Active Directory Kerberos Attacks, Active Directory Privilege Escalation	2026-05-13
Windows Screen Capture Via Powershell	Powershell Script Block Logging 4104	T1113	TTP	Winter Vivern, APT37 Rustonotto and FadeStealer, Water Gamayun, BlankGrabber Stealer	2026-05-13
Remote WMI Command Attempt	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Living Off The Land, Volt Typhoon, Suspicious WMI Use, CISA AA23-347A, Graceful Wipe Out Attack, IcedID	2026-05-13
Windows Group Policy Object Created	Windows Event Log Security 5137, Windows Event Log Security 5136	T1078.002 T1484.001	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Windows PowerShell IIS Components WebGlobalModule Usage	Powershell Script Block Logging 4104	T1505.004	Anomaly	GhostRedirector IIS Module and Rungan Backdoor, IIS Components	2026-05-13
Windows AD Short Lived Server Object	Windows Event Log Security 5141, Windows Event Log Security 5137	T1207	TTP	Sneaky Active Directory Persistence Tricks, Compromised Windows Host	2026-05-13
Windows Admon Group Policy Object Created	Windows Active Directory Admon	T1484.001	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Detection of tools built by NirSoft	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1072	Anomaly	Emotet Malware DHS Report TA18-201A	2026-05-13
Sunburst Correlation DLL and Network Event	Sysmon EventID 7, Sysmon EventID 22	T1203	TTP	NOBELIUM Group	2026-05-13
Windows Modify Registry ProxyEnable	Sysmon EventID 13	T1112	Anomaly	DarkGate Malware	2026-05-13
Windows Multiple Account Passwords Changed	Windows Event Log Security 4724	T1078 T1098	TTP	Azure Active Directory Persistence	2026-05-13
MacOS Keychains Dumped	Osquery Results	T1555.001	TTP	MacOS Privilege Escalation	2026-05-13
Windows File and Directory Enable ReadOnly Permissions	Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	TTP	NetSupport RMM Tool Abuse, Crypto Stealer	2026-05-13
Excessive Usage Of Cacls App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	Prestige Ransomware, Windows Post-Exploitation, Crypto Stealer, XMRig, Azorult, Defense Evasion or Unauthorized Access Via SDDL Tampering	2026-05-13
Credential Dumping via Copy Command from Shadow Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	Credential Dumping, Compromised Windows Host	2026-05-13
Interactive Session on Remote Endpoint with PowerShell	Powershell Script Block Logging 4104	T1021.006	TTP	Active Directory Lateral Movement	2026-05-13
Windows MSHTA Writing to World Writable Path	Sysmon EventID 11	T1218.005	TTP	APT29 Diplomatic Deceptions with WINELOADER, XWorm, Suspicious MSHTA Activity	2026-05-13
Windows Defender ASR Rule Disabled	Windows Event Log Defender 5007	T1112	TTP	Windows Attack Surface Reduction	2026-05-13
Rundll32 Control RunDLL World Writable Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Suspicious Rundll32 Activity	2026-05-13
Windows AD Privileged Group Modification	Windows Event Log Security 4728	T1098	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Cisco NVM - Suspicious Download From File Sharing Website	Cisco Network Visibility Module Flow Data	T1197	Anomaly	APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, BlankGrabber Stealer	2026-05-13
Linux Auditd Osquery Service Stop	Linux Auditd Service Stop	T1489	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Privilege Escalation System Process Without System Parent	Sysmon EventID 1	T1068 T1134 T1548	TTP	Windows Privilege Escalation, BlackSuit Ransomware	2026-05-13
Windows EventLog Recon Activity Using Log Query Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1654	Anomaly	Windows Discovery Techniques, BlankGrabber Stealer	2026-05-13
Detect Renamed PSExec	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1569.002	Hunting	DarkSide Ransomware, CISA AA22-320A, Cactus Ransomware, Medusa Ransomware, SamSam Ransomware, BlackByte Ransomware, DHS Report TA18-074A, HAFNIUM Group, Rhysida Ransomware, Salt Typhoon, VanHelsing Ransomware, DarkGate Malware, China-Nexus Threat Activity, Sandworm Tools, Active Directory Lateral Movement	2026-05-13
WinRM Spawning a Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1190	TTP	Rhysida Ransomware, CISA AA23-347A, Unusual Processes, Microsoft WSUS CVE-2025-59287	2026-05-13
Windows Archive Collected Data via Rar	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001	Anomaly	APT37 Rustonotto and FadeStealer, Salt Typhoon, China-Nexus Threat Activity, DarkGate Malware	2026-05-13
Windows Rapid Authentication On Multiple Hosts	Windows Event Log Security 4624	T1003.002	TTP	Active Directory Privilege Escalation, Active Directory Lateral Movement	2026-05-13
SAM Database File Access Attempt	Windows Event Log Security 4663	T1003.002	Hunting	Rhysida Ransomware, Credential Dumping, Graceful Wipe Out Attack	2026-05-13
Windows Service Create RemComSvc	Windows Event Log System 7045	T1543.003	Anomaly	Active Directory Discovery	2026-05-13
Windows KrbRelayUp Service Creation	Windows Event Log System 7045	T1543.003	TTP	Local Privilege Escalation With KrbRelayUp, Compromised Windows Host	2026-05-13
Windows Process Injection In Non-Service SearchIndexer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1055	TTP	Qakbot	2026-05-13
Windows SQL Server xp_cmdshell Config Change	Windows Event Log Application 15457	T1505.001	TTP	GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse, Seashell Blizzard	2026-05-13
GetAdComputer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Hunting	Medusa Ransomware, Active Directory Discovery	2026-05-13
Windows MSIExec Spawn Discovery Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	Anomaly	Water Gamayun, Windows System Binary Proxy Execution MSIExec, Medusa Ransomware, StealC Stealer	2026-05-13
Windows Impair Defense Configure App Install Control	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Modify Registry DisableRemoteDesktopAntiAlias	Sysmon EventID 13	T1112	TTP	DarkGate Malware	2026-05-13
Remcos client registry install entry	Sysmon EventID 12, Sysmon EventID 13	T1112	TTP	Remcos, Windows Registry Abuse	2026-05-13
Resize ShadowStorage volume	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Compromised Windows Host, Medusa Ransomware, BlackByte Ransomware, VanHelsing Ransomware, Clop Ransomware	2026-05-13
Windows File and Directory Permissions Remove Inheritance	Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	Anomaly	Crypto Stealer	2026-05-13
Windows Wmic Network Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1082	Anomaly	LAMEHUG	2026-05-13
Windows DNS Gather Network Info	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1590.002	Anomaly	Sandworm Tools, Volt Typhoon	2026-05-13
Linux Auditd Clipboard Data Copy	Linux Auditd Execve	T1115	Anomaly	Linux Living Off The Land, Compromised Linux Host	2026-05-13
Windows App Layer Protocol Wermgr Connect To NamedPipe	Sysmon EventID 17, Sysmon EventID 18	T1071	Anomaly	Qakbot	2026-05-13
Permission Modification using Takeown App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	Crypto Stealer, Sandworm Tools, Ransomware, Scattered Lapsus$ Hunters	2026-05-13
Linux Indicator Removal Clear Cache	Sysmon for Linux EventID 1	T1070	TTP	AwfulShred, Data Destruction	2026-05-13
Get WMIObject Group Discovery with Script Block Logging	Powershell Script Block Logging 4104	T1069.001	Hunting	Active Directory Discovery	2026-05-13
Windows Boot or Logon Autostart Execution In Startup Folder	Sysmon EventID 11	T1547.001	Anomaly	Crypto Stealer, APT37 Rustonotto and FadeStealer, PromptFlux, XWorm, Gozi Malware, NjRAT, Interlock Ransomware, Quasar RAT, Chaos Ransomware, BlankGrabber Stealer, RedLine Stealer	2026-05-13
Linux Gem Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Office Product Spawned MSDT	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Spearphishing Attachments	2026-05-13
Linux c89 Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows BitLockerToGo Process Execution	Sysmon EventID 1, Windows Event Log Security 4688	T1218	Hunting	Lumma Stealer	2026-05-13
PowerShell Script Block With URL Chain	Powershell Script Block Logging 4104	T1059.001 T1105	TTP	Hellcat Ransomware, Malicious PowerShell	2026-05-13
Linux Insert Kernel Module Using Insmod Utility	Sysmon for Linux EventID 1	T1547.006	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, XorDDos, Linux Rootkit	2026-05-13
Windows Office Product Loaded MSHTML Module	Sysmon EventID 7	T1566.001	Anomaly	Microsoft MSHTML Remote Code Execution CVE-2021-40444, MuddyWater, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments	2026-05-13
Windows Impair Defense Change Win Defender Health Check Intervals	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows IIS Components Get-WebGlobalModule Module Query	Powershell Installed IIS Modules	T1505.004	Hunting	GhostRedirector IIS Module and Rungan Backdoor, WS FTP Server Critical Vulnerabilities, IIS Components	2026-05-13
Suspicious wevtutil Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.005	TTP	Ransomware, Scattered Spider, VoidLink Cloud-Native Linux Malware, ShrinkLocker, Rhysida Ransomware, Windows Log Manipulation, CISA AA23-347A, Storm-0501 Ransomware, Clop Ransomware, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Windows Default Cobalt Strike PowerShell Beacon	Powershell Script Block Logging 4104	T1059.001 T1204.002	TTP	Cobalt Strike	2026-05-13
Windows Impair Defense Disable Win Defender Gen reports	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Modify Registry Configure BitLocker	Sysmon EventID 13	T1112	TTP	ShrinkLocker	2026-05-13
Suspicious PlistBuddy Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.001	TTP	Silver Sparrow	2026-05-13
Windows Admin Permission Discovery	Sysmon EventID 11	T1069.001	Anomaly	NjRAT	2026-05-13
Windows Important Audit Policy Disabled	Windows Event Log Security 4719	T1685	TTP	Windows Audit Policy Tampering	2026-05-13
Windows PowerShell Get CIMInstance Remote Computer	Powershell Script Block Logging 4104	T1059.001	Anomaly	Active Directory Lateral Movement	2026-05-13
Windows Modify Registry on Smart Card Group Policy	Sysmon EventID 13	T1112	Anomaly	ShrinkLocker	2026-05-13
Linux Auditd Private Keys and Certificate Enumeration	Linux Auditd Execve	T1552.004	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Linux Auditd Service Started	Linux Auditd Proctitle	T1569.002	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows Modify Registry Disable Toast Notifications	Sysmon EventID 13	T1112	Anomaly	Azorult	2026-05-13
Detect WMI Event Subscription Persistence	Sysmon EventID 20	T1546.003	TTP	Suspicious WMI Use, Hellcat Ransomware	2026-05-13
Windows Computer Account With SPN	Windows Event Log Security 4741	T1558	TTP	Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp, Compromised Windows Host	2026-05-13
Windows Browser Process Launched with Unusual Flags	Sysmon EventID 1	T1185	Anomaly	Castle RAT	2026-05-13
Suspicious mshta spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.005	TTP	Suspicious MSHTA Activity, Living Off The Land, APT37 Rustonotto and FadeStealer	2026-05-13
Windows AI Platform DNS Query	Sysmon EventID 22	T1071.004	Anomaly	LAMEHUG, PromptFlux, SesameOp	2026-05-13
Windows Process Injection Remote Thread	Sysmon EventID 8	T1055.002	TTP	Earth Alux, Warzone RAT, Water Gamayun, Qakbot, Graceful Wipe Out Attack	2026-05-13
Linux Auditd Find Credentials From Password Managers	Linux Auditd Execve	T1555.005	TTP	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Scattered Lapsus$ Hunters, Compromised Linux Host	2026-05-13
Linux Magic SysRq Key Abuse	Linux Auditd Cwd, Linux Auditd Path	T1059.004 T1489 T1499 T1529	TTP	Compromised Linux Host	2026-05-13
Windows Unusual Count Of Users Failed To Authenticate Using NTLM	Windows Event Log Security 4776	T1110.003	Anomaly	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Disable Security Logs Using MiniNt Registry	Sysmon EventID 13	T1112	TTP	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2026-05-13
Windows Identify Protocol Handlers	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	Hunting	Living Off The Land	2026-05-13
Windows SQL Server Extended Procedure DLL Loading Hunt	Windows Event Log Application 8128	T1059.009 T1505.001	Hunting	SQL Server Abuse	2026-05-13
Windows New Deny Permission Set On Service SD Via Sc.EXE	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1564	Anomaly	Defense Evasion or Unauthorized Access Via SDDL Tampering	2026-05-13
Windows MSC EvilTwin Directory Path Manipulation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.005 T1203 T1218	TTP	Living Off The Land, Water Gamayun, Windows Defense Evasion Tactics	2026-05-13
Windows Azure Storage Utility Execution Via CLI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1567.002	Anomaly	Data Exfiltration	2026-05-13
Windows InstallUtil in Non Standard Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1218.004	TTP	Living Off The Land, Signed Binary Proxy Execution InstallUtil, Ransomware, Unusual Processes, Masquerading - Rename System Utilities, Data Destruction, WhisperGate	2026-05-13
Windows Steal Authentication Certificates - ESC1 Abuse	Windows Event Log Security 4886, Windows Event Log Security 4887	T1649	TTP	Windows Certificate Services	2026-05-13
Linux Gdrive Binary Activity	Sysmon for Linux EventID 1	T1567	TTP	China-Nexus Threat Activity	2026-05-13
Windows Process Injection Of Wermgr to Known Browser	Sysmon EventID 8	T1055.001	TTP	Qakbot	2026-05-13
Windows Detect Network Scanner Behavior	Sysmon EventID 3	T1595.001 T1595.002	Anomaly	Windows Discovery Techniques, Network Discovery	2026-05-13
Windows Execution of Microsoft MSC File In Suspicious Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.014	Anomaly	XML Runner Loader	2026-05-13
Windows RDP Server Registry Deletion	Sysmon EventID 12, Sysmon EventID 13	T1070.004	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows Modify Registry Disable RDP	Sysmon EventID 13	T1112	Anomaly	Windows RDP Artifacts and Defense Evasion, ShrinkLocker	2026-05-13
Windows Post Exploitation Risk Behavior		T1003 T1012 T1016 T1049 T1069 T1082 T1115 T1552	Correlation	Windows Post-Exploitation	2026-05-13
Windows Unusual SysWOW64 Process Run System32 Executable	Sysmon EventID 1, Windows Event Log Security 4688	T1036.009	Anomaly	Salt Typhoon, China-Nexus Threat Activity, DarkGate Malware	2026-05-13
Windows Modify Registry Auto Update Notif	Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2026-05-13
Revil Common Exec Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1204	TTP	Revil Ransomware, Ransomware	2026-05-13
Windows RDP Cache File Deletion	Sysmon EventID 23, Sysmon EventID 26	T1070.004	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Linux Iptables Firewall Modification	Sysmon for Linux EventID 1	T1686	Anomaly	Backdoor Pingpong, China-Nexus Threat Activity, Cyclops Blink, Sandworm Tools	2026-05-13
Windows Network Share Interaction Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1039 T1135	Hunting	Active Directory Privilege Escalation, Network Discovery, Active Directory Discovery	2026-05-13
Detect Regsvcs with No Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.009	TTP	Suspicious Regsvcs Regasm Activity, Living Off The Land	2026-05-13
XSL Script Execution With WMIC	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1220	TTP	FIN7, Suspicious WMI Use	2026-05-13
Windows Symlink Evaluation Change via Fsutil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222.001	Anomaly	Windows Post-Exploitation	2026-05-13
GetLocalUser with PowerShell Script Block	Powershell Script Block Logging 4104	T1059.001 T1087.001	Hunting	Malicious PowerShell, Active Directory Discovery	2026-05-13
Windows Audit Policy Disabled via Legacy Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	Anomaly	Windows Audit Policy Tampering	2026-05-13
Windows Ingress Tool Transfer Using Explorer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	Anomaly	DarkCrystal RAT	2026-05-13
Powershell Remove Windows Defender Directory	Powershell Script Block Logging 4104	T1685	TTP	WhisperGate, Data Destruction	2026-05-13
MacOS Account Created	Osquery Results	T1136	Anomaly	MacOS Persistence Techniques	2026-05-13
ServicePrincipalNames Discovery with PowerShell	Powershell Script Block Logging 4104	T1558.003	TTP	Active Directory Privilege Escalation, Active Directory Kerberos Attacks, Active Directory Discovery, Hellcat Ransomware, Malicious PowerShell	2026-05-13
Windows Multiple Accounts Disabled	Windows Event Log Security 4725	T1078 T1098	TTP	Azure Active Directory Persistence	2026-05-13
Windows Proxy Via Registry	Sysmon EventID 13	T1090.001	Anomaly	Volt Typhoon	2026-05-13
Windows BitLocker Suspicious Command Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1486 T1490	TTP	ShrinkLocker	2026-05-13
Windows RDP Connection Successful	Windows Event Log RemoteConnectionManager 1149	T1563.002	Hunting	Windows RDP Artifacts and Defense Evasion, BlackByte Ransomware, Interlock Ransomware, NetSupport RMM Tool Abuse, Active Directory Lateral Movement	2026-05-13
Windows SymbolicLink-Testing-Tools Utility Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222 T1564.004	TTP	Windows Privilege Escalation, Windows Post-Exploitation, Windows Persistence Techniques	2026-05-13
Windows Impair Defenses Disable Win Defender Auto Logging	Sysmon EventID 13	T1685	Anomaly	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2026-05-13
Windows Root Domain linked policies Discovery	Powershell Script Block Logging 4104	T1087.002	Anomaly	Industroyer2, Data Destruction, Active Directory Discovery	2026-05-13
Detect Remote Access Software Usage FileInfo	Sysmon EventID 1	T1219	Anomaly	Command And Control, Ransomware, Remote Monitoring and Management Software, Cactus Ransomware, Scattered Spider, Gozi Malware, Seashell Blizzard, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters	2026-05-13
Windows Universal Data Link File Creation	Sysmon EventID 11	T1204.002 T1566.001	Anomaly	Spearphishing Attachments	2026-05-13
Windows Indirect Command Execution Via Series Of Forfiles	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1202	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows Defender ASR Block Events	Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1121, Windows Event Log Defender 1126	T1059 T1566.001 T1566.002	Anomaly	Windows Attack Surface Reduction	2026-05-13
Allow Inbound Traffic In Firewall Rule	Powershell Script Block Logging 4104	T1021.001	TTP	NetSupport RMM Tool Abuse, Prohibited Traffic Allowed or Protocol Mismatch	2026-05-13
Kerberos TGT Request Using RC4 Encryption	Windows Event Log Security 4768	T1550	TTP	Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters	2026-05-13
Windows Privilege Escalation Suspicious Process Elevation	Sysmon EventID 1	T1068 T1134 T1548	TTP	GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, BlackSuit Ransomware	2026-05-13
Windows Command Obfuscation with Environment Variable Substrings	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1027.010	Anomaly	Malicious PowerShell	2026-05-13
Linux Data Destruction Command	Sysmon for Linux EventID 1	T1485	TTP	AwfulShred, Data Destruction	2026-05-13
Kerberoasting spn request with RC4 encryption	Windows Event Log Security 4769	T1558.003	TTP	Compromised Windows Host, Active Directory Kerberos Attacks, Hermetic Wiper, Data Destruction, Windows Privilege Escalation	2026-05-13
Windows Alternate DataStream - Base64 Content	Sysmon EventID 15	T1564.004	TTP	APT37 Rustonotto and FadeStealer, Windows Defense Evasion Tactics	2026-05-13
Windows Service Stop Win Updates	Windows Event Log System 7040	T1489	Anomaly	CISA AA23-347A, RedLine Stealer	2026-05-13
MacOS Data Chunking	Osquery Results	T1030	Anomaly	MacOS Post-Exploitation	2026-05-13
Windows Create Local Account	Windows Event Log Security 4720	T1136.001	Anomaly	Active Directory Password Spraying, Scattered Lapsus$ Hunters, GhostRedirector IIS Module and Rungan Backdoor, CISA AA24-241A	2026-05-13
Create Remote Thread into LSASS	Sysmon EventID 8	T1003.001	TTP	Lokibot, Credential Dumping, BlackSuit Ransomware	2026-05-13
Windows WBAdmin File Recovery From Backup	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490 T1565.001	Anomaly	Credential Dumping	2026-05-13
FodHelper UAC Bypass	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1112 T1548.002	TTP	ValleyRAT, Compromised Windows Host, Windows Defense Evasion Tactics, BlankGrabber Stealer, IcedID	2026-05-13
Windows PowerShell Disable HTTP Logging	Powershell Script Block Logging 4104	T1505.004 T1685.001	TTP	Windows Defense Evasion Tactics, IIS Components	2026-05-13
Windows ClipBoard Data via Get-ClipBoard	Powershell Script Block Logging 4104	T1115	Anomaly	Prestige Ransomware, Windows Post-Exploitation, BlankGrabber Stealer	2026-05-13
Windows Spearphishing Attachment Onenote Spawn Mshta	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	TTP	APT37 Rustonotto and FadeStealer, AsyncRAT, Compromised Windows Host, Spearphishing Attachments	2026-05-13
WinEvent Scheduled Task Created Within Public Path	Windows Event Log Security 4698	T1053.005	TTP	Ransomware, Castle RAT, AsyncRAT, Ryuk Ransomware, IcedID, Active Directory Lateral Movement, Scheduled Tasks, Prestige Ransomware, Medusa Ransomware, Winter Vivern, PlugX, Salt Typhoon, Windows Persistence Techniques, China-Nexus Threat Activity, Malicious Inno Setup Loader, ValleyRAT, Compromised Windows Host, Industroyer2, CISA AA22-257A, XWorm, 0bj3ctivity Stealer, CISA AA23-347A, SystemBC, APT37 Rustonotto and FadeStealer, Remcos, Quasar RAT, Data Destruction	2026-05-13
Remote Desktop Process Running On System	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001	Hunting	Active Directory Lateral Movement, Windows RDP Artifacts and Defense Evasion, Hidden Cobra Malware	2026-05-13
MacOS Kextload Usage	Osquery Results	T1543	TTP	MacOS Privilege Escalation, MacOS Persistence Techniques	2026-05-13
Windows MpCmdRun RemoveDefinitions Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	BlankGrabber Stealer	2026-05-13
Windows Scheduled Task Service Spawned Shell	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1053.005 T1059	TTP	Windows Persistence Techniques	2026-05-13
Windows Modify Registry Disable Windows Security Center Notif	Sysmon EventID 13	T1112	Anomaly	Azorult, CISA AA23-347A	2026-05-13
Windows Computer Account Requesting Kerberos Ticket	Windows Event Log Security 4768	T1558	TTP	Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp	2026-05-13
Rundll32 LockWorkStation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	Anomaly	Ransomware	2026-05-13
Anomalous usage of 7zip	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1560.001	Anomaly	Cobalt Strike, BlackSuit Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, NOBELIUM Group	2026-05-13
Get-ForestTrust with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1482	TTP	Active Directory Discovery	2026-05-13
Windows Processes Killed By Industroyer2 Malware	Sysmon EventID 5	T1489	Anomaly	Data Destruction, Industroyer2	2026-05-13
Unusual Number of Computer Service Tickets Requested	Windows Event Log Security 4769	T1078	Hunting	Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Active Directory Lateral Movement	2026-05-13
Windows Suspicious C2 Named Pipe	Sysmon EventID 17, Sysmon EventID 18	T1021.002 T1055 T1559	TTP	DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Brute Ratel C4, Cobalt Strike, Remote Monitoring and Management Software, BlackByte Ransomware, Gozi Malware, LockBit Ransomware, Storm-0501 Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware, Trickbot, Tuoni, Meterpreter	2026-05-13
Windows Process Injection With Public Source Path	Sysmon EventID 8	T1055.002	Hunting	Brute Ratel C4, Earth Alux	2026-05-13
GetAdComputer with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	Hunting	Gozi Malware, CISA AA22-320A, Medusa Ransomware, Active Directory Discovery	2026-05-13
Hunting 3CXDesktopApp Software	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1195.002	Hunting	3CX Supply Chain Attack	2026-05-13
Windows Suspicious QEMU Execution	Sysmon EventID 1	T1001 T1036 T1204.002 T1564.006	TTP	Linux Rootkit, Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Process Writing DynamicWrapperX	Sysmon EventID 11	T1059 T1559.001	Hunting	Remcos	2026-05-13
Cisco Isovalent - Kprobe Spike	Cisco Isovalent Process Kprobe	T1068	Hunting	VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity	2026-05-13
Windows Certutil Root Certificate Addition	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1587.003	TTP	Secret Blizzard	2026-05-13
Short Lived Windows Accounts	Windows Event Log System 4720, Windows Event Log System 4726	T1078.003 T1136.001	TTP	GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement	2026-05-13
Windows MSI Rollback Script Deleted By Non-Msiexec Process	Sysmon EventID 23	T1068 T1218.007	TTP	Windows Privilege Escalation	2026-05-13
Remote Process Instantiation via DCOM and PowerShell Script Block	Powershell Script Block Logging 4104	T1021.003	TTP	Active Directory Lateral Movement	2026-05-13
Add DefaultUser And Password In Registry	Sysmon EventID 12, Sysmon EventID 13	T1552.002	Anomaly	BlackMatter Ransomware	2026-05-13
Scheduled Task Initiation on Remote Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	TTP	Living Off The Land, Scheduled Tasks, Medusa Ransomware, Seashell Blizzard, Active Directory Lateral Movement	2026-05-13
Windows NirSoft AdvancedRun	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1588.002	TTP	Unusual Processes, Data Destruction, Ransomware, WhisperGate	2026-05-13
Exchange PowerShell Module Usage	Powershell Script Block Logging 4104	T1059.001	TTP	Scattered Spider, BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell	2026-05-13
Windows CAB File on Disk	Sysmon EventID 11	T1566.001	Anomaly	APT37 Rustonotto and FadeStealer, DarkGate Malware	2026-05-13
Windows PaperCut NG Spawn Shell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059 T1133 T1190	TTP	Compromised Windows Host, PaperCut MF NG Vulnerability	2026-05-13
Windows Private Keys Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1552.004	Anomaly	Prestige Ransomware, Windows Post-Exploitation	2026-05-13
Windows Phishing PDF File Executes URL Link	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1566.001	Anomaly	MuddyWater, Snake Keylogger, Spearphishing Attachments	2026-05-13
Windows Hijack Execution Flow Version Dll Side Load	Sysmon EventID 7	T1574.001	Anomaly	Brute Ratel C4, XWorm, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader	2026-05-13
PowerShell PInvoke Process Injection API Chain	Powershell Script Block Logging 4104	T1055.001 T1055.003 T1055.004 T1055.012 T1055.013 T1059.001 T1620	TTP	VIP Keylogger	2026-05-13
Loading Of Dynwrapx Module	Sysmon EventID 7	T1055.001	TTP	Remcos, AsyncRAT	2026-05-13
Windows WMI Process Call Create	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	Hunting	Cactus Ransomware, Volt Typhoon, Qakbot, CISA AA23-347A, Suspicious WMI Use, IcedID	2026-05-13
Windows ConHost with Headless Argument	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1564.003 T1564.006	TTP	Compromised Windows Host, Spearphishing Attachments	2026-05-13
Shim Database Installation With Suspicious Parameters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.011	TTP	Compromised Windows Host, Windows Persistence Techniques	2026-05-13
Windows Alternate DataStream - Executable Content	Sysmon EventID 15	T1564.004	TTP	Windows Defense Evasion Tactics	2026-05-13
PowerShell Environment Variable Execution	Powershell Script Block Logging 4104	T1059.001	Anomaly	VIP Keylogger	2026-05-13
Windows Modify Registry No Auto Reboot With Logon User	Sysmon EventID 13	T1112	Anomaly	RedLine Stealer	2026-05-13
Windows Unusual FileZilla XML Config Access	Windows Event Log Security 4663	T1552.001	Anomaly	Quasar RAT	2026-05-13
Rundll32 Process Creating Exe Dll Files	Sysmon EventID 11	T1218.011	TTP	Gh0st RAT, Living Off The Land, IcedID	2026-05-13
Overwriting Accessibility Binaries	Sysmon EventID 11	T1546.008	TTP	Hermetic Wiper, Flax Typhoon, Windows Privilege Escalation, Data Destruction	2026-05-13
Suspicious PlistBuddy Usage via OSquery	Osquery Results	T1543.001	TTP	Silver Sparrow	2026-05-13
Windows Create Local Administrator Account Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1136.001	Anomaly	Medusa Ransomware, CISA AA22-257A, DHS Report TA18-074A, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Azorult, DarkGate Malware, Scattered Lapsus$ Hunters	2026-05-13
Schedule Task with HTTP Command Arguments	Windows Event Log Security 4698	T1053	TTP	Living Off The Land, Scheduled Tasks, Compromised Windows Host, Winter Vivern, Hellcat Ransomware, Windows Persistence Techniques	2026-05-13
Windows Raw Access To Master Boot Record Drive	Sysmon EventID 9	T1561.002	TTP	Disk Wiper, BlackByte Ransomware, NjRAT, Hermetic Wiper, CISA AA22-264A, PathWiper, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Caddy Wiper, Void Manticore	2026-05-13
Ryuk Wake on LAN Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	TTP	Compromised Windows Host, Hellcat Ransomware, Ryuk Ransomware	2026-05-13
Windows IIS Components New Module Added	Windows IIS 29	T1505.004	TTP	GhostRedirector IIS Module and Rungan Backdoor, IIS Components	2026-05-13
Windows Masquerading Msdtc Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036	TTP	Compromised Windows Host, PlugX	2026-05-13
Windows Access Token Manipulation Winlogon Duplicate Token Handle	Sysmon EventID 10	T1134.001	Hunting	Brute Ratel C4	2026-05-13
Windows Modify Registry Auto Minor Updates	Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2026-05-13
Windows MOF Event Triggered Execution via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1546.003	TTP	Living Off The Land, Compromised Windows Host	2026-05-13
Windows RMM Named Pipe	Sysmon EventID 17, Sysmon EventID 18	T1021.002 T1055 T1559	Anomaly	Command And Control, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters	2026-05-13
High Frequency Copy Of Files In Network Share	Windows Event Log Security 5145	T1537	Anomaly	Insider Threat, Information Sabotage, Hellcat Ransomware	2026-05-13
Windows SoftEther VPN Masquerading as Legitimate Binary	Sysmon EventID 1	T1036 T1572	TTP	Linux Persistence Techniques, Flax Typhoon, Linux Privilege Escalation	2026-05-13
MacOS List Firewall Rules	Osquery Results	T1016	Anomaly	Network Discovery	2026-05-13
Detect AzureHound File Modifications	Sysmon EventID 11	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	Windows Discovery Techniques	2026-05-13
Windows Process Commandline Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1057	Hunting	CISA AA23-347A	2026-05-13
Bcdedit Command Back To Normal Mode Boot	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	BlackMatter Ransomware, Black Basta Ransomware	2026-05-13
GetWmiObject Ds Computer with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2026-05-13
Windows Modify Registry Default Icon Setting	Sysmon EventID 13	T1112	Anomaly	LockBit Ransomware	2026-05-13
Windows Snake Malware Registry Modification wav OpenWithProgIds	Sysmon EventID 13	T1112	TTP	Snake Malware	2026-05-13
Disabling CMD Application	Sysmon EventID 13	T1112 T1685	TTP	NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows TinyCC Shellcode Execution	Sysmon EventID 1, Windows Event Log Security 4688	T1027 T1036 T1059.003	TTP	Lotus Blossom Chrysalis Backdoor	2026-05-13
Suspicious Computer Account Name Change	Windows Event Log Security 4781	T1078.002	TTP	Compromised Windows Host, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, sAMAccountName Spoofing and Domain Controller Impersonation	2026-05-13
Windows InstallUtil Credential Theft	Sysmon EventID 7	T1218.004	TTP	Signed Binary Proxy Execution InstallUtil	2026-05-13
Windows AD Abnormal Object Access Activity	Windows Event Log Security 4662	T1087.002	Anomaly	BlackSuit Ransomware, Active Directory Discovery	2026-05-13
Linux Clipboard Data Copy	Sysmon for Linux EventID 1	T1115	Anomaly	Linux Living Off The Land	2026-05-13
Cisco Isovalent - Late Process Execution	Cisco Isovalent Process Exec	T1543	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Executables Or Script Creation In Suspicious Path	Sysmon EventID 11	T1036	Anomaly	Crypto Stealer, Brute Ratel C4, PromptLock, XMRig, Castle RAT, AsyncRAT, DynoWiper, Hermetic Wiper, MoonPeak, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Snake Keylogger, Graceful Wipe Out Attack, Derusbi, IcedID, Trickbot, RedLine Stealer, Earth Alux, Warzone RAT, Cactus Ransomware, DarkCrystal RAT, PlugX, NjRAT, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, Chaos Ransomware, LockBit Ransomware, China-Nexus Threat Activity, SnappyBee, Void Manticore, ValleyRAT, Lokibot, VIP Keylogger, Industroyer2, WinDealer RAT, Interlock Rat, NailaoLocker Ransomware, Meduza Stealer, AgentTesla, Qakbot, CISA AA23-347A, WhisperGate, Axios Supply Chain Post Compromise, SystemBC, XML Runner Loader, Remcos, Volt Typhoon, BlackByte Ransomware, Interlock Ransomware, Azorult, Quasar RAT, Swift Slicer, Data Destruction, Handala Wiper, Double Zero Destructor, AcidPour, SesameOp	2026-05-13
Schedule Task with Rundll32 Command Trigger	Windows Event Log Security 4698	T1053	TTP	Living Off The Land, Scheduled Tasks, Compromised Windows Host, Castle RAT, Windows Persistence Techniques, IcedID, Trickbot	2026-05-13
Windows AD Dangerous Deny ACL Modification	Windows Event Log Security 5136	T1222.001 T1484	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Windows USBSTOR Registry Key Modification	Sysmon EventID 12, Sysmon EventID 13	T1025 T1091 T1200	Anomaly	Data Protection, APT37 Rustonotto and FadeStealer	2026-05-13
Crowdstrike User Weak Password Policy		T1110	Anomaly	Compromised Windows Host	2026-05-13
Cisco Isovalent - Curl Execution With Insecure Flags	Cisco Isovalent Process Exec	T1105	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
Powershell COM Hijacking InprocServer32 Modification	Powershell Script Block Logging 4104	T1059.001 T1546.015	TTP	Malicious PowerShell	2026-05-13
Linux APT Privilege Escalation	Sysmon for Linux EventID 1, Cisco Isovalent Process Exec	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Modify Show Compress Color And Info Tip Registry	Sysmon EventID 13	T1112	TTP	Hermetic Wiper, Windows Registry Abuse, Windows Defense Evasion Tactics, Data Destruction	2026-05-13
Suspicious Ticket Granting Ticket Request	Windows Event Log Security 4768, Windows Event Log Security 4781	T1078.002	Hunting	Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation	2026-05-13
MS Scripting Process Loading WMI Module	Sysmon EventID 7	T1059.007	Anomaly	FIN7	2026-05-13
Monitor Registry Keys for Print Monitors	Sysmon EventID 13	T1547.010	TTP	Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques	2026-05-13
Windows System Network Connections Discovery Netsh	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1049	Anomaly	Prestige Ransomware, Windows Post-Exploitation, VIP Keylogger, Snake Keylogger, BlankGrabber Stealer	2026-05-13
Detect RClone Command-Line Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1020	TTP	DarkSide Ransomware, Ransomware, Black Basta Ransomware, Cactus Ransomware, Storm-0501 Ransomware, Hellcat Ransomware, Cisco Network Visibility Module Analytics	2026-05-13
Get DomainPolicy with Powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1201	TTP	Active Directory Discovery	2026-05-13
Suspicious Linux Discovery Commands	Sysmon for Linux EventID 1	T1059.004	TTP	Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware	2026-05-13
Windows Disable Notification Center	Sysmon EventID 13	T1112	Anomaly	CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse	2026-05-13
Windows Phishing Outlook Drop Dll In FORM Dir	Sysmon EventID 1, Sysmon EventID 11	T1566	TTP	Outlook RCE CVE-2024-21378	2026-05-13
Windows Impair Defenses Disable Auto Logger Session	Sysmon EventID 13	T1685	Anomaly	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Batch File Write to System32	Sysmon EventID 11	T1204.002	TTP	Compromised Windows Host, SamSam Ransomware	2026-05-13
Detect Use of cmd exe to Launch Script Interpreters	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	Anomaly	Emotet Malware DHS Report TA18-201A, Azorult, Suspicious Command-Line Executions	2026-05-13
Windows Deleted Registry By A Non Critical Process File Path	Sysmon EventID 1, Sysmon EventID 12	T1112	Anomaly	Double Zero Destructor, Data Destruction	2026-05-13
Linux Auditd Dd File Overwrite	Linux Auditd Proctitle	T1485	TTP	Compromised Linux Host, Data Destruction, Industroyer2	2026-05-13
CSC Net On The Fly Compilation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1027.004	Hunting	Windows Defense Evasion Tactics	2026-05-13
Process Kill Base On File Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	XMRig	2026-05-13
Windows AD Domain Controller Audit Policy Disabled	Windows Event Log Security 4719	T1685	TTP	Windows Audit Policy Tampering	2026-05-13
Get WMIObject Group Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001	Hunting	Active Directory Discovery	2026-05-13
Windows DotNet Binary in Non Standard Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036.003 T1218.004	TTP	Signed Binary Proxy Execution InstallUtil, Ransomware, Unusual Processes, Masquerading - Rename System Utilities, Data Destruction, WhisperGate	2026-05-13
Windows BitDefender Submission Wizard DLL Sideloading	Sysmon EventID 7	T1574	TTP	Lotus Blossom Chrysalis Backdoor	2026-05-13
Detect Certify Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105 T1649	TTP	Windows Certificate Services, Compromised Windows Host, Ingress Tool Transfer	2026-05-13
Windows ESX Admins Group Creation via PowerShell	Powershell Script Block Logging 4104	T1136.001 T1136.002	TTP	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	2026-05-13
Windows Hide Notification Features Through Registry	Sysmon EventID 13	T1112	Anomaly	Windows Registry Abuse, Windows Defense Evasion Tactics, Ransomware	2026-05-13
Suspicious Curl Network Connection	CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688	T1105	TTP	APT37 Rustonotto and FadeStealer, Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware	2026-05-13
Windows Metasploit Confluence Plugin Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1190 T1505.003 T1608	TTP	Confluence Data Center and Confluence Server Vulnerabilities	2026-05-13
Windows File Download Via PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1059.001 T1105	Anomaly	GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, NetSupport RMM Tool Abuse, IcedID, Ingress Tool Transfer, Winter Vivern, HAFNIUM Group, StealC Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, NPM Supply Chain Compromise, XWorm, Malicious PowerShell, APT37 Rustonotto and FadeStealer, PHP-CGI RCE Attack on Japanese Organizations, SolarWinds WHD RCE Post Exploitation, Data Destruction, Phemedrone Stealer, Tuoni	2026-05-13
Windows PuTTY Suite Utility Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.004	Anomaly	Command And Control, Active Directory Lateral Movement	2026-05-13
Windows User Deletion Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1531	Anomaly	XMRig, DarkGate Malware, Graceful Wipe Out Attack	2026-05-13
Windows Service Execution RemCom	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1569.002	TTP	Active Directory Discovery	2026-05-13
Windows Application Whitelisting Bypass Attempt via Rundll32	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Living Off The Land, Compromised Windows Host, Suspicious Rundll32 Activity	2026-05-13
Windows Excessive Disabled Services Event	Windows Event Log System 7040	T1685	TTP	Windows Defense Evasion Tactics, Compromised Windows Host, CISA AA23-347A	2026-05-13
Windows LOLBAS Executed Outside Expected Path	Sysmon EventID 1, Windows Event Log Security 4688	T1036.005 T1218.011	Anomaly	Masquerading - Rename System Utilities, Living Off The Land, Windows Defense Evasion Tactics	2026-05-13
Windows Powershell Logoff User via Quser	Powershell Script Block Logging 4104	T1059.001 T1531	Anomaly	Crypto Stealer	2026-05-13
CMD Carry Out String Command Parameter	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	Hunting	Gh0st RAT, Crypto Stealer, AsyncRAT, Hermetic Wiper, IcedID, Log4Shell CVE-2021-44228, RedLine Stealer, Warzone RAT, DarkCrystal RAT, Winter Vivern, PlugX, StealC Stealer, NjRAT, Rhysida Ransomware, DarkGate Malware, Chaos Ransomware, Malicious Inno Setup Loader, Interlock Rat, 0bj3ctivity Stealer, Qakbot, CISA AA23-347A, WhisperGate, ProxyNotShell, Living Off The Land, Azorult, Quasar RAT, Data Destruction	2026-05-13
Linux High Frequency Of File Deletion In Etc Folder	Sysmon for Linux EventID 11	T1070.004 T1485	Anomaly	AcidRain, Data Destruction	2026-05-13
Windows Powershell History File Deletion	Powershell Script Block Logging 4104	T1059.003 T1070.003	Anomaly	Medusa Ransomware	2026-05-13
Remote Process Instantiation via WinRM and PowerShell Script Block	Powershell Script Block Logging 4104	T1021.006	TTP	Active Directory Lateral Movement	2026-05-13
Linux At Allow Config File Creation	Sysmon for Linux EventID 11	T1053.003	Anomaly	Linux Persistence Techniques, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Attacker Tools On Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1003 T1036.005 T1595	TTP	Compromised Windows Host, Scattered Spider, XMRig, PHP-CGI RCE Attack on Japanese Organizations, Unusual Processes, CISA AA22-264A, Cisco Network Visibility Module Analytics, SamSam Ransomware	2026-05-13
Domain Account Discovery with Dsquery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002	Anomaly	LAMEHUG, Active Directory Discovery	2026-05-13
Windows Software Discovery Via PowerShell	Powershell Script Block Logging 4104	T1012 T1059.001 T1518	Anomaly	Windows Discovery Techniques	2026-05-13
Windows Office Product Dropped Uncommon File	Sysmon EventID 1, Sysmon EventID 11	T1566.001	Anomaly	Compromised Windows Host, Warzone RAT, PlugX, AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, FIN7	2026-05-13
Windows Account Discovery for None Disable User Account	Powershell Script Block Logging 4104	T1087.001	Hunting	CISA AA23-347A	2026-05-13
Icacls Deny Command	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1222	Anomaly	Crypto Stealer, Compromised Windows Host, XMRig, Azorult, Defense Evasion or Unauthorized Access Via SDDL Tampering, Sandworm Tools	2026-05-13
Msmpeng Application DLL Side Loading	Sysmon EventID 11	T1574.001	TTP	Revil Ransomware, Ransomware	2026-05-13
Windows Privilege Escalation User Process Spawn System Process	Sysmon EventID 1	T1068 T1134 T1548	TTP	GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, BlackSuit Ransomware, Compromised Windows Host	2026-05-13
Windows MsiExec HideWindow Rundll32 Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.007	TTP	Qakbot, Water Gamayun	2026-05-13
Windows Raw Access To Disk Volume Partition	Sysmon EventID 9	T1561.002	Anomaly	Disk Wiper, BlackByte Ransomware, NjRAT, Hermetic Wiper, CISA AA22-264A, PathWiper, Data Destruction, Graceful Wipe Out Attack, Caddy Wiper, Void Manticore	2026-05-13
Windows Credentials from Password Stores Chrome Copied in TEMP Dir	Sysmon EventID 11	T1555.003	TTP	Braodo Stealer, Scattered Lapsus$ Hunters, BlankGrabber Stealer	2026-05-13
Windows AD DSRM Password Reset	Windows Event Log Security 4794	T1098	TTP	Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters	2026-05-13
Windows AppX Deployment Unsigned Package Installation	Windows Event Log AppXDeployment-Server 855	T1204.002 T1553.005	TTP	MSIX Package Abuse	2026-05-13
GetDomainComputer with PowerShell Script Block	Powershell Script Block Logging 4104	T1018	TTP	Active Directory Discovery	2026-05-13
Windows AD GPO New CSE Addition	Windows Event Log Security 5136	T1222.001 T1484.001	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
IcedID Exfiltrated Archived File Creation	Sysmon EventID 11	T1560.001	Hunting	IcedID, APT37 Rustonotto and FadeStealer	2026-05-13
Remote Process Instantiation via WMI and PowerShell Script Block	Powershell Script Block Logging 4104	T1047	TTP	Active Directory Lateral Movement	2026-05-13
Windows WMI Reconnaissance Class Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	Anomaly	BlankGrabber Stealer	2026-05-13
MS Scripting Process Loading Ldap Module	Sysmon EventID 7	T1059.007	Anomaly	FIN7	2026-05-13
Windows PowGoop Beacon Decoding	CrowdStrike ProcessRollup2, Sysmon EventID 1	T1001 T1059.001	TTP	Compromised Windows Host	2026-05-13
Detect Excessive Account Lockouts From Endpoint		T1078.002	Anomaly	Active Directory Password Spraying	2026-05-13
Linux GDB Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Audit Policy Security Descriptor Tampering via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	Anomaly	Windows Audit Policy Tampering	2026-05-13
Suspicious IcedID Rundll32 Cmdline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.011	TTP	Living Off The Land, IcedID	2026-05-13
Windows Parent PID Spoofing with Explorer	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1134.004	TTP	Compromised Windows Host, Windows Defense Evasion Tactics	2026-05-13
Windows PowerShell MSIX Package Installation	Powershell Script Block Logging 4104	T1059.001 T1547.001	TTP	MSIX Package Abuse, Malicious PowerShell	2026-05-13
Linux Hardware Addition SwapOff	Sysmon for Linux EventID 1	T1200	Anomaly	Scattered Lapsus$ Hunters, AwfulShred, Data Destruction	2026-05-13
Windows Debugger Tool Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1036	Hunting	PlugX, DarkGate Malware	2026-05-13
First Time Seen Child Process of Zoom	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	Anomaly	Suspicious Zoom Child Processes	2026-05-13
Scheduled Task Deleted Or Created via CMD	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.005	Anomaly	DHS Report TA18-074A, AsyncRAT, MoonPeak, Amadey, NetSupport RMM Tool Abuse, Trickbot, RedLine Stealer, Scheduled Tasks, Prestige Ransomware, Medusa Ransomware, DarkCrystal RAT, Winter Vivern, NjRAT, PlugX, Rhysida Ransomware, Salt Typhoon, NOBELIUM Group, Windows Persistence Techniques, China-Nexus Threat Activity, ValleyRAT, Lokibot, CISA AA22-257A, XWorm, 0bj3ctivity Stealer, AgentTesla, Qakbot, CISA AA23-347A, Sandworm Tools, Living Off The Land, APT37 Rustonotto and FadeStealer, Remcos, Scattered Spider, ShrinkLocker, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Quasar RAT, Azorult, Phemedrone Stealer	2026-05-13
Windows AppLocker Block Events		T1218	Anomaly	Windows AppLocker	2026-05-13
Windows Raccine Scheduled Task Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	Compromised Windows Host, Ransomware	2026-05-13
Windows App Layer Protocol Qakbot NamedPipe	Sysmon EventID 17, Sysmon EventID 18	T1071	Anomaly	Qakbot	2026-05-13
Windows File Collection Via Copy Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1119	Anomaly	LAMEHUG	2026-05-13
Registry Keys for Creating SHIM Databases	Sysmon EventID 13	T1546.011	TTP	Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques	2026-05-13
Unusual Number of Remote Endpoint Authentication Events	Windows Event Log Security 4624	T1078	Hunting	Active Directory Privilege Escalation, Active Directory Lateral Movement	2026-05-13
Prevent Automatic Repair Mode using Bcdedit	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	Void Manticore, Chaos Ransomware, Ransomware	2026-05-13
Windows Unsigned DLL Side-Loading	Sysmon EventID 7	T1574.001	Anomaly	Earth Alux, Warzone RAT, NjRAT, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Derusbi, China-Nexus Threat Activity	2026-05-13
Windows SQL Spawning CertUtil	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1105	TTP	Flax Typhoon, SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Windows Short Lived DNS Record	Windows Event Log Security 5137, Windows Event Log Security 5136	T1071.004 T1187 T1557.001	TTP	Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic	2026-05-13
Windows Disable Windows Group Policy Features Through Registry	Sysmon EventID 13	T1112	Anomaly	Windows Defense Evasion Tactics, Windows Registry Abuse, CISA AA23-347A, Ransomware	2026-05-13
Windows Server Software Component GACUtil Install to GAC	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1505.004	TTP	IIS Components	2026-05-13
Script Execution via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Suspicious WMI Use, Scattered Spider	2026-05-13
Windows Suspect Process With Authentication Traffic	Sysmon EventID 3	T1087.002 T1204.002	Anomaly	Active Directory Discovery	2026-05-13
Disable Defender MpEngine Registry	Sysmon EventID 13	T1685	TTP	IcedID, Windows Registry Abuse	2026-05-13
DLLHost with no Command Line Arguments with Network	Sysmon EventID 1, Sysmon EventID 3	T1055	TTP	Cobalt Strike, Earth Alux, Cactus Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Linux Auditd Add User Account Type	Linux Auditd Add User	T1136.001	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows WMI Impersonate Token	Sysmon EventID 10	T1047	Anomaly	Qakbot, Water Gamayun	2026-05-13
Windows Set Account Password Policy To Unlimited Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	Anomaly	XMRig, BlackByte Ransomware, Crypto Stealer, Ransomware	2026-05-13
Randomly Generated Windows Service Name	Windows Event Log System 7045	T1543.003	Hunting	BlackSuit Ransomware, Active Directory Lateral Movement	2026-05-13
Disabling NoRun Windows App	Sysmon EventID 13	T1112 T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Default Group Policy Object Modified	Windows Event Log Security 5136	T1484.001	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
WinEvent Windows Task Scheduler Event Action Started	Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200	T1053.005	Hunting	BlackSuit Ransomware, AsyncRAT, Amadey, IcedID, Prestige Ransomware, Scheduled Tasks, DarkCrystal RAT, Winter Vivern, PlugX, Windows Persistence Techniques, Malicious Inno Setup Loader, ValleyRAT, Industroyer2, CISA AA22-257A, Qakbot, Sandworm Tools, SystemBC, Remcos, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Data Destruction	2026-05-13
Malicious PowerShell Process With Obfuscation Techniques	Sysmon EventID 1	T1059.001	TTP	Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Data Destruction, Hellcat Ransomware, Malicious PowerShell	2026-05-13
Windows Masquerading Explorer As Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1574.001	TTP	Water Gamayun, Qakbot, Compromised Windows Host	2026-05-13
Linux High Frequency Of File Deletion In Boot Folder	Sysmon for Linux EventID 11	T1070.004 T1485	TTP	AcidPour, Data Destruction, Industroyer2	2026-05-13
Windows System Discovery Using Qwinsta	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Qakbot	2026-05-13
UAC Bypass With Colorui COM Object	Sysmon EventID 7	T1218.003	TTP	Ransomware, LockBit Ransomware	2026-05-13
Linux Sqlite3 Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Wmic NonInteractive App Uninstallation	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Hunting	IcedID, Azorult	2026-05-13
MSI Module Loaded by Non-System Binary	Sysmon EventID 7	T1574.001	Hunting	Hermetic Wiper, Windows Privilege Escalation, Data Destruction	2026-05-13
Linux Ingress Tool Transfer with Curl	Sysmon for Linux EventID 1	T1105	Anomaly	XorDDos, NPM Supply Chain Compromise, Linux Living Off The Land, Ingress Tool Transfer	2026-05-13
Windows WinDBG Spawning AutoIt3	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059	TTP	Compromised Windows Host, DarkGate Malware	2026-05-13
GPUpdate with no Command Line Arguments with Network	Sysmon EventID 1, Sysmon EventID 3	T1055	TTP	Compromised Windows Host, Cobalt Strike, BlackByte Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware	2026-05-13
Get ADUser with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002	Hunting	CISA AA23-347A, Active Directory Discovery	2026-05-13
Headless Browser Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497 T1564.003	Anomaly	Forest Blizzard, Browser Hijacking	2026-05-13
Detect Regasm with no Command Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.009	TTP	Suspicious Regsvcs Regasm Activity, Living Off The Land, Void Manticore, Handala Wiper	2026-05-13
Windows Modify Registry Disabling WER Settings	Sysmon EventID 13	T1112	TTP	Azorult, CISA AA23-347A	2026-05-13
Windows Protocol Tunneling with Plink	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.004 T1572	TTP	CISA AA22-257A	2026-05-13
Spoolsv Suspicious Loaded Modules	Sysmon EventID 7	T1547.012	TTP	PrintNightmare CVE-2021-34527, Black Basta Ransomware	2026-05-13
Windows Snake Malware Service Create	Windows Event Log System 7045	T1547.006 T1569.002	TTP	Compromised Windows Host, Snake Malware	2026-05-13
Windows Visual Basic Commandline Compiler DNSQuery	Sysmon EventID 22	T1071.004	TTP	Lokibot	2026-05-13
Windows MOVEit Transfer Writing ASPX	Sysmon EventID 11	T1133 T1190	TTP	MOVEit Transfer Critical Vulnerability, Hellcat Ransomware	2026-05-13
Network Discovery Using Route Windows App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1016.001	Hunting	Prestige Ransomware, Windows Post-Exploitation, Active Directory Discovery, Qakbot, CISA AA22-277A	2026-05-13
Cisco Isovalent - Pods Running Offensive Tools	Cisco Isovalent Process Exec	T1204.003	Anomaly	Cisco Isovalent Suspicious Activity	2026-05-13
PowerShell Start or Stop Service	Powershell Script Block Logging 4104	T1059.001	Anomaly	Scattered Lapsus$ Hunters, Active Directory Lateral Movement	2026-05-13
Windows PowerShell Process With Malicious String	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	TTP	Malicious PowerShell	2026-05-13
Windows Snake Malware Kernel Driver Comadmin	Sysmon EventID 11	T1547.006	TTP	Snake Malware	2026-05-13
Windows Modify Registry wuStatusServer	Sysmon EventID 13	T1112	Hunting	RedLine Stealer	2026-05-13
PowerShell Loading DotNET into Memory via Reflection	Powershell Script Block Logging 4104	T1059.001	Anomaly	VIP Keylogger, Winter Vivern, AsyncRAT, 0bj3ctivity Stealer, Hermetic Wiper, AgentTesla, Data Destruction, Hellcat Ransomware, Axios Supply Chain Post Compromise, Malicious PowerShell	2026-05-13
Detect SharpHound Command-Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	BlackSuit Ransomware, Windows Discovery Techniques, Ransomware	2026-05-13
Windows Multiple Users Remotely Failed To Authenticate From Host	Windows Event Log Security 4625	T1110.003	TTP	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows High File Deletion Frequency	Sysmon EventID 23, Sysmon EventID 26	T1485	Anomaly	APT37 Rustonotto and FadeStealer, Medusa Ransomware, Black Basta Ransomware, NailaoLocker Ransomware, DarkCrystal RAT, Void Manticore, DynoWiper, Interlock Ransomware, Swift Slicer, Handala Wiper, Data Destruction, WhisperGate, Clop Ransomware, Sandworm Tools, ZOVWiper	2026-05-13
Allow Operation with Consent Admin	Sysmon EventID 13	T1548	TTP	MoonPeak, Windows Registry Abuse, Ransomware, Azorult	2026-05-13
Windows PowerShell Script From WindowsApps Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1204.002	TTP	MSIX Package Abuse, Malicious PowerShell	2026-05-13
Windows Netspy Network Scanner Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018 T1595	Anomaly	Windows Discovery Techniques, Network Discovery	2026-05-13
Windows Theme File Creation in Unusual Location	Sysmon EventID 11	T1021.002 T1187 T1557.001	Anomaly	Spearphishing Attachments	2026-05-13
Windows Steal Authentication Certificates CertUtil Backup	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1649	Anomaly	Windows Certificate Services, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Common Ransomware Extensions	Sysmon EventID 11	T1485	TTP	Prestige Ransomware, Medusa Ransomware, Ransomware, Ryuk Ransomware, Black Basta Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Interlock Ransomware, Clop Ransomware, LockBit Ransomware, Termite Ransomware, SamSam Ransomware	2026-05-13
Shai-Hulud 2 Exfiltration Artifact Files	Sysmon EventID 11, Sysmon for Linux EventID 11	T1074.001 T1195.002 T1552.001	TTP	NPM Supply Chain Compromise	2026-05-13
Windows AppLocker Rare Application Launch Detection		T1218	Hunting	Windows AppLocker	2026-05-13
Windows PUA Named Pipe	Sysmon EventID 17, Sysmon EventID 18	T1021.002 T1055 T1559	Anomaly	DarkSide Ransomware, CISA AA22-320A, Cactus Ransomware, Medusa Ransomware, SamSam Ransomware, BlackByte Ransomware, DHS Report TA18-074A, Volt Typhoon, HAFNIUM Group, Seashell Blizzard, Rhysida Ransomware, VanHelsing Ransomware, DarkGate Malware, IcedID, Sandworm Tools, Active Directory Lateral Movement	2026-05-13
Windows Mock Trusted Directory MSC File Creation	Sysmon EventID 11	T1218.014 T1548.002 T1574	TTP	Windows Privilege Escalation, Windows Persistence Techniques	2026-05-13
Windows Password Managers Discovery	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1555.005	Anomaly	Prestige Ransomware, Windows Post-Exploitation, Scattered Lapsus$ Hunters, Scattered Spider	2026-05-13
Windows Chromium Process Loaded Extension via Command-Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1185	Anomaly	Browser Hijacking	2026-05-13
Powershell Remote Services Add TrustedHost	Powershell Script Block Logging 4104	T1021.006	TTP	DarkGate Malware	2026-05-13
Remcos RAT File Creation in Remcos Folder	Sysmon EventID 11	T1113	TTP	Remcos	2026-05-13
Windows Unusual Count Of Users Failed To Auth Using Kerberos	Windows Event Log Security 4771	T1110.003	Anomaly	Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon	2026-05-13
Windows Forest Discovery with GetForestDomain	Powershell Script Block Logging 4104	T1087.002	TTP	Active Directory Discovery	2026-05-13
Windows MMC Loaded Script Engine DLL	Sysmon EventID 7	T1620	Anomaly	XML Runner Loader	2026-05-13
Microsoft Defender ATP Alerts	MS Defender ATP Alerts	N/A	TTP	Critical Alerts	2026-05-13
Windows IIS Components Module Failed to Load	Windows Event Log Application 2282	T1505.004	Anomaly	IIS Components	2026-05-13
Clear Unallocated Sector Using Cipher App	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070.004	TTP	Scattered Spider, Compromised Windows Host, Ransomware	2026-05-13
Shai-Hulud Workflow File Creation or Modification	Sysmon EventID 11, Sysmon for Linux EventID 11	T1195 T1554 T1574.006	TTP	NPM Supply Chain Compromise	2026-05-13
Windows Impair Defense Change Win Defender Tracing Level	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Mimikatz Crypto Export File Extensions	Sysmon EventID 11	T1649	Anomaly	Windows Certificate Services, CISA AA23-347A, Sandworm Tools	2026-05-13
Samsam Test File Write	Sysmon EventID 11	T1486	TTP	SamSam Ransomware	2026-05-13
Windows Modify Registry Disable Win Defender Raw Write Notif	Sysmon EventID 13	T1112	Anomaly	Azorult, CISA AA23-347A	2026-05-13
Windows Chromium Browser No Security Sandbox Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	TTP	Malicious Inno Setup Loader	2026-05-13
Windows Steal Authentication Certificates Certificate Request	Windows Event Log Security 4886	T1649	Anomaly	Windows Certificate Services	2026-05-13
Linux Possible Access To Credential Files	Sysmon for Linux EventID 1	T1003.008	Anomaly	Linux Persistence Techniques, XorDDos, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity	2026-05-13
Linux Auditd Stop Services	Linux Auditd Service Stop	T1489	Hunting	Compromised Linux Host, AwfulShred, Data Destruction, Industroyer2	2026-05-13
Windows System Remote Discovery With Query	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1033	Hunting	Medusa Ransomware, Active Directory Discovery	2026-05-13
Creation of Shadow Copy with wmic and powershell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	Living Off The Land, Credential Dumping, Compromised Windows Host, Volt Typhoon	2026-05-13
Windows Known GraphicalProton Loaded Modules	Sysmon EventID 7	T1574.001	Anomaly	Water Gamayun, CISA AA23-347A, Hellcat Ransomware	2026-05-13
Headless Browser Mockbin or Mocky Request	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1564.003	TTP	GhostRedirector IIS Module and Rungan Backdoor, Forest Blizzard	2026-05-13
Linux At Application Execution	Sysmon for Linux EventID 1	T1053.002	Anomaly	Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity	2026-05-13
SLUI RunAs Elevated	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002	TTP	DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics	2026-05-13
Living Off The Land Detection		T1059 T1105 T1133 T1190	Correlation	Living Off The Land, Hellcat Ransomware	2026-05-13
Windows Disable or Modify Tools Via Taskkill	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	NjRAT, PXA Stealer, BlankGrabber Stealer, Crypto Stealer	2026-05-13
Windows MSTSC RDP Commandline	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion, Medusa Ransomware	2026-05-13
Windows SQL Server Critical Procedures Enabled	Windows Event Log Application 15457	T1505.001	TTP	SQL Server Abuse	2026-05-13
Windows Common Abused Cmd Shell Risk Behavior		T1016 T1033 T1049 T1059 T1222 T1529	Correlation	Windows Post-Exploitation, Volt Typhoon, DarkCrystal RAT, Windows Defense Evasion Tactics, FIN7, Qakbot, Azorult, CISA AA23-347A, Netsh Abuse, Microsoft WSUS CVE-2025-59287, Sandworm Tools, Disabling Security Tools	2026-05-13
Windows PowerView Unconstrained Delegation Discovery	Powershell Script Block Logging 4104	T1018	TTP	Rhysida Ransomware, CISA AA23-347A, Active Directory Kerberos Attacks	2026-05-13
Suspicious MSBuild Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1127.001	TTP	Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild, Storm-2460 CLFS Zero Day Exploitation	2026-05-13
Windows Modify Registry DontShowUI	Sysmon EventID 13	T1112	TTP	DarkGate Malware	2026-05-13
Windows Vulnerable Driver Installed	Windows Event Log System 7045	T1543.003	TTP	Windows Drivers, Void Manticore	2026-05-13
Windows File Association Modification via Ftype	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.003	Anomaly	Windows File Extension and Association Abuse	2026-05-13
Scheduled Task Creation on Remote Endpoint using At	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1053.002	TTP	Living Off The Land, Scheduled Tasks, 0bj3ctivity Stealer, Active Directory Lateral Movement	2026-05-13
Windows Bypass UAC via Pkgmgr Tool	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1548.002	Anomaly	Warzone RAT	2026-05-13
GetWmiObject Ds Computer with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1018	Anomaly	Active Directory Discovery	2026-05-13
Esentutl SAM Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.002	Hunting	Living Off The Land, Credential Dumping	2026-05-13
Windows ISO LNK File Creation	Sysmon EventID 11	T1204.001 T1566.001	Hunting	Remcos, Brute Ratel C4, APT37 Rustonotto and FadeStealer, Warzone RAT, Spearphishing Attachments, Gozi Malware, Qakbot, AgentTesla, Azorult, Amadey, IcedID	2026-05-13
Windows Remote Service Rdpwinst Tool Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001	TTP	Windows RDP Artifacts and Defense Evasion, Azorult, Scattered Lapsus$ Hunters, Compromised Windows Host	2026-05-13
Remote Process Instantiation via WMI	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Ransomware, Salt Typhoon, Suspicious WMI Use, CISA AA23-347A, China-Nexus Threat Activity, Void Manticore, Active Directory Lateral Movement	2026-05-13
Windows Account Access Removal via Logoff Exec	Sysmon EventID 1	T1059.001 T1531	Anomaly	Crypto Stealer	2026-05-13
Windows Archived Collected Data In TEMP Folder	Sysmon EventID 11	T1560	Anomaly	Braodo Stealer, APT37 Rustonotto and FadeStealer	2026-05-13
Windows InstallUtil Remote Network Connection	Sysmon EventID 1, Sysmon EventID 3, Cisco Network Visibility Module Flow Data	T1218.004	Anomaly	Living Off The Land, Compromised Windows Host, Cisco Network Visibility Module Analytics, Signed Binary Proxy Execution InstallUtil	2026-05-13
Windows Audit Policy Auditing Option Modified - Registry	Sysmon EventID 13	T1547.014	Anomaly	Windows Audit Policy Tampering	2026-05-13
Windows Multiple Users Failed To Authenticate Using Kerberos	Windows Event Log Security 4771	T1110.003	TTP	Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon	2026-05-13
Windows PowerShell Module File Created	Sysmon EventID 11	T1059.001 T1129 T1574	Anomaly	Malicious PowerShell, Windows Persistence Techniques	2026-05-13
Linux Kworker Process In Writable Process Path	Sysmon for Linux EventID 1	T1036.004	Hunting	Cyclops Blink, Sandworm Tools	2026-05-13
Dump LSASS via comsvcs DLL	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.001	TTP	Living Off The Land, Prestige Ransomware, Compromised Windows Host, Volt Typhoon, CISA AA22-257A, Industroyer2, Flax Typhoon, Credential Dumping, HAFNIUM Group, CISA AA22-264A, Data Destruction, Scattered Lapsus$ Hunters, Hellcat Ransomware, Suspicious Rundll32 Activity	2026-05-13
ETW Registry Disabled	Sysmon EventID 13	T1127 T1685	TTP	Windows Registry Abuse, Hermetic Wiper, CISA AA23-347A, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation	2026-05-13
Windows Process Accessing Windows Recall Directory	Windows Event Log Security 4663	T1059 T1119	Anomaly	Windows Post-Exploitation	2026-05-13
File with Samsam Extension	Sysmon EventID 11	N/A	TTP	Hellcat Ransomware, SamSam Ransomware	2026-05-13
Windows Outlook Macro Created by Suspicious Process	Sysmon EventID 11	T1059.005 T1137	TTP	NotDoor Malware	2026-05-13
Detect Excessive User Account Lockouts		T1078.003	Anomaly	Active Directory Password Spraying, Scattered Lapsus$ Hunters	2026-05-13
Windows Modify Registry NoChangingWallPaper	Sysmon EventID 13	T1112	TTP	Rhysida Ransomware	2026-05-13
SilentCleanup UAC Bypass	Sysmon EventID 13	T1548.002	TTP	MoonPeak, Windows Registry Abuse, Windows Defense Evasion Tactics	2026-05-13
Windows Unusual File Creation in Confluence Directory	Sysmon EventID 11	T1190 T1608.001 T1608.002	Anomaly	Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	2026-05-13
Windows Computer Account Changed to Domain Controller	Windows Event Log Security 4742	T1136.002	TTP	Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation	2026-05-13
Windows Modify Registry Delete Firewall Rules	Sysmon EventID 12	T1112	TTP	NetSupport RMM Tool Abuse, ShrinkLocker, CISA AA24-241A	2026-05-13
Linux Curl Upload File	Sysmon for Linux EventID 1, Cisco Isovalent Process Exec	T1105	TTP	Data Exfiltration, NPM Supply Chain Compromise, Linux Living Off The Land, Ingress Tool Transfer	2026-05-13
Change To Safe Mode With Network Config	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1490	TTP	BlackMatter Ransomware, Black Basta Ransomware	2026-05-13
Windows Unusual NTLM Authentication Users By Source	NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006	T1110.003	Anomaly	Active Directory Password Spraying	2026-05-13
Detect MSHTA Url in Command Line	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data	T1218.005	TTP	Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious MSHTA Activity, XWorm, Cisco Network Visibility Module Analytics, NetSupport RMM Tool Abuse, Lumma Stealer	2026-05-13
Executable File Written in Administrative SMB Share	Windows Event Log Security 5145	T1021.002	TTP	Prestige Ransomware, Compromised Windows Host, BlackSuit Ransomware, Industroyer2, Hermetic Wiper, VanHelsing Ransomware, Data Destruction, Graceful Wipe Out Attack, IcedID, Trickbot, Active Directory Lateral Movement	2026-05-13
Linux Auditd Nopasswd Entry In Sudoers File	Linux Auditd Proctitle	T1548.003	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host	2026-05-13
Windows Product Key Registry Query	Windows Event Log Security 4663	T1012	Anomaly	BlankGrabber Stealer	2026-05-13
Linux Setuid Using Setcap Utility	Sysmon for Linux EventID 1	T1548.001	Anomaly	Linux Persistence Techniques, Linux Privilege Escalation	2026-05-13
High Process Termination Frequency	Sysmon EventID 5	T1486	Anomaly	Crypto Stealer, Medusa Ransomware, NailaoLocker Ransomware, BlackByte Ransomware, Rhysida Ransomware, Interlock Ransomware, Snake Keylogger, Clop Ransomware, LockBit Ransomware, Hellcat Ransomware, Termite Ransomware	2026-05-13
Windows DiskCryptor Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1486	Hunting	Ransomware	2026-05-13
GetWmiObject DS User with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.002	Anomaly	Active Directory Discovery	2026-05-13
Windows Service Create with Tscon	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1543.003 T1563.002	TTP	Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement	2026-05-13
GetDomainGroup with PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.002	TTP	Active Directory Discovery	2026-05-13
Detect Certipy File Modifications	Sysmon EventID 11	T1560 T1649	TTP	Windows Certificate Services, Data Exfiltration, Ingress Tool Transfer	2026-05-13
Suspicious Image Creation In Appdata Folder	Sysmon EventID 1, Sysmon EventID 11	T1113	TTP	Remcos, APT37 Rustonotto and FadeStealer	2026-05-13
Remote Process Instantiation via WinRM and PowerShell	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.006	TTP	Active Directory Lateral Movement	2026-05-13
Registry Keys Used For Privilege Escalation	Sysmon EventID 13	T1546.012	TTP	Cloud Federated Credential Abuse, Windows Registry Abuse, Suspicious Windows Registry Activities, Hermetic Wiper, Data Destruction, Windows Privilege Escalation	2026-05-13
Rundll32 CreateRemoteThread In Browser	Sysmon EventID 8	T1055	TTP	Living Off The Land, IcedID	2026-05-13
Windows Service Creation Using Registry Entry	Sysmon EventID 13	T1574.011	Anomaly	Gh0st RAT, Crypto Stealer, Windows Registry Abuse, Brute Ratel C4, PlugX, Suspicious Windows Registry Activities, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Derusbi, Windows Persistence Techniques, China-Nexus Threat Activity, SnappyBee, Active Directory Lateral Movement	2026-05-13
Windows ESX Admins Group Creation via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1136.001 T1136.002	TTP	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085	2026-05-13
Windows DISM Remove Defender	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	TTP	Windows Defense Evasion Tactics, Compromised Windows Host, CISA AA23-347A	2026-05-13
Fsutil Zeroing File	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1070	TTP	Ransomware, LockBit Ransomware	2026-05-13
Windows AppLocker Privilege Escalation via Unauthorized Bypass		T1218	TTP	Windows AppLocker	2026-05-13
MacOS Log Removal	Osquery Results	T1070	TTP	MacOS Post-Exploitation	2026-05-13
GetWmiObject User Account with PowerShell Script Block	Powershell Script Block Logging 4104	T1059.001 T1087.001	Hunting	Winter Vivern, Malicious PowerShell, Active Directory Discovery	2026-05-13
Windows Impair Defense Add Xml Applocker Rules	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Hunting	Azorult	2026-05-13
Windows User Discovery Via Net	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.001	Hunting	Sandworm Tools, Medusa Ransomware, Active Directory Discovery	2026-05-13
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials	Windows Event Log Security 4648	T1110.003	Anomaly	Active Directory Password Spraying, Insider Threat, Volt Typhoon	2026-05-13
Windows Default Rdp File Deletion	Sysmon EventID 23, Sysmon EventID 26	T1070.004	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows AD AdminSDHolder ACL Modified	Windows Event Log Security 5136	T1546	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Microsoft Defender Incident Alerts	MS365 Defender Incident Alerts	N/A	TTP	Critical Alerts	2026-05-13
Powershell Creating Thread Mutex	Powershell Script Block Logging 4104	T1027.005 T1059.001	TTP	Water Gamayun, Malicious PowerShell	2026-05-13
Windows Autostart Execution LSASS Driver Registry Modification	Sysmon EventID 13	T1547.008	TTP	Windows Registry Abuse	2026-05-13
Spoolsv Spawning Rundll32	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1547.012	TTP	Compromised Windows Host, PrintNightmare CVE-2021-34527, Black Basta Ransomware	2026-05-13
Windows Service Stop By Deletion	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1489	Hunting	Crypto Stealer, Azorult, Graceful Wipe Out Attack	2026-05-13
Windows Handle Duplication in Known UAC-Bypass Binaries	Sysmon EventID 10	T1134.001	Anomaly	Castle RAT	2026-05-13
Linux Kernel Module Enumeration	Sysmon for Linux EventID 1	T1014 T1082	Anomaly	Linux Rootkit, XorDDos	2026-05-13
Detect AzureHound Command-Line Arguments	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	Compromised Windows Host, Windows Discovery Techniques	2026-05-13
PowerShell Domain Enumeration	Powershell Script Block Logging 4104	T1059.001	TTP	Hermetic Wiper, Interlock Ransomware, CISA AA23-347A, Data Destruction, Microsoft WSUS CVE-2025-59287, Malicious PowerShell	2026-05-13
Windows DLL Search Order Hijacking Hunt with Sysmon	Sysmon EventID 7	T1574.001	Hunting	Malicious Inno Setup Loader, Living Off The Land, Qakbot, Windows Defense Evasion Tactics	2026-05-13
Sqlite Module In Temp Folder	Sysmon EventID 11	T1005	TTP	Lokibot, IcedID	2026-05-13
Windows Rdp AutomaticDestinations Deletion	Sysmon EventID 23, Sysmon EventID 26	T1070.004	Anomaly	Windows RDP Artifacts and Defense Evasion	2026-05-13
Windows Multiple Users Failed To Authenticate From Host Using NTLM	Windows Event Log Security 4776	T1110.003	TTP	Active Directory Password Spraying, Volt Typhoon	2026-05-13
Windows Chromium Browser with Custom User Data Directory	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1497	Anomaly	Malicious Inno Setup Loader, Lokibot, StealC Stealer	2026-05-13
Windows NirSoft Utilities	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1588.002	Hunting	WhisperGate, Data Destruction	2026-05-13
Linux Auditd Hidden Files And Directories Creation	Linux Auditd Execve	T1083	Anomaly	Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host	2026-05-13
Windows AppLocker Execution from Uncommon Locations		T1218	Hunting	Windows AppLocker	2026-05-13
Windows Potential Web Shell Creation For VMware Workspace ONE	Sysmon EventID 11	T1505.003	Anomaly	VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, VMware Aria Operations vRealize CVE-2023-20887, VMware Server Side Injection and Privilege Escalation	2026-05-13
Detect SharpHound Usage	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	Windows Discovery Techniques, Ransomware	2026-05-13
Linux Auditd Auditd Daemon Start	Linux Auditd Daemon Start	T1685.004	Anomaly	Compromised Linux Host	2026-05-13
SchCache Change By App Connect And Create ADSI Object	Sysmon EventID 11	T1087.002	Anomaly	BlackMatter Ransomware	2026-05-13
Windows Explorer LNK Exploit Process Launch With Padding	Sysmon EventID 1, Windows Event Log Security 4688	T1059.001 T1204.002	TTP	ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day	2026-05-13
Linux Unix Shell Enable All SysRq Functions	Sysmon for Linux EventID 1	T1059.004	Anomaly	AwfulShred, Data Destruction	2026-05-13
Windows Steal Authentication Certificates Certificate Issued	Windows Event Log Security 4887	T1649	Anomaly	Windows Certificate Services	2026-05-13
Windows Service Created with Suspicious Service Path	Windows Event Log System 7045	T1569.002	TTP	Gh0st RAT, Crypto Stealer, Brute Ratel C4, Snake Malware, APT37 Rustonotto and FadeStealer, Flax Typhoon, PlugX, Qakbot, Salt Typhoon, CISA AA23-347A, Derusbi, Clop Ransomware, China-Nexus Threat Activity, Active Directory Lateral Movement	2026-05-13
Cisco NVM - Rclone Execution With Network Activity	Cisco Network Visibility Module Flow Data	T1567.002	Anomaly	Scattered Lapsus$ Hunters, Cisco Network Visibility Module Analytics	2026-05-13
Unknown Process Using The Kerberos Protocol	Sysmon EventID 1, Sysmon EventID 3	T1550	TTP	Active Directory Kerberos Attacks, BlackSuit Ransomware	2026-05-13
Windows Defender ASR Rules Stacking	Windows Event Log Defender 1129, Windows Event Log Defender 5007, Windows Event Log Defender 1134, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1122, Windows Event Log Defender 1121, Windows Event Log Defender 1126, Windows Event Log Defender 1125	T1059 T1566.001 T1566.002	Hunting	Windows Attack Surface Reduction	2026-05-13
Wmiprvse LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1047	TTP	Active Directory Lateral Movement	2026-05-13
Credential Dumping via Symlink to Shadow Copy	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1003.003	TTP	Credential Dumping, Compromised Windows Host	2026-05-13
Windows Modify System Firewall with Notable Process Path	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1686	TTP	Compromised Windows Host, NjRAT, Medusa Ransomware	2026-05-13
Crowdstrike Medium Identity Risk Severity		T1110	TTP	Compromised Windows Host	2026-05-13
Windows WinPEAS PowerShell Script Execution	Powershell Script Block Logging 4104	T1007 T1016 T1033 T1082 T1590 T1592.002 T1592.004 T1615	TTP	Windows Post-Exploitation	2026-05-13
Windows Remote Access Software BRC4 Loaded Dll	Sysmon EventID 7	T1003 T1219	Anomaly	Brute Ratel C4	2026-05-13
Local Account Discovery With Wmic	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1087.001	Hunting	Scattered Lapsus$ Hunters, Active Directory Discovery	2026-05-13
Windows WMIC Shadowcopy Delete	Sysmon EventID 1	T1490	Anomaly	Suspicious WMI Use, Cactus Ransomware, Volt Typhoon	2026-05-13
Windows ScManager Security Descriptor Tampering Via Sc.EXE	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1569.002	TTP	Defense Evasion or Unauthorized Access Via SDDL Tampering	2026-05-13
Windows Impair Defenses Disable AV AutoStart via Registry	Sysmon EventID 13	T1112	TTP	ValleyRAT, Scattered Lapsus$ Hunters	2026-05-13
Ryuk Test Files Detected	Sysmon EventID 11	T1486	TTP	Ryuk Ransomware	2026-05-13
Windows Set Network Profile Category to Private via Registry	Sysmon EventID 13	T1112	Anomaly	Secret Blizzard	2026-05-13
Local LLM Framework DNS Query	Sysmon EventID 22	T1590	Hunting	Suspicious Local LLM Frameworks	2026-05-13
Windows Driver Load Non-Standard Path	Windows Event Log System 7045	T1014 T1068	TTP	CISA AA22-320A, BlackSuit Ransomware, BlackByte Ransomware, Windows Drivers, AgentTesla	2026-05-13
Cisco NVM - Webserver Download From File Sharing Website	Cisco Network Visibility Module Flow Data	T1105 T1190	TTP	GhostRedirector IIS Module and Rungan Backdoor, Cisco Network Visibility Module Analytics	2026-05-13
Linux c99 Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Linux SSH Authorized Keys Modification	Sysmon for Linux EventID 1	T1098.004	Anomaly	VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Hellcat Ransomware	2026-05-13
PetitPotam Network Share Access Request	Windows Event Log Security 5145	T1187	TTP	PetitPotam NTLM Relay on Active Directory Certificate Services	2026-05-13
Windows Modify Registry LongPathsEnabled	Sysmon EventID 13	T1112	Anomaly	BlackByte Ransomware	2026-05-13
Cisco Isovalent - Potential Escape to Host	Cisco Isovalent Process Exec	T1611	Anomaly	VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity	2026-05-13
Verclsid CLSID Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.012	Hunting	Unusual Processes	2026-05-13
Disable AMSI Through Registry	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, CISA AA23-347A, Ransomware	2026-05-13
Linux Medusa Rootkit	Sysmon for Linux EventID 11	T1014 T1589.001	TTP	Medusa Rootkit, China-Nexus Threat Activity, VoidLink Cloud-Native Linux Malware, Hellcat Ransomware	2026-05-13
Windows CrowdStrike Agent Registry Key Removal	Sysmon EventID 12	T1685	Anomaly	Windows Defense Evasion Tactics, Security Solution Tampering	2026-05-13
Windows Modify Registry ValleyRAT C2 Config	Sysmon EventID 13	T1112	TTP	ValleyRAT	2026-05-13
Windows SOAPHound Binary Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1069.001 T1069.002 T1087.001 T1087.002 T1482	TTP	Compromised Windows Host, Windows Discovery Techniques	2026-05-13
Windows Credential Target Information Structure in Commandline	Sysmon EventID 1	T1071.004 T1187 T1557.001	TTP	Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic	2026-05-13
Linux Stop Services	Sysmon for Linux EventID 1	T1489	TTP	AwfulShred, Data Destruction, Industroyer2	2026-05-13
Windows EDRSilencer Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685	Anomaly	Security Solution Tampering	2026-05-13
Wsmprovhost LOLBAS Execution Process Spawn	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.006	TTP	CISA AA24-241A, Hellcat Ransomware, Active Directory Lateral Movement	2026-05-13
Linux Possible Ssh Key File Creation	Sysmon for Linux EventID 11	T1098.004	Anomaly	Linux Persistence Techniques, Hellcat Ransomware, Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows Audit Policy Disabled via Auditpol	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1685.001	Anomaly	Windows Audit Policy Tampering	2026-05-13
Suspicious SQLite3 LSQuarantine Behavior	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1074	TTP	Silver Sparrow	2026-05-13
Nishang PowershellTCPOneLine	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	TTP	Cleo File Transfer Software, HAFNIUM Group	2026-05-13
Windows Multiple Users Failed To Authenticate From Process	Windows Event Log Security 4625	T1110.003	TTP	Active Directory Password Spraying, Insider Threat, Volt Typhoon	2026-05-13
Windows RDP File Execution	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1021.001 T1598.002	TTP	Windows RDP Artifacts and Defense Evasion, Interlock Ransomware, Spearphishing Attachments	2026-05-13
Windows DisableAntiSpyware Registry	Sysmon EventID 13	T1685	TTP	Windows Registry Abuse, Windows Defense Evasion Tactics, SolarWinds WHD RCE Post Exploitation, Azorult, CISA AA22-264A, CISA AA23-347A, Ryuk Ransomware, RedLine Stealer	2026-05-13
Linux MySQL Privilege Escalation	Sysmon for Linux EventID 1	T1548.003	Anomaly	Linux Living Off The Land, Linux Privilege Escalation	2026-05-13
Windows PowerShell Script TabExpansion Direct Call	Powershell Script Block Logging 4104	T1059.001 T1129	Anomaly	Malicious PowerShell	2026-05-13
PaperCut NG Remote Web Access Attempt	Suricata	T1133 T1190	TTP	PaperCut MF NG Vulnerability	2026-05-13
Hunting for Log4Shell	Nginx Access	T1133 T1190	Hunting	Log4Shell CVE-2021-44228, CISA AA22-320A	2026-05-13
Windows IIS Server PSWA Console Access	Windows IIS	T1190	Hunting	CISA AA24-241A	2026-05-13
Zscaler Exploit Threat Blocked		T1566	TTP	Zscaler Browser Proxy Threats	2026-05-13
Zscaler Malware Activity Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
Web Remote ShellServlet Access	Nginx Access	T1190	TTP	GhostRedirector IIS Module and Rungan Backdoor, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	2026-05-13
Web Spring4Shell HTTP Request Class Module	Splunk Stream HTTP	T1133 T1190	TTP	Spring4Shell CVE-2022-22965	2026-05-13
Zscaler Behavior Analysis Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
SAP NetWeaver Visual Composer Exploitation Attempt	Suricata	T1190	Hunting	SAP NetWeaver Exploitation	2026-05-13
Unusually Long Content-Type Length		N/A	Anomaly	Apache Struts Vulnerability	2026-05-13
Log4Shell JNDI Payload Injection with Outbound Connection		T1133 T1190	Anomaly	Log4Shell CVE-2021-44228, CISA AA22-320A	2026-05-13
JetBrains TeamCity Authentication Bypass CVE-2024-27198	Suricata	T1190	TTP	JetBrains TeamCity Vulnerabilities	2026-05-13
Zscaler Phishing Activity Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats, Hellcat Ransomware	2026-05-13
Tomcat Session Deserialization Attempt	Nginx Access	T1190 T1505.003	Anomaly	Apache Tomcat Session Deserialization Attacks	2026-05-13
Zscaler Scam Destinations Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
Cisco IOS XE Implant Access	Suricata	T1190	TTP	Cisco IOS XE Software Web Management User Interface vulnerability	2026-05-13
Zscaler Virus Download threat blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
Zscaler Potentially Abused File Download		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
Adobe ColdFusion Access Control Bypass	Suricata	T1190	Anomaly	Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360	2026-05-13
Juniper Networks Remote Code Execution Exploit Detection	Suricata	T1059 T1105 T1190	TTP	Juniper JunOS Remote Code Execution	2026-05-13
Adobe ColdFusion Unauthenticated Arbitrary File Read	Suricata	T1190	Anomaly	Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360	2026-05-13
Zscaler Employment Search Web Activity		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
HTTP Duplicated Header	Suricata	T1071.001 T1190	Anomaly	HTTP Request Smuggling	2026-05-13
Ivanti EPM SQL Injection Remote Code Execution	Suricata	T1190	TTP	GhostRedirector IIS Module and Rungan Backdoor, Ivanti EPM Vulnerabilities, Hellcat Ransomware	2026-05-13
Spring4Shell Payload URL Request	Nginx Access	T1133 T1190 T1505.003	TTP	Spring4Shell CVE-2022-22965	2026-05-13
Ivanti Connect Secure Command Injection Attempts	Suricata	T1190	TTP	Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A	2026-05-13
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527	Suricata	T1190	TTP	Confluence Data Center and Confluence Server Vulnerabilities	2026-05-13
Detect Web Access to Decommissioned S3 Bucket	AWS Cloudfront	T1485	Anomaly	AWS S3 Bucket Security Monitoring, Data Destruction	2026-05-13
Ivanti Connect Secure SSRF in SAML Component	Suricata	T1190	TTP	Ivanti Connect Secure VPN Vulnerabilities	2026-05-13
Supernova Webshell		T1133 T1505.003	TTP	GhostRedirector IIS Module and Rungan Backdoor, Earth Alux, NOBELIUM Group	2026-05-13
Windows Exchange Autodiscover SSRF Abuse	Windows IIS	T1133 T1190	TTP	ProxyNotShell, BlackByte Ransomware, ProxyShell, Seashell Blizzard	2026-05-13
JetBrains TeamCity RCE Attempt	Suricata	T1190	TTP	JetBrains TeamCity Vulnerabilities, CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE	2026-05-13
ProxyShell ProxyNotShell Behavior Detected		T1133 T1190	Correlation	ProxyNotShell, ProxyShell, Seashell Blizzard	2026-05-13
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199	Suricata	T1190	TTP	JetBrains TeamCity Vulnerabilities	2026-05-13
Log4Shell JNDI Payload Injection Attempt	Nginx Access	T1133 T1190	Anomaly	CISA AA22-257A, Log4Shell CVE-2021-44228, CISA AA22-320A	2026-05-13
Detect attackers scanning for vulnerable JBoss servers		T1082 T1133	TTP	SamSam Ransomware, JBoss Vulnerability	2026-05-13
High Volume of Bytes Out to Url	Nginx Access	T1567	Anomaly	Data Exfiltration, Hellcat Ransomware	2026-05-13
Windows SharePoint Spinstall0 GET Request	Suricata	T1190 T1505.003 T1552	TTP	Microsoft SharePoint Vulnerabilities	2026-05-13
WS FTP Remote Code Execution	Suricata	T1190	TTP	WS FTP Server Critical Vulnerabilities	2026-05-13
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint	Suricata	T1190	TTP	Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A	2026-05-13
Zscaler Privacy Risk Destinations Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
VMWare Aria Operations Exploit Attempt	Palo Alto Network Threat	T1068 T1133 T1190 T1210	TTP	VMware Aria Operations vRealize CVE-2023-20887	2026-05-13
Nginx ConnectWise ScreenConnect Authentication Bypass	Nginx Access	T1190	TTP	Hellcat Ransomware, Scattered Lapsus$ Hunters, ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard	2026-05-13
Tomcat Session File Upload Attempt	Nginx Access	T1190 T1505.003	Anomaly	Apache Tomcat Session Deserialization Attacks	2026-05-13
Microsoft SharePoint Server Elevation of Privilege	Suricata	T1068	Anomaly	Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357	2026-05-13
Detect F5 TMUI RCE CVE-2020-5902		T1190	TTP	F5 TMUI RCE CVE-2020-5902	2026-05-13
Fortinet Appliance Auth bypass	Palo Alto Network Threat	T1133 T1190	TTP	CVE-2022-40684 Fortinet Appliance Auth bypass	2026-05-13
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure	Suricata	T1190	Anomaly	Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777	2026-05-13
SQL Injection with Long URLs		T1190	TTP	SQL Injection, GhostRedirector IIS Module and Rungan Backdoor	2026-05-13
Detect Remote Access Software Usage URL	Palo Alto Network Threat	T1219	Anomaly	Command And Control, Ransomware, Remote Monitoring and Management Software, CISA AA24-241A, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters	2026-05-13
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082	Suricata	T1133 T1190	TTP	Ivanti EPMM Remote Unauthenticated Access	2026-05-13
Web Spring Cloud Function FunctionRouter	Splunk Stream HTTP	T1133 T1190	TTP	Spring4Shell CVE-2022-22965	2026-05-13
Zscaler CryptoMiner Downloaded Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
Windows SharePoint ToolPane Endpoint Exploitation Attempt	Suricata	T1190 T1505.003	TTP	Microsoft SharePoint Vulnerabilities	2026-05-13
F5 TMUI Authentication Bypass	Suricata	N/A	TTP	F5 Authentication Bypass with TMUI	2026-05-13
HTTP Request to Reserved Name on IIS Server	Suricata	T1071.001 T1190	TTP	HTTP Request Smuggling	2026-05-13
Confluence CVE-2023-22515 Trigger Vulnerability	Suricata	T1190	TTP	CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	2026-05-13
Jenkins Arbitrary File Read CVE-2024-23897	Nginx Access	T1190	TTP	Jenkins Server Vulnerabilities, Hellcat Ransomware	2026-05-13
Citrix ADC Exploitation CVE-2023-3519	Palo Alto Network Threat	T1190	Hunting	Citrix Netscaler ADC CVE-2023-3519, CISA AA24-241A	2026-05-13
Confluence Data Center and Server Privilege Escalation	Nginx Access	T1190	TTP	Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server	2026-05-13
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952	Palo Alto Network Threat	T1133 T1190	TTP	Hellcat Ransomware, Fortinet FortiNAC CVE-2022-39952	2026-05-13
Monitor Web Traffic For Brand Abuse		N/A	TTP	Brand Monitoring	2026-05-13
Ivanti Connect Secure System Information Access via Auth Bypass	Suricata	T1190	Anomaly	Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A	2026-05-13
Citrix ShareFile Exploitation CVE-2023-24489	Suricata	T1190	Hunting	Citrix ShareFile RCE CVE-2023-24489	2026-05-13
Java Class File download by Java User Agent	Splunk Stream HTTP	T1190	TTP	Log4Shell CVE-2021-44228	2026-05-13
Exploit Public Facing Application via Apache Commons Text	Nginx Access	T1133 T1190 T1505.003	Anomaly	Text4Shell CVE-2022-42889	2026-05-13
Citrix ADC and Gateway Unauthorized Data Disclosure	Suricata	T1190	TTP	Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966, Scattered Lapsus$ Hunters	2026-05-13
Confluence Unauthenticated Remote Code Execution CVE-2022-26134	Palo Alto Network Threat	T1133 T1190 T1505	TTP	Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities	2026-05-13
CrushFTP Authentication Bypass Exploitation	CrushFTP	T1059.001 T1059.003 T1190	TTP	CrushFTP Vulnerabilities, Hellcat Ransomware	2026-05-13
Plain HTTP POST Exfiltrated Data	Splunk Stream HTTP	T1048.003	TTP	Data Exfiltration, APT37 Rustonotto and FadeStealer, Command And Control	2026-05-13
Detect malicious requests to exploit JBoss servers		N/A	TTP	SamSam Ransomware, JBoss Vulnerability	2026-05-13
Zscaler Adware Activities Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
HTTP Rapid POST with Mixed Status Codes	Nginx Access	T1071.001 T1190 T1595	Anomaly	HTTP Request Smuggling	2026-05-13
CrushFTP Max Simultaneous Users From IP	CrushFTP	T1110.001 T1110.004	Anomaly	CrushFTP Vulnerabilities	2026-05-13
Web JSP Request via URL	Nginx Access	T1133 T1190 T1505.003	TTP	Spring4Shell CVE-2022-22965, Earth Alux	2026-05-13
ConnectWise ScreenConnect Authentication Bypass	Suricata	T1190	TTP	ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard	2026-05-13
WordPress Bricks Builder plugin RCE	Nginx Access	T1190	TTP	WordPress Vulnerabilities, Hellcat Ransomware	2026-05-13
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198	Suricata	T1190	TTP	JetBrains TeamCity Vulnerabilities, Hellcat Ransomware	2026-05-13
VMware Workspace ONE Freemarker Server-side Template Injection	Palo Alto Network Threat	T1133 T1190	Anomaly	VMware Server Side Injection and Privilege Escalation	2026-05-13
Zscaler Legal Liability Threat Blocked		T1566	Anomaly	Zscaler Browser Proxy Threats	2026-05-13
HTTP Possible Request Smuggling	Suricata	T1071.001	TTP	HTTP Request Smuggling	2026-05-13
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078	Suricata	T1133 T1190	TTP	Ivanti EPMM Remote Unauthenticated Access	2026-05-13
VMware Server Side Template Injection Hunt	Palo Alto Network Threat	T1133 T1190	Hunting	VMware Server Side Injection and Privilege Escalation	2026-05-13
Multiple Archive Files Http Post Traffic	Splunk Stream HTTP	T1048.003	TTP	Data Exfiltration, APT37 Rustonotto and FadeStealer, Command And Control, Hellcat Ransomware	2026-05-13
ESXi Syslog Config Change	VMWare ESXi Syslog	T1690	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Cisco ASA - Device File Copy to Remote Location	Cisco ASA Logs	T1005 T1041 T1048.003	Anomaly	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
ESXi Shared or Stolen Root Account	VMWare ESXi Syslog	T1078	Anomaly	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
ESXi Bulk VM Termination	VMWare ESXi Syslog	T1499 T1529 T1673	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
ESXi Lockdown Mode Disabled	VMWare ESXi Syslog	T1685	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
ESXi Loghost Config Tampering	VMWare ESXi Syslog	T1685	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta Multiple Accounts Locked Out	Okta	T1110	Anomaly	Okta Account Takeover	2026-05-13
Cisco ASA - Logging Disabled via CLI	Cisco ASA Logs	T1685	TTP	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
ESXi Encryption Settings Modified	VMWare ESXi Syslog	T1685	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
ESXi Firewall Disabled	VMWare ESXi Syslog	T1686	TTP	China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Cisco ASA - New Local User Account Created	Cisco ASA Logs	T1078.003 T1136.001	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
PingID New MFA Method Registered For User	PingID	T1098.005 T1556.006 T1621	TTP	Compromised User Account	2026-05-13
Okta Multi-Factor Authentication Disabled	Okta	T1556.006	TTP	Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
Okta Multiple Users Failing To Authenticate From Ip	Okta	T1110.003	Anomaly	Okta Account Takeover	2026-05-13
Cisco Duo Policy Allow Old Java	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco Duo Admin Login Unusual Os	Cisco Duo Activity	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco ASA - User Privilege Level Change	Cisco ASA Logs	T1078.003 T1098	Anomaly	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
ESXi SSH Brute Force	VMWare ESXi Syslog	T1110	Anomaly	ESXi Post Compromise, Hellcat Ransomware, Black Basta Ransomware	2026-05-13
ESXi Sensitive Files Accessed	VMWare ESXi Syslog	T1003.008 T1005	TTP	China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta Suspicious Use of a Session Cookie	Okta	T1539	Anomaly	Scattered Lapsus$ Hunters, Okta Account Takeover, Suspicious Okta Activity	2026-05-13
M365 Copilot Application Usage Pattern Anomalies	M365 Copilot Graph API	T1078	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
Zoom Rare Input Devices		T1123	Hunting	Remote Employment Fraud	2026-05-13
ESXi Shell Access Enabled	VMWare ESXi Syslog	T1021	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Detect Password Spray Attempts	Windows Event Log Security 4625	T1110.003	TTP	Active Directory Password Spraying, Compromised User Account	2026-05-13
Splunk AppDynamics Secure Application Alerts	Splunk AppDynamics Secure Application Alert	N/A	Anomaly	Critical Alerts	2026-05-13
Cisco Duo Policy Allow Devices Without Screen Lock	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
ESXi SSH Enabled	VMWare ESXi Syslog	T1021.004	TTP	ESXi Post Compromise, Hellcat Ransomware, Black Basta Ransomware	2026-05-13
M365 Copilot Failed Authentication Patterns	M365 Copilot Graph API	T1110	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
Okta New API Token Created	Okta	T1078.001	TTP	Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
M365 Copilot Non Compliant Devices Accessing M365 Copilot	M365 Copilot Graph API	T1685	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
Cisco Duo Policy Allow Old Flash	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco Duo Admin Login Unusual Country	Cisco Duo Activity	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco AI Defense Security Alerts by Application Name	Cisco AI Defense Alerts	N/A	Anomaly	Critical Alerts	2026-05-13
MCP Sensitive System File Search	MCP Server	T1552.001	Hunting	Suspicious MCP Activities	2026-05-13
M365 Copilot Jailbreak Attempts	M365 Exported eDiscovery Prompts	T1685	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
Ivanti VTM New Account Creation	Ivanti VTM Audit	T1190	TTP	Ivanti Virtual Traffic Manager CVE-2024-7593, Scattered Lapsus$ Hunters, Hellcat Ransomware	2026-05-13
Zoom High Video Latency		T1078	Anomaly	Remote Employment Fraud	2026-05-13
Okta Phishing Detection with FastPass Origin Check	Okta	T1078.001 T1556	TTP	Okta Account Takeover	2026-05-13
ESXi External Root Login Activity	VMWare ESXi Syslog	T1078	Anomaly	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Cisco ASA - User Account Deleted From Local Database	Cisco ASA Logs	T1070.008 T1531	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Cisco ASA - AAA Policy Tampering	Cisco ASA Logs	T1556.004	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Okta New Device Enrolled on Account	Okta	T1098.005	TTP	Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
PingID Multiple Failed MFA Requests For User	PingID	T1078 T1110 T1621	TTP	Compromised User Account	2026-05-13
Email servers sending high volume traffic to hosts		T1114.002	Anomaly	Collection and Staging, HAFNIUM Group	2026-05-13
No Windows Updates in a time frame		N/A	Hunting	Monitor for Updates	2026-05-13
Cisco Duo Bypass Code Generation	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
MCP Github Suspicious Operation	MCP Server	T1552.001	Hunting	Suspicious MCP Activities	2026-05-13
Cisco ASA - Logging Message Suppression	Cisco ASA Logs	T1070 T1685.001	Anomaly	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Cisco ASA - Reconnaissance Command Activity	Cisco ASA Logs	T1082 T1590.001 T1590.005	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Cisco Duo Policy Skip 2FA for Other Countries	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
ESXi Account Modified	VMWare ESXi Syslog	T1078 T1098 T1136.001	Anomaly	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta IDP Lifecycle Modifications	Okta	T1087.004	Anomaly	Suspicious Okta Activity	2026-05-13
ESXi User Granted Admin Role	VMWare ESXi Syslog	T1078 T1098	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Ollama Abnormal Service Crash Availability Attack	Ollama Server	T1489	Anomaly	Suspicious Ollama Activities	2026-05-13
ESXi Reverse Shell Patterns	VMWare ESXi Syslog	T1059	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Email Attachments With Lots Of Spaces		T1036.008 T1566.001	Anomaly	Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails, Data Destruction	2026-05-13
Ollama Possible Memory Exhaustion Resource Abuse	Ollama Server	T1499	Anomaly	Suspicious Ollama Activities	2026-05-13
Ollama Possible RCE via Model Loading	Ollama Server	T1190	Anomaly	Suspicious Ollama Activities	2026-05-13
Detect HTML Help Spawn Child Process	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1218.001	TTP	Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, AgentTesla, Suspicious Compiled HTML Activity	2026-05-13
Okta Suspicious Activity Reported	Okta	T1078.001	TTP	Okta Account Takeover	2026-05-13
ESXi System Clock Manipulation	VMWare ESXi Syslog	T1070.006	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Cisco ASA - Core Syslog Message Volume Drop	Cisco ASA Logs	T1685	Hunting	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Zoom Rare Audio Devices		T1123	Hunting	Remote Employment Fraud	2026-05-13
Cisco ASA - Packet Capture Activity	Cisco ASA Logs	T1040 T1557	Anomaly	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
PingID New MFA Method After Credential Reset	PingID	T1098.005 T1556.006 T1621	TTP	Scattered Lapsus$ Hunters, Compromised User Account	2026-05-13
ESXi VM Discovery	VMWare ESXi Syslog	T1673	TTP	China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta Multiple Failed MFA Requests For User	Okta	T1621	Anomaly	Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
Okta Risk Threshold Exceeded	Okta	T1078 T1110	Correlation	Okta MFA Exhaustion, Suspicious Okta Activity, Okta Account Takeover	2026-05-13
Okta Unauthorized Access to Application	Okta	T1087.004	Anomaly	Okta Account Takeover	2026-05-13
Suspicious Java Classes		T1190	Anomaly	Apache Struts Vulnerability	2026-05-13
MCP Prompt Injection	MCP Server	T1059	TTP	Suspicious MCP Activities	2026-05-13
Ollama Abnormal Network Connectivity	Ollama Server	T1571	Anomaly	Suspicious Ollama Activities	2026-05-13
Monitor Email For Brand Abuse		N/A	TTP	Brand Monitoring, Suspicious Emails, Scattered Lapsus$ Hunters	2026-05-13
Okta User Logins from Multiple Cities	Okta	T1586.003	Anomaly	Okta Account Takeover	2026-05-13
Cisco Duo Bulk Policy Deletion	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Detect Distributed Password Spray Attempts	Azure Active Directory Sign-in activity	T1110.003	Hunting	Active Directory Password Spraying, Compromised User Account	2026-05-13
Ollama Suspicious Prompt Injection Jailbreak	Ollama Server	T1059 T1190	Anomaly	Suspicious Ollama Activities	2026-05-13
ESXi VIB Acceptance Level Tampering	VMWare ESXi Syslog	T1685	TTP	China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Suspicious Email Attachment Extensions		T1566.001	Anomaly	Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails, Data Destruction	2026-05-13
Cisco Duo Policy Allow Tampered Devices	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco Duo Set User Status to Bypass 2FA	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Okta Multiple Failed Requests to Access Applications	Okta	T1538 T1550.004	Hunting	Okta Account Takeover	2026-05-13
Email files written outside of the Outlook directory	Sysmon EventID 11	T1114.001	TTP	Collection and Staging	2026-05-13
M365 Copilot Information Extraction Jailbreak Attack	M365 Exported eDiscovery Prompts	T1685	TTP	Suspicious Microsoft 365 Copilot Activities	2026-05-13
CrushFTP Server Side Template Injection	CrushFTP	T1190	TTP	CrushFTP Vulnerabilities, Hellcat Ransomware	2026-05-13
MCP Postgres Suspicious Query	MCP Server	T1555	Hunting	Suspicious MCP Activities	2026-05-13
Cisco Duo Policy Deny Access	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Cisco Duo Policy Bypass 2FA	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
ESXi Malicious VIB Forced Install	VMWare ESXi Syslog	T1505.006	TTP	China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta Mismatch Between Source and Response for Verify Push Request	Okta	T1621	TTP	Okta MFA Exhaustion, Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
Cisco ASA - Logging Filters Configuration Tampering	Cisco ASA Logs	T1685	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
MCP Filesystem Server Suspicious Extension Write	MCP Server	T1059	Hunting	Suspicious MCP Activities	2026-05-13
Okta MFA Exhaustion Hunt	Okta	T1110	Hunting	Okta MFA Exhaustion, Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
ESXi System Information Discovery	VMWare ESXi Syslog	T1082	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Okta Successful Single Factor Authentication	Okta	T1078.004 T1586.003 T1621	Anomaly	Okta Account Takeover	2026-05-13
ESXi Audit Tampering	VMWare ESXi Syslog	T1070 T1690	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Ollama Excessive API Requests	Ollama Server	T1498	Anomaly	Suspicious Ollama Activities	2026-05-13
M365 Copilot Session Origin Anomalies	M365 Copilot Graph API	T1078	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
M365 Copilot Agentic Jailbreak Attack	M365 Exported eDiscovery Prompts	T1685	Anomaly	Suspicious Microsoft 365 Copilot Activities	2026-05-13
ESXi VM Exported via Remote Tool	VMWare ESXi Syslog	T1005	TTP	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
Cisco ASA - Device File Copy Activity	Cisco ASA Logs	T1005 T1530	Anomaly	ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Cisco ASA - User Account Lockout Threshold Exceeded	Cisco ASA Logs	T1110.001 T1110.003	Anomaly	Suspicious Cisco Adaptive Security Appliance Activity	2026-05-13
Cisco Duo Policy Allow Network Bypass 2FA	Cisco Duo Administrator	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
Zoom Rare Video Devices		T1123	Hunting	Remote Employment Fraud	2026-05-13
Detect New Login Attempts to Routers		N/A	TTP	Router and Infrastructure Security, Scattered Lapsus$ Hunters	2026-05-13
Ollama Possible API Endpoint Scan Reconnaissance	Ollama Server	T1595	Anomaly	Suspicious Ollama Activities	2026-05-13
Ollama Possible Model Exfiltration Data Leakage	Ollama Server	T1048	Anomaly	Suspicious Ollama Activities	2026-05-13
Okta Authentication Failed During MFA Challenge	Okta	T1078.004 T1586.003 T1621	TTP	Scattered Lapsus$ Hunters, Okta Account Takeover	2026-05-13
Okta ThreatInsight Threat Detected	Okta	T1078.004	Anomaly	Okta Account Takeover	2026-05-13
PingID Mismatch Auth Source and Verification Response	PingID	T1098.005 T1556.006 T1621	TTP	Compromised User Account	2026-05-13
Cisco Duo Admin Login Unusual Browser	Cisco Duo Activity	T1556	TTP	Cisco Duo Suspicious Activity	2026-05-13
ESXi Download Errors	VMWare ESXi Syslog	T1601.001 T1685	Anomaly	ESXi Post Compromise, Black Basta Ransomware	2026-05-13
O365 ZAP Activity Detection	Office 365 Universal Audit Log	T1566.001 T1566.002	Anomaly	Suspicious Emails, Spearphishing Attachments	2026-05-13
AWS Defense Evasion Impair Security Services	AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteWebACL	T1685.002	TTP	AWS Defense Evasion	2026-05-13
O365 Excessive SSO logon errors	O365 UserLoginFailed	T1556	Anomaly	Cloud Federated Credential Abuse, Office 365 Account Takeover	2026-05-13
GCP Successful Single-Factor Authentication	Google Workspace	T1078.004 T1586.003	TTP	GCP Account Takeover, Scattered Lapsus$ Hunters	2026-05-13
Kubernetes Scanner Image Pulling		T1526	TTP	Dev Sec Ops	2026-05-13
O365 Email Transport Rule Changed	Office 365 Universal Audit Log	T1114.003 T1564.008	Anomaly	Data Exfiltration, Office 365 Account Takeover	2026-05-13
O365 Advanced Audit Disabled	O365 Change user license.	T1685.002	TTP	Office 365 Persistence Mechanisms	2026-05-13
ASL AWS IAM Successful Group Deletion	ASL AWS CloudTrail	T1069.003 T1098	Hunting	AWS IAM Privilege Escalation	2026-05-13
AWS SAML Update identity provider	AWS CloudTrail UpdateSAMLProvider	T1078	TTP	Cloud Federated Credential Abuse	2026-05-13
ASL AWS IAM AccessDenied Discovery Events	ASL AWS CloudTrail	T1580	Anomaly	Suspicious Cloud User Activities	2026-05-13
ASL AWS Disable Bucket Versioning	ASL AWS CloudTrail	T1490	Anomaly	Data Exfiltration, Suspicious AWS S3 Activities	2026-05-13
ASL AWS ECR Container Upload Unknown User	ASL AWS CloudTrail	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
AWS Multiple Failed MFA Requests For User	AWS CloudTrail ConsoleLogin	T1586.003 T1621	Anomaly	AWS Identity and Access Management Account Takeover	2026-05-13
AWS Network Access Control List Created with All Open Ports	AWS CloudTrail ReplaceNetworkAclEntry, AWS CloudTrail CreateNetworkAclEntry	T1686.001	TTP	AWS Network ACL Activity	2026-05-13
O365 Cross-Tenant Access Change	Office 365 Universal Audit Log	T1484.002	TTP	Azure Active Directory Persistence	2026-05-13
Kubernetes newly seen UDP edge		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
GCP Detect gcploit framework		T1078	TTP	GCP Cross Account Activity	2026-05-13
Kubernetes Cron Job Creation	Kubernetes Audit	T1053.007	Anomaly	Kubernetes Security	2026-05-13
Cloud Provisioning Activity From Previously Unseen IP Address	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2026-05-13
O365 Service Principal Privilege Escalation	O365 Add app role assignment grant to user.	T1098.003	TTP	Office 365 Account Takeover, Azure Active Directory Privilege Escalation	2026-05-13
Microsoft Intune Device Health Scripts	Azure Monitor Activity	T1021.007 T1072 T1105 T1202	Hunting	Azure Active Directory Account Takeover	2026-05-13
Azure AD Multiple Denied MFA Requests For User	Azure Active Directory Sign-in activity	T1621	TTP	Azure Active Directory Account Takeover	2026-05-13
Detect AWS Console Login by New User	AWS CloudTrail	T1552 T1586.003	Hunting	Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover	2026-05-13
O365 SharePoint Suspicious Search Behavior	Office 365 Universal Audit Log	T1213.002 T1552	Anomaly	Office 365 Account Takeover, CISA AA22-320A, Office 365 Collection Techniques, Compromised User Account	2026-05-13
O365 File Permissioned Application Consent Granted by User	O365 Consent to application.	T1528	TTP	Office 365 Account Takeover	2026-05-13
O365 Email Reported By User Found Malicious	Office 365 Universal Audit Log	T1566.001 T1566.002	TTP	Suspicious Emails, Spearphishing Attachments	2026-05-13
ASL AWS New MFA Method Registered For User	ASL AWS CloudTrail	T1556.006	TTP	AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes Nginx Ingress LFI		T1212	TTP	Dev Sec Ops	2026-05-13
O365 Email Security Feature Changed	Office 365 Universal Audit Log	T1685.002	TTP	Office 365 Account Takeover, Office 365 Persistence Mechanisms	2026-05-13
AWS Excessive Security Scanning	AWS CloudTrail	T1526	TTP	AWS User Monitoring	2026-05-13
GitHub Organizations Disable Dependabot	GitHub Organizations Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
Azure AD Successful PowerShell Authentication	Azure Active Directory	T1078.004 T1586.003	TTP	Azure Active Directory Account Takeover	2026-05-13
Azure AD New Federated Domain Added	Azure Active Directory Set domain authentication	T1484.002	TTP	Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Storm-0501 Ransomware, Hellcat Ransomware	2026-05-13
Gsuite Drive Share In External Email	G Suite Drive	T1567.002	Anomaly	Dev Sec Ops, Insider Threat, Scattered Lapsus$ Hunters	2026-05-13
AWS ECR Container Upload Outside Business Hours	AWS CloudTrail PutImage	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
ASL AWS ECR Container Upload Outside Business Hours	ASL AWS CloudTrail	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
AWS Exfiltration via Bucket Replication	AWS CloudTrail PutBucketReplication	T1537	TTP	Data Exfiltration, Suspicious AWS S3 Activities	2026-05-13
Kubernetes Shell Running on Worker Node with CPU Activity		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
O365 Multiple Service Principals Created by User	O365 Add service principal.	T1136.003	Anomaly	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
Cloud Provisioning Activity From Previously Unseen City	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2026-05-13
Gsuite Suspicious Shared File Name	G Suite Drive	T1566.001	Anomaly	Dev Sec Ops	2026-05-13
Detect Spike in AWS Security Hub Alerts for User	AWS Security Hub	N/A	Anomaly	Critical Alerts, AWS Security Hub Alerts	2026-05-13
ASL AWS Defense Evasion Delete CloudWatch Log Group	ASL AWS CloudTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
Kubernetes Nginx Ingress RFI		T1212	TTP	Dev Sec Ops	2026-05-13
ASL AWS UpdateLoginProfile	ASL AWS CloudTrail	T1136.003	TTP	AWS IAM Privilege Escalation	2026-05-13
O365 Mailbox Email Forwarding Enabled		T1114.003	TTP	Office 365 Collection Techniques	2026-05-13
AWS Console Login Failed During MFA Challenge	AWS CloudTrail ConsoleLogin	T1586.003 T1621	TTP	Compromised User Account, AWS Identity and Access Management Account Takeover	2026-05-13
AWS Lambda UpdateFunctionCode	AWS CloudTrail	T1204	Hunting	Suspicious Cloud User Activities	2026-05-13
ASL AWS Detect Users creating keys with encrypt policy without MFA	ASL AWS CloudTrail	T1486	TTP	Ransomware Cloud	2026-05-13
O365 Multi-Source Failed Authentications Spike	O365 UserLoginFailed	T1110.003 T1110.004 T1586.003	Hunting	Office 365 Account Takeover, NOBELIUM Group	2026-05-13
O365 Privileged Role Assigned	Office 365 Universal Audit Log	T1098.003	TTP	Azure Active Directory Persistence, Scattered Lapsus$ Hunters	2026-05-13
Detect Spike in AWS Security Hub Alerts for EC2 Instance	AWS Security Hub	N/A	Anomaly	Critical Alerts, AWS Security Hub Alerts	2026-05-13
Azure AD AzureHound UserAgent Detected	Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs	T1087.004 T1526	TTP	Azure Active Directory Privilege Escalation, Compromised User Account	2026-05-13
AWS Concurrent Sessions From Different Ips	AWS CloudTrail DescribeEventAggregates	T1185	TTP	AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters, Compromised User Account	2026-05-13
O365 Bypass MFA via Trusted IP	O365 Set Company Information.	T1686.001	TTP	Office 365 Persistence Mechanisms	2026-05-13
Azure AD External Guest User Invited	Azure Active Directory Invite external user	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
Microsoft Intune Mobile Apps	Azure Monitor Activity	T1021.007 T1072 T1105 T1202	Hunting	Azure Active Directory Account Takeover	2026-05-13
Kubernetes Scanning by Unauthenticated IP Address	Kubernetes Audit	T1046	Anomaly	Kubernetes Security	2026-05-13
AWS ECR Container Scanning Findings Low Informational Unknown	AWS CloudTrail DescribeImageScanFindings	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
AWS Credential Access Failed Login	AWS CloudTrail ConsoleLogin	T1110.001 T1586.003	TTP	AWS Identity and Access Management Account Takeover	2026-05-13
O365 Privileged Graph API Permission Assigned	O365 Update application.	T1003.002	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
Kubernetes Falco Shell Spawned	Kubernetes Falco	T1204	Anomaly	Kubernetes Security	2026-05-13
AWS Exfiltration via EC2 Snapshot	AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail DescribeSnapshotAttribute	T1537	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2026-05-13
Azure AD OAuth Application Consent Granted By User	Azure Active Directory Consent to application	T1528	TTP	Azure Active Directory Account Takeover	2026-05-13
AWS IAM AccessDenied Discovery Events	AWS CloudTrail	T1580	Anomaly	Suspicious Cloud User Activities	2026-05-13
Amazon EKS Kubernetes cluster scan detection		T1526	Hunting	Kubernetes Scanning Activity	2026-05-13
Kubernetes Abuse of Secret by Unusual Location	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2026-05-13
Detect Spike in blocked Outbound Traffic from your AWS		N/A	Anomaly	Suspicious AWS Traffic, AWS Network ACL Activity, Command And Control	2026-05-13
O365 PST export alert	O365	T1114	TTP	Data Exfiltration, Office 365 Collection Techniques	2026-05-13
GCP Multiple Users Failing To Authenticate From Ip	Google Workspace	T1110.003 T1110.004 T1586.003	Anomaly	GCP Account Takeover	2026-05-13
AWS Bedrock Delete Model Invocation Logging Configuration	AWS CloudTrail DeleteModelInvocationLoggingConfiguration	T1685.002	TTP	AWS Bedrock Security	2026-05-13
Cloud Compute Instance Created By Previously Unseen User	AWS CloudTrail	T1078.004	Anomaly	Cloud Cryptomining	2026-05-13
O365 High Number Of Failed Authentications for User	O365 UserLoginFailed	T1110.001	TTP	Office 365 Account Takeover	2026-05-13
Kubernetes Abuse of Secret by Unusual User Name	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2026-05-13
ASL AWS Multi-Factor Authentication Disabled	ASL AWS CloudTrail	T1556.006 T1586.003 T1621	TTP	AWS Identity and Access Management Account Takeover	2026-05-13
GitHub Enterprise Disable IP Allow List	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
O365 Add App Role Assignment Grant User	O365 Add app role assignment grant to user.	T1136.003	TTP	Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms	2026-05-13
Azure AD Privileged Authentication Administrator Role Assigned	Azure Active Directory Add member to role	T1003.002	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation	2026-05-13
AWS Defense Evasion Update Cloudtrail	AWS CloudTrail UpdateTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
GitHub Organizations Repository Archived	GitHub Organizations Audit Logs	T1195 T1485	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
Azure AD Service Principal Authentication	Azure Active Directory Sign-in activity	T1078.004	TTP	Azure Active Directory Account Takeover, NOBELIUM Group	2026-05-13
Kubernetes Anomalous Outbound Network Activity from Process		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Azure AD Global Administrator Role Assigned	Azure Active Directory Add member to role	T1098.003	TTP	Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation	2026-05-13
AWS IAM Assume Role Policy Brute Force	AWS CloudTrail	T1110 T1580	TTP	AWS IAM Privilege Escalation	2026-05-13
AWS Network Access Control List Deleted	AWS CloudTrail DeleteNetworkAclEntry	T1686.001	Anomaly	AWS Network ACL Activity	2026-05-13
O365 New Forwarding Mailflow Rule Created		T1114	TTP	Office 365 Collection Techniques	2026-05-13
O365 FullAccessAsApp Permission Assigned	O365 Update application.	T1098.002 T1098.003	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
ASL AWS Create Access Key	ASL AWS CloudTrail	T1136.003	Hunting	AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters	2026-05-13
Azure AD High Number Of Failed Authentications From Ip	Azure Active Directory	T1110.001 T1110.003	TTP	Azure Active Directory Account Takeover, NOBELIUM Group, Compromised User Account	2026-05-13
Azure AD Concurrent Sessions From Different Ips	Azure Active Directory	T1185	TTP	Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters, Compromised User Account	2026-05-13
Azure AD PIM Role Assigned	Azure Active Directory	T1098.003	TTP	Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation	2026-05-13
Azure AD Tenant Wide Admin Consent Granted	Azure Active Directory Consent to application	T1098.003	TTP	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
Kubernetes Abuse of Secret by Unusual User Agent	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2026-05-13
O365 DLP Rule Triggered	Office 365 Universal Audit Log	T1048 T1567	Anomaly	Data Exfiltration	2026-05-13
AWS ECR Container Scanning Findings Medium	AWS CloudTrail DescribeImageScanFindings	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
AWS Successful Single-Factor Authentication	AWS CloudTrail ConsoleLogin	T1078.004 T1586.003	TTP	AWS Identity and Access Management Account Takeover	2026-05-13
AWS CreateLoginProfile	AWS CloudTrail CreateLoginProfile, AWS CloudTrail ConsoleLogin	T1136.003	TTP	AWS IAM Privilege Escalation	2026-05-13
AWS Bedrock Delete Knowledge Base	AWS CloudTrail DeleteKnowledgeBase	T1485	TTP	AWS Bedrock Security	2026-05-13
AWS Exfiltration via Anomalous GetObject API Activity	AWS CloudTrail GetObject	T1119	Anomaly	Data Exfiltration	2026-05-13
GitHub Organizations Delete Branch Ruleset	GitHub Organizations Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
AWS Credential Access RDS Password reset	AWS CloudTrail ModifyDBInstance	T1110 T1586.003	TTP	Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover	2026-05-13
ASL AWS Network Access Control List Created with All Open Ports	ASL AWS CloudTrail	T1686.001	TTP	AWS Network ACL Activity	2026-05-13
GitHub Enterprise Register Self Hosted Runner	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
AWS Detect Users with KMS keys performing encryption S3	AWS CloudTrail	T1486	Anomaly	Ransomware Cloud	2026-05-13
ASL AWS Defense Evasion Update Cloudtrail	ASL AWS CloudTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
O365 Email Send Attachments Excessive Volume	Office 365 Universal Audit Log	T1070.008 T1485	Anomaly	Office 365 Account Takeover, Suspicious Emails	2026-05-13
Azure AD Device Code Authentication	Azure Active Directory	T1528 T1566.002	TTP	Azure Active Directory Account Takeover	2026-05-13
AWS EC2 Snapshot Shared Externally	AWS CloudTrail ModifySnapshotAttribute	T1537	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2026-05-13
GitHub Enterprise Repository Deleted	GitHub Enterprise Audit Logs	T1195 T1485	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
O365 Privileged Role Assigned To Service Principal	Office 365 Universal Audit Log	T1098.003	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation	2026-05-13
O365 SharePoint Malware Detection	Office 365 Universal Audit Log	T1204.002	TTP	Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud	2026-05-13
O365 Multiple Mailboxes Accessed via API	O365 MailItemsAccessed	T1114.002	TTP	Office 365 Collection Techniques, NOBELIUM Group	2026-05-13
AWS Disable Bucket Versioning	AWS CloudTrail PutBucketVersioning	T1490	Anomaly	Data Exfiltration, Suspicious AWS S3 Activities	2026-05-13
O365 Safe Links Detection	Office 365 Universal Audit Log	T1566.001	TTP	Office 365 Account Takeover, Spearphishing Attachments	2026-05-13
AWS Defense Evasion Delete CloudWatch Log Group	AWS CloudTrail DeleteLogGroup	T1685.002	TTP	AWS Defense Evasion	2026-05-13
GCP Multi-Factor Authentication Disabled	Google Workspace	T1556.006 T1586.003	TTP	GCP Account Takeover, Scattered Lapsus$ Hunters	2026-05-13
GCP Unusual Number of Failed Authentications From Ip	Google Workspace	T1110.003 T1110.004 T1586.003	Anomaly	GCP Account Takeover	2026-05-13
Azure AD Multiple Service Principals Created by User	Azure Active Directory Add service principal	T1136.003	Anomaly	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
Kubernetes Previously Unseen Process		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Kubernetes Abuse of Secret by Unusual User Group	Kubernetes Audit	T1552.007	Anomaly	Kubernetes Security	2026-05-13
Detect New Open S3 buckets	AWS CloudTrail	T1530	TTP	Suspicious AWS S3 Activities	2026-05-13
AWS Credential Access GetPasswordData	AWS CloudTrail GetPasswordData	T1110.001 T1586.003	Anomaly	AWS Identity and Access Management Account Takeover	2026-05-13
ASL AWS Defense Evasion Stop Logging Cloudtrail	ASL AWS CloudTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
GitHub Enterprise Delete Branch Ruleset	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
O365 Application Registration Owner Added	O365 Add owner to application.	T1098	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
Azure AD User Consent Denied for OAuth Application	Azure Active Directory Sign-in activity	T1528	TTP	Azure Active Directory Account Takeover	2026-05-13
ASL AWS Concurrent Sessions From Different Ips	ASL AWS CloudTrail	T1185	Anomaly	AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters, Compromised User Account	2026-05-13
AWS SetDefaultPolicyVersion	AWS CloudTrail SetDefaultPolicyVersion	T1078.004	TTP	AWS IAM Privilege Escalation	2026-05-13
O365 Security And Compliance Alert Triggered		T1078.004	TTP	Office 365 Account Takeover	2026-05-13
AWS Detect Users creating keys with encrypt policy without MFA	AWS CloudTrail PutKeyPolicy, AWS CloudTrail CreateKey	T1486	TTP	Ransomware Cloud	2026-05-13
AWS Multiple Users Failing To Authenticate From Ip	AWS CloudTrail ConsoleLogin	T1110.003 T1110.004	Anomaly	Compromised User Account, AWS Identity and Access Management Account Takeover	2026-05-13
ASL AWS Credential Access RDS Password reset	ASL AWS CloudTrail	T1110 T1586.003	TTP	Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes newly seen TCP edge		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Circle CI Disable Security Job	CircleCI	T1554	Anomaly	Dev Sec Ops	2026-05-13
Gdrive suspicious file sharing		T1566	Hunting	Data Exfiltration, Scattered Lapsus$ Hunters, Spearphishing Attachments	2026-05-13
Detect S3 access from a new IP		T1530	Anomaly	Suspicious AWS S3 Activities	2026-05-13
AWS Successful Console Authentication From Multiple IPs	AWS CloudTrail ConsoleLogin	T1535 T1586	Anomaly	Suspicious AWS Login Activities, Compromised User Account	2026-05-13
GCP Authentication Failed During MFA Challenge	Google Workspace login_failure	T1078.004 T1586.003 T1621	TTP	GCP Account Takeover, Scattered Lapsus$ Hunters	2026-05-13
Azure AD Service Principal Privilege Escalation	Azure Active Directory Add app role assignment to service principal	T1098.003	TTP	Azure Active Directory Privilege Escalation	2026-05-13
ASL AWS Credential Access GetPasswordData	ASL AWS CloudTrail	T1110.001 T1586.003	Anomaly	AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes Anomalous Inbound to Outbound Network IO Ratio		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
O365 Email Suspicious Search Behavior	Office 365 Universal Audit Log	T1114.002 T1552	Anomaly	Office 365 Account Takeover, CISA AA22-320A, Office 365 Collection Techniques, Compromised User Account	2026-05-13
O365 OAuth App Mailbox Access via Graph API	O365 MailItemsAccessed	T1114.002	TTP	Office 365 Collection Techniques, NOBELIUM Group	2026-05-13
AWS Exfiltration via Batch Service	AWS CloudTrail JobCreated	T1119	TTP	Data Exfiltration	2026-05-13
O365 Service Principal New Client Credentials	O365	T1098.001	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
Microsoft Intune Bulk Wipe	Azure Monitor Activity	T1561.001	TTP	Azure Active Directory Account Takeover	2026-05-13
GitHub Organizations Disable 2FA Requirement	GitHub Organizations Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
O365 Mail Permissioned Application Consent Granted by User	O365 Consent to application.	T1528	TTP	Office 365 Account Takeover	2026-05-13
Gsuite Email Suspicious Subject With Attachment	G Suite Gmail	T1566.001	Anomaly	Dev Sec Ops	2026-05-13
O365 Email Password and Payroll Compromise Behavior	Office 365 Reporting Message Trace, Office 365 Universal Audit Log	T1070.008 T1114.001 T1485	TTP	Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques	2026-05-13
AWS ECR Container Upload Unknown User	AWS CloudTrail PutImage	T1204.003	Anomaly	Dev Sec Ops	2026-05-13
Azure AD Multiple Failed MFA Requests For User	Azure Active Directory Sign-in activity	T1078.004 T1586.003 T1621	TTP	Azure Active Directory Account Takeover	2026-05-13
O365 New Federated Domain Added	O365	T1136.003	TTP	Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms	2026-05-13
O365 Threat Intelligence Suspicious File Detected	Office 365 Universal Audit Log	T1204.002	TTP	Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud	2026-05-13
Kubernetes Shell Running on Worker Node		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Circle CI Disable Security Step	CircleCI	T1554	Anomaly	Dev Sec Ops	2026-05-13
O365 Mailbox Read Access Granted to Application	O365 Update application.	T1098.003 T1114.002	TTP	Office 365 Persistence Mechanisms	2026-05-13
O365 Block User Consent For Risky Apps Disabled	O365 Update authorization policy.	T1685	TTP	Office 365 Account Takeover	2026-05-13
GitHub Enterprise Disable Audit Log Event Stream	GitHub Enterprise Audit Logs	T1195 T1685.002	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
O365 Exfiltration via File Sync Download	Office 365 Universal Audit Log	T1530 T1567	Anomaly	Data Exfiltration, Office 365 Account Takeover	2026-05-13
O365 Email Receive and Hard Delete Takeover Behavior	Office 365 Reporting Message Trace, Office 365 Universal Audit Log	T1070.008 T1114.001 T1485	Anomaly	Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques	2026-05-13
O365 New MFA Method Registered	O365 Update user.	T1098.005	TTP	Office 365 Persistence Mechanisms	2026-05-13
O365 Disable MFA	O365 Disable Strong Authentication.	T1556	TTP	Office 365 Persistence Mechanisms	2026-05-13
O365 Added Service Principal	O365	T1136.003	TTP	Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
AWS Bedrock Delete GuardRails	AWS CloudTrail DeleteGuardrail	T1685.002	TTP	AWS Bedrock Security	2026-05-13
ASL AWS Defense Evasion Impair Security Services	ASL AWS CloudTrail	T1685.002	Hunting	AWS Defense Evasion	2026-05-13
AWS High Number Of Failed Authentications For User	AWS CloudTrail ConsoleLogin	T1201	Anomaly	AWS Identity and Access Management Account Takeover, Compromised User Account	2026-05-13
AWS UpdateLoginProfile	AWS CloudTrail UpdateLoginProfile	T1136.003	TTP	AWS IAM Privilege Escalation	2026-05-13
Detect AWS Console Login by User from New Region	AWS CloudTrail	T1535 T1586.003	Hunting	Suspicious AWS Login Activities, Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes Process with Resource Ratio Anomalies		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Cloud Compute Instance Created In Previously Unused Region	AWS CloudTrail	T1535	Anomaly	Cloud Cryptomining	2026-05-13
Kubernetes Anomalous Inbound Outbound Network IO		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
ASL AWS Network Access Control List Deleted	ASL AWS CloudTrail	T1686.001	Anomaly	AWS Network ACL Activity, Scattered Lapsus$ Hunters	2026-05-13
Kubernetes Node Port Creation	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
O365 High Privilege Role Granted	O365 Add member to role.	T1098.003	TTP	Office 365 Persistence Mechanisms	2026-05-13
Azure AD Service Principal Created	Azure Active Directory Add service principal	T1136.003	TTP	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
Cloud Compute Instance Created With Previously Unseen Instance Type	AWS CloudTrail	T1578.002	Anomaly	Cloud Cryptomining	2026-05-13
O365 Email Hard Delete Excessive Volume	Office 365 Universal Audit Log	T1070.008 T1485	Anomaly	Office 365 Account Takeover, Suspicious Emails, Data Destruction	2026-05-13
Okta Non-Standard VPN Usage	Okta	T1078 T1090 T1572	TTP	Remote Employment Fraud, Suspicious Okta Activity	2026-05-13
ASL AWS IAM Delete Policy	ASL AWS CloudTrail	T1098	Hunting	AWS IAM Privilege Escalation	2026-05-13
Azure AD Block User Consent For Risky Apps Disabled	Azure Active Directory Update authorization policy	T1685	TTP	Azure Active Directory Account Takeover	2026-05-13
AWS AMI Attribute Modification for Exfiltration	AWS CloudTrail ModifyImageAttribute	T1537	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2026-05-13
Cloud Provisioning Activity From Previously Unseen Country	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2026-05-13
Azure AD Service Principal Owner Added	Azure Active Directory Add owner to application	T1098	TTP	Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group	2026-05-13
Azure Runbook Webhook Created	Azure Audit Create or Update an Azure Automation webhook	T1078.004	TTP	Azure Active Directory Persistence	2026-05-13
AWS S3 Exfiltration Behavior Identified		T1537	Correlation	Data Exfiltration, Suspicious Cloud Instance Activities	2026-05-13
Detect AWS Console Login by User from New City	AWS CloudTrail	T1535 T1586.003	Hunting	Suspicious AWS Login Activities, Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes Suspicious Image Pulling	Kubernetes Audit	T1526	Anomaly	Kubernetes Security	2026-05-13
AWS Defense Evasion Delete Cloudtrail	AWS CloudTrail DeleteTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
ASL AWS EC2 Snapshot Shared Externally	ASL AWS CloudTrail	T1537	TTP	Data Exfiltration, Suspicious Cloud Instance Activities	2026-05-13
O365 Multiple OS Vendors Authenticating From User	Office 365 Universal Audit Log	T1110	TTP	Office 365 Account Takeover	2026-05-13
GitHub Organizations Disable Classic Branch Protection Rule	GitHub Organizations Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
O365 SharePoint Allowed Domains Policy Changed	Office 365 Universal Audit Log	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
Kubernetes Previously Unseen Container Image Name		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Microsoft Intune Manual Device Management	Azure Monitor Activity	T1021.007 T1072 T1529	Hunting	Azure Active Directory Account Takeover	2026-05-13
Kubernetes Anomalous Inbound Network Activity from Process		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
O365 Exfiltration via File Access	Office 365 Universal Audit Log	T1530 T1567	Anomaly	Data Exfiltration, Office 365 Account Takeover	2026-05-13
Kubernetes Pod With Host Network Attachment	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
O365 Email Suspicious Behavior Alert	Office 365 Universal Audit Log	T1114.003	TTP	Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails	2026-05-13
O365 Compliance Content Search Started		T1114.002	TTP	Office 365 Collection Techniques	2026-05-13
Azure AD PIM Role Assignment Activated	Azure Active Directory	T1098.003	TTP	Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation	2026-05-13
O365 Email New Inbox Rule Created	Office 365 Universal Audit Log	T1114.003 T1564.008	Anomaly	Office 365 Collection Techniques	2026-05-13
AWS IAM Delete Policy	AWS CloudTrail DeletePolicy	T1098	Hunting	AWS IAM Privilege Escalation	2026-05-13
AWS Unusual Number of Failed Authentications From Ip	AWS CloudTrail ConsoleLogin	T1110.003 T1110.004 T1586.003	Anomaly	AWS Identity and Access Management Account Takeover	2026-05-13
Cloud Compute Instance Created With Previously Unseen Image	AWS CloudTrail	N/A	Anomaly	Cloud Cryptomining	2026-05-13
Detect New Open S3 Buckets over AWS CLI	AWS CloudTrail	T1530	TTP	Suspicious AWS S3 Activities	2026-05-13
O365 Multiple AppIDs and UserAgents Authentication Spike	O365 UserLoginFailed, O365 UserLoggedIn	T1078	Anomaly	Office 365 Account Takeover	2026-05-13
AWS High Number Of Failed Authentications From Ip	AWS CloudTrail ConsoleLogin	T1110.003 T1110.004	Anomaly	Compromised User Account, AWS Identity and Access Management Account Takeover	2026-05-13
GitHub Enterprise Modify Audit Log Event Stream	GitHub Enterprise Audit Logs	T1195 T1685.002	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
Azure AD Multiple AppIDs and UserAgents Authentication Spike	Azure Active Directory Sign-in activity	T1078	Anomaly	Azure Active Directory Account Takeover	2026-05-13
GitHub Enterprise Disable Dependabot	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
AWS Create Policy Version to allow all resources	AWS CloudTrail CreatePolicyVersion	T1078.004	TTP	AWS IAM Privilege Escalation	2026-05-13
Gsuite Email With Known Abuse Web Service Link	G Suite Gmail	T1566.001	Anomaly	Dev Sec Ops	2026-05-13
Cloud Instance Modified By Previously Unseen User	AWS CloudTrail	T1078.004	Anomaly	Suspicious Cloud Instance Activities	2026-05-13
Azure AD Multiple Service Principals Created by SP	Azure Active Directory Add service principal	T1136.003	Anomaly	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
AWS New MFA Method Registered For User	AWS CloudTrail CreateVirtualMFADevice	T1556.006	TTP	AWS Identity and Access Management Account Takeover	2026-05-13
Kubernetes Create or Update Privileged Pod	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
O365 New Email Forwarding Rule Enabled		T1114.003	TTP	Office 365 Collection Techniques	2026-05-13
Azure AD New Custom Domain Added	Azure Active Directory Add unverified domain	T1484.002	TTP	Azure Active Directory Persistence	2026-05-13
O365 New Email Forwarding Rule Created		T1114.003	TTP	Office 365 Collection Techniques	2026-05-13
GitHub Enterprise Pause Audit Log Event Stream	GitHub Enterprise Audit Logs	T1195 T1685.002	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
Azure AD Unusual Number of Failed Authentications From Ip	Azure Active Directory	T1110.003 T1110.004 T1586.003	Anomaly	Azure Active Directory Account Takeover	2026-05-13
AWS Defense Evasion PutBucketLifecycle	AWS CloudTrail PutBucketLifecycle	T1485.001 T1685.002	Hunting	AWS Defense Evasion	2026-05-13
Azure Automation Account Created	Azure Audit Create or Update an Azure Automation account	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
AWS IAM Failure Group Deletion	AWS CloudTrail DeleteGroup	T1098	Anomaly	AWS IAM Privilege Escalation	2026-05-13
Azure AD FullAccessAsApp Permission Assigned	Azure Active Directory Update application	T1098.002 T1098.003	TTP	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
Azure AD Service Principal Enumeration	Azure Active Directory MicrosoftGraphActivityLogs	T1087.004 T1526	TTP	Azure Active Directory Privilege Escalation, Compromised User Account	2026-05-13
Azure AD Multi-Factor Authentication Disabled	Azure Active Directory Disable Strong Authentication	T1556.006 T1586.003	TTP	Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters	2026-05-13
O365 External Guest User Invited	Office 365 Universal Audit Log	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
Azure AD Successful Single-Factor Authentication	Azure Active Directory	T1078.004 T1586.003	TTP	Azure Active Directory Account Takeover	2026-05-13
O365 Excessive Authentication Failures Alert		T1110	Anomaly	Office 365 Account Takeover	2026-05-13
Kubernetes Pod Created in Default Namespace	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
Kubernetes AWS detect suspicious kubectl calls	Kubernetes Audit	N/A	Anomaly	Kubernetes Security	2026-05-13
AWS Defense Evasion Stop Logging Cloudtrail	AWS CloudTrail StopLogging	T1685.002	TTP	AWS Defense Evasion	2026-05-13
O365 Email Send and Hard Delete Exfiltration Behavior	Office 365 Reporting Message Trace, Office 365 Universal Audit Log	T1070.008 T1114.001 T1485	Anomaly	Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques	2026-05-13
Kubernetes DaemonSet Deployed	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
O365 Mailbox Folder Read Permission Assigned	O365 ModifyFolderPermissions	T1098.002	TTP	Office 365 Collection Techniques	2026-05-13
Azure AD Service Principal New Client Credentials	Azure Active Directory	T1098.001	TTP	Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation, NOBELIUM Group	2026-05-13
Kubernetes Access Scanning	Kubernetes Audit	T1046	Anomaly	Kubernetes Security	2026-05-13
AWS ECR Container Scanning Findings High	AWS CloudTrail DescribeImageScanFindings	T1204.003	TTP	Dev Sec Ops	2026-05-13
Detect AWS Console Login by User from New Country	AWS CloudTrail	T1535 T1586.003	Hunting	Suspicious AWS Login Activities, Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover	2026-05-13
GitHub Enterprise Disable Classic Branch Protection Rule	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
GSuite Email Suspicious Attachment	G Suite Gmail	T1566.001	Anomaly	Dev Sec Ops	2026-05-13
O365 External Identity Policy Changed	Office 365 Universal Audit Log	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
Azure AD Multiple Users Failing To Authenticate From Ip	Azure Active Directory	T1110.003 T1110.004 T1586.003	Anomaly	Azure Active Directory Account Takeover	2026-05-13
O365 Threat Intelligence Suspicious Email Delivered	Office 365 Universal Audit Log	T1566.001 T1566.002	Anomaly	Suspicious Emails, Spearphishing Attachments	2026-05-13
ASL AWS Create Policy Version to allow all resources	ASL AWS CloudTrail	T1078.004	TTP	AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters	2026-05-13
AWS Exfiltration via DataSync Task	AWS CloudTrail CreateTask	T1119	TTP	Data Exfiltration, Hellcat Ransomware, Suspicious AWS S3 Activities	2026-05-13
Azure AD Application Administrator Role Assigned	Azure Active Directory Add member to role	T1098.003	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation	2026-05-13
Detect New Open GCP Storage Buckets		T1530	TTP	Suspicious GCP Storage Activities	2026-05-13
O365 Application Available To Other Tenants	Office 365 Universal Audit Log	T1098.003	TTP	Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration	2026-05-13
Azure AD Privileged Role Assigned	Azure Active Directory Add member to role	T1098.003	TTP	Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Storm-0501 Ransomware, NOBELIUM Group	2026-05-13
Azure AD Privileged Graph API Permission Assigned	Azure Active Directory Update application	T1003.002	TTP	Azure Active Directory Persistence, NOBELIUM Group	2026-05-13
O365 Multiple Service Principals Created by SP	O365 Add service principal.	T1136.003	Anomaly	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
Kubernetes Process with Anomalous Resource Utilisation		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
Azure AD New MFA Method Registered	Azure Active Directory Update user	T1098.005	TTP	Azure Active Directory Persistence, Scattered Lapsus$ Hunters	2026-05-13
Cloud API Calls From Previously Unseen User Roles	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud User Activities	2026-05-13
O365 Multiple Failed MFA Requests For User	O365 UserLoginFailed	T1621	TTP	Office 365 Account Takeover, Scattered Lapsus$ Hunters	2026-05-13
ASL AWS Defense Evasion PutBucketLifecycle	ASL AWS CloudTrail	T1485.001 T1685.002	Hunting	AWS Defense Evasion	2026-05-13
GitHub Organizations Repository Deleted	GitHub Organizations Audit Logs	T1195 T1485	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
O365 OAuth App Mailbox Access via EWS	O365 MailItemsAccessed	T1114.002	TTP	Office 365 Collection Techniques, NOBELIUM Group	2026-05-13
O365 Admin Consent Bypassed by Service Principal	O365 Add app role assignment to service principal.	T1098.003	TTP	Office 365 Persistence Mechanisms	2026-05-13
Azure AD New MFA Method Registered For User	Azure Active Directory User registered security info	T1556.006	TTP	Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters, Compromised User Account	2026-05-13
AWS Bedrock Invoke Model Access Denied	AWS CloudTrail	T1078 T1550	TTP	AWS Bedrock Security	2026-05-13
Azure AD Privileged Role Assigned to Service Principal	Azure Active Directory Add member to role	T1098.003	TTP	Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation, NOBELIUM Group	2026-05-13
O365 ApplicationImpersonation Role Assigned	O365	T1098.002	TTP	Office 365 Collection Techniques, NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
Azure AD Multi-Source Failed Authentications Spike	Azure Active Directory	T1110.003 T1110.004 T1586.003	Hunting	Azure Active Directory Account Takeover, NOBELIUM Group	2026-05-13
AWS Password Policy Changes	AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy	T1201	Hunting	AWS IAM Privilege Escalation, Compromised User Account	2026-05-13
ASL AWS Defense Evasion Delete Cloudtrail	ASL AWS CloudTrail	T1685.002	TTP	AWS Defense Evasion	2026-05-13
AWS IAM Successful Group Deletion	AWS CloudTrail DeleteGroup	T1069.003 T1098	Hunting	AWS IAM Privilege Escalation	2026-05-13
Azure AD User ImmutableId Attribute Updated	Azure Active Directory Update user	T1098	TTP	Azure Active Directory Persistence, Hellcat Ransomware	2026-05-13
Gsuite Outbound Email With Attachment To External Domain	G Suite Gmail	T1048.003	Hunting	Dev Sec Ops, Insider Threat	2026-05-13
Azure AD User Consent Blocked for Risky Application	Azure Active Directory Consent to application	T1528	TTP	Azure Active Directory Account Takeover	2026-05-13
Azure AD Admin Consent Bypassed by Service Principal	Azure Active Directory Add app role assignment to service principal	T1098.003	TTP	Azure Active Directory Privilege Escalation, NOBELIUM Group	2026-05-13
High Number of Login Failures from a single source	O365 UserLoginFailed	T1110.001	Anomaly	Office 365 Account Takeover	2026-05-13
Kubernetes Anomalous Traffic on Network Edge		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
O365 User Consent Blocked for Risky Application	O365 Consent to application.	T1528	TTP	Office 365 Account Takeover	2026-05-13
Kubernetes Process Running From New Path		T1204	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2026-05-13
O365 Email Reported By Admin Found Malicious	Office 365 Universal Audit Log	T1566.001 T1566.002	TTP	Suspicious Emails, Spearphishing Attachments	2026-05-13
GitHub Enterprise Remove Organization	GitHub Enterprise Audit Logs	T1195 T1485	Anomaly	GitHub Malicious Activity	2026-05-13
Detect Spike in S3 Bucket deletion	AWS CloudTrail	T1530	Anomaly	Suspicious AWS S3 Activities	2026-05-13
Kubernetes Unauthorized Access	Kubernetes Audit	T1204	Anomaly	Kubernetes Security	2026-05-13
ASL AWS SAML Update identity provider	ASL AWS CloudTrail	T1078	TTP	Cloud Federated Credential Abuse	2026-05-13
Azure Automation Runbook Created	Azure Audit Create or Update an Azure Automation Runbook	T1136.003	TTP	Azure Active Directory Persistence	2026-05-13
Microsoft Intune DeviceManagementConfigurationPolicies	Azure Monitor Activity	T1021.007 T1072 T1484 T1685 T1686	Hunting	Azure Active Directory Account Takeover	2026-05-13
AWS Multi-Factor Authentication Disabled	AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice	T1556.006 T1586.003 T1621	TTP	Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover	2026-05-13
Azure AD User Enabled And Password Reset	Azure Active Directory Enable account, Azure Active Directory Update user, Azure Active Directory Reset password (by admin)	T1098	TTP	Azure Active Directory Persistence, Scattered Lapsus$ Hunters	2026-05-13
Gsuite suspicious calendar invite		T1566	Hunting	Spearphishing Attachments	2026-05-13
Amazon EKS Kubernetes Pod scan detection		T1526	Hunting	Kubernetes Scanning Activity	2026-05-13
GitHub Enterprise Disable 2FA Requirement	GitHub Enterprise Audit Logs	T1195 T1685	Anomaly	GitHub Malicious Activity	2026-05-13
Geographic Improbable Location	Okta	T1078	Anomaly	Remote Employment Fraud	2026-05-13
ASL AWS IAM Failure Group Deletion	ASL AWS CloudTrail	T1098	Anomaly	AWS IAM Privilege Escalation	2026-05-13
O365 Email Access By Security Administrator	Office 365 Universal Audit Log	T1114.002 T1567	TTP	Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover	2026-05-13
Cloud Provisioning Activity From Previously Unseen Region	AWS CloudTrail	T1078	Anomaly	Suspicious Cloud Provisioning Activities	2026-05-13
Azure AD Successful Authentication From Different Ips	Azure Active Directory	T1110.001 T1110.003	TTP	Azure Active Directory Account Takeover, Compromised User Account	2026-05-13
Risk Rule for Dev Sec Ops by Repository		T1204.003	Correlation	Dev Sec Ops	2026-05-13
GitHub Enterprise Repository Archived	GitHub Enterprise Audit Logs	T1195 T1485	Anomaly	GitHub Malicious Activity, NPM Supply Chain Compromise	2026-05-13
O365 Concurrent Sessions From Different Ips	O365 UserLoggedIn	T1185	TTP	Office 365 Account Takeover, Scattered Lapsus$ Hunters	2026-05-13
Azure AD Authentication Failed During MFA Challenge	Azure Active Directory	T1078.004 T1586.003 T1621	TTP	Azure Active Directory Account Takeover	2026-05-13
O365 Multiple Users Failing To Authenticate From Ip	O365 UserLoginFailed	T1110.003 T1110.004 T1586.003	TTP	Office 365 Account Takeover, NOBELIUM Group	2026-05-13
O365 Mailbox Inbox Folder Shared with All Users	O365 ModifyFolderPermissions	T1114.002	TTP	Office 365 Persistence Mechanisms	2026-05-13
Cloud Security Groups Modifications by User	AWS CloudTrail	T1578.005	Anomaly	Suspicious Cloud User Activities	2026-05-13
ASL AWS IAM Assume Role Policy Brute Force	ASL AWS CloudTrail	T1110 T1580	TTP	AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters	2026-05-13
GCP Multiple Failed MFA Requests For User	Google Workspace	T1078.004 T1586.003 T1621	TTP	GCP Account Takeover, Scattered Lapsus$ Hunters	2026-05-13
O365 Tenant Wide Admin Consent Granted	O365 Consent to application.	T1098.003	TTP	NOBELIUM Group, Office 365 Persistence Mechanisms	2026-05-13
GCP Kubernetes cluster pod scan detection		T1526	Hunting	Kubernetes Scanning Activity, Scattered Lapsus$ Hunters	2026-05-13
O365 Elevated Mailbox Permission Assigned	O365 Add-MailboxPermission	T1098.002	TTP	Office 365 Collection Techniques	2026-05-13
Azure Active Directory High Risk Sign-in	Azure Active Directory	T1110.003 T1586.003	TTP	Azure Active Directory Account Takeover	2026-05-13
AWS CreateAccessKey	AWS CloudTrail CreateAccessKey	T1136.003	Hunting	AWS IAM Privilege Escalation	2026-05-13
O365 User Consent Denied for OAuth Application	O365	T1528	TTP	Office 365 Account Takeover	2026-05-13
O365 Exfiltration via File Download	Office 365 Universal Audit Log	T1530 T1567	Anomaly	Data Exfiltration, Office 365 Account Takeover	2026-05-13
Detect GCP Storage access from a new IP		T1530	Anomaly	Suspicious GCP Storage Activities	2026-05-13
O365 Email Send and Hard Delete Suspicious Behavior	Office 365 Universal Audit Log	T1070.008 T1114.001 T1485	Anomaly	Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques	2026-05-13
O365 Compliance Content Search Exported		T1114.002	TTP	Office 365 Collection Techniques	2026-05-13
O365 BEC Email Hiding Rule Created		T1564.008	TTP	Office 365 Account Takeover	2026-05-13
O365 Mailbox Folder Read Permission Granted	O365 ModifyFolderPermissions	T1098.002	TTP	Office 365 Collection Techniques	2026-05-13
Azure AD High Number Of Failed Authentications For User	Azure Active Directory	T1110.001	TTP	Azure Active Directory Account Takeover, Compromised User Account	2026-05-13
AWS Bedrock High Number List Foundation Model Failures	AWS CloudTrail	T1580	TTP	AWS Bedrock Security	2026-05-13
Prohibited Network Traffic Allowed	Cisco Secure Firewall Threat Defense Connection Event	T1048	TTP	Cisco Secure Firewall Threat Defense Analytics, Command And Control, Ransomware, Prohibited Traffic Allowed or Protocol Mismatch	2026-05-13
3CX Supply Chain Attack Network Indicators	Sysmon EventID 22	T1195.002	TTP	3CX Supply Chain Attack	2026-05-13
Windows Multi hop Proxy TOR Website Query	Sysmon EventID 22	T1071.003	Anomaly	Interlock Ransomware, AgentTesla	2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Correlation	Cisco Secure Firewall Threat Defense Intrusion Event	T1190	TTP	Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Internal Horizontal Port Scan NMAP Top 20	AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event	T1046	TTP	China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery	2026-05-13
HTTP RMM User Agent	Suricata	T1071.001 T1219	Anomaly	Suspicious User Agents, Remote Monitoring and Management Software	2026-05-13
Windows Remote Desktop Network Bruteforce Attempt	Sysmon EventID 3, Cisco Secure Access Firewall	T1110.001	Anomaly	SamSam Ransomware, Windows RDP Artifacts and Defense Evasion, Cisco Secure Access Analytics, Ryuk Ransomware, Compromised User Account	2026-05-13
HTTP Malware User Agent	Suricata	T1071.001	TTP	Lokibot, Crypto Stealer, Meduza Stealer, Suspicious User Agents, Lumma Stealer, RedLine Stealer	2026-05-13
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1041 T1573.002	Anomaly	Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
DNS Query Length With High Standard Deviation	Sysmon EventID 22	T1048.003	Anomaly	Command And Control, Suspicious DNS Traffic, Hidden Cobra Malware	2026-05-13
Wermgr Process Connecting To IP Check Web Services	Sysmon EventID 22	T1590.005	TTP	Trickbot	2026-05-13
Cisco SD-WAN - Peering Activity	Cisco SD-WAN NTCE 1000001	T1190	Hunting	Cisco Catalyst SD-WAN Analytics	2026-05-13
Cisco Secure Firewall - Bits Network Activity	Cisco Secure Firewall Threat Defense Connection Event	N/A	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Remote Desktop Network Traffic	Zeek Conn	T1021.001	Anomaly	SamSam Ransomware, Windows RDP Artifacts and Defense Evasion, Hidden Cobra Malware, Ryuk Ransomware, Active Directory Lateral Movement	2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution		T1021.004 T1078 T1136	Correlation	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
HTTP C2 Framework User Agent	Suricata	T1071.001	TTP	Malicious PowerShell, Brute Ratel C4, Cobalt Strike, Spearphishing Attachments, BishopFox Sliver Adversary Emulation Framework, Suspicious User Agents, Tuoni, Meterpreter	2026-05-13
Detect Remote Access Software Usage DNS	Sysmon EventID 22	T1219	Anomaly	Command And Control, Ransomware, Remote Monitoring and Management Software, Scattered Spider, CISA AA24-241A, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters	2026-05-13
Cisco Secure Firewall - Blocked Connection	Cisco Secure Firewall Threat Defense Connection Event	T1018 T1046 T1110 T1203 T1595.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts	Cisco Secure Firewall Threat Defense Intrusion Event	T1027 T1105	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Large ICMP Traffic	Palo Alto Network Traffic, Cisco Secure Access Firewall	T1095	TTP	China-Nexus Threat Activity, Cisco Secure Access Analytics, Command And Control, Backdoor Pingpong	2026-05-13
Cisco Secure Firewall - Privileged Command Execution via HTTP	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1505.003	Anomaly	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
HTTP PUA User Agent	Suricata	T1071.001	Anomaly	Suspicious User Agents, Local Privilege Escalation With KrbRelayUp, BlackSuit Ransomware, Cactus Ransomware	2026-05-13
Cisco Secure Firewall - React Server Components RCE Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1190	TTP	React2Shell	2026-05-13
Cisco Secure Firewall - Intrusion Events by Threat Activity	Cisco Secure Firewall Threat Defense Intrusion Event	T1041 T1573.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor	2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports	Cisco Secure Firewall Threat Defense Connection Event	T1021 T1055 T1059.001 T1105 T1219 T1571	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect DNS Query to Decommissioned S3 Bucket	Sysmon EventID 22	T1485	Anomaly	AWS S3 Bucket Security Monitoring, Data Destruction	2026-05-13
Detect ARP Poisoning	Cisco IOS Logs	T1200 T1498 T1557.002	TTP	Router and Infrastructure Security	2026-05-13
Internal Horizontal Port Scan	AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event	T1046	TTP	China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery	2026-05-13
Cisco Secure Firewall - Repeated Blocked Connections	Cisco Secure Firewall Threat Defense Connection Event	T1018 T1046 T1110 T1203 T1595.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Smart Install Oversized Packet Detection	Splunk Stream TCP	T1190	TTP	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Smart Install Port Discovery and Status	Splunk Stream TCP	T1190	TTP	Cisco Smart Install Remote Code Execution CVE-2018-0171, Scattered Lapsus$ Hunters	2026-05-13
Cisco Secure Firewall - Potential Data Exfiltration	Cisco Secure Firewall Threat Defense Connection Event	T1041 T1048.003 T1567.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
TOR Traffic	Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event	T1090.003	TTP	Command And Control, Ransomware, Cisco Secure Firewall Threat Defense Analytics, Interlock Ransomware, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch	2026-05-13
Cisco TFTP Server Configuration for Data Exfiltration	Cisco IOS Logs	T1005 T1567	TTP	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Zeek x509 Certificate with Punycode		T1573	Hunting	OpenSSL CVE-2022-3602	2026-05-13
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity	Cisco SD-WAN Service Proxy Access Logs	T1190	TTP	Cisco Catalyst SD-WAN Analytics	2026-05-13
SSL Certificates with Punycode		T1573	Hunting	OpenSSL CVE-2022-3602	2026-05-13
Detect Software Download To Network Device		T1542.005	TTP	Router and Infrastructure Security	2026-05-13
Cisco SD-WAN - Low Frequency Rogue Peer	Cisco SD-WAN NTCE 1000001	T1190	Anomaly	Cisco Catalyst SD-WAN Analytics	2026-05-13
Detect Zerologon via Zeek		T1190	TTP	Detect Zerologon Attack, Rhysida Ransomware, Black Basta Ransomware	2026-05-13
Detect SNICat SNI Exfiltration		T1041	TTP	Data Exfiltration	2026-05-13
Cisco Secure Firewall - Remote Access Software Usage Traffic	Cisco Secure Firewall Threat Defense Connection Event	T1219	Anomaly	Command And Control, Ransomware, Remote Monitoring and Management Software, Scattered Spider, Cisco Secure Firewall Threat Defense Analytics, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters	2026-05-13
Protocols passing authentication in cleartext	Cisco Secure Firewall Threat Defense Connection Event	N/A	Anomaly	Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Use of Cleartext Protocols	2026-05-13
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388	Palo Alto Network Threat	T1133 T1190	TTP	F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A	2026-05-13
Cisco Secure Firewall - Malware File Downloaded	Cisco Secure Firewall Threat Defense File Event	T1105 T1203	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Internal Vulnerability Scan		T1046 T1595.002	TTP	Scattered Lapsus$ Hunters, Network Discovery	2026-05-13
Windows DNS Query Request by Telegram Bot API	Sysmon EventID 22	T1071.004 T1102.002	Anomaly	Crypto Stealer, 0bj3ctivity Stealer, VIP Keylogger, BlankGrabber Stealer	2026-05-13
Cisco Secure Firewall - Static Tundra Smart Install Abuse	Cisco Secure Firewall Threat Defense Intrusion Event	T1190 T1210 T1499	TTP	Cisco Smart Install Remote Code Execution CVE-2018-0171, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Suspicious Process With Discord DNS Query	Sysmon EventID 22	T1059.005	Anomaly	Cactus Ransomware, PXA Stealer, BlankGrabber Stealer, Data Destruction, WhisperGate	2026-05-13
Cisco Configuration Archive Logging Analysis	Cisco IOS Logs	T1098 T1505.003 T1685	Hunting	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint	Cisco Secure Firewall Threat Defense Connection Event	T1071.001 T1573.002 T1587.002 T1588.004	TTP	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Rundll32 DNSQuery	Sysmon EventID 22	T1218.011	TTP	Living Off The Land, IcedID	2026-05-13
Detect Remote Access Software Usage Traffic	Palo Alto Network Traffic	T1219	Anomaly	Command And Control, Scattered Spider, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters	2026-05-13
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1203	TTP	Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777	2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity		T1021.004 T1078 T1136	Correlation	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Rogue DHCP Server	Cisco IOS Logs	T1200 T1498 T1557	TTP	Router and Infrastructure Security, Scattered Lapsus$ Hunters	2026-05-13
Cisco Secure Firewall - Lumma Stealer Download Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1041 T1573.002	Anomaly	Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification	Cisco Secure Firewall Threat Defense Intrusion Event	T1003 T1071 T1078 T1190 T1203	TTP	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Rare Snort Rule Triggered	Cisco Secure Firewall Threat Defense Intrusion Event	T1583.006 T1598	Hunting	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows Gather Victim Network Info Through Ip Check Web Services	Sysmon EventID 22	T1590.005	Anomaly	VIP Keylogger, DarkCrystal RAT, Castle RAT, Water Gamayun, 0bj3ctivity Stealer, Meduza Stealer, Azorult, PXA Stealer, Snake Keylogger, Handala Wiper, Quasar RAT, BlankGrabber Stealer, Phemedrone Stealer, Void Manticore	2026-05-13
Internal Vertical Port Scan	AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event	T1046	TTP	China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery	2026-05-13
Cisco IOS Suspicious Privileged Account Creation	Cisco IOS Logs	T1078 T1136	Anomaly	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Suspicious Process DNS Query Known Abuse Web Services	Sysmon EventID 22	T1059.005	TTP	Malicious Inno Setup Loader, Remcos, Cactus Ransomware, Braodo Stealer, Meduza Stealer, PXA Stealer, Snake Keylogger, Data Destruction, BlankGrabber Stealer, WhisperGate, Phemedrone Stealer, RedLine Stealer	2026-05-13
Cisco Secure Firewall - High EVE Threat Confidence	Cisco Secure Firewall Threat Defense Connection Event	T1041 T1071.001 T1105 T1573.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads	Cisco Secure Firewall Threat Defense File Event	T1027 T1105	Anomaly	Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware	2026-05-13
Windows AD Replication Service Traffic		T1003.006 T1207	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Cisco Secure Firewall - SSH Connection to Non-Standard Port	Cisco Secure Firewall Threat Defense Intrusion Event	T1021.004	Anomaly	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows AD Rogue Domain Controller Network Activity		T1207	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Cisco Network Interface Modifications	Cisco IOS Logs	T1021 T1133 T1556	Anomaly	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Secure Firewall - Wget or Curl Download	Cisco Secure Firewall Threat Defense Connection Event	T1053.003 T1059 T1071.001 T1105	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows Abused Web Services	Sysmon EventID 22	T1102	Anomaly	Malicious Inno Setup Loader, NjRAT, BlankGrabber Stealer, CISA AA24-241A	2026-05-13
Detect Port Security Violation	Cisco IOS Logs	T1200 T1498 T1557.002	TTP	Router and Infrastructure Security	2026-05-13
Large Volume of DNS ANY Queries		T1498.002	Anomaly	DNS Amplification Attacks	2026-05-13
Ngrok Reverse Proxy on Network	Sysmon EventID 22	T1090 T1102 T1572	Anomaly	CISA AA22-320A, Reverse Network Proxy, CISA AA24-241A	2026-05-13
Detect Windows DNS SIGRed via Zeek		T1203	TTP	Windows DNS SIGRed CVE-2020-1350	2026-05-13
Detect hosts connecting to dynamic domain providers	Sysmon EventID 22	T1189	TTP	Command And Control, Data Protection, DNS Hijacking, Suspicious DNS Traffic, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch	2026-05-13
Cisco Secure Firewall - File Download Over Uncommon Port	Cisco Secure Firewall Threat Defense File Event	T1105 T1571	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity	Cisco Secure Firewall Threat Defense Intrusion Event	T1003.001 T1059.001 T1190 T1210	TTP	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Protocol or Port Mismatch	Cisco Secure Firewall Threat Defense Connection Event	T1048.003	Anomaly	Cisco Secure Firewall Threat Defense Analytics, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch	2026-05-13
Detect Outbound SMB Traffic	Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event	T1071.002	TTP	DHS Report TA18-074A, Cisco Secure Access Analytics, Cisco Secure Firewall Threat Defense Analytics, Hidden Cobra Malware, NOBELIUM Group	2026-05-13
Detect Unauthorized Assets by MAC address		N/A	TTP	Asset Tracking	2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Exploitation	Cisco Secure Firewall Threat Defense Intrusion Event	T1190	TTP	Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Binary File Type Download	Cisco Secure Firewall Threat Defense File Event	T1059 T1203	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Traffic Mirroring	Cisco IOS Logs	T1020.001 T1200 T1498	TTP	Router and Infrastructure Security	2026-05-13
DNS Kerberos Coercion	Suricata, Sysmon EventID 22	T1071.004 T1187 T1557.001	TTP	Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic	2026-05-13
Cisco Secure Firewall - Possibly Compromised Host	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1203 T1587.001	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Connection to File Sharing Domain	Cisco Secure Firewall Threat Defense Connection Event	T1071.001 T1090.002 T1105 T1567.002 T1588.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters	2026-05-13
Excessive DNS Failures		T1071.004	Anomaly	Command And Control, Suspicious DNS Traffic	2026-05-13
Cisco SNMP Community String Configuration Changes	Cisco IOS Logs	T1040 T1552 T1685	Anomaly	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity	Cisco Secure Firewall Threat Defense Intrusion Event	T1027 T1190 T1204 T1210	TTP	Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows Spearphishing Attachment Connect To None MS Office Domain	Sysmon EventID 22	T1566.001	Hunting	AsyncRAT, MuddyWater, Spearphishing Attachments	2026-05-13
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity	Cisco SD-WAN Service Proxy Access Logs	T1595	Hunting	Cisco Catalyst SD-WAN Analytics	2026-05-13
SMB Traffic Spike		T1021.002	Anomaly	Emotet Malware DHS Report TA18-201A, DHS Report TA18-074A, Ransomware, Hidden Cobra Malware	2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1071 T1595.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect IPv6 Network Infrastructure Threats	Cisco IOS Logs	T1200 T1498 T1557.002	TTP	Router and Infrastructure Security, Scattered Lapsus$ Hunters	2026-05-13
Hosts receiving high volume of network traffic from email server		T1114.002	Anomaly	Collection and Staging	2026-05-13
Detect Windows DNS SIGRed via Splunk Stream		T1203	TTP	Windows DNS SIGRed CVE-2020-1350	2026-05-13
Detect Outbound LDAP Traffic	Palo Alto Network Traffic, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event	T1059 T1190	Hunting	Log4Shell CVE-2021-44228, Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics	2026-05-13
Cisco Secure Firewall - SSH Connection to sshd_operns	Cisco Secure Firewall Threat Defense Intrusion Event	T1021.004	Anomaly	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Linux Suspicious Namespace Creation	Linux Auditd Syscall, Sysmon for Linux EventID 1	T1068	TTP	Linux Privilege Escalation	2026-05-12
Powershell Defender Threat Actions Set to Allow	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1059.001	TTP	Salat Stealer	2026-05-12
Linux Binary Launched Process with Null Argv	Linux Messages Syslog	T1068	TTP	Linux Privilege Escalation	2026-05-12
Linux PF_ALG Registration Outside of Boot Window	Linux Messages Syslog	T1068	TTP	Linux Privilege Escalation	2026-05-11
Linux Malformed Auth Entry	Linux Secure	T1068	Anomaly	Linux Privilege Escalation	2026-05-06
Windows Suspicious Child Process of TieringEngineService.exe	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	T1068	TTP	Windows Privilege Escalation, RedSun	2026-05-01
Windows VSSVC Process Accessing Defender Engine	Sysmon EventID 10	T1068	TTP	Windows Privilege Escalation, RedSun	2026-05-01
Windows Cloud Files Filter Log Created by Non-System Process	Sysmon EventID 11	T1068	TTP	Windows Privilege Escalation, RedSun	2026-05-01
Windows Suspicious Burst of Password Changes	Windows Event Log Security 4723, Windows Event Log Security 4724	T1068	TTP	BlueHammer, Windows Privilege Escalation	2026-04-29
Windows Suspicious Defender Engine or Signature Files Created	Sysmon EventID 11	T1068	Anomaly	BlueHammer, Windows Privilege Escalation	2026-04-27
Windows Suspicious Defender Update Activity in INetCache	Sysmon EventID 23, Sysmon EventID 11	T1068 T1105	Anomaly	BlueHammer, Windows Persistence Techniques	2026-04-27
Windows MsMpEng Writing to System32	Sysmon EventID 11, Sysmon EventID 15	T1068 T1543.003	TTP	BlueHammer, Windows Drivers, Windows Privilege Escalation, RedSun	2026-04-27
Windows Admin Password Changed by Non-Admin	Windows Event Log Security 4723	T1068 T1543.003	TTP	BlueHammer, Windows Privilege Escalation	2026-04-27
Windows Non-System Process Querying Definition Update	Sysmon EventID 22	T1068 T1071.001	Anomaly	BlueHammer, Windows Privilege Escalation, RedSun	2026-04-27