| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Abnormally High Number Of Cloud Infrastructure API Calls | AWS CloudTrail | Cloud Accounts | Anomaly | Compromised User Account, Scattered Lapsus$ Hunters, Suspicious Cloud User Activities | 2026-03-10 |
| Abnormally High Number Of Cloud Instances Destroyed | AWS CloudTrail | Cloud Accounts | Anomaly | Suspicious Cloud Instance Activities | 2026-03-10 |
| Abnormally High Number Of Cloud Instances Launched | AWS CloudTrail | Cloud Accounts | Anomaly | Cloud Cryptomining, Suspicious Cloud Instance Activities | 2026-03-10 |
| Abnormally High Number Of Cloud Security Group API Calls | AWS CloudTrail | Cloud Accounts | Anomaly | Suspicious Cloud User Activities | 2026-03-10 |
| Attempt To Add Certificate To Untrusted Store | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Install Root Certificate | Anomaly | Disabling Security Tools | 2026-03-26 |
| CHCP Command Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Command and Scripting Interpreter | Anomaly | Azorult, Crypto Stealer, Forest Blizzard, IcedID, Interlock Rat, Quasar RAT | 2026-03-23 |
| Detect DGA domains using pretrained model in DSDL | | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2026-03-10 |
| Detect DNS Data Exfiltration using pretrained model in DSDL | | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic, VoidLink Cloud-Native Linux Malware | 2026-02-25 |
| Detect suspicious DNS TXT records using pretrained model in DSDL | | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic, VoidLink Cloud-Native Linux Malware | 2026-03-10 |
| Detect suspicious processnames using pretrained model in DSDL | Sysmon EventID 1 | Command and Scripting Interpreter | Anomaly | Suspicious Command-Line Executions | 2026-03-10 |
| DNS Query Length Outliers - MLTK | | DNS | Anomaly | Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic | 2026-03-10 |
| Ivanti Sentry Authentication Bypass | Suricata | Exploit Public-Facing Application | TTP | Ivanti Sentry Authentication Bypass CVE-2023-38035 | 2026-03-27 |
| Linux Docker Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-03-03 |
| Potentially malicious code on commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell | Anomaly | Suspicious Command-Line Executions | 2026-03-10 |
| Processes launching netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify System Firewall | Anomaly | Azorult, DHS Report TA18-074A, Disabling Security Tools, Hellcat Ransomware, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon | 2026-03-26 |
| Sc exe Manipulating Windows Services | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Service | TTP | Azorult, Crypto Stealer, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Scattered Spider, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse | 2026-03-26 |
| SMB Traffic Spike - MLTK | | SMB/Windows Admin Shares | Anomaly | DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware | 2026-03-10 |
| Unusually Long Command Line - MLTK | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | N/A | Anomaly | Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes | 2026-03-10 |
| Windows Excel ActiveMicrosoftApp Child Process | Sysmon EventID 1 | Distributed Component Object Model | Anomaly | PathWiper | 2026-03-16 |