|
Windows AD add Self to Group
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation, Medusa Ransomware
|
2026-06-01
|
|
Windows PowerShell Add Module to Global Assembly Cache
|
Powershell Script Block Logging 4104
|
T1505.004
|
TTP
|
IIS Components
|
2026-05-13
|
|
Windows Group Discovery Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
T1069.002
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Cleo File Transfer Software, Medusa Ransomware, Volt Typhoon, Active Directory Discovery, Rhysida Ransomware, SolarWinds WHD RCE Post Exploitation, Windows Discovery Techniques, Azorult, Graceful Wipe Out Attack, Microsoft WSUS CVE-2025-59287, IcedID
|
2026-05-13
|
|
CMLUA Or CMSTPLUA UAC Bypass
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
DarkSide Ransomware, ValleyRAT, Ransomware, LockBit Ransomware
|
2026-05-13
|
|
Windows PowerShell Invoke-Sqlcmd Execution
|
Powershell Script Block Logging 4104
|
T1059.001
T1059.003
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse
|
2026-05-13
|
|
Windows Potato Privilege Escalation Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Steal or Forge Authentication Certificates Behavior Identified
|
|
T1649
|
Correlation
|
Windows Certificate Services
|
2026-05-13
|
|
Windows InstallUtil URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1218.004
|
TTP
|
Living Off The Land, Compromised Windows Host, Cisco Network Visibility Module Analytics, Signed Binary Proxy Execution InstallUtil
|
2026-05-13
|
|
Windows New Service Security Descriptor Set Via Sc.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1564
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
PaperCut NG Suspicious Behavior Debug Log
|
|
T1133
T1190
|
Hunting
|
PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Windows Excel Spawning Microsoft Project Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.003
|
Anomaly
|
PathWiper
|
2026-05-13
|
|
Deleting Shadow Copies
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Ransomware, Black Basta Ransomware, Cactus Ransomware, Medusa Ransomware, Storm-2460 CLFS Zero Day Exploitation, Rhysida Ransomware, VanHelsing Ransomware, CISA AA22-264A, Windows Log Manipulation, Chaos Ransomware, DarkGate Malware, LockBit Ransomware, Clop Ransomware, Termite Ransomware, Void Manticore, SamSam Ransomware
|
2026-05-13
|
|
Java Writing JSP File
|
Sysmon for Linux EventID 1, Sysmon for Linux EventID 11
|
T1133
T1190
|
TTP
|
SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, Atlassian Confluence Server and Data Center CVE-2022-26134, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2026-05-13
|
|
Windows Rasautou DLL Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055.001
T1218
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics, Hellcat Ransomware
|
2026-05-13
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
T1053.006
|
Anomaly
|
Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir
|
2026-05-13
|
|
Windows Credentials from Password Stores Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1555
|
TTP
|
NetSupport RMM Tool Abuse, Compromised Windows Host, DarkGate Malware
|
2026-05-13
|
|
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd File Permission Modification Via Chmod
|
Linux Auditd Proctitle
|
T1222.002
|
Anomaly
|
Linux Persistence Techniques, XorDDos, Linux Living Off The Land, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Axios Supply Chain Post Compromise, Compromised Linux Host
|
2026-05-13
|
|
USN Journal Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070
|
TTP
|
Windows Log Manipulation, Ransomware
|
2026-05-13
|
|
Mshta spawning Rundll32 OR Regsvr32 Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
Living Off The Land, IcedID, APT37 Rustonotto and FadeStealer, Trickbot
|
2026-05-13
|
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
T1037.001
|
TTP
|
VIP Keylogger, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Execution of File with Multiple Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
|
TTP
|
Masquerading - Rename System Utilities, AsyncRAT, DarkGate Malware, Windows File Extension and Association Abuse
|
2026-05-13
|
|
MSBuild Suspicious Spawned By Script Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127.001
|
TTP
|
Trusted Developer Utilities Proxy Execution MSBuild, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows Anomalous Registry Value Length in Environment Key
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
PowerShell 4104 Hunting
|
Powershell Script Block Logging 4104
|
T1059.001
|
Hunting
|
Braodo Stealer, Water Gamayun, Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287, Cactus Ransomware, Medusa Ransomware, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, MuddyWater, China-Nexus Threat Activity, XWorm, Flax Typhoon, Salat Stealer, 0bj3ctivity Stealer, CISA AA23-347A, Lumma Stealer, Axios Supply Chain Post Compromise, Malicious PowerShell, SystemBC, APT37 Rustonotto and FadeStealer, Cleo File Transfer Software, Scattered Spider, PHP-CGI RCE Attack on Japanese Organizations, CISA AA24-241A, Interlock Ransomware, Data Destruction
|
2026-06-08
|
|
Windows Password Policy Discovery with Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Potential Cloudflared Network Connection
|
Sysmon EventID 3
|
T1572
|
Hunting
|
Reverse Network Proxy
|
2026-05-13
|
|
Linux Auditd Find Credentials From Password Stores
|
Linux Auditd Execve
|
T1555.005
|
TTP
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Hellcat Ransomware, Scattered Lapsus$ Hunters, Compromised Linux Host
|
2026-05-13
|
|
Windows WMI Process And Service List
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Linux Auditd Add User Account
|
Linux Auditd Proctitle
|
T1136.001
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux Auditd Unload Module Via Modprobe
|
Linux Auditd Execve
|
T1547.006
|
TTP
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Reg exe Manipulating Windows Services Registry Keys
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.011
|
TTP
|
Windows Service Abuse, Living Off The Land, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Gather Victim Identity SAM Info
|
Sysmon EventID 7
|
T1589.001
|
Hunting
|
Brute Ratel C4
|
2026-05-13
|
|
Windows Local Administrator Credential Stuffing
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.004
|
TTP
|
Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Suspicious Copy on System32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
|
Anomaly
|
Compromised Windows Host, Volt Typhoon, AsyncRAT, Water Gamayun, Unusual Processes, Qakbot, IcedID, Sandworm Tools
|
2026-05-13
|
|
Spike in File Writes
|
Sysmon EventID 11
|
N/A
|
Anomaly
|
Ryuk Ransomware, Rhysida Ransomware, Ransomware, SamSam Ransomware
|
2026-05-13
|
|
Windows PowerShell WMI Win32 ScheduledJob
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Detect RTLO In Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.002
|
TTP
|
Spearphishing Attachments
|
2026-05-13
|
|
Detect RTLO In File Name
|
Sysmon EventID 11
|
T1036.002
|
TTP
|
Spearphishing Attachments
|
2026-05-13
|
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
T1574.006
|
TTP
|
Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity
|
2026-05-13
|
|
Windows Administrative Shares Accessed On Multiple Hosts
|
Windows Event Log Security 5145, Windows Event Log Security 5140
|
T1135
|
TTP
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Impair Defense Disable Controlled Folder Access
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics, BlankGrabber Stealer
|
2026-05-13
|
|
Windows MSIExec DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Water Gamayun, Windows System Binary Proxy Execution MSIExec
|
2026-05-13
|
|
Windows ESX Admins Group Creation Security Event
|
Windows Event Log Security 4727, Windows Event Log Security 4730, Windows Event Log Security 4737
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows TeamCity Payload Execution from Temp Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1190
T1505.003
|
TTP
|
JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE
|
2026-05-13
|
|
Linux Obfuscated Files or Information Base64 Decode
|
Sysmon for Linux EventID 1
|
T1027
|
Anomaly
|
Linux Living Off The Land
|
2026-05-13
|
|
Linux Sudo OR Su Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Hunting
|
Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Screen Capture in TEMP folder
|
Sysmon EventID 11
|
T1113
|
TTP
|
Crypto Stealer, APT37 Rustonotto and FadeStealer, VIP Keylogger, Braodo Stealer, StealC Stealer, Hellcat Ransomware
|
2026-05-13
|
|
Windows Rundll32 with Non-Standard File Extension
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
Anomaly
|
Living Off The Land, Gh0st RAT, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Windows AD Privileged Object Access Activity
|
Windows Event Log Security 4662
|
T1087.002
|
TTP
|
BlackSuit Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Windows Defender ASR or Threat Configuration Tamper
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd Base64 Decode Files
|
Linux Auditd Execve
|
T1140
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux RPM Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
PowerShell Invoke WmiExec Usage
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Scattered Lapsus$ Hunters, Suspicious WMI Use
|
2026-05-13
|
|
Crowdstrike Medium Severity Alert
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Level RMM PowerShell Script Installer
|
Powershell Script Block Logging 4104
|
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Detect Empire with PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Hermetic Wiper, Malicious PowerShell, Data Destruction, Hellcat Ransomware
|
2026-05-13
|
|
ICACLS Grant Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Crypto Stealer, Ransomware, XMRig, Defense Evasion or Unauthorized Access Via SDDL Tampering, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Crowdstrike RTR Script Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
Anomaly
|
Suspicious MSHTA Activity, Living Off The Land, Cobalt Strike, Malicious PowerShell
|
2026-05-13
|
|
Powershell Load Module in Meterpreter
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
MetaSploit
|
2026-05-13
|
|
Windows Chromium Process Launched with Logging Disabled
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Disable Windows App Hotkeys
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
XMRig, Windows Registry Abuse
|
2026-05-13
|
|
GetWmiObject Ds Group with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Explorer.exe Spawning PowerShell or Cmd
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1204.002
|
Hunting
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Suspicious Rundll32 StartW
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Cobalt Strike, BlackByte Ransomware, Suspicious Rundll32 Activity, Graceful Wipe Out Attack, Hellcat Ransomware, Trickbot
|
2026-05-13
|
|
Windows Binary Execution from an Archive
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Linux Visudo Utility Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows PowerView Kerberos Service Ticket Request
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware
|
2026-05-13
|
|
Clop Ransomware Known Service Name
|
Windows Event Log System 7045
|
T1543
|
TTP
|
Compromised Windows Host, Clop Ransomware
|
2026-05-13
|
|
System User Discovery With Whoami
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Lotus Blossom Chrysalis Backdoor, LAMEHUG, PHP-CGI RCE Attack on Japanese Organizations, Winter Vivern, Active Directory Discovery, Rhysida Ransomware, Qakbot, CISA AA23-347A
|
2026-05-13
|
|
Windows Odbcconf Load Response File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.008
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Signature Retirement
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Audit Policy Auditing Option Disabled via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows AD Suspicious Attribute Modification
|
Windows Event Log Security 5136
|
T1222.001
T1550
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Spoolsv Writing a DLL - Sysmon
|
Sysmon EventID 11
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Execute Javascript With Jscript COM CLSID
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.005
|
TTP
|
Ransomware
|
2026-05-13
|
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Impair Defense Define Win Defender Threat Action
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows IOBit Unlocker Extension DLL Registration via Regsvr32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Modify Registry Do Not Connect To Win Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows DnsAdmins New Member Added
|
Windows Event Log Security 4732
|
T1098
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Drivers Loaded by Signature
|
Sysmon EventID 6
|
T1014
T1068
|
Hunting
|
Windows Drivers, AgentTesla, BlackByte Ransomware, CISA AA22-320A
|
2026-05-13
|
|
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
|
Cisco Network Visibility Module Flow Data
|
T1218.005
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Disabling SystemRestore In Registry
|
Sysmon EventID 13
|
T1490
|
TTP
|
NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Proxy Execution of .NET Utilities via Scripts
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Windows Remote Access Software RMS Registry
|
Sysmon EventID 13
|
T1219
|
TTP
|
Azorult
|
2026-05-13
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
T1135
|
Anomaly
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Suspicious msbuild path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1127.001
|
TTP
|
Living Off The Land, Cobalt Strike, BlackByte Ransomware, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows ConsoleHost History File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Linux DD File Overwrite
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
Data Destruction, Industroyer2
|
2026-05-13
|
|
Remote Process Instantiation via WMI and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Kerberos Coercion via DNS
|
Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 4662
|
T1071.004
T1187
T1557.001
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic
|
2026-05-13
|
|
Detect Regsvr32 Application Control Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
TTP
|
Living Off The Land, Compromised Windows Host, Cobalt Strike, PHP-CGI RCE Attack on Japanese Organizations, BlackByte Ransomware, Suspicious Regsvr32 Activity, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Entra User Management Via Azure CLI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1078.004
T1098
T1136
|
Anomaly
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows DNS Query Request To TinyUrl
|
Sysmon EventID 22
|
T1105
|
Anomaly
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Wscript Or Cscript Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
T1134.004
T1543
|
Anomaly
|
Remcos, VIP Keylogger, XWorm, NjRAT, 0bj3ctivity Stealer, Unusual Processes, ShrinkLocker, MuddyWater, Data Destruction, WhisperGate, FIN7, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
Windows Outlook Dialogs Disabled from Unusual Process
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Common Ransomware Notes
|
Sysmon EventID 11
|
T1485
|
Hunting
|
Medusa Ransomware, Ransomware, Ryuk Ransomware, Black Basta Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Interlock Ransomware, Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Hellcat Ransomware, Storm-0501 Ransomware, Termite Ransomware, SamSam Ransomware
|
2026-05-13
|
|
Windows Hosts File Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Gh0st RAT, BlankGrabber Stealer
|
2026-05-13
|
|
Powershell Processing Stream Of Data
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Medusa Ransomware, XWorm, Braodo Stealer, AsyncRAT, Salat Stealer, Hermetic Wiper, MoonPeak, PXA Stealer, MuddyWater, Data Destruction, Hellcat Ransomware, IcedID, Malicious PowerShell
|
2026-06-08
|
|
Windows Exfiltration Over C2 Via Invoke RestMethod
|
Powershell Script Block Logging 4104
|
T1041
|
TTP
|
APT37 Rustonotto and FadeStealer, Winter Vivern, Water Gamayun, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Print Spooler Adding A Printer Driver
|
Windows Event Log Printservice 316
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Rundll32 Control RunDLL Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
Hunting
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Windows Process Injection into Commonly Abused Processes
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
SAP NetWeaver Exploitation, APT37 Rustonotto and FadeStealer, Earth Alux, BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Recon Using WMI Class
|
Powershell Script Block Logging 4104
|
T1059.001
T1592
|
Anomaly
|
Malicious Inno Setup Loader, Scattered Spider, Industroyer2, VIP Keylogger, AsyncRAT, Hermetic Wiper, MoonPeak, Qakbot, Quasar RAT, BlankGrabber Stealer, Data Destruction, LockBit Ransomware, Axios Supply Chain Post Compromise, Malicious PowerShell
|
2026-05-13
|
|
Domain Controller Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Domain Account Discovery Via Get-NetComputer
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
CISA AA23-347A
|
2026-05-13
|
|
Windows Remote Assistance Spawning Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Compromised Windows Host, Unusual Processes
|
2026-05-13
|
|
Windows AD SID History Attribute Modified
|
Windows Event Log Security 5136
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Wmic Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
Windows Steal or Forge Kerberos Tickets Klist
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1558
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows SIP WinVerifyTrust Failed Trust Validation
|
Windows Event Log CAPI2 81
|
T1553.003
|
Anomaly
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
Windows Modify Registry WuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Powershell Using memory As Backing Store
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Medusa Ransomware, Salat Stealer, MoonPeak, Hermetic Wiper, Data Destruction, IcedID, Malicious PowerShell
|
2026-06-08
|
|
Windows RDP Bitmap Cache File Creation
|
Sysmon EventID 11
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Chromium process Launched with Disable Popup Blocking
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows WSUS Spawning Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
T1505.003
|
TTP
|
Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Windows Service Created with Suspicious Service Name
|
Windows Event Log System 7045
|
T1569.002
|
Anomaly
|
Gh0st RAT, Brute Ratel C4, Snake Malware, Flax Typhoon, PlugX, Qakbot, CISA AA23-347A, Clop Ransomware, Tuoni, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Credentials from Web Browsers Saved in TEMP Folder
|
Sysmon EventID 11
|
T1555.003
|
TTP
|
Braodo Stealer, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Process With NamedPipe CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Malicious Powershell Executed As A Service
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Rhysida Ransomware, Compromised Windows Host, Malicious PowerShell
|
2026-05-13
|
|
CMD Echo Pipe - Escalation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
T1543.003
|
TTP
|
BlackByte Ransomware, Compromised Windows Host, Cobalt Strike, Graceful Wipe Out Attack
|
2026-05-13
|
|
User Discovery With Env Vars PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Linux PHP Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Cisco Isovalent - Non Allowlisted Image Use
|
Cisco Isovalent Process Exec
|
T1204.003
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows BitLockerToGo with Network Activity
|
Sysmon EventID 22
|
T1218
|
Hunting
|
Lumma Stealer, Hellcat Ransomware
|
2026-05-13
|
|
Disable Defender BlockAtFirstSeen Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Azorult, IcedID
|
2026-05-13
|
|
Linux Account Manipulation Of SSH Config and Keys
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidRain, Hellcat Ransomware
|
2026-05-13
|
|
Windows Proxy Via Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1090.001
|
Anomaly
|
Volt Typhoon
|
2026-05-13
|
|
Windows SqlWriter SQLDumper DLL Sideload
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Windows GrimResource - MMC Process Accessing APDS DLL
|
Windows Event Log Security 4663
|
T1059.007
T1218.014
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
MacOS - Re-opened Applications
|
Sysmon EventID 1
|
N/A
|
TTP
|
ColdRoot MacOS RAT
|
2026-05-13
|
|
Suspicious Scheduled Task from Public Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
Anomaly
|
Crypto Stealer, Ransomware, MoonPeak, Ryuk Ransomware, NetSupport RMM Tool Abuse, Scheduled Tasks, Medusa Ransomware, DarkCrystal RAT, Salt Typhoon, Windows Persistence Techniques, China-Nexus Threat Activity, Malicious Inno Setup Loader, Lokibot, XWorm, CISA AA23-347A, Living Off The Land, APT37 Rustonotto and FadeStealer, Scattered Spider, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Azorult, Quasar RAT
|
2026-05-13
|
|
MOVEit Empty Key Fingerprint Authentication Attempt
|
|
T1190
|
Hunting
|
MOVEit Transfer Authentication Bypass, Hellcat Ransomware
|
2026-05-13
|
|
Processes Tapping Keyboard Events
|
Osquery Results
|
N/A
|
TTP
|
APT37 Rustonotto and FadeStealer, ColdRoot MacOS RAT
|
2026-05-13
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Hermetic Wiper, Malicious PowerShell, Data Destruction, Ransomware
|
2026-05-13
|
|
Linux Auditd Possible Access To Credential Files
|
Linux Auditd Proctitle
|
T1003.008
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Axios Supply Chain Post Compromise, Compromised Linux Host
|
2026-05-13
|
|
Unload Sysmon Filter Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
CISA AA23-347A, Disabling Security Tools
|
2026-05-13
|
|
WSReset UAC Bypass
|
Sysmon EventID 12, Sysmon EventID 13
|
T1548.002
|
TTP
|
MoonPeak, Living Off The Land, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows RMM Tool Execution
|
Sysmon EventID 1
|
T1219
|
Anomaly
|
NetSupport RMM Tool Abuse, Suspicious User Agents, Remote Monitoring and Management Software
|
2026-05-13
|
|
Elevated Group Discovery with PowerView
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Doas Tool Execution
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Auto Admin Logon Registry Entry
|
Sysmon EventID 13
|
T1552.002
|
TTP
|
Windows Registry Abuse, BlackMatter Ransomware
|
2026-05-13
|
|
DSQuery Domain Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Compromised Windows Host, Domain Trust Discovery, Active Directory Discovery
|
2026-05-13
|
|
Windows Remote Management Execute Shell
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.006
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows Service Stop Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1489
|
Hunting
|
Gh0st RAT, Prestige Ransomware, Scattered Lapsus$ Hunters, Graceful Wipe Out Attack
|
2026-05-13
|
|
System User Discovery With Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Medusa Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Spoolsv Suspicious Process Access
|
Sysmon EventID 10
|
T1068
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
BlackByte Ransomware, ProxyShell, Ransomware
|
2026-05-13
|
|
Curl Execution with Percent Encoded URL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
T1027
T1105
|
Anomaly
|
Living Off The Land, Compromised Windows Host, Ingress Tool Transfer
|
2026-05-13
|
|
Windows Command and Scripting Interpreter Path Traversal Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Detect Rundll32 Inline HTA Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
Suspicious MSHTA Activity, Living Off The Land, APT37 Rustonotto and FadeStealer, NOBELIUM Group
|
2026-05-13
|
|
Mailsniper Invoke functions
|
Powershell Script Block Logging 4104
|
T1114.001
|
TTP
|
Data Exfiltration
|
2026-05-13
|
|
Windows Modify Registry DisAllow Windows App
|
Sysmon EventID 13
|
T1112
|
TTP
|
Azorult
|
2026-05-13
|
|
Windows Net System Service Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1007
|
Hunting
|
Gh0st RAT, LAMEHUG
|
2026-05-13
|
|
SecretDumps Offline NTDS Dumping Tool
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
|
TTP
|
Compromised Windows Host, Credential Dumping, Rhysida Ransomware, Storm-0501 Ransomware, Graceful Wipe Out Attack
|
2026-05-13
|
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, Gozi Malware, CISA AA22-277A, Storm-0501 Ransomware, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
GetWmiObject DS User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Unusual Intelliform Storage Registry Access
|
Windows Event Log Security 4663
|
T1552.001
|
Anomaly
|
Lokibot, Quasar RAT
|
2026-05-13
|
|
Windows Excessive Service Stop Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1489
|
TTP
|
XMRig, BlackByte Ransomware, Ransomware
|
2026-05-13
|
|
Windows Sensitive Group Discovery With Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Anomaly
|
BlackSuit Ransomware, Volt Typhoon, Active Directory Discovery, Rhysida Ransomware, Microsoft WSUS CVE-2025-59287, IcedID
|
2026-05-13
|
|
Windows Office Product Spawned Child Process For Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
APT37 Rustonotto and FadeStealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, NjRAT, PlugX
|
2026-05-13
|
|
Powershell Enable SMB1Protocol Feature
|
Powershell Script Block Logging 4104
|
T1027.005
|
TTP
|
Hermetic Wiper, Malicious PowerShell, Data Destruction, Ransomware
|
2026-05-13
|
|
Windows Suspicious Child Process of TieringEngineService.exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
|
TTP
|
Windows Privilege Escalation, RedSun
|
2026-05-01
|
|
GetLocalUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Suspicious microsoft workflow compiler usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution
|
2026-05-13
|
|
Windows DLL Module Loaded in Temp Dir
|
Sysmon EventID 7
|
T1105
|
Hunting
|
Interlock Rat, Lokibot, SolarWinds WHD RCE Post Exploitation
|
2026-05-13
|
|
Windows Modify Registry EnableLinkedConnections
|
Sysmon EventID 13
|
T1112
|
TTP
|
BlackByte Ransomware
|
2026-05-13
|
|
Windows MSIX Package Interaction
|
Windows Event Log AppXPackaging 171
|
T1204.002
|
Hunting
|
MSIX Package Abuse
|
2026-05-13
|
|
Linux Auditd Preload Hijack Library Calls
|
Linux Auditd Execve
|
T1574.006
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host
|
2026-05-13
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
T1547
T1574.001
|
Anomaly
|
Earth Alux, XWorm, APT29 Diplomatic Deceptions with WINELOADER, Salt Typhoon, Derusbi, China-Nexus Threat Activity
|
2026-05-13
|
|
Kerberos Pre-Authentication Flag Disabled with PowerShell
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks
|
2026-05-13
|
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
T1546.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
MacOS Network Share Discovery
|
Osquery Results
|
T1135
|
Anomaly
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Windows Impair Defense Override SmartScreen Prompt
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Overide Win Defender Phishing Filter
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Cisco Isovalent - Cron Job Creation
|
Cisco Isovalent Process Exec
|
T1053.003
T1053.007
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Child Processes of Spoolsv exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
|
TTP
|
Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Windows System Script Proxy Execution Syncappvpublishingserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1216
T1218
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Disabled Kerberos Pre-Authentication Discovery With PowerView
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Interlock Ransomware
|
2026-05-13
|
|
Windows Obfuscated Files or Information via RAR SFX
|
Sysmon EventID 11
|
T1027.013
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, Crypto Stealer, APT37 Rustonotto and FadeStealer, Salat Stealer
|
2026-06-08
|
|
Remote Process Instantiation via WinRM and Winrs
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Trickbot Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1055
|
TTP
|
Trickbot, Hellcat Ransomware
|
2026-05-13
|
|
Linux Busybox Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows New Custom Security Descriptor Set On EventLog Channel
|
Sysmon EventID 13
|
T1685.001
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware
|
2026-05-13
|
|
Windows System Network Config Discovery Display DNS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1016
|
Anomaly
|
Water Gamayun, Prestige Ransomware, Windows Post-Exploitation, Medusa Ransomware
|
2026-05-13
|
|
Windows File and Directory Permissions Enable Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Hunting
|
NetSupport RMM Tool Abuse, Crypto Stealer
|
2026-05-13
|
|
Windows Process Execution From ProgramData
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
|
Hunting
|
APT37 Rustonotto and FadeStealer, Axios Supply Chain Post Compromise, XWorm, Salat Stealer, StealC Stealer, GhostRedirector IIS Module and Rungan Backdoor, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, China-Nexus Threat Activity, SnappyBee
|
2026-06-08
|
|
Windows Impair Defense Delete Win Defender Context Menu
|
Sysmon EventID 13
|
T1685
|
Hunting
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Default RDP File Creation By Non MSTSC Process
|
Sysmon EventID 1, Sysmon EventID 11
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows AD Short Lived Domain Account ServicePrincipalName
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Detect New Local Admin account
|
Windows Event Log Security 4720, Windows Event Log Security 4732
|
T1136.001
|
TTP
|
CISA AA22-257A, DHS Report TA18-074A, HAFNIUM Group, CISA AA24-241A, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Odbcconf Load DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.008
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Advanced IP or Port Scanner Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1046
T1135
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
T1053.002
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Security Account Manager Stopped
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1489
|
TTP
|
Compromised Windows Host, Scattered Lapsus$ Hunters, Ryuk Ransomware
|
2026-05-13
|
|
Windows Impair Defenses Disable HVCI
|
Sysmon EventID 13
|
T1685
|
TTP
|
BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-13
|
|
Cisco NVM - Susp Script From Archive Triggering Network Activity
|
Cisco Network Visibility Module Flow Data
|
T1059.005
T1204.002
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Scheduled Task with Highest Privileges
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Scheduled Tasks, Compromised Windows Host, XWorm, AsyncRAT, Castle RAT, SolarWinds WHD RCE Post Exploitation, Quasar RAT, CISA AA23-347A, NetSupport RMM Tool Abuse, RedLine Stealer
|
2026-05-13
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
T1112
T1566
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Detect Regasm Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Suspicious Regsvcs Regasm Activity, Living Off The Land, Compromised Windows Host, Handala Wiper, DarkGate Malware, Snake Keylogger, Void Manticore
|
2026-05-13
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4699, Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Scheduled Tasks, Compromised Windows Host, CISA AA22-257A, CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows AD Cross Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Disabling Firewall with Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
BlackByte Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows TOR Client Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1090.003
|
Anomaly
|
Compromised Windows Host, Windows Post-Exploitation, Command And Control, Data Protection, Data Exfiltration
|
2026-05-13
|
|
GetNetTcpconnection with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Audit Policy Cleared via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Linux Cpulimit Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Compatibility Telemetry Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Linux Auditd Data Transfer Size Limits Via Split
|
Linux Auditd Execve
|
T1030
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Hellcat Ransomware, Compromised Linux Host
|
2026-05-13
|
|
Enable RDP In Other Port Number
|
Sysmon EventID 13
|
T1021
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Windows Registry Abuse, Interlock Ransomware, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
T1053.006
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, China-Nexus Threat Activity, Gomir
|
2026-05-13
|
|
Windows AutoIt3 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
Crypto Stealer, Void Manticore, Handala Wiper, DarkGate Malware
|
2026-05-13
|
|
Windows Diskshadow Proxy Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows PowerShell FakeCAPTCHA Clipboard Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1059.001
T1059.003
T1204.001
|
TTP
|
Fake CAPTCHA Campaigns, Interlock Ransomware, Cisco Network Visibility Module Analytics, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Auditd Sysmon Service Stop
|
Linux Auditd Service Stop
|
T1489
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Office Product Spawned Rundll32 With No DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Crypto Stealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Graceful Wipe Out Attack
|
2026-05-13
|
|
Domain Group Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Admon Default Group Policy Object Modified
|
Windows Active Directory Admon
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Schtasks scheduling job on remote system
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Prestige Ransomware, Compromised Windows Host, Quasar RAT, NOBELIUM Group, Phemedrone Stealer, RedLine Stealer, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows PowerShell Export Certificate
|
Powershell Script Block Logging 4104
|
T1552.004
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows MSIExec Spawn WinDBG
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2026-05-13
|
|
Windows Modify Registry Disable WinDefender Notifications
|
Sysmon EventID 13
|
T1112
|
TTP
|
SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, RedLine Stealer
|
2026-05-13
|
|
Cisco Isovalent - Shell Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Suspicious VMWare Tools Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
China-Nexus Threat Activity, ESXi Post Compromise
|
2026-05-13
|
|
Windows AppX Deployment Full Trust Package Installation
|
Windows Event Log AppXDeployment-Server 400
|
T1204.002
T1553.005
|
Hunting
|
MSIX Package Abuse
|
2026-05-13
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
T1133
T1190
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Windows Powershell RemoteSigned File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
Anomaly
|
Amadey
|
2026-05-13
|
|
Detect Rare Executables
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204
|
Anomaly
|
Crypto Stealer, Unusual Processes, Rhysida Ransomware, Salt Typhoon, China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
Potential password in username
|
Linux Secure
|
T1078.003
T1552.001
|
Hunting
|
Insider Threat, Credential Dumping
|
2026-05-13
|
|
Cisco NVM - Outbound Connection to Suspicious Port
|
Cisco Network Visibility Module Flow Data
|
T1571
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
MacOS AMOS Stealer - Virtual Machine Check Activity
|
Osquery Results
|
T1059.002
|
Anomaly
|
AMOS Stealer, Hellcat Ransomware
|
2026-05-13
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Gomir
|
2026-05-13
|
|
SLUI Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1548.002
|
TTP
|
DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Docker Root Directory Mount
|
Sysmon for Linux EventID 1
|
T1611
|
TTP
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Hardware Addition Swapoff
|
Linux Auditd Execve
|
T1200
|
Anomaly
|
Scattered Lapsus$ Hunters, AwfulShred, Data Destruction, Compromised Linux Host
|
2026-05-13
|
|
Windows Impair Defense Delete Win Defender Profile Registry
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows AD Object Owner Updated
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Services Escalate Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1548
|
TTP
|
Compromised Windows Host, Cobalt Strike, BlackByte Ransomware, CISA AA23-347A, Graceful Wipe Out Attack
|
2026-05-13
|
|
Linux Auditd Shred Overwrite Command
|
Linux Auditd Proctitle
|
T1485
|
TTP
|
AwfulShred, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation, Data Destruction, Compromised Linux Host
|
2026-05-13
|
|
Creation of Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host, Volt Typhoon
|
2026-05-13
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Office Product Spawned Control
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Spearphishing Attachments
|
2026-05-13
|
|
Windows Wmic CPU Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows OneDrive Share Mounted via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1567.002
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
Windows Registry Entries Exported Via Reg
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1012
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, CISA AA23-347A
|
2026-05-13
|
|
Detect Remote Access Software Usage Registry
|
Sysmon EventID 13
|
T1219
|
Anomaly
|
Command And Control, Ransomware, Remote Monitoring and Management Software, Cactus Ransomware, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, Insider Threat, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Persistence Techniques, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Non Discord App Access Discord LevelDB
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Snake Keylogger, PXA Stealer, StealC Stealer, BlankGrabber Stealer
|
2026-05-13
|
|
Windows AppCertDLL Modification Via Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.009
|
Anomaly
|
Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Kerberos Service Ticket Request Using RC4 Encryption
|
Windows Event Log Security 4769
|
T1558.001
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Print Spooler Failed to Load a Plug-in
|
Windows Event Log Printservice 4909, Windows Event Log Printservice 808
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Chrome Auto-Update Disabled via Registry
|
Sysmon EventID 13
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
WMI Permanent Event Subscription
|
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Disable Defender Enhanced Notification
|
Sysmon EventID 13
|
T1685
|
TTP
|
IcedID, Azorult, CISA AA23-347A, Windows Registry Abuse
|
2026-05-13
|
|
GetWmiObject User Account with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.001
|
Hunting
|
Winter Vivern, Water Gamayun, Active Directory Discovery
|
2026-05-13
|
|
PowerShell Get LocalGroup Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Multiple NTLM Null Domain Authentications
|
NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006
|
T1110.003
|
TTP
|
Active Directory Password Spraying
|
2026-05-13
|
|
GetCurrent User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Modify ACL permission To Files Or Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
XMRig, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
T1053.005
T1059.001
|
Anomaly
|
Scheduled Tasks, Scattered Spider
|
2026-05-13
|
|
Windows Global Object Access Audit List Cleared Via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Dump LSASS via procdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.001
|
TTP
|
Compromised Windows Host, CISA AA22-257A, Credential Dumping, HAFNIUM Group, Seashell Blizzard, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 14, Sysmon EventID 13
|
T1112
|
Anomaly
|
NetSupport RMM Tool Abuse, ShrinkLocker, CISA AA24-241A
|
2026-05-13
|
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
T1197
|
TTP
|
DarkSide Ransomware, Living Off The Land, APT37 Rustonotto and FadeStealer, Scattered Spider, Ingress Tool Transfer, Flax Typhoon, Gozi Malware, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, BITS Jobs
|
2026-05-13
|
|
Windows Account Discovery With NetUser PreauthNotRequire
|
Powershell Script Block Logging 4104
|
T1087
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Windows SSH Proxy Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1105
T1572
|
Anomaly
|
Living Off The Land, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day, Hellcat Ransomware
|
2026-05-13
|
|
Windows Modify Registry DisableSecuritySettings
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, DarkGate Malware
|
2026-05-13
|
|
Windows System File on Disk
|
Sysmon EventID 11
|
T1068
|
Hunting
|
Windows Drivers, Crypto Stealer, CISA AA22-264A
|
2026-05-13
|
|
Detect SharpHound File Modifications
|
Sysmon EventID 11
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
BlackSuit Ransomware, Windows Discovery Techniques, Ransomware
|
2026-05-13
|
|
Disable Show Hidden Files
|
Sysmon EventID 13
|
T1112
T1564.001
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics, Azorult
|
2026-05-13
|
|
Windows Rundll32 Apply User Settings Changes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
Anomaly
|
Rhysida Ransomware
|
2026-05-13
|
|
Possible Browser Pass View Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1555.003
|
Hunting
|
Remcos
|
2026-05-13
|
|
Network Traffic to Active Directory Web Services Protocol
|
Sysmon EventID 3
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
Hunting
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows AD Domain Root ACL Deletion
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Vulnerable Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
Hunting
|
Windows Drivers, BlackByte Ransomware, Void Manticore
|
2026-05-13
|
|
Modification Of Wallpaper
|
Sysmon EventID 13
|
T1491
|
TTP
|
Revil Ransomware, Brute Ratel C4, Windows Registry Abuse, Ransomware, Black Basta Ransomware, Rhysida Ransomware, LockBit Ransomware, BlackMatter Ransomware, ZOVWiper
|
2026-05-13
|
|
Windows SpeechRuntime COM Hijacking DLL Load
|
Sysmon EventID 7
|
T1021.003
|
TTP
|
Compromised Windows Host, Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows System Time Discovery W32tm Delay
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1124
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
Linux Add User Account
|
Sysmon for Linux EventID 1, Cisco Isovalent Process Exec
|
T1136.001
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Domain Controller Discovery with Nltest
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
BlackSuit Ransomware, Medusa Ransomware, Active Directory Discovery, Rhysida Ransomware, CISA AA23-347A, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Linux Telnet Authentication Bypass
|
Sysmon for Linux EventID 1
|
T1548
|
TTP
|
Telnetd CVE-2026-24061
|
2026-05-13
|
|
Windows HTTP Network Communication From MSIExec
|
Sysmon EventID 1, Sysmon EventID 3, Cisco Network Visibility Module Flow Data
|
T1218.007
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Water Gamayun, GhostRedirector IIS Module and Rungan Backdoor, SolarWinds WHD RCE Post Exploitation, Cisco Network Visibility Module Analytics, Windows System Binary Proxy Execution MSIExec
|
2026-05-13
|
|
Cisco NVM - Suspicious Network Connection to IP Lookup Service API
|
Cisco Network Visibility Module Flow Data
|
T1016
T1590.005
|
Anomaly
|
Castle RAT, Cisco Network Visibility Module Analytics, BlankGrabber Stealer
|
2026-05-13
|
|
Linux Doas Conf File Creation
|
Sysmon for Linux EventID 11
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Filtering Platform Policy Added to Block EDR Process
|
Sysmon EventID 13
|
T1685
|
TTP
|
Security Solution Tampering, Disabling Security Tools
|
2026-05-13
|
|
Windows Office Product Loading VBE7 DLL
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Remcos, Spearphishing Attachments, DarkCrystal RAT, PlugX, NjRAT, AgentTesla, Qakbot, Azorult, MuddyWater, IcedID, Trickbot
|
2026-05-13
|
|
Windows Suspicious Burst of Password Changes
|
Windows Event Log Security 4723, Windows Event Log Security 4724
|
T1068
|
TTP
|
BlueHammer, Windows Privilege Escalation
|
2026-04-29
|
|
Windows PsTools Recon Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
T1046
T1082
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Linux Auditd Doas Conf File Creation
|
Linux Auditd Cwd, Linux Auditd Path
|
T1548.003
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Data Destruction Recursive Exec Files Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1485
|
TTP
|
Disk Wiper, Handala Wiper, Swift Slicer, Data Destruction, Void Manticore
|
2026-05-13
|
|
Windows Service Creation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
|
TTP
|
Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, SnappyBee, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux OpenVPN Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows PowerView SPN Discovery
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Rhysida Ransomware, CISA AA23-347A, Active Directory Kerberos Attacks, Interlock Ransomware
|
2026-05-13
|
|
Windows AD Domain Controller Promotion
|
Windows Event Log Security 4742
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Sdclt UAC Bypass
|
Sysmon EventID 12, Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Devtunnels Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1090
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Linux Deletion Of Cron Jobs
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidRain, Data Destruction, AcidPour
|
2026-05-13
|
|
Windows RunMRU Command Execution
|
Sysmon EventID 13
|
T1202
|
Anomaly
|
Fake CAPTCHA Campaigns, Lumma Stealer
|
2026-05-13
|
|
Linux Suspicious Namespace Creation
|
Linux Auditd Syscall, Sysmon for Linux EventID 1
|
T1068
|
TTP
|
Linux Privilege Escalation
|
2026-05-12
|
|
Windows Office Product Loading Taskschd DLL
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
GetCurrent User with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Powershell Get LocalGroup Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Svchost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Terminating Lsass Process
|
Sysmon EventID 10
|
T1685
|
Anomaly
|
Double Zero Destructor, Scattered Lapsus$ Hunters, Data Destruction
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender App Guard
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
MacOS Hidden Files and Directories
|
Osquery Results
|
T1564.001
|
Anomaly
|
MacOS Persistence Techniques
|
2026-05-13
|
|
Windows COM Hijacking InprocServer32 Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.015
|
TTP
|
Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Report Infection
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows SQL Server Startup Procedure
|
Windows Event Log Application 17135
|
T1505.001
|
Anomaly
|
SQL Server Abuse, Hellcat Ransomware
|
2026-05-13
|
|
Windows Chrome Enable Extension Loading via Command-Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
LOLBAS With Network Traffic
|
Sysmon EventID 3
|
T1105
T1218
T1567
|
TTP
|
Malicious Inno Setup Loader, Living Off The Land, APT37 Rustonotto and FadeStealer, Fake CAPTCHA Campaigns, Water Gamayun, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Account Discovery for Sam Account Name
|
Powershell Script Block Logging 4104
|
T1087
|
Anomaly
|
CISA AA23-347A
|
2026-05-13
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Linux Persistence Techniques, Scheduled Tasks, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Impair Defense Disable Realtime Signature Delivery
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Hiding Files And Directories With Attrib exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
TTP
|
Malicious Inno Setup Loader, Crypto Stealer, Compromised Windows Host, VIP Keylogger, Windows Defense Evasion Tactics, Azorult, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Command and Scripting Interpreter Hunting Path Traversal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Hunting
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Hide User Account From Sign-In Screen
|
Sysmon EventID 13
|
T1685
|
TTP
|
XMRig, Windows Registry Abuse, Warzone RAT, Azorult
|
2026-05-13
|
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 13
|
T1112
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, CISA AA23-347A, Medusa Ransomware
|
2026-05-13
|
|
Windows Audit Policy Restored via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Information Discovery Fsutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows User Disabled Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1531
|
Anomaly
|
XMRig
|
2026-05-13
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry ValleyRat PWN Reg Entry
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Detect mshta inline hta execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious MSHTA Activity, XWorm, Gozi Malware, BlankGrabber Stealer
|
2026-05-13
|
|
Windows Unusual Count Of Users Remotely Failed To Auth From Host
|
Windows Event Log Security 4625
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows Suspicious React or Next.js Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1059.003
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Windows Query Registry Browser List Application
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Salt Typhoon, China-Nexus Threat Activity, SnappyBee, RedLine Stealer
|
2026-05-13
|
|
Excessive number of service control start as disabled
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd Whoami User Discovery
|
Linux Auditd Syscall
|
T1033
|
Anomaly
|
Linux Persistence Techniques, QuietVault, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Detect Exchange Web Shell
|
Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
Compromised Windows Host, CISA AA22-257A, BlackByte Ransomware, HAFNIUM Group, Seashell Blizzard, GhostRedirector IIS Module and Rungan Backdoor, ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Linux Node Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Mimikatz Binary Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003
|
TTP
|
Compromised Windows Host, CISA AA22-320A, Scattered Spider, Volt Typhoon, Flax Typhoon, Credential Dumping, CISA AA23-347A, Sandworm Tools
|
2026-05-13
|
|
Enumerate Users Local Group Using Telegram
|
Windows Event Log Security 4798
|
T1087
|
TTP
|
XMRig, Compromised Windows Host, Water Gamayun
|
2026-05-13
|
|
Windows Audit Policy Excluded Category via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Driver Inventory
|
|
T1068
|
Hunting
|
Windows Drivers
|
2026-05-13
|
|
Suspicious Process Executed From Container File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.008
T1204.002
|
TTP
|
APT37 Rustonotto and FadeStealer, Remcos, Water Gamayun, Unusual Processes, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Snake Keylogger
|
2026-05-13
|
|
Clop Common Exec Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204
|
TTP
|
Compromised Windows Host, Clop Ransomware
|
2026-05-13
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Scheduled Tasks, Compromised Windows Host, Windows Error Reporting Service Elevation of Privilege Vulnerability, Medusa Ransomware, Ransomware, CISA AA22-257A, Castle RAT, Winter Vivern, 0bj3ctivity Stealer, Salt Typhoon, Ryuk Ransomware, Windows Persistence Techniques, China-Nexus Threat Activity, SystemBC
|
2026-05-13
|
|
PowerShell Start-BitsTransfer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1197
|
TTP
|
Gozi Malware, BITS Jobs
|
2026-05-13
|
|
AdsiSearcher Account Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Industroyer2, Active Directory Discovery, CISA AA23-347A, Data Destruction, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Excessive Usage of NSLOOKUP App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1048
|
Anomaly
|
Data Exfiltration, Dynamic DNS, Command And Control, Suspicious DNS Traffic
|
2026-05-13
|
|
Windows Scheduled Task Created Via XML
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
Anomaly
|
Malicious Inno Setup Loader, Scheduled Tasks, Lokibot, Winter Vivern, MoonPeak, CISA AA23-347A
|
2026-05-13
|
|
Windows Cabinet File Extraction Via Expand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Suspicious Child Process Spawned From WebServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.003
|
Anomaly
|
SysAid On-Prem Software CVE-2023-47246 Vulnerability, Compromised Windows Host, WS FTP Server Critical Vulnerabilities, Medusa Ransomware, Citrix ShareFile RCE CVE-2023-24489, CISA AA22-257A, BlackByte Ransomware, Flax Typhoon, Microsoft SharePoint Vulnerabilities, HAFNIUM Group, GhostRedirector IIS Module and Rungan Backdoor, CISA AA22-264A, Microsoft WSUS CVE-2025-59287, ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Cisco Isovalent - Access To Cloud Metadata Service
|
Cisco Isovalent Process Connect
|
T1552.005
|
Anomaly
|
VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows NirSoft Tool Bundle File Created
|
Sysmon EventID 11
|
T1588.002
|
Anomaly
|
WhisperGate, Data Destruction, Unusual Processes
|
2026-05-13
|
|
Non Firefox Process Access Firefox Profile Dir
|
Windows Event Log Security 4663
|
T1555.003
|
Anomaly
|
Snake Keylogger, RedLine Stealer, Warzone RAT, NjRAT, StealC Stealer, Salt Typhoon, DarkGate Malware, BlankGrabber Stealer, China-Nexus Threat Activity, FIN7, SnappyBee, Malicious Inno Setup Loader, Lokibot, VIP Keylogger, Salat Stealer, 0bj3ctivity Stealer, AgentTesla, CISA AA23-347A, Remcos, 3CX Supply Chain Attack, Azorult, Quasar RAT, Phemedrone Stealer
|
2026-06-08
|
|
Windows Potential Cloudflared Tunnel Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1572
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Network Share Discovery Via Dir Command
|
Windows Event Log Security 5140
|
T1135
|
Hunting
|
IcedID
|
2026-05-13
|
|
Set Default PowerShell Execution Policy To Unrestricted or Bypass
|
Sysmon EventID 13
|
T1059.001
|
TTP
|
Credential Dumping, HAFNIUM Group, Hermetic Wiper, SolarWinds WHD RCE Post Exploitation, DarkGate Malware, Data Destruction, Malicious PowerShell, SystemBC
|
2026-05-13
|
|
Notepad with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Detect Password Spray Attack Behavior On User
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Crypto Stealer, Compromised User Account
|
2026-05-13
|
|
Active Directory Privilege Escalation Identified
|
|
T1484
|
Correlation
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Single Letter Process On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
|
TTP
|
DHS Report TA18-074A, Compromised Windows Host
|
2026-05-13
|
|
Linux Setuid Using Chmod Utility
|
Sysmon for Linux EventID 1
|
T1548.001
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Steal Authentication Certificates Export Certificate
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Linux Composer Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Sdelete Application Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070.004
T1485
|
TTP
|
Masquerading - Rename System Utilities, Void Manticore, Scattered Spider
|
2026-05-13
|
|
Windows Downdate Registry Activity
|
Sysmon EventID 14, Sysmon EventID 12, Sysmon EventID 13
|
T1112
T1689
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Interlock Ransomware
|
2026-05-13
|
|
Windows Disable Change Password Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Defense Evasion Tactics, Ransomware
|
2026-05-13
|
|
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows AD Self DACL Assignment
|
Windows Event Log Security 5136
|
T1098
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Powershell Disable Security Monitoring
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
Revil Ransomware, Ransomware, Salat Stealer, CISA AA24-241A, BlankGrabber Stealer
|
2026-06-08
|
|
Add or Set Windows Defender Exclusion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
ValleyRAT, Remcos, Compromised Windows Host, CISA AA22-320A, Crypto Stealer, XWorm, Windows Defense Evasion Tactics, Salat Stealer, AgentTesla, Data Destruction, WhisperGate, NetSupport RMM Tool Abuse
|
2026-06-08
|
|
NLTest Domain Trust Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Cleo File Transfer Software, Medusa Ransomware, Active Directory Discovery, Rhysida Ransomware, Qakbot, Storm-0501 Ransomware, Ryuk Ransomware, IcedID, Domain Trust Discovery
|
2026-05-13
|
|
Windows Executable in Loaded Modules
|
Sysmon EventID 7
|
T1129
|
TTP
|
Lokibot, NjRAT
|
2026-05-13
|
|
Windows Level RMM Watchdog Task Created
|
Windows Event Log Security 4698
|
T1053
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
T1053.003
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Excessive Usage Of Net App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1531
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation, Ransomware, XMRig, Rhysida Ransomware, Azorult, Graceful Wipe Out Attack
|
2026-05-13
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir
|
2026-05-13
|
|
ConnectWise ScreenConnect Path Traversal Windows SACL
|
Windows Event Log Security 4663
|
T1190
|
TTP
|
Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard
|
2026-05-13
|
|
Linux Auditd Kernel Module Enumeration
|
Linux Auditd Syscall
|
T1014
T1082
|
Anomaly
|
Linux Rootkit, XorDDos, Compromised Linux Host
|
2026-05-13
|
|
Cisco NVM - Curl Execution With Insecure Flags
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
PromptLock, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Windows Odbcconf Hunting
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.008
|
Hunting
|
Living Off The Land
|
2026-05-13
|
|
Windows Mail Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
T1071.003
|
Anomaly
|
AgentTesla
|
2026-05-13
|
|
Network Connection Discovery With Arp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Volt Typhoon, Active Directory Discovery, Interlock Ransomware, Qakbot, IcedID
|
2026-05-13
|
|
Windows Computer Account Created by Computer Account
|
Windows Event Log Security 4741
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2026-05-13
|
|
Firewall Allowed Program Enable
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1686
|
Anomaly
|
Medusa Ransomware, BlackByte Ransomware, PlugX, NjRAT, Windows Defense Evasion Tactics, Salat Stealer, Azorult
|
2026-06-08
|
|
Elevated Group Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Cobalt Strike PowerShell Loader
|
Powershell Script Block Logging 4104
|
T1059.001
T1608
|
TTP
|
Cobalt Strike
|
2026-05-13
|
|
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon
|
2026-05-13
|
|
Windows System User Discovery Via Quser
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Crypto Stealer
|
2026-05-13
|
|
Windows File Without Extension In Critical Folder
|
Sysmon EventID 11
|
T1485
|
TTP
|
Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Windows Command Shell DCRat ForkBomb Payload
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
TTP
|
DarkCrystal RAT, Compromised Windows Host
|
2026-05-13
|
|
Creation of lsass Dump with Taskmgr
|
Sysmon EventID 11
|
T1003.001
|
TTP
|
Cactus Ransomware, CISA AA22-257A, Credential Dumping, Seashell Blizzard, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
NET Profiler UAC bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Excessive Attempt To Disable Services
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1489
|
Anomaly
|
XMRig, Azorult
|
2026-05-13
|
|
Disable UAC Remote Restriction
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics, CISA AA23-347A, Suspicious Windows Registry Activities, Windows Registry Abuse
|
2026-05-13
|
|
Windows Shell Process from CrushFTP
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1059.003
T1190
T1505
|
TTP
|
CrushFTP Vulnerabilities
|
2026-05-13
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
T1053
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Windows Default Group Policy Object Modified with GPME
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Detect Renamed WinRAR
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1560.001
|
Hunting
|
Salt Typhoon, China-Nexus Threat Activity, Collection and Staging, CISA AA22-277A
|
2026-05-13
|
|
Windows AD Dangerous User ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Get ADUserResultantPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Powershell Defender Threat Actions Set to Allow
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
TTP
|
Salat Stealer
|
2026-05-12
|
|
Windows Impair Defense Disable Win Defender Scan On Update
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Excessive File Deletion In WinDefender Folder
|
Sysmon EventID 23, Sysmon EventID 26
|
T1485
|
TTP
|
WhisperGate, BlackByte Ransomware, Data Destruction
|
2026-05-13
|
|
WMIC XSL Execution via URL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1220
|
TTP
|
Compromised Windows Host, Suspicious WMI Use, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows AD DSRM Account Changes
|
Sysmon EventID 13
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Persistence Techniques
|
2026-05-13
|
|
Access LSASS Memory for Dump Creation
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
Lokibot, Cactus Ransomware, Credential Dumping, CISA AA23-347A, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect Outlook exe writing a zip file
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566.001
|
Anomaly
|
Remcos, APT37 Rustonotto and FadeStealer, Spearphishing Attachments, Meduza Stealer, PXA Stealer, Amadey
|
2026-05-13
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.004
T1685.001
|
Anomaly
|
Windows Defense Evasion Tactics, Compromised Windows Host, CISA AA23-347A, IIS Components
|
2026-05-13
|
|
Windows RDPClient Connection Sequence Events
|
Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
|
T1133
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Spearphishing Attachments
|
2026-05-13
|
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
Linux Rootkit, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, China-Nexus Threat Activity
|
2026-05-13
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
ValleyRAT, Water Gamayun
|
2026-05-13
|
|
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows Modify Registry Regedit Silent Reg Import
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome Extension Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Malicious Inno Setup Loader, Braodo Stealer, StealC Stealer, 0bj3ctivity Stealer, Meduza Stealer, MoonPeak, Amadey, DarkGate Malware, CISA AA23-347A, BlankGrabber Stealer, Phemedrone Stealer, RedLine Stealer
|
2026-05-13
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 13
|
T1112
|
TTP
|
NjRAT
|
2026-05-13
|
|
7zip CommandLine To SMB Share Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1560.001
|
Hunting
|
Ransomware
|
2026-05-13
|
|
Windows Process Execution From RDP Share
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
T1059
T1105
|
Anomaly
|
Hidden Cobra Malware
|
2026-05-13
|
|
Linux SSH Remote Services Script Execute
|
Sysmon for Linux EventID 1
|
T1021.004
|
TTP
|
VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Linux Decode Base64 to Shell
|
Sysmon for Linux EventID 1, Cisco Isovalent Process Exec
|
T1027
T1059.004
|
TTP
|
Linux Living Off The Land, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Ping Sleep Batch Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
Anomaly
|
Gh0st RAT, Warzone RAT, BlackByte Ransomware, Meduza Stealer, Quasar RAT, Data Destruction, WhisperGate, Void Manticore
|
2026-05-13
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 11
|
T1574.001
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Malicious PowerShell Process - Encoded Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027
|
Hunting
|
Crypto Stealer, CISA AA22-320A, Scattered Spider, Volt Typhoon, Microsoft SharePoint Vulnerabilities, DarkCrystal RAT, Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Qakbot, SolarWinds WHD RCE Post Exploitation, Microsoft WSUS CVE-2025-59287, NOBELIUM Group, Data Destruction, WhisperGate, Lumma Stealer, Sandworm Tools, Malicious PowerShell
|
2026-05-13
|
|
Recursive Delete of Directory In Batch CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070.004
|
TTP
|
APT37 Rustonotto and FadeStealer, Ransomware
|
2026-05-13
|
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
T1546.012
|
Hunting
|
Windows Persistence Techniques
|
2026-05-13
|
|
Excessive Usage Of Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Crypto Stealer, XMRig, NjRAT, AgentTesla, CISA AA22-264A, Azorult, BlankGrabber Stealer, CISA AA22-277A
|
2026-05-13
|
|
Windows Credentials in Registry Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1552.002
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows AD Domain Replication ACL Addition
|
Windows Event Log Security 5136
|
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Command
|
Windows Event Log Security 4700, Windows Event Log Security 4698, Windows Event Log Security 4702
|
T1053.005
|
TTP
|
Scheduled Tasks, APT37 Rustonotto and FadeStealer, Ransomware, Seashell Blizzard, SolarWinds WHD RCE Post Exploitation, Quasar RAT, Ryuk Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
T1218.014
T1548.002
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Linux Ingress Tool Transfer Hunting
|
Sysmon for Linux EventID 1
|
T1105
|
Hunting
|
NPM Supply Chain Compromise, Ingress Tool Transfer, XorDDos, Linux Living Off The Land, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
Linux Auditd Find Ssh Private Keys
|
Linux Auditd Execve
|
T1552.004
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Hellcat Ransomware, Compromised Linux Host
|
2026-05-13
|
|
Windows Firewall Rule Deletion
|
Windows Event Log Security 4948
|
T1686
|
Anomaly
|
Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-05-13
|
|
Linux Auditd Disable Or Modify System Firewall
|
Linux Auditd Service Stop
|
T1686
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux Auditd Doas Tool Execution
|
Linux Auditd Syscall
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Kerberos Local Successful Logon
|
Windows Event Log Security 4624
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp, Scattered Lapsus$ Hunters, Compromised Windows Host
|
2026-05-13
|
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
T1091
|
TTP
|
APT37 Rustonotto and FadeStealer, PlugX, NjRAT, Salt Typhoon, Chaos Ransomware, Derusbi, China-Nexus Threat Activity
|
2026-05-13
|
|
Process Creating LNK file in Suspicious Location
|
Sysmon EventID 11
|
T1566.002
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Spearphishing Attachments, Gozi Malware, Qakbot, Amadey, BlankGrabber Stealer, IcedID
|
2026-05-13
|
|
Linux Csvtool Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Unblock File Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Windows Vulnerable 3CX Software
|
Sysmon EventID 1
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Disable Defender Submit Samples Consent Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Salat Stealer, Azorult, CISA AA23-347A, BlankGrabber Stealer, IcedID
|
2026-06-08
|
|
Rubeus Kerberos Ticket Exports Through Winlogon Access
|
Sysmon EventID 10
|
T1550.003
|
TTP
|
BlackSuit Ransomware, Active Directory Kerberos Attacks, CISA AA23-347A, Scattered Lapsus$ Hunters, ZOVWiper
|
2026-05-13
|
|
Web Servers Executing Suspicious Processes
|
Sysmon EventID 1
|
T1082
|
TTP
|
Apache Struts Vulnerability
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1134, Windows Event Log Defender 1132, Windows Event Log Defender 1122, Windows Event Log Defender 1126, Windows Event Log Defender 1125
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Advanced Installer MSIX with AI_STUBS Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1218
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
Linux NOPASSWD Entry In Sudoers File
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Salt Typhoon, China-Nexus Threat Activity, Linux Privilege Escalation
|
2026-05-13
|
|
Detect Baron Samedit CVE-2021-3156 Segfault
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-05-13
|
|
Windows Service Create SliverC2
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Compromised Windows Host, Hellcat Ransomware, BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Windows Event For Service Disabled
|
Windows Event Log System 7040
|
T1685
|
Hunting
|
Windows Defense Evasion Tactics, RedLine Stealer
|
2026-05-13
|
|
System Info Gathering Using Dxdiag Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1592
|
Hunting
|
Remcos
|
2026-05-13
|
|
Drop IcedID License dat
|
Sysmon EventID 11
|
T1204.002
|
Hunting
|
IcedID
|
2026-05-13
|
|
Eventvwr UAC Bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Living Off The Land, ValleyRAT, Windows Registry Abuse, Windows Defense Evasion Tactics, IcedID
|
2026-05-13
|
|
Windows Suspicious File in EFI Volume
|
Sysmon EventID 11
|
T1490
T1542.001
|
TTP
|
Windows BootKits, BlackLotus Campaign, Sandworm Tools
|
2026-05-13
|
|
Windows SIP Provider Inventory
|
|
T1553.003
|
Hunting
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
WMI Temporary Event Subscription
|
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows Registry Payload Injection
|
Sysmon EventID 13
|
T1027.011
|
TTP
|
Unusual Processes
|
2026-05-13
|
|
Windows NetSupport RMM DLL Loaded By Uncommon Process
|
Sysmon EventID 7
|
T1036
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Process Writing File to World Writable Path
|
Sysmon EventID 11
|
T1218.005
|
Hunting
|
APT29 Diplomatic Deceptions with WINELOADER, PHP-CGI RCE Attack on Japanese Organizations, PathWiper
|
2026-05-13
|
|
Windows Impair Defense Disable PUA Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Auditd File Permissions Modification Via Chattr
|
Linux Auditd Execve
|
T1222.002
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Suspicious Defender Engine or Signature Files Created
|
Sysmon EventID 11
|
T1068
|
Anomaly
|
BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Qakbot, Earth Alux
|
2026-05-13
|
|
Windows AD GPO Deleted
|
Windows Event Log Security 5136
|
T1484.001
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Default Rdp File Unhidden
|
Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
T1037.004
|
Anomaly
|
Backdoor Pingpong, Linux Persistence Techniques, XorDDos, Linux Privilege Escalation, China-Nexus Threat Activity
|
2026-05-13
|
|
Wermgr Process Spawned CMD Or Powershell Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
Qakbot, Trickbot
|
2026-05-13
|
|
Linux Deletion Of Services
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
AcidRain, AwfulShred, Data Destruction, AcidPour
|
2026-05-13
|
|
Windows Suspicious Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1543
|
TTP
|
RoguePlanet, Brute Ratel C4, PromptLock, XMRig, Castle RAT, AsyncRAT, Water Gamayun, Hermetic Wiper, MoonPeak, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Graceful Wipe Out Attack, IcedID, Trickbot, RedLine Stealer, Prestige Ransomware, Earth Alux, Warzone RAT, DarkCrystal RAT, PlugX, StealC Stealer, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, Chaos Ransomware, LockBit Ransomware, China-Nexus Threat Activity, SnappyBee, Void Manticore, Malicious Inno Setup Loader, ValleyRAT, Lokibot, VIP Keylogger, Industroyer2, Interlock Rat, XWorm, NailaoLocker Ransomware, Meduza Stealer, AgentTesla, Qakbot, CISA AA23-347A, WhisperGate, Axios Supply Chain Post Compromise, SystemBC, Remcos, Volt Typhoon, BlackByte Ransomware, Interlock Ransomware, Azorult, Quasar RAT, Swift Slicer, Data Destruction, Handala Wiper, Double Zero Destructor, Phemedrone Stealer, SesameOp
|
2026-06-11
|
|
Windows Curl Upload to Remote Destination
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1105
|
TTP
|
Compromised Windows Host, PromptLock, NPM Supply Chain Compromise, Ingress Tool Transfer, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
Windows Shell or Script Execution From IIS Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1190
T1505.004
|
Anomaly
|
ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Linux Persistence and Privilege Escalation Risk Behavior
|
|
T1548
|
Correlation
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Print Processor Registry Autostart
|
Sysmon EventID 13
|
T1547.012
|
TTP
|
Hermetic Wiper, Windows Privilege Escalation, Data Destruction, Windows Persistence Techniques
|
2026-05-13
|
|
CrowdStrike Falcon Stream Alerts
|
CrowdStrike Falcon Stream Alert
|
N/A
|
Anomaly
|
Critical Alerts
|
2026-05-13
|
|
Linux Octave Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Disable Internet Explorer Addons
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1176.001
|
Anomaly
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Disable ETW Through Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, CISA AA23-347A, Ransomware
|
2026-05-13
|
|
Windows Modify Registry No Auto Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2026-05-13
|
|
Windows XLL File Creation Outside of Typical Location
|
Sysmon EventID 11
|
T1059
T1129
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Network Connection Discovery With Netstat
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Medusa Ransomware, Volt Typhoon, PlugX, Active Directory Discovery, Qakbot, CISA AA23-347A, CISA AA22-277A
|
2026-05-13
|
|
Windows Office Product Dropped Cab or Inf File
|
Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
APT37 Rustonotto and FadeStealer, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Spearphishing Attachments
|
2026-05-13
|
|
Detect Password Spray Attack Behavior From Source
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco NVM - Suspicious File Download via Headless Browser
|
Cisco Network Visibility Module Flow Data
|
T1059
T1105
|
TTP
|
Cisco Network Visibility Module Analytics, BlankGrabber Stealer
|
2026-05-13
|
|
Detect Regsvcs Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Suspicious Regsvcs Regasm Activity, Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Winhlp32 Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Remcos, Compromised Windows Host
|
2026-05-13
|
|
Get DomainPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Crowdstrike Admin With Duplicate Password
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Compromised Windows Host, Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware
|
2026-05-13
|
|
Windows Local LLM Framework Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
T1112
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Chrome Extension Allowed Registry Modification
|
Sysmon EventID 13
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows Developer-Signed MSIX Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
Anomaly
|
MSIX Package Abuse
|
2026-05-13
|
|
Get-DomainTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Deletion of SSL Certificate
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidRain, AcidPour
|
2026-05-13
|
|
Windows Get-AdComputer Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Kerberos Attacks, Medusa Ransomware
|
2026-05-13
|
|
Windows SnappyBee Create Test Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Salt Typhoon, China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
|
Windows Event Log Security 4738
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2026-05-13
|
|
Windows LSA Secrets NoLMhash Registry
|
Sysmon EventID 13
|
T1003.004
|
TTP
|
CISA AA23-347A, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
MacOS LOLbin
|
Osquery Results
|
T1059.004
|
TTP
|
Living Off The Land, Axios Supply Chain Post Compromise, Hellcat Ransomware
|
2026-05-13
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
T1078.002
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Get ADUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
Hunting
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Windows FFmpeg Audio and Video Device Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1125
|
Anomaly
|
Salat Stealer
|
2026-05-20
|
|
Linux Emacs Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Auditd Service Stop
|
Linux Auditd Service Stop
|
T1489
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Suspicious Regsvr32 Register Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
TTP
|
Living Off The Land, Qakbot, Salt Typhoon, Suspicious Regsvr32 Activity, Derusbi, IcedID, China-Nexus Threat Activity
|
2026-05-13
|
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
T1112
|
Hunting
|
Outlook RCE CVE-2024-21378, Hellcat Ransomware
|
2026-05-13
|
|
Windows Credentials from Password Stores Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1555
|
Anomaly
|
NetSupport RMM Tool Abuse, Prestige Ransomware, Windows Post-Exploitation, DarkGate Malware
|
2026-05-13
|
|
Windows AD Dangerous Group ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows UAC Bypass Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1548.002
|
TTP
|
Living Off The Land, Castle RAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Detect Path Interception By Creation Of program exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.009
|
TTP
|
Scattered Lapsus$ Hunters, Windows Persistence Techniques
|
2026-05-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Execute Arbitrary Commands with MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host
|
2026-05-13
|
|
Windows Process Execution in Temp Dir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1543
|
Anomaly
|
RoguePlanet, Gh0st RAT, Remcos, Lokibot, Axios Supply Chain Post Compromise, PromptLock, Ransomware, XWorm, NjRAT, Salat Stealer, AgentTesla, Qakbot, PathWiper, Ryuk Ransomware, Trickbot, SesameOp
|
2026-06-08
|
|
Detect Credential Dumping through LSASS access
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
Lokibot, BlackSuit Ransomware, Credential Dumping, Detect Zerologon Attack, CISA AA23-347A, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Auditd Setuid Using Setcap Utility
|
Linux Auditd Execve
|
T1548.001
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows RDP Server Registry Entry Created
|
Sysmon EventID 13
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Remote Create Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
|
Anomaly
|
BlackSuit Ransomware, CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Guest Account Enabled Via Net.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1078.001
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
File Download or Read to Pipe Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
Compromised Windows Host, NPM Supply Chain Compromise, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon
|
2026-05-13
|
|
Windows LAPS Password Gathering Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1003
T1552
|
Anomaly
|
Credential Dumping, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
Brute Ratel C4, PathWiper
|
2026-05-13
|
|
Linux Make Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Database File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Defender Exclusion Registry Entry
|
Sysmon EventID 13
|
T1685
|
TTP
|
ValleyRAT, Remcos, Warzone RAT, XWorm, Windows Defense Evasion Tactics, Salat Stealer, Qakbot, Azorult, NetSupport RMM Tool Abuse
|
2026-06-08
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
T1069
T1078.002
|
TTP
|
Rhysida Ransomware, Active Directory Privilege Escalation, Active Directory Discovery
|
2026-05-13
|
|
Windows RDP Client Launched with Admin Session
|
Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Findstr GPP Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1552.006
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Detect Baron Samedit CVE-2021-3156 via OSQuery
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-05-13
|
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host, Windows Persistence Techniques
|
2026-05-13
|
|
Recon AVProduct Through Pwh or WMI
|
Powershell Script Block Logging 4104
|
T1592
|
TTP
|
Prestige Ransomware, Windows Post-Exploitation, Ransomware, XWorm, Hermetic Wiper, MoonPeak, Qakbot, Quasar RAT, Data Destruction, Malicious PowerShell
|
2026-05-13
|
|
Windows Privileged Group Modification
|
Windows Event Log Security 4744, Windows Event Log Security 4790, Windows Event Log Security 4731, Windows Event Log Security 4727, Windows Event Log Security 4754, Windows Event Log Security 4759, Windows Event Log Security 4749, Windows Event Log Security 4756, Windows Event Log Security 4783
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Process Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows System User Privilege Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Windows SubInAcl Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows File Share Discovery With Powerview
|
Powershell Script Block Logging 4104
|
T1135
|
TTP
|
Active Directory Privilege Escalation, Active Directory Discovery
|
2026-05-13
|
|
Linux Auditd Possible Access Or Modification Of Sshd Config File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1098.004
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Change File Association Command To Notepad
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.001
|
TTP
|
Prestige Ransomware, Compromised Windows Host
|
2026-05-13
|
|
PetitPotam Suspicious Kerberos TGT Request
|
Windows Event Log Security 4768
|
T1003
|
TTP
|
PetitPotam NTLM Relay on Active Directory Certificate Services, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows MSExchange Management Mailbox Cmdlet Usage
|
|
T1059.001
|
Anomaly
|
ProxyNotShell, BlackByte Ransomware, Scattered Spider, ProxyShell
|
2026-05-13
|
|
Windows Linked Policies In ADSI Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
Industroyer2, Data Destruction, Active Directory Discovery
|
2026-05-13
|
|
Windows Event Log Cleared
|
Windows Event Log Security 1102, Windows Event Log System 104
|
T1685.005
|
TTP
|
Compromised Windows Host, Ransomware, Salat Stealer, ShrinkLocker, CISA AA22-264A, Windows Log Manipulation, Clop Ransomware
|
2026-06-08
|
|
Windows Impair Defense Disable Win Defender Compute File Hashes
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Quick Scan Interval
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Rubeus Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1550.003
T1558.003
T1558.004
|
TTP
|
BlackSuit Ransomware, Active Directory Privilege Escalation, Active Directory Kerberos Attacks, CISA AA23-347A, Scattered Lapsus$ Hunters, ZOVWiper
|
2026-05-13
|
|
Windows Suspicious Defender Update Activity in INetCache
|
Sysmon EventID 23, Sysmon EventID 11
|
T1068
T1105
|
Anomaly
|
BlueHammer, Windows Persistence Techniques
|
2026-04-27
|
|
Disabling Defender Services
|
Sysmon EventID 13
|
T1685
|
TTP
|
IcedID, Windows Registry Abuse, RedLine Stealer
|
2026-05-13
|
|
Windows Time Based Evasion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
TTP
|
NjRAT, BlankGrabber Stealer
|
2026-05-13
|
|
MacOS plutil
|
Osquery Results
|
T1647
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows System Binary Proxy Execution Compiled HTML File Decompile
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
|
TTP
|
Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity
|
2026-05-13
|
|
Windows PowerSploit GPP Discovery
|
Powershell Script Block Logging 4104
|
T1552.006
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Cisco NVM - Suspicious Network Connection From Process With No Args
|
Cisco Network Visibility Module Flow Data
|
T1055
T1218
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Service Deletion In Registry
|
Sysmon EventID 13
|
T1489
|
Anomaly
|
Crypto Stealer, Brute Ratel C4, PlugX
|
2026-05-13
|
|
Windows Input Capture Using Credential UI Dll
|
Sysmon EventID 7
|
T1056.002
|
Hunting
|
APT37 Rustonotto and FadeStealer, Brute Ratel C4
|
2026-05-13
|
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Wmic Systeminfo Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor, LAMEHUG, BlankGrabber Stealer
|
2026-05-13
|
|
Linux Find Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Chromium Process with Disabled Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows System Discovery Using ldap Nslookup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows Modify Registry ProxyServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Linux Disable Services
|
Sysmon for Linux EventID 1
|
T1489
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2026-05-13
|
|
Windows IIS Components Add New Module
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.004
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components
|
2026-05-13
|
|
Unusually Long Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
N/A
|
Anomaly
|
Ransomware, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Unusual Processes, Suspicious Command-Line Executions
|
2026-05-13
|
|
Windows .Key File Creation in Root Directory
|
Sysmon EventID 11
|
T1486
|
Anomaly
|
Ransomware
|
2026-05-13
|
|
Create or delete windows shares using net exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070.005
|
TTP
|
Prestige Ransomware, Windows Post-Exploitation, Hidden Cobra Malware, DarkGate Malware, CISA AA22-277A
|
2026-05-13
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12
|
T1053.005
T1685
|
Anomaly
|
Scheduled Tasks, Windows Registry Abuse, Windows Persistence Techniques
|
2026-05-13
|
|
Excessive number of taskhost processes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Anomaly
|
Meterpreter
|
2026-05-13
|
|
Conti Common Exec parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204
|
TTP
|
Compromised Windows Host, Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
Windows Bluetooth Service Installed From Uncommon Location
|
Windows Event Log System 7045
|
T1036
T1543.003
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Get-DomainTrust with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Disable Registry Tool
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, Gozi Malware, CISA AA22-277A, Storm-0501 Ransomware, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Outlook LoadMacroProviderOnBoot Persistence
|
Sysmon EventID 13
|
T1112
T1137
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Linux Shred Overwrite Command
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
AwfulShred, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Network Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics, BlankGrabber Stealer, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect Copy of ShadowCopy with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003.002
|
TTP
|
Credential Dumping, VanHelsing Ransomware
|
2026-05-13
|
|
Process Deleting Its Process File Path
|
Sysmon EventID 1
|
T1070
|
TTP
|
WhisperGate, Data Destruction, Clop Ransomware, Remcos
|
2026-05-13
|
|
Schtasks used for forcing a reboot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Scheduled Tasks, Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Exfiltration Over C2 Via Powershell UploadString
|
Powershell Script Block Logging 4104
|
T1041
|
TTP
|
Winter Vivern, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows PowerShell Script Block With Malicious String
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Crowdstrike Admin Weak Password Policy
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Outlook Macro Security Modified
|
Sysmon EventID 13
|
T1008
T1137
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Windows Routing and Remote Access Service Registry Key Change
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Gh0st RAT
|
2026-05-13
|
|
Windows Compatibility Telemetry Tampering Through Registry
|
Sysmon EventID 13
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Steal Authentication Certificates Export PfxCertificate
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Remote Services Allow Rdp In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Azorult
|
2026-05-13
|
|
Rundll32 Create Remote Thread To A Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Windows Find Domain Organizational Units with GetDomainOU
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4768, Windows Event Log Security 4887
|
T1550
T1649
|
TTP
|
Windows Certificate Services, Compromised Windows Host
|
2026-05-13
|
|
Windows Anonymous Pipe Activity
|
Sysmon EventID 17, Sysmon EventID 18
|
T1559
|
Hunting
|
Interlock Rat, Castle RAT, Salt Typhoon, China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
Linux Auditd Change File Owner To Root
|
Linux Auditd Proctitle
|
T1222.002
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Users By Destination
|
NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Windows Find Interesting ACL with FindInterestingDomainAcl
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Cached Domain Credentials Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.005
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Linux Auditd Sudo Or Su Execution
|
Linux Auditd Proctitle
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Exchange PowerShell Abuse via SSRF
|
|
T1133
T1190
|
TTP
|
ProxyNotShell, BlackByte Ransomware, ProxyShell, Seashell Blizzard
|
2026-05-13
|
|
Windows Unusual Count Of Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2026-05-13
|
|
Detect Prohibited Applications Spawning cmd exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Hunting
|
Suspicious MSHTA Activity, Suspicious Zoom Child Processes, NOBELIUM Group, Suspicious Command-Line Executions
|
2026-05-13
|
|
Windows Ldifde Directory Object Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
T1105
|
TTP
|
Volt Typhoon
|
2026-05-13
|
|
Remote Process Instantiation via DCOM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.003
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Process Executed From Removable Media
|
Sysmon EventID 1, Sysmon EventID 13
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Phishing Recent ISO Exec Registry
|
Sysmon EventID 13
|
T1566.001
|
Hunting
|
Remcos, Brute Ratel C4, Warzone RAT, Gozi Malware, Qakbot, AgentTesla, Azorult, IcedID
|
2026-05-13
|
|
MacOS LoginHook Persistence
|
Osquery Results
|
T1037.002
|
TTP
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Disabling FolderOptions Windows Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-13
|
|
Windows Rundll32 Load DLL in Temp Dir
|
Sysmon EventID 1
|
T1218.011
|
Anomaly
|
Interlock Rat
|
2026-05-13
|
|
Linux Impair Defenses Process Kill
|
Sysmon for Linux EventID 1
|
T1685
|
Hunting
|
Scattered Lapsus$ Hunters, AwfulShred, Data Destruction
|
2026-05-13
|
|
Remote System Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Change File Owner To Root
|
Sysmon for Linux EventID 1
|
T1222.002
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux pkexec Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1068
|
TTP
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Network Connection From Program In Suspect Location
|
Sysmon EventID 3
|
T1011
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
TTP
|
Azorult
|
2026-05-13
|
|
Detect mshta renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
Hunting
|
Suspicious MSHTA Activity, Living Off The Land, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Service Create Kernel Mode Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
T1543.003
|
TTP
|
Windows Drivers, CISA AA22-320A
|
2026-05-13
|
|
Windows Remote Image Load
|
Sysmon EventID 7
|
T1059
T1068
T1129
T1203
|
Anomaly
|
BlackByte Ransomware, Ransomware, LockBit Ransomware
|
2026-05-13
|
|
Windows SQL Server Configuration Option Hunt
|
Windows Event Log Application 15457
|
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Remote System Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Suspicious Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
TTP
|
DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Brute Ratel C4, Cobalt Strike, Remote Monitoring and Management Software, BlackByte Ransomware, Gozi Malware, LockBit Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware, Trickbot, Tuoni, Meterpreter
|
2026-05-13
|
|
Remote System Discovery with Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
Linux Auditd Insert Kernel Module Using Insmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
Linux Rootkit, Linux Persistence Techniques, XorDDos, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Mmc LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.003
T1218.014
|
TTP
|
Living Off The Land, XML Runner Loader, Water Gamayun, Active Directory Lateral Movement
|
2026-05-13
|
|
Potential Telegram API Request Via CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1041
T1102.002
|
Anomaly
|
XMRig, Water Gamayun, 0bj3ctivity Stealer, BlankGrabber Stealer, Hellcat Ransomware
|
2026-05-13
|
|
Wbemprox COM Object Execution
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
Revil Ransomware, Ransomware, LockBit Ransomware
|
2026-05-13
|
|
Linux Common Process For Elevation Control
|
Sysmon for Linux EventID 1
|
T1548.001
|
Hunting
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
Windows Indirect Command Execution Via pcalua
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1202
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Detect Computer Changed with Anonymous Account
|
Windows Event Log Security 4742
|
T1210
|
Hunting
|
Detect Zerologon Attack
|
2026-05-13
|
|
Windows SharePoint Spinstall0 Webshell File Creation
|
Sysmon EventID 11
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Disable Schedule Task
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Linux Auditd Copy Fail Privilege Escalation
|
Linux Auditd Syscall
|
T1068
|
TTP
|
Linux Privilege Escalation
|
2026-05-13
|
|
Linux Indicator Removal Service File Deletion
|
Sysmon for Linux EventID 1
|
T1070.004
|
Anomaly
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
GetWmiObject Ds Group with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
RunDLL Loading DLL By Ordinal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Living Off The Land, IcedID, Suspicious Rundll32 Activity, Unusual Processes
|
2026-05-13
|
|
Windows Credential Dumping LSASS Memory Createdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.001
|
TTP
|
Credential Dumping, Compromised Windows Host, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Powershell Cryptography Namespace
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
XWorm, AsyncRAT, VIP Keylogger
|
2026-05-13
|
|
Suspicious WAV file in Appdata Folder
|
Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
T1113
|
TTP
|
Remcos
|
2026-05-13
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
T1053.005
|
Hunting
|
CISA AA22-257A, Scheduled Tasks, 0bj3ctivity Stealer, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Sudoers Tmp File Creation
|
Sysmon for Linux EventID 11
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Salt Typhoon, China-Nexus Threat Activity, Linux Privilege Escalation
|
2026-05-13
|
|
WinRAR Spawning Shell Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831
|
2026-05-13
|
|
Windows Query Registry UnInstall Program List
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
StealC Stealer, RedLine Stealer, Meduza Stealer
|
2026-05-13
|
|
Suspicious writes to windows Recycle Bin
|
Sysmon EventID 1, Sysmon EventID 11
|
T1036
|
TTP
|
PlugX, Collection and Staging
|
2026-05-13
|
|
Delete ShadowCopy With PowerShell
|
Powershell Script Block Logging 4104
|
T1490
|
TTP
|
DarkSide Ransomware, Revil Ransomware, Cactus Ransomware, Ransomware, VanHelsing Ransomware, DarkGate Malware
|
2026-05-13
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Industroyer2, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Cisco Isovalent Suspicious Activity, Gomir
|
2026-05-13
|
|
Windows Modify Registry Qakbot Binary Data Registry
|
Sysmon EventID 1, Sysmon EventID 13
|
T1112
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows VSSVC Process Accessing Defender Engine
|
Sysmon EventID 10
|
T1068
|
TTP
|
Windows Privilege Escalation, RedSun
|
2026-05-01
|
|
Windows Get-Variable.EXE Execution from WindowsApps Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.008
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
T1027.011
T1059.001
T1105
|
TTP
|
MoonPeak, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Medusa Ransomware
|
2026-05-13
|
|
Windows Scheduled Task Created in a Group Policy Object
|
Windows Event Log Security 5145
|
T1053.005
T1484.001
|
TTP
|
Living Off The Land, Scheduled Tasks, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Mshta Execution In Registry
|
Sysmon EventID 13
|
T1218.005
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Apache Benchmark Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Anomaly
|
MetaSploit
|
2026-05-13
|
|
Windows Registry Entries Restored Via Reg
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1012
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows WinRAR Launched Outside Default Installation Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
Windows AdFind Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
BlackSuit Ransomware, Graceful Wipe Out Attack, NOBELIUM Group, IcedID, Domain Trust Discovery
|
2026-05-13
|
|
Ntdsutil Export NTDS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
|
TTP
|
Living Off The Land, Prestige Ransomware, Volt Typhoon, Credential Dumping, HAFNIUM Group, Rhysida Ransomware, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Download Files Using Telegram
|
Sysmon EventID 15
|
T1105
|
TTP
|
Crypto Stealer, XMRig, Water Gamayun, 0bj3ctivity Stealer, Snake Keylogger, Phemedrone Stealer
|
2026-05-13
|
|
LLM Model File Creation
|
Sysmon EventID 11
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Get Local Admin with FindLocalAdminAccess
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Suspicious React or Next.js Child Process
|
Sysmon for Linux EventID 1
|
T1059.004
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Windows Process Injection into Notepad
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Earth Alux, BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Disabling ControlPanel
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry AuthenticationLevelOverride
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows Network Connection Discovery Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Prestige Ransomware, Azorult, Windows Post-Exploitation, Active Directory Discovery
|
2026-05-13
|
|
Windows Files and Dirs Access Rights Modification Via Icacls
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Anomaly
|
Amadey, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
T1055
T1059.001
|
TTP
|
Hermetic Wiper, Malicious PowerShell, Data Destruction, Hellcat Ransomware
|
2026-05-13
|
|
Schtasks Run Task On Demand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053
|
Anomaly
|
Scheduled Tasks, Medusa Ransomware, Industroyer2, CISA AA22-257A, XMRig, Qakbot, Data Destruction
|
2026-05-13
|
|
Linux Deletion Of Init Daemon Script
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
AcidRain, Data Destruction, AcidPour
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Malicious Inno Setup Loader, Lokibot, NailaoLocker Ransomware, XWorm, PlugX, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, DarkGate Malware, Derusbi, China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
Shim Database File Creation
|
Sysmon EventID 11
|
T1546.011
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Security And Backup Services Stop
|
Windows Event Log System 7036
|
T1490
|
TTP
|
Compromised Windows Host, Ransomware, Scattered Lapsus$ Hunters, LockBit Ransomware, Hellcat Ransomware, BlackMatter Ransomware, Termite Ransomware
|
2026-05-13
|
|
Windows Mark Of The Web Bypass
|
Sysmon EventID 23
|
T1553.005
|
TTP
|
Quasar RAT, Warzone RAT
|
2026-05-13
|
|
Windows Potential AppDomainManager Hijack Artifacts Creation
|
Sysmon EventID 11
|
T1574.014
|
Anomaly
|
SesameOp
|
2026-05-13
|
|
Linux Puppet Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Setuid Using Chmod Utility
|
Linux Auditd Proctitle
|
T1548.001
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Domain Group Discovery With Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
Windows Alternate DataStream - Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1564.004
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-06-04
|
|
Linux Possible Access To Sudoers File
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Salt Typhoon, China-Nexus Threat Activity, Linux Privilege Escalation
|
2026-05-13
|
|
GetDomainController with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Service Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
|
TTP
|
CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Domain Account Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
TTP
|
Interlock Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Windows Unsecured Outlook Credentials Access In Registry
|
Windows Event Log Security 4663
|
T1552
|
Anomaly
|
Lokibot, VIP Keylogger, 0bj3ctivity Stealer, StealC Stealer, Meduza Stealer, Snake Keylogger
|
2026-05-13
|
|
Suspicious Rundll32 no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Cobalt Strike, BlackByte Ransomware, Suspicious Rundll32 Activity, Graceful Wipe Out Attack, Hellcat Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows RDP Login Session Was Established
|
Windows Event Log Security 4624
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect Regsvcs with Network Connection
|
Sysmon EventID 3
|
T1218.009
|
TTP
|
Suspicious Regsvcs Regasm Activity, Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Allow Inbound Traffic By Firewall Rule Registry
|
Sysmon EventID 13
|
T1021.001
|
TTP
|
Windows Registry Abuse, Medusa Ransomware, PlugX, NjRAT, Azorult, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Windows Disable Memory Crash Dump
|
Sysmon EventID 13
|
T1485
|
TTP
|
Hermetic Wiper, Data Destruction, Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Time Provider Persistence Registry
|
Sysmon EventID 13
|
T1547.003
|
TTP
|
Windows Registry Abuse, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Domain Group Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Scattered Lapsus$ Hunters, Active Directory Discovery
|
2026-05-13
|
|
Windows Svchost.exe Parent Process Anomaly
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.009
|
Anomaly
|
China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
User Discovery With Env Vars PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
Anomaly
|
Qakbot, Earth Alux
|
2026-05-13
|
|
Windows Regsvr32 Renamed Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
TTP
|
Qakbot, Compromised Windows Host
|
2026-05-13
|
|
PowerShell Enable PowerShell Remoting
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 13
|
T1003
T1112
|
TTP
|
Credential Dumping, Windows Registry Abuse, CISA AA22-320A
|
2026-05-13
|
|
Detect Renamed 7-Zip
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1560.001
|
Hunting
|
Malicious Inno Setup Loader, Collection and Staging
|
2026-05-13
|
|
Jscript Execution Using Cscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.007
|
TTP
|
Remcos, FIN7
|
2026-05-13
|
|
Windows Gdrive Binary Activity
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1567
|
TTP
|
China-Nexus Threat Activity
|
2026-05-13
|
|
GetDomainComputer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows System Reboot CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1529
|
Hunting
|
XWorm, DarkCrystal RAT, NjRAT, MoonPeak, Quasar RAT, DarkGate Malware, MuddyWater, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Spoolsv Writing a DLL
|
Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
T1547.012
|
TTP
|
Compromised Windows Host, PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Enable PowerShell Web Access
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell, CISA AA24-241A
|
2026-05-13
|
|
WMI Recon Running Process Or Services
|
Powershell Script Block Logging 4104
|
T1592
|
Anomaly
|
Hermetic Wiper, Data Destruction, Malicious PowerShell
|
2026-05-13
|
|
Suspicious Rundll32 PluginInit
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
IcedID
|
2026-05-13
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Linux Auditd Preload Hijack Via Preload File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1574.006
|
TTP
|
Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Registry Dotnet ETW Disabled Via ENV Variable
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Deny Security Software With Applocker
|
Sysmon EventID 13
|
T1685
|
TTP
|
Azorult, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Sensitive Registry Hive Dump Via CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.002
|
TTP
|
DarkSide Ransomware, Compromised Windows Host, Windows Registry Abuse, Industroyer2, CISA AA22-257A, Volt Typhoon, Credential Dumping, Seashell Blizzard, CISA AA23-347A, Data Destruction
|
2026-05-13
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
T1053.005
|
Anomaly
|
Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows List ENV Variables Via SET Command From Uncommon Parent
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
T1542.003
|
Hunting
|
BlackLotus Campaign
|
2026-05-13
|
|
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon
|
2026-05-13
|
|
Windows Special Privileged Logon On Multiple Hosts
|
Windows Event Log Security 4672
|
T1021.002
T1087
T1135
|
TTP
|
Compromised Windows Host, Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows File Download Via CertUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1105
|
TTP
|
DarkSide Ransomware, Living Off The Land, Compromised Windows Host, Ingress Tool Transfer, Forest Blizzard, Flax Typhoon, Cisco Network Visibility Module Analytics, CISA AA22-277A, ProxyNotShell
|
2026-05-13
|
|
Windows SQLCMD Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse
|
2026-05-13
|
|
Windows Time Based Evasion via Choice Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497.003
|
Anomaly
|
0bj3ctivity Stealer, Snake Keylogger, VIP Keylogger
|
2026-05-13
|
|
WBAdmin Delete System Backups
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
|
TTP
|
Prestige Ransomware, Ransomware, Ryuk Ransomware, Chaos Ransomware, Storm-0501 Ransomware, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
CertUtil With Decode Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1140
|
TTP
|
Living Off The Land, Forest Blizzard, Deobfuscate-Decode Files or Information, APT29 Diplomatic Deceptions with WINELOADER, GhostRedirector IIS Module and Rungan Backdoor, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows AD Hidden OU Creation
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics, Ransomware
|
2026-05-13
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation
|
2026-05-13
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Gh0st RAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, BlackSuit Ransomware, Ransomware, DHS Report TA18-074A, Braodo Stealer, AsyncRAT, Suspicious Windows Registry Activities, Castle RAT, MoonPeak, Amadey, Snake Keylogger, Derusbi, NetSupport RMM Tool Abuse, IcedID, RedLine Stealer, Warzone RAT, Cactus Ransomware, Suspicious MSHTA Activity, DarkCrystal RAT, NjRAT, Salt Typhoon, Chaos Ransomware, DarkGate Malware, Windows Persistence Techniques, MuddyWater, China-Nexus Threat Activity, SnappyBee, ValleyRAT, Lokibot, Windows Registry Abuse, WinDealer RAT, XWorm, Salat Stealer, 0bj3ctivity Stealer, Qakbot, CISA AA23-347A, Axios Supply Chain Post Compromise, SystemBC, Remcos, APT37 Rustonotto and FadeStealer, BlackByte Ransomware, Interlock Ransomware, Azorult, Quasar RAT, Emotet Malware DHS Report TA18-201A
|
2026-06-08
|
|
Windows New Default File Association Value Set
|
Sysmon EventID 13
|
T1546.001
|
Hunting
|
Prestige Ransomware, Windows Registry Abuse, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Windows PowerShell Export PfxCertificate
|
Powershell Script Block Logging 4104
|
T1552.004
T1649
|
Anomaly
|
Windows Certificate Services, Water Gamayun, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Cwd, Linux Auditd Path
|
T1546.004
|
TTP
|
Linux Persistence Techniques, QuietVault, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Detect HTML Help URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1218.001
|
TTP
|
Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Cisco Network Visibility Module Analytics, Suspicious Compiled HTML Activity
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Name
|
Windows Event Log Security 4700, Windows Event Log Security 4698, Windows Event Log Security 4702
|
T1053.005
|
TTP
|
Scheduled Tasks, APT37 Rustonotto and FadeStealer, Ransomware, Castle RAT, 0bj3ctivity Stealer, Ryuk Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Linux System Network Discovery
|
Osquery Results, Sysmon for Linux EventID 1
|
T1016
|
Anomaly
|
VoidLink Cloud-Native Linux Malware, Network Discovery, Data Destruction, Industroyer2
|
2026-05-13
|
|
Suspicious GPUpdate no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
BlackByte Ransomware, Hellcat Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows AD Privileged Account SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows SpeechRuntime Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.003
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Crowdstrike Multiple LOW Severity Alerts
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Uninstall App Using MsiExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Ransomware
|
2026-05-13
|
|
Windows Curl Download to Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1105
|
TTP
|
APT37 Rustonotto and FadeStealer, Compromised Windows Host, Black Basta Ransomware, Ingress Tool Transfer, NPM Supply Chain Compromise, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, Salt Typhoon, Cisco Network Visibility Module Analytics, IcedID, China-Nexus Threat Activity
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Throttle Rate
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
ServicePrincipalNames Discovery with SetSPN
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Compromised Windows Host, Active Directory Privilege Escalation, Active Directory Discovery
|
2026-05-13
|
|
Windows Impair Defense Disable Defender Protocol Recognition
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
XMRIG Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
XMRig, Crypto Stealer, CISA AA22-320A
|
2026-05-13
|
|
Windows Wmic DiskDrive Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Cisco NVM - Non-Network Binary Making Network Connection
|
Cisco Network Visibility Module Flow Data
|
T1036
T1055
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows AD Replication Request Initiated by User Account
|
Windows Event Log Security 4624, Windows Event Log Security 4662
|
T1003.006
|
TTP
|
Sneaky Active Directory Persistence Tricks, Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Web or Application Server Spawning a Shell
|
Sysmon EventID 1, Sysmon for Linux EventID 1
|
T1133
T1190
|
TTP
|
WS FTP Server Critical Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Microsoft WSUS CVE-2025-59287, Log4Shell CVE-2021-44228, SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, HAFNIUM Group, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Microsoft SharePoint Vulnerabilities, CISA AA22-257A, Flax Typhoon, CISA AA22-264A, ProxyNotShell, ProxyShell, Cleo File Transfer Software, PHP-CGI RCE Attack on Japanese Organizations, BlackByte Ransomware, Data Destruction
|
2026-05-13
|
|
Windows Outlook WebView Registry Modification
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Linux Docker Shell Execution
|
Sysmon for Linux EventID 1
|
T1059.013
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Impair Defense Disable Defender Firewall And Network
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Privilege Escalation Attempt Via MSI Rollback
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
MOVEit Certificate Store Access Failure
|
|
T1190
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2026-05-13
|
|
Windows Archive Collected Data via Powershell
|
Powershell Script Block Logging 4104
|
T1560
|
Anomaly
|
APT37 Rustonotto and FadeStealer, CISA AA23-347A
|
2026-05-13
|
|
Windows PowerView Constrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Rhysida Ransomware, CISA AA23-347A, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Linux Auditd Kernel Module Using Rmmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
TTP
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux Auditd Auditd Daemon Shutdown
|
Linux Auditd Daemon End
|
T1685.004
|
Anomaly
|
Compromised Linux Host
|
2026-05-13
|
|
Unusual Number of Kerberos Service Tickets Requested
|
Windows Event Log Security 4769
|
T1558.003
|
Anomaly
|
Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows Cmdline Tool Execution From Non-Shell Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.007
|
Anomaly
|
Gh0st RAT, Medusa Ransomware, Volt Typhoon, Gozi Malware, Water Gamayun, Rhysida Ransomware, Qakbot, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, DarkGate Malware, BlankGrabber Stealer, CISA AA22-277A, FIN7, Tuoni
|
2026-05-13
|
|
Windows Office Product Spawned Uncommon Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Trickbot, Remcos, Compromised Windows Host, APT37 Rustonotto and FadeStealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Warzone RAT, DarkCrystal RAT, NjRAT, PlugX, AgentTesla, Azorult, Qakbot, CVE-2023-21716 Word RTF Heap Corruption, MuddyWater, IcedID, FIN7
|
2026-05-13
|
|
Windows Domain Admin Impersonation Indicator
|
Windows Event Log Security 4627
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Gozi Malware, Compromised Windows Host, Active Directory Privilege Escalation
|
2026-05-13
|
|
Disabling Remote User Account Control
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Remcos, Windows Registry Abuse, Windows Defense Evasion Tactics, Suspicious Windows Registry Activities, AgentTesla, Azorult
|
2026-05-13
|
|
System Information Discovery Detection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
TTP
|
Lotus Blossom Chrysalis Backdoor, Cleo File Transfer Software, BlackSuit Ransomware, LAMEHUG, Medusa Ransomware, Gozi Malware, Interlock Ransomware, SolarWinds WHD RCE Post Exploitation, Windows Discovery Techniques, BlankGrabber Stealer, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
GetDomainGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows PowerShell Invoke-RestMethod IP Information Collection
|
Powershell Script Block Logging 4104
|
T1016
T1059.001
T1082
|
Anomaly
|
Water Gamayun
|
2026-05-13
|
|
Windows EFI Bootloader File Modification
|
Sysmon EventID 11
|
T1542.003
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Windows Identify PowerShell Web Access IIS Pool
|
Windows Event Log Security 4648
|
T1190
|
Hunting
|
CISA AA24-241A
|
2026-05-13
|
|
Mimikatz PassTheTicket CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1550.003
|
TTP
|
CISA AA22-320A, Active Directory Kerberos Attacks, CISA AA23-347A, Scattered Lapsus$ Hunters, Sandworm Tools
|
2026-05-13
|
|
Unloading AMSI via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
TTP
|
Hermetic Wiper, Data Destruction, Malicious PowerShell
|
2026-05-13
|
|
ConnectWise ScreenConnect Path Traversal
|
Sysmon EventID 11
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard
|
2026-05-13
|
|
Windows Chromium Browser Launched with Small Window Size
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
TTP
|
Browser Hijacking
|
2026-05-13
|
|
Windows Steal Authentication Certificates CryptoAPI
|
Windows Event Log CAPI2 70
|
T1649
|
Anomaly
|
Windows Certificate Services, Hellcat Ransomware
|
2026-05-13
|
|
Windows DISM Install PowerShell Web Access
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1548.002
|
TTP
|
CISA AA24-241A
|
2026-05-13
|
|
Rundll32 Shimcache Flush
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
TTP
|
Living Off The Land, Compromised Windows Host, Unusual Processes
|
2026-05-13
|
|
First Time Seen Running Windows Service
|
Windows Event Log System 7036
|
T1569.002
|
Anomaly
|
Windows Service Abuse, Orangeworm Attack Group, NOBELIUM Group
|
2026-05-13
|
|
Kerberos User Enumeration
|
Windows Event Log Security 4768
|
T1589.002
|
Anomaly
|
Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows BootLoader Inventory
|
|
T1542.001
|
Hunting
|
Windows BootKits, BlackLotus Campaign
|
2026-05-13
|
|
Excessive Usage Of SC Service Utility
|
Sysmon EventID 1
|
T1569.002
|
Anomaly
|
Crypto Stealer, Azorult, Ransomware
|
2026-05-13
|
|
Rundll32 with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1218.011
|
TTP
|
PrintNightmare CVE-2021-34527, Compromised Windows Host, BlackSuit Ransomware, Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Related Service Stopped
|
Windows Event Log System 7036
|
T1490
|
Anomaly
|
Hellcat Ransomware, Security Solution Tampering, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco NVM - Suspicious Network Connection Initiated via MsXsl
|
Cisco Network Visibility Module Flow Data
|
T1220
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows AppX Deployment Package Installation Success
|
Windows Event Log AppXDeployment-Server 854
|
T1204.002
|
Anomaly
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows New EventLog ChannelAccess Registry Value Set
|
Sysmon EventID 13
|
T1685.001
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware
|
2026-05-13
|
|
Windows LOLBAS Executed As Renamed File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1218.011
|
TTP
|
Masquerading - Rename System Utilities, Living Off The Land, Water Gamayun, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Export Certificate
|
Windows Event Log CertificateServicesClient 1007
|
T1552.004
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Snake Malware File Modification Crmlog
|
Sysmon EventID 11
|
T1027
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Windows Modify Registry UpdateServiceUrlAlternate
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows WPDBusEnum Registry Key Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Unusual Process Load Mozilla NSS-Mozglue Module
|
Sysmon EventID 7
|
T1218.003
|
Anomaly
|
Lokibot, VIP Keylogger, 0bj3ctivity Stealer, StealC Stealer, Quasar RAT
|
2026-05-13
|
|
DNS Exfiltration Using Nslookup App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1048
|
TTP
|
Compromised Windows Host, Command And Control, Suspicious DNS Traffic, Data Exfiltration, Dynamic DNS
|
2026-05-13
|
|
Linux Auditd Data Destruction Command
|
Linux Auditd Proctitle
|
T1485
|
TTP
|
AwfulShred, Data Destruction, Compromised Linux Host
|
2026-05-13
|
|
Windows System Shutdown CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1529
|
Anomaly
|
XWorm, DarkCrystal RAT, NjRAT, MoonPeak, Quasar RAT, DarkGate Malware, Scattered Lapsus$ Hunters, MuddyWater, Sandworm Tools, ZOVWiper
|
2026-05-13
|
|
Windows Attempt To Stop Security Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
Azorult, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Trickbot, Disabling Security Tools
|
2026-05-13
|
|
Detect HTML Help Using InfoTech Storage Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
|
TTP
|
Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity
|
2026-05-13
|
|
Excessive distinct processes from Windows Temp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Anomaly
|
Meterpreter
|
2026-05-13
|
|
Ransomware Notes bulk creation
|
Sysmon EventID 11
|
T1486
|
Anomaly
|
DarkSide Ransomware, Medusa Ransomware, Black Basta Ransomware, Cactus Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Interlock Ransomware, Termite Ransomware, Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Hellcat Ransomware, BlackMatter Ransomware
|
2026-05-13
|
|
Windows AD DCShadow Privileges ACL Addition
|
Windows Event Log Security 5136
|
T1207
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD GPO Disabled
|
Windows Event Log Security 5136
|
T1484.001
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2026-05-13
|
|
Services LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
|
TTP
|
Living Off The Land, Qakbot, CISA AA23-347A, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows AD Replication Request Initiated from Unsanctioned Location
|
Windows Event Log Security 4624, Windows Event Log Security 4662
|
T1003.006
|
TTP
|
Sneaky Active Directory Persistence Tricks, Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Windows AD Short Lived Domain Controller SPN Attribute
|
Windows Event Log Security 4624, Windows Event Log Security 5136
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Defacement Modify Transcodedwallpaper File
|
Sysmon EventID 1, Sysmon EventID 11
|
T1491
|
Anomaly
|
Brute Ratel C4
|
2026-05-13
|
|
Linux Auditd Install Kernel Module Using Modprobe Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity, Compromised Linux Host
|
2026-05-13
|
|
Linux AWK Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Njrat Fileless Storage via Registry
|
Sysmon EventID 13
|
T1027.011
|
TTP
|
NjRAT
|
2026-05-13
|
|
Windows Modify Registry Risk Behavior
|
|
T1112
|
Correlation
|
Windows Registry Abuse
|
2026-05-13
|
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
T1547.006
|
Anomaly
|
Linux Persistence Techniques, Linux Rootkit, Linux Privilege Escalation
|
2026-05-13
|
|
Get DomainUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Malicious Inno Setup Loader, Scheduled Tasks, Compromised Windows Host, Cactus Ransomware, Industroyer2, CISA AA22-257A, Active Directory Discovery, Data Destruction, Hellcat Ransomware
|
2026-05-13
|
|
Windows Binary Proxy Execution Mavinject DLL Injection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.013
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows System LogOff Commandline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1529
|
Anomaly
|
DarkCrystal RAT, XWorm, NjRAT, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows InstallUtil Uninstall Option
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.004
|
TTP
|
Living Off The Land, Compromised Windows Host, Signed Binary Proxy Execution InstallUtil
|
2026-05-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1542
T1688
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Detect Certify With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
T1649
|
TTP
|
Windows Certificate Services, Malicious PowerShell
|
2026-05-13
|
|
Windows Non-System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
Lokibot, Credential Dumping, CISA AA23-347A, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect PsExec With accepteula Flag
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
|
TTP
|
DarkSide Ransomware, CISA AA22-320A, Medusa Ransomware, SamSam Ransomware, Cactus Ransomware, DHS Report TA18-074A, BlackByte Ransomware, Volt Typhoon, HAFNIUM Group, Seashell Blizzard, Rhysida Ransomware, VanHelsing Ransomware, DarkGate Malware, Storm-0501 Ransomware, IcedID, Sandworm Tools, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Binary Launched Process with Null Argv
|
Linux Messages Syslog
|
T1068
|
TTP
|
Linux Privilege Escalation
|
2026-05-12
|
|
Windows TeamCity Plugin Installed
|
Sysmon EventID 11
|
T1059
T1190
T1505.003
|
Anomaly
|
JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE
|
2026-05-13
|
|
Linux Auditd System Network Configuration Discovery
|
Linux Auditd Syscall
|
T1016
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Crowdstrike High Identity Risk Severity
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Indirect Command Execution Via forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1202
|
TTP
|
Living Off The Land, Windows Post-Exploitation
|
2026-05-13
|
|
Windows MSIExec Unregister DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2026-05-13
|
|
Windows Hunting System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
|
Hunting
|
Lokibot, Credential Dumping, CISA AA23-347A, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Revil Registry Entry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
TTP
|
Revil Ransomware, Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Suspicious DLLHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2026-05-13
|
|
GetAdGroup with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Detect Remote Access Software Usage File
|
Sysmon EventID 11
|
T1219
|
Anomaly
|
Command And Control, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Eventlog Cleared Via Wevtutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.005
|
Anomaly
|
Ransomware, ShrinkLocker, Rhysida Ransomware, Windows Log Manipulation, CISA AA23-347A, Clop Ransomware
|
2026-05-13
|
|
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
|
Cisco Network Visibility Module Flow Data
|
T1059.005
T1218.005
|
Anomaly
|
Cisco Network Visibility Module Analytics, BlankGrabber Stealer
|
2026-05-13
|
|
Windows User Execution Malicious URL Shortcut File
|
Sysmon EventID 11
|
T1204.002
|
Anomaly
|
APT37 Rustonotto and FadeStealer, XWorm, NjRAT, Quasar RAT, Snake Keylogger, Chaos Ransomware
|
2026-05-13
|
|
Powershell Windows Defender Exclusion Commands
|
Powershell Script Block Logging 4104
|
T1685
|
TTP
|
Remcos, CISA AA22-320A, Warzone RAT, Windows Defense Evasion Tactics, Salat Stealer, AgentTesla, BlankGrabber Stealer, Data Destruction, WhisperGate, NetSupport RMM Tool Abuse
|
2026-06-08
|
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
T1546.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Utilize ProgIDs
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ValleyRAT
|
2026-05-13
|
|
Windows Sqlservr Spawning Shell
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows Mustang Panda USB Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1020
T1204.002
T1574.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Event Logging Service Has Shutdown
|
Windows Event Log Security 1100
|
T1685.005
|
Hunting
|
Clop Ransomware, Windows Log Manipulation, Scattered Lapsus$ Hunters, Ransomware
|
2026-05-13
|
|
Linux Proxy Socks Curl
|
Sysmon for Linux EventID 1
|
T1090
T1095
|
TTP
|
Linux Living Off The Land, Ingress Tool Transfer
|
2026-06-04
|
|
Linux Auditd AI CLI Permission Override Activated
|
Linux Auditd Proctitle
|
T1480
|
Anomaly
|
QuietVault
|
2026-05-13
|
|
Windows File Transfer Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
T1071.003
|
Anomaly
|
AgentTesla, Snake Keylogger, Hellcat Ransomware
|
2026-05-13
|
|
GetNetTcpconnection with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation
|
2026-05-13
|
|
Suspicious microsoft workflow compiler rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1127
|
Hunting
|
Living Off The Land, Cobalt Strike, BlackByte Ransomware, Trusted Developer Utilities Proxy Execution, Masquerading - Rename System Utilities, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Credentials from Password Stores Creation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1555
|
TTP
|
NetSupport RMM Tool Abuse, Compromised Windows Host, DarkGate Malware
|
2026-05-13
|
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
T1055
|
TTP
|
Qakbot, IcedID, Warzone RAT
|
2026-05-13
|
|
Allow Network Discovery In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1686.001
|
TTP
|
Revil Ransomware, Medusa Ransomware, Ransomware, BlackByte Ransomware, NjRAT, Hellcat Ransomware
|
2026-05-13
|
|
Windows Remote Services Allow Remote Assistance
|
Sysmon EventID 13
|
T1021.001
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Destinations By Source
|
NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Disabling Task Manager
|
Sysmon EventID 13
|
T1685
|
TTP
|
NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux GNU Awk Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Virtual Disk File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows NorthStar C2 Agent Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1547.001
T1608
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Potential System Network Configuration Discovery Activity
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1016
|
Anomaly
|
Unusual Processes
|
2026-05-13
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
TTP
|
Living Off The Land, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon
|
2026-05-13
|
|
Windows FFmpeg DirectShow Video Capture
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1125
|
Anomaly
|
Salat Stealer
|
2026-05-20
|
|
Windows MSIExec Remote Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1218.007
|
Anomaly
|
Water Gamayun, StealC Stealer, SolarWinds WHD RCE Post Exploitation, Cisco Network Visibility Module Analytics, Windows System Binary Proxy Execution MSIExec
|
2026-05-13
|
|
Windows ComputerDefaults Spawning a Process
|
Sysmon EventID 1
|
T1548.002
|
TTP
|
Castle RAT, BlankGrabber Stealer
|
2026-05-13
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 13
|
T1546.002
|
TTP
|
Windows Registry Abuse, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Remote Host Computer Management Access
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.006
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Check Elevated CMD using whoami
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
TTP
|
FIN7
|
2026-05-13
|
|
Windows Remote Services Rdp Enable
|
Sysmon EventID 13
|
T1021.001
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Azorult, BlackSuit Ransomware, Medusa Ransomware
|
2026-05-13
|
|
Linux Deleting Critical Directory Using RM Command
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2026-05-13
|
|
Windows Security Support Provider Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1547.005
|
Anomaly
|
Sneaky Active Directory Persistence Tricks, Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 13
|
T1542
T1547.001
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Detect Regasm with Network Connection
|
Sysmon EventID 3
|
T1218.009
|
TTP
|
Suspicious Regsvcs Regasm Activity, Living Off The Land, Handala Wiper, Hellcat Ransomware, Void Manticore
|
2026-05-13
|
|
System Processes Run From Unexpected Locations
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
|
Anomaly
|
Windows Error Reporting Service Elevation of Privilege Vulnerability, Ransomware, Unusual Processes, Masquerading - Rename System Utilities, Qakbot, DarkGate Malware, Suspicious Command-Line Executions
|
2026-05-13
|
|
Vbscript Execution Using Wscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.005
|
TTP
|
Remcos, FIN7, AsyncRAT
|
2026-05-13
|
|
Windows Firewall Rule Modification
|
Windows Event Log Security 4947
|
T1686
|
Anomaly
|
Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-05-13
|
|
Windows Registry SIP Provider Modification
|
Sysmon EventID 13
|
T1553.003
|
TTP
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1071
|
TTP
|
Azorult
|
2026-05-13
|
|
Get DomainUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Windows Modify Registry MaxConnectionPerServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Warzone RAT
|
2026-05-13
|
|
Crowdstrike User with Duplicate Password
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Trickbot
|
2026-05-13
|
|
Windows Registry Certificate Added
|
Sysmon EventID 13
|
T1553.004
|
Anomaly
|
Windows Drivers, Windows Registry Abuse
|
2026-05-13
|
|
Windows MsMpEng Writing to System32
|
Sysmon EventID 11, Sysmon EventID 15
|
T1068
T1543.003
|
TTP
|
BlueHammer, Windows Drivers, Windows Privilege Escalation, RedSun
|
2026-04-27
|
|
Get ADUserResultantPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Linux Ruby Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
T1218.010
|
TTP
|
Remcos, Suspicious Regsvr32 Activity
|
2026-05-13
|
|
Detect Baron Samedit CVE-2021-3156
|
|
T1068
|
TTP
|
Baron Samedit CVE-2021-3156
|
2026-05-13
|
|
Linux PF_ALG Registration Outside of Boot Window
|
Linux Messages Syslog
|
T1068
|
TTP
|
Linux Privilege Escalation
|
2026-05-11
|
|
Windows Indicator Removal Via Rmdir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070
|
Anomaly
|
ZOVWiper, APT37 Rustonotto and FadeStealer, DarkGate Malware
|
2026-05-13
|
|
Disable Logs Using WevtUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.005
|
TTP
|
Rhysida Ransomware, CISA AA23-347A, Ransomware
|
2026-05-13
|
|
Windows Credentials Access via VaultCli Module
|
Sysmon EventID 7
|
T1555.004
|
Anomaly
|
Hellcat Ransomware, Meduza Stealer
|
2026-05-13
|
|
Windows Rundll32 Execution With Log.DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
GitHub Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
Hunting
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows AD Domain Root ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Executables Or Script Creation In Temp Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
RoguePlanet, Crypto Stealer, Brute Ratel C4, PromptLock, XMRig, AsyncRAT, Hermetic Wiper, MoonPeak, Amadey, Snake Keylogger, Derusbi, Graceful Wipe Out Attack, IcedID, Trickbot, RedLine Stealer, PromptFlux, Warzone RAT, DarkCrystal RAT, PlugX, NjRAT, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, Chaos Ransomware, LockBit Ransomware, China-Nexus Threat Activity, SnappyBee, Void Manticore, ValleyRAT, Lokibot, VIP Keylogger, Industroyer2, WinDealer RAT, Interlock Rat, Salat Stealer, Meduza Stealer, Qakbot, AgentTesla, CISA AA23-347A, WhisperGate, Axios Supply Chain Post Compromise, XML Runner Loader, Remcos, APT37 Rustonotto and FadeStealer, Volt Typhoon, BlackByte Ransomware, AcidPour, Azorult, Swift Slicer, Data Destruction, Double Zero Destructor, Handala Wiper, SesameOp
|
2026-06-11
|
|
Windows Devtunnels Image Loaded
|
Sysmon EventID 7
|
T1090
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Windows Modify Registry USeWuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows Delete or Modify System Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1686
|
Hunting
|
NjRAT, ShrinkLocker
|
2026-05-13
|
|
Detect Remote Access Software Usage Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1219
|
Anomaly
|
Command And Control, Ransomware, Remote Monitoring and Management Software, Cactus Ransomware, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, Interlock Ransomware, Insider Threat, GhostRedirector IIS Module and Rungan Backdoor, Storm-0501 Ransomware, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Ngrok Reverse Proxy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1090
T1102
T1572
|
Anomaly
|
CISA AA22-320A, Reverse Network Proxy, CISA AA24-241A
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Destinations By User
|
NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Linux Auditd File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux Auditd Auditd Daemon Abort
|
Linux Auditd Daemon Abort
|
T1685.004
|
Anomaly
|
Compromised Linux Host
|
2026-05-13
|
|
Windows Process Injection Wermgr Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
Anomaly
|
Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
Scheduled Tasks, CISA AA24-241A, Hermetic Wiper, Data Destruction, Microsoft WSUS CVE-2025-59287, Malicious PowerShell, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Possible Credential Dumping
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
DarkSide Ransomware, CISA AA22-257A, Credential Dumping, Detect Zerologon Attack, CISA AA22-264A, CISA AA23-347A, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Suspicious SearchProtocolHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Hellcat Ransomware, Graceful Wipe Out Attack
|
2026-05-13
|
|
Active Setup Registry Autostart
|
Sysmon EventID 13
|
T1547.014
|
TTP
|
Hermetic Wiper, Windows Privilege Escalation, Data Destruction, Windows Persistence Techniques
|
2026-05-13
|
|
BCDEdit Failure Recovery Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
|
TTP
|
Compromised Windows Host, Ransomware, Ryuk Ransomware, Storm-2460 CLFS Zero Day Exploitation, Void Manticore
|
2026-05-13
|
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
Windows Drivers, Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Runas Execution in CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1134.001
|
Hunting
|
Hermetic Wiper, Windows Privilege Escalation, Quasar RAT, Data Destruction
|
2026-05-13
|
|
Allow File And Printing Sharing In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1686.001
|
TTP
|
BlackByte Ransomware, Hellcat Ransomware, Ransomware
|
2026-05-13
|
|
Suspicious MSBuild Rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1127.001
|
Hunting
|
Living Off The Land, Cobalt Strike, BlackByte Ransomware, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows PowerShell Process Implementing Manual Base64 Decoder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027.010
T1059.001
|
Anomaly
|
Compromised Windows Host, Deobfuscate-Decode Files or Information
|
2026-05-13
|
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003
T1059.001
|
TTP
|
CISA AA22-320A, Scattered Spider, Hermetic Wiper, CISA AA22-264A, CISA AA23-347A, Hellcat Ransomware, Data Destruction, Sandworm Tools, Malicious PowerShell
|
2026-05-13
|
|
Windows UAC Bypass Suspicious Escalation Behavior
|
Sysmon EventID 1
|
T1548.002
|
TTP
|
Living Off The Land, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Active Directory Lateral Movement Identified
|
|
T1210
|
Correlation
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Suspicious mshta child process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
Suspicious MSHTA Activity, Living Off The Land, Lumma Stealer, MuddyWater
|
2026-05-13
|
|
BITS Job Persistence
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1197
|
TTP
|
Living Off The Land, BITS Jobs
|
2026-05-13
|
|
Disable Defender Spynet Reporting
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Qakbot, Azorult, CISA AA23-347A, IcedID
|
2026-05-13
|
|
Disable Defender AntiVirus Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Cactus Ransomware, Black Basta Ransomware, Salat Stealer, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, IcedID
|
2026-06-08
|
|
Windows Wermgr Alternate Data Stream in Temp Dir
|
Sysmon EventID 15
|
T1564.004
|
Anomaly
|
RoguePlanet
|
2026-06-11
|
|
Detect HTML Help Renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
|
Hunting
|
Living Off The Land, APT37 Rustonotto and FadeStealer, Suspicious Compiled HTML Activity
|
2026-05-13
|
|
Linux Stdout Redirection To Dev Null File
|
Sysmon for Linux EventID 1
|
T1686
|
Anomaly
|
Cyclops Blink, Data Destruction, Industroyer2
|
2026-05-13
|
|
Windows Modify Registry Tamper Protection
|
Sysmon EventID 13
|
T1112
|
TTP
|
Scattered Lapsus$ Hunters, RedLine Stealer
|
2026-05-13
|
|
Certutil exe certificate extraction
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1649
|
TTP
|
Cloud Federated Credential Abuse, Living Off The Land, Compromised Windows Host, Windows Persistence Techniques, Windows Certificate Services, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Malicious PowerShell Process - Execution Policy Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Volt Typhoon, DHS Report TA18-074A, AsyncRAT, XWorm, DarkCrystal RAT, HAFNIUM Group, 0bj3ctivity Stealer, Salt Typhoon, BlankGrabber Stealer, MuddyWater, China-Nexus Threat Activity
|
2026-05-13
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
T1546.003
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows Gather Victim Host Information Camera
|
Powershell Script Block Logging 4104
|
T1592.001
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
Cisco NVM - Installation of Typosquatted Python Package
|
Cisco Network Visibility Module Flow Data
|
T1059
|
TTP
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Linux Ngrok Reverse Proxy Usage
|
Sysmon for Linux EventID 1
|
T1090
T1102
T1572
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
GetAdGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Scattered Lapsus$ Hunters, Active Directory Discovery
|
2026-05-13
|
|
Control Loading from World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.002
|
TTP
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host
|
2026-05-13
|
|
GetDomainController with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Rundll32 WebDAV Request
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1048.003
|
Hunting
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2026-05-13
|
|
Suspicious Rundll32 dllregisterserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Living Off The Land, IcedID, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Windows RunMRU Registry Key or Value Deleted
|
Sysmon EventID 12
|
T1112
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Disable Shutdown Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Linux System Reboot Via System Request Key
|
Sysmon for Linux EventID 1
|
T1529
|
TTP
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows Rundll32 WebDav With Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
T1048.003
|
TTP
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2026-05-13
|
|
MacOS Gatekeeper Bypass
|
Osquery Results
|
T1553.001
|
Anomaly
|
MacOS Privilege Escalation, MacOS Persistence Techniques, MacOS Post-Exploitation
|
2026-05-13
|
|
Linux Auditd Possible Access To Sudoers File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host
|
2026-05-13
|
|
Detect Renamed RClone
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1020
|
Hunting
|
DarkSide Ransomware, Cactus Ransomware, Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
Windows Steal Authentication Certificates CS Backup
|
Windows Event Log Security 4876
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Executable Masquerading as Benign File Types
|
Sysmon EventID 29
|
T1036.008
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Crowdstrike Privilege Escalation For Non-Admin User
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
APT37 Rustonotto and FadeStealer, CISA AA22-320A, XMRig, BlackByte Ransomware, Interlock Ransomware, AgentTesla, Snake Keylogger
|
2026-05-13
|
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Scheduled Tasks, Medusa Ransomware, Castle RAT, Qakbot, SolarWinds WHD RCE Post Exploitation, Windows Persistence Techniques
|
2026-05-13
|
|
Linux Auditd Data Transfer Size Limits Via Split Syscall
|
Linux Auditd Syscall
|
T1030
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 13
|
T1556
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Cisco Isovalent - Nsenter Usage in Kubernetes Pod
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Renamed Powershell Execution
|
Sysmon EventID 1
|
T1036.003
|
TTP
|
XWorm, Axios Supply Chain Post Compromise, Hellcat Ransomware
|
2026-05-13
|
|
PowerShell Invoke CIMMethod CIMSession
|
Powershell Script Block Logging 4104
|
T1047
|
Anomaly
|
Scattered Lapsus$ Hunters, Malicious PowerShell, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Modify Registry Suppress Win Defender Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Suspicious Reg exe Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
Anomaly
|
DHS Report TA18-074A, Windows Defense Evasion Tactics, Disabling Security Tools
|
2026-05-13
|
|
Wermgr Process Create Executable File
|
Sysmon EventID 11
|
T1027
|
TTP
|
Trickbot
|
2026-05-13
|
|
Windows Wmic Memory Chip Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows Process With NetExec Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1550.003
T1558.003
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Screen Capture Via Powershell
|
Powershell Script Block Logging 4104
|
T1113
|
TTP
|
Winter Vivern, APT37 Rustonotto and FadeStealer, Water Gamayun, BlankGrabber Stealer
|
2026-05-13
|
|
Remote WMI Command Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Living Off The Land, Volt Typhoon, Suspicious WMI Use, CISA AA23-347A, Graceful Wipe Out Attack, IcedID
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1078.002
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows PowerShell IIS Components WebGlobalModule Usage
|
Powershell Script Block Logging 4104
|
T1505.004
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components
|
2026-05-13
|
|
Windows AD Short Lived Server Object
|
Windows Event Log Security 5141, Windows Event Log Security 5137
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Admon Group Policy Object Created
|
Windows Active Directory Admon
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Detection of tools built by NirSoft
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1072
|
Anomaly
|
Emotet Malware DHS Report TA18-201A
|
2026-05-13
|
|
Sunburst Correlation DLL and Network Event
|
Sysmon EventID 7, Sysmon EventID 22
|
T1203
|
TTP
|
NOBELIUM Group
|
2026-05-13
|
|
Windows Modify Registry ProxyEnable
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
MacOS Keychains Dumped
|
Osquery Results
|
T1555.001
|
TTP
|
MacOS Privilege Escalation
|
2026-05-13
|
|
Windows File and Directory Enable ReadOnly Permissions
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
TTP
|
NetSupport RMM Tool Abuse, Crypto Stealer
|
2026-05-13
|
|
Excessive Usage Of Cacls App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation, Crypto Stealer, XMRig, Azorult, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Credential Dumping via Copy Command from Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Interactive Session on Remote Endpoint with PowerShell
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows MSHTA Writing to World Writable Path
|
Sysmon EventID 11
|
T1218.005
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER, XWorm, Suspicious MSHTA Activity
|
2026-05-13
|
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
T1112
|
TTP
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Rundll32 Control RunDLL World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Windows AD Privileged Group Modification
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Cisco NVM - Suspicious Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, BlankGrabber Stealer
|
2026-05-13
|
|
Linux Auditd Osquery Service Stop
|
Linux Auditd Service Stop
|
T1489
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Privilege Escalation System Process Without System Parent
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
Windows Privilege Escalation, BlackSuit Ransomware
|
2026-05-13
|
|
Windows EventLog Recon Activity Using Log Query Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1654
|
Anomaly
|
Windows Discovery Techniques, BlankGrabber Stealer
|
2026-05-13
|
|
Detect Renamed PSExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1569.002
|
Hunting
|
DarkSide Ransomware, CISA AA22-320A, Cactus Ransomware, Medusa Ransomware, SamSam Ransomware, BlackByte Ransomware, DHS Report TA18-074A, HAFNIUM Group, Rhysida Ransomware, Salt Typhoon, VanHelsing Ransomware, DarkGate Malware, China-Nexus Threat Activity, Sandworm Tools, Active Directory Lateral Movement
|
2026-05-13
|
|
WinRM Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
|
TTP
|
Rhysida Ransomware, CISA AA23-347A, Unusual Processes, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Windows Archive Collected Data via Rar
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1560.001
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Salt Typhoon, China-Nexus Threat Activity, DarkGate Malware
|
2026-05-13
|
|
Windows Rapid Authentication On Multiple Hosts
|
Windows Event Log Security 4624
|
T1003.002
|
TTP
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
SAM Database File Access Attempt
|
Windows Event Log Security 4663
|
T1003.002
|
Hunting
|
Rhysida Ransomware, Credential Dumping, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
T1543.003
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Compromised Windows Host
|
2026-05-13
|
|
Windows Process Injection In Non-Service SearchIndexer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows SQL Server xp_cmdshell Config Change
|
Windows Event Log Application 15457
|
T1505.001
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse, Seashell Blizzard
|
2026-05-13
|
|
GetAdComputer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Medusa Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Windows MSIExec Spawn Discovery Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
Anomaly
|
Water Gamayun, Windows System Binary Proxy Execution MSIExec, Medusa Ransomware, StealC Stealer
|
2026-05-13
|
|
Windows Impair Defense Configure App Install Control
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry DisableRemoteDesktopAntiAlias
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Remcos client registry install entry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
TTP
|
Remcos, Windows Registry Abuse
|
2026-05-13
|
|
Resize ShadowStorage volume
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
|
TTP
|
Compromised Windows Host, Medusa Ransomware, BlackByte Ransomware, VanHelsing Ransomware, Clop Ransomware
|
2026-05-13
|
|
Windows File and Directory Permissions Remove Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows Wmic Network Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows DNS Gather Network Info
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1590.002
|
Anomaly
|
Sandworm Tools, Volt Typhoon
|
2026-05-13
|
|
Linux Auditd Clipboard Data Copy
|
Linux Auditd Execve
|
T1115
|
Anomaly
|
Linux Living Off The Land, Compromised Linux Host
|
2026-05-13
|
|
Windows App Layer Protocol Wermgr Connect To NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1071
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Permission Modification using Takeown App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Crypto Stealer, Sandworm Tools, Ransomware, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Indicator Removal Clear Cache
|
Sysmon for Linux EventID 1
|
T1070
|
TTP
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
Get WMIObject Group Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
T1547.001
|
Anomaly
|
Crypto Stealer, APT37 Rustonotto and FadeStealer, PromptFlux, XWorm, Gozi Malware, NjRAT, Interlock Ransomware, Quasar RAT, Chaos Ransomware, BlankGrabber Stealer, RedLine Stealer
|
2026-05-13
|
|
Linux Gem Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Office Product Spawned MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Spearphishing Attachments
|
2026-05-13
|
|
Linux c89 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows BitLockerToGo Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
|
Hunting
|
Lumma Stealer
|
2026-05-13
|
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
T1059.001
T1105
|
TTP
|
Hellcat Ransomware, Malicious PowerShell
|
2026-05-13
|
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, XorDDos, Linux Rootkit
|
2026-05-13
|
|
Non Chrome Process Accessing Chrome Default Dir
|
Windows Event Log Security 4663
|
T1555.003
|
Anomaly
|
Snake Keylogger, RedLine Stealer, Warzone RAT, NjRAT, StealC Stealer, Salt Typhoon, DarkGate Malware, BlankGrabber Stealer, China-Nexus Threat Activity, FIN7, SnappyBee, Malicious Inno Setup Loader, Lokibot, VIP Keylogger, Salat Stealer, AgentTesla, CISA AA23-347A, Remcos, 3CX Supply Chain Attack, Quasar RAT, Phemedrone Stealer
|
2026-06-08
|
|
Windows Office Product Loaded MSHTML Module
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, MuddyWater, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Health Check Intervals
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows IIS Components Get-WebGlobalModule Module Query
|
Powershell Installed IIS Modules
|
T1505.004
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, WS FTP Server Critical Vulnerabilities, IIS Components
|
2026-05-13
|
|
Suspicious wevtutil Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.005
|
TTP
|
Ransomware, Scattered Spider, VoidLink Cloud-Native Linux Malware, ShrinkLocker, Rhysida Ransomware, Windows Log Manipulation, CISA AA23-347A, Storm-0501 Ransomware, Clop Ransomware, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows Default Cobalt Strike PowerShell Beacon
|
Powershell Script Block Logging 4104
|
T1059.001
T1204.002
|
TTP
|
Cobalt Strike
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Gen reports
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry Configure BitLocker
|
Sysmon EventID 13
|
T1112
|
TTP
|
ShrinkLocker
|
2026-05-13
|
|
Suspicious PlistBuddy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Windows Admin Permission Discovery
|
Sysmon EventID 11
|
T1069.001
|
Anomaly
|
NjRAT
|
2026-05-13
|
|
Windows Important Audit Policy Disabled
|
Windows Event Log Security 4719
|
T1685
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows PowerShell Get CIMInstance Remote Computer
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Modify Registry on Smart Card Group Policy
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ShrinkLocker
|
2026-05-13
|
|
Linux Auditd Private Keys and Certificate Enumeration
|
Linux Auditd Execve
|
T1552.004
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux Auditd Service Started
|
Linux Auditd Proctitle
|
T1569.002
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Modify Registry Disable Toast Notifications
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
T1546.003
|
TTP
|
Suspicious WMI Use, Hellcat Ransomware
|
2026-05-13
|
|
Windows Computer Account With SPN
|
Windows Event Log Security 4741
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp, Compromised Windows Host
|
2026-05-13
|
|
Windows Browser Process Launched with Unusual Flags
|
Sysmon EventID 1
|
T1185
|
Anomaly
|
Castle RAT
|
2026-05-13
|
|
Suspicious mshta spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
Suspicious MSHTA Activity, Living Off The Land, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows AI Platform DNS Query
|
Sysmon EventID 22
|
T1071.004
|
Anomaly
|
LAMEHUG, PromptFlux, SesameOp
|
2026-05-13
|
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
T1055.002
|
TTP
|
Earth Alux, Warzone RAT, Water Gamayun, Qakbot, Graceful Wipe Out Attack
|
2026-05-13
|
|
Linux Auditd Find Credentials From Password Managers
|
Linux Auditd Execve
|
T1555.005
|
TTP
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Scattered Lapsus$ Hunters, Compromised Linux Host
|
2026-05-13
|
|
Linux Magic SysRq Key Abuse
|
Linux Auditd Cwd, Linux Auditd Path
|
T1059.004
T1489
T1499
T1529
|
TTP
|
Compromised Linux Host
|
2026-05-13
|
|
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-13
|
|
Windows Identify Protocol Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Hunting
|
Living Off The Land
|
2026-05-13
|
|
Windows SQL Server Extended Procedure DLL Loading Hunt
|
Windows Event Log Application 8128
|
T1059.009
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows New Deny Permission Set On Service SD Via Sc.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1564
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows MSC EvilTwin Directory Path Manipulation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1203
T1218
|
TTP
|
Living Off The Land, Water Gamayun, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Azure Storage Utility Execution Via CLI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1567.002
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
Windows InstallUtil in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1218.004
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil, Ransomware, Unusual Processes, Masquerading - Rename System Utilities, Data Destruction, WhisperGate
|
2026-05-13
|
|
Windows Steal Authentication Certificates - ESC1 Abuse
|
Windows Event Log Security 4886, Windows Event Log Security 4887
|
T1649
|
TTP
|
Windows Certificate Services
|
2026-05-13
|
|
Linux Gdrive Binary Activity
|
Sysmon for Linux EventID 1
|
T1567
|
TTP
|
China-Nexus Threat Activity
|
2026-05-13
|
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
T1055.001
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows Detect Network Scanner Behavior
|
Sysmon EventID 3
|
T1595.001
T1595.002
|
Anomaly
|
Windows Discovery Techniques, Network Discovery
|
2026-05-13
|
|
Windows Execution of Microsoft MSC File In Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.014
|
Anomaly
|
XML Runner Loader
|
2026-05-13
|
|
Windows RDP Server Registry Deletion
|
Sysmon EventID 12, Sysmon EventID 13
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, ShrinkLocker
|
2026-05-13
|
|
Windows Post Exploitation Risk Behavior
|
|
T1003
T1012
T1016
T1049
T1069
T1082
T1115
T1552
|
Correlation
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Unusual SysWOW64 Process Run System32 Executable
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.009
|
Anomaly
|
Salt Typhoon, China-Nexus Threat Activity, DarkGate Malware
|
2026-05-13
|
|
Windows Modify Registry Auto Update Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Revil Common Exec Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204
|
TTP
|
Revil Ransomware, Ransomware
|
2026-05-13
|
|
Windows RDP Cache File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Linux Iptables Firewall Modification
|
Sysmon for Linux EventID 1
|
T1686
|
Anomaly
|
Backdoor Pingpong, China-Nexus Threat Activity, Cyclops Blink, Sandworm Tools
|
2026-05-13
|
|
Windows Network Share Interaction Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1039
T1135
|
Hunting
|
Active Directory Privilege Escalation, Network Discovery, Active Directory Discovery
|
2026-05-13
|
|
Detect Regsvcs with No Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Suspicious Regsvcs Regasm Activity, Living Off The Land
|
2026-05-13
|
|
XSL Script Execution With WMIC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1220
|
TTP
|
FIN7, Suspicious WMI Use
|
2026-05-13
|
|
Windows Symlink Evaluation Change via Fsutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Anomaly
|
Windows Post-Exploitation
|
2026-05-13
|
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Malicious PowerShell, Active Directory Discovery
|
2026-05-13
|
|
Windows Audit Policy Disabled via Legacy Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Ingress Tool Transfer Using Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
Powershell Remove Windows Defender Directory
|
Powershell Script Block Logging 4104
|
T1685
|
TTP
|
WhisperGate, Data Destruction
|
2026-05-13
|
|
MacOS Account Created
|
Osquery Results
|
T1136
|
Anomaly
|
MacOS Persistence Techniques
|
2026-05-13
|
|
ServicePrincipalNames Discovery with PowerShell
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Active Directory Privilege Escalation, Active Directory Kerberos Attacks, Active Directory Discovery, Hellcat Ransomware, Malicious PowerShell
|
2026-05-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Proxy Via Registry
|
Sysmon EventID 13
|
T1090.001
|
Anomaly
|
Volt Typhoon
|
2026-05-13
|
|
Windows BitLocker Suspicious Command Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1486
T1490
|
TTP
|
ShrinkLocker
|
2026-05-13
|
|
Windows RDP Connection Successful
|
Windows Event Log RemoteConnectionManager 1149
|
T1563.002
|
Hunting
|
Windows RDP Artifacts and Defense Evasion, BlackByte Ransomware, Interlock Ransomware, NetSupport RMM Tool Abuse, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows SymbolicLink-Testing-Tools Utility Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
T1564.004
|
TTP
|
Windows Privilege Escalation, Windows Post-Exploitation, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Impair Defenses Disable Win Defender Auto Logging
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-13
|
|
Windows Root Domain linked policies Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
Industroyer2, Data Destruction, Active Directory Discovery
|
2026-05-13
|
|
Windows Impair Defense Disable Web Evaluation
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics, Salat Stealer
|
2026-06-08
|
|
Detect Remote Access Software Usage FileInfo
|
Sysmon EventID 1
|
T1219
|
Anomaly
|
Command And Control, Ransomware, Remote Monitoring and Management Software, Cactus Ransomware, Scattered Spider, Gozi Malware, Seashell Blizzard, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Universal Data Link File Creation
|
Sysmon EventID 11
|
T1204.002
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Indirect Command Execution Via Series Of Forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1202
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1121, Windows Event Log Defender 1126
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Allow Inbound Traffic In Firewall Rule
|
Powershell Script Block Logging 4104
|
T1021.001
|
TTP
|
NetSupport RMM Tool Abuse, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Kerberos TGT Request Using RC4 Encryption
|
Windows Event Log Security 4768
|
T1550
|
TTP
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Privilege Escalation Suspicious Process Elevation
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, BlackSuit Ransomware
|
2026-05-13
|
|
Windows Command Obfuscation with Environment Variable Substrings
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027.010
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
Linux Data Destruction Command
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
Kerberoasting spn request with RC4 encryption
|
Windows Event Log Security 4769
|
T1558.003
|
TTP
|
Compromised Windows Host, Active Directory Kerberos Attacks, Hermetic Wiper, Data Destruction, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Alternate DataStream - Base64 Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
APT37 Rustonotto and FadeStealer, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Service Stop Win Updates
|
Windows Event Log System 7040
|
T1489
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2026-05-13
|
|
MacOS Data Chunking
|
Osquery Results
|
T1030
|
Anomaly
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Windows Create Local Account
|
Windows Event Log Security 4720
|
T1136.001
|
Anomaly
|
Active Directory Password Spraying, Scattered Lapsus$ Hunters, GhostRedirector IIS Module and Rungan Backdoor, CISA AA24-241A
|
2026-05-13
|
|
Create Remote Thread into LSASS
|
Sysmon EventID 8
|
T1003.001
|
TTP
|
Lokibot, Credential Dumping, BlackSuit Ransomware
|
2026-05-13
|
|
Windows WBAdmin File Recovery From Backup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
T1565.001
|
Anomaly
|
Credential Dumping
|
2026-05-13
|
|
FodHelper UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
T1548.002
|
TTP
|
ValleyRAT, Compromised Windows Host, Windows Defense Evasion Tactics, BlankGrabber Stealer, IcedID
|
2026-05-13
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
T1505.004
T1685.001
|
TTP
|
Windows Defense Evasion Tactics, IIS Components
|
2026-05-13
|
|
Windows ClipBoard Data via Get-ClipBoard
|
Powershell Script Block Logging 4104
|
T1115
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation, BlankGrabber Stealer
|
2026-05-13
|
|
Windows Spearphishing Attachment Onenote Spawn Mshta
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
APT37 Rustonotto and FadeStealer, AsyncRAT, Compromised Windows Host, Spearphishing Attachments
|
2026-05-13
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Ransomware, Castle RAT, AsyncRAT, Ryuk Ransomware, IcedID, Active Directory Lateral Movement, Scheduled Tasks, Prestige Ransomware, Medusa Ransomware, Winter Vivern, PlugX, Salt Typhoon, Windows Persistence Techniques, China-Nexus Threat Activity, Malicious Inno Setup Loader, ValleyRAT, Compromised Windows Host, Industroyer2, CISA AA22-257A, XWorm, 0bj3ctivity Stealer, CISA AA23-347A, SystemBC, APT37 Rustonotto and FadeStealer, Remcos, Quasar RAT, Data Destruction
|
2026-05-13
|
|
Remote Desktop Process Running On System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
|
Hunting
|
Active Directory Lateral Movement, Windows RDP Artifacts and Defense Evasion, Hidden Cobra Malware
|
2026-05-13
|
|
MacOS Kextload Usage
|
Osquery Results
|
T1543
|
TTP
|
MacOS Privilege Escalation, MacOS Persistence Techniques
|
2026-05-13
|
|
Windows MpCmdRun RemoveDefinitions Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry Disable Windows Security Center Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Windows Computer Account Requesting Kerberos Ticket
|
Windows Event Log Security 4768
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2026-05-13
|
|
Rundll32 LockWorkStation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
Anomaly
|
Ransomware
|
2026-05-13
|
|
Anomalous usage of 7zip
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1560.001
|
Anomaly
|
Cobalt Strike, BlackSuit Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, NOBELIUM Group
|
2026-05-13
|
|
Get-ForestTrust with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Processes Killed By Industroyer2 Malware
|
Sysmon EventID 5
|
T1489
|
Anomaly
|
Data Destruction, Industroyer2
|
2026-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Suspicious C2 Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
TTP
|
DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Brute Ratel C4, Cobalt Strike, Remote Monitoring and Management Software, BlackByte Ransomware, Gozi Malware, LockBit Ransomware, Storm-0501 Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware, Trickbot, Tuoni, Meterpreter
|
2026-05-13
|
|
Windows Process Injection With Public Source Path
|
Sysmon EventID 8
|
T1055.002
|
Hunting
|
Brute Ratel C4, Earth Alux
|
2026-05-13
|
|
GetAdComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
Hunting
|
Gozi Malware, CISA AA22-320A, Medusa Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Hunting 3CXDesktopApp Software
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1195.002
|
Hunting
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Windows Disable or Stop Browser Process
|
Sysmon EventID 1
|
T1685
|
TTP
|
Castle RAT, Braodo Stealer, Salat Stealer, BlankGrabber Stealer, Hellcat Ransomware, Scattered Lapsus$ Hunters
|
2026-06-08
|
|
Windows Suspicious QEMU Execution
|
Sysmon EventID 1
|
T1001
T1036
T1204.002
T1564.006
|
TTP
|
Linux Rootkit, Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Process Writing DynamicWrapperX
|
Sysmon EventID 11
|
T1059
T1559.001
|
Hunting
|
Remcos
|
2026-05-13
|
|
Cisco Isovalent - Kprobe Spike
|
Cisco Isovalent Process Kprobe
|
T1068
|
Hunting
|
VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Admin Password Changed by Non-Admin
|
Windows Event Log Security 4723
|
T1068
T1543.003
|
TTP
|
BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Windows Certutil Root Certificate Addition
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1587.003
|
TTP
|
Secret Blizzard
|
2026-05-13
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
T1078.003
T1136.001
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows MSI Rollback Script Deleted By Non-Msiexec Process
|
Sysmon EventID 23
|
T1068
T1218.007
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Remote Process Instantiation via DCOM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1021.003
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Add DefaultUser And Password In Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1552.002
|
Anomaly
|
BlackMatter Ransomware
|
2026-05-13
|
|
Scheduled Task Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Medusa Ransomware, Seashell Blizzard, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows NirSoft AdvancedRun
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1588.002
|
TTP
|
Unusual Processes, Data Destruction, Ransomware, WhisperGate
|
2026-05-13
|
|
Exchange PowerShell Module Usage
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Scattered Spider, BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Windows CAB File on Disk
|
Sysmon EventID 11
|
T1566.001
|
Anomaly
|
APT37 Rustonotto and FadeStealer, DarkGate Malware
|
2026-05-13
|
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1133
T1190
|
TTP
|
Compromised Windows Host, PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Windows Private Keys Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1552.004
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Phishing PDF File Executes URL Link
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
Anomaly
|
MuddyWater, Snake Keylogger, Spearphishing Attachments
|
2026-05-13
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Brute Ratel C4, XWorm, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader
|
2026-05-13
|
|
PowerShell PInvoke Process Injection API Chain
|
Powershell Script Block Logging 4104
|
T1055.001
T1055.003
T1055.004
T1055.012
T1055.013
T1059.001
T1620
|
TTP
|
VIP Keylogger
|
2026-05-13
|
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
T1055.001
|
TTP
|
Remcos, AsyncRAT
|
2026-05-13
|
|
Windows WMI Process Call Create
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
Hunting
|
Cactus Ransomware, Volt Typhoon, Qakbot, CISA AA23-347A, Suspicious WMI Use, IcedID
|
2026-05-13
|
|
Windows ConHost with Headless Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1564.003
T1564.006
|
TTP
|
Compromised Windows Host, Spearphishing Attachments
|
2026-05-13
|
|
Shim Database Installation With Suspicious Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.011
|
TTP
|
Compromised Windows Host, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
PowerShell Environment Variable Execution
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Windows Modify Registry No Auto Reboot With Logon User
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows Unusual FileZilla XML Config Access
|
Windows Event Log Security 4663
|
T1552.001
|
Anomaly
|
Quasar RAT
|
2026-05-13
|
|
Rundll32 Process Creating Exe Dll Files
|
Sysmon EventID 11
|
T1218.011
|
TTP
|
Gh0st RAT, Living Off The Land, IcedID
|
2026-05-13
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
T1546.008
|
TTP
|
Hermetic Wiper, Flax Typhoon, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Suspicious PlistBuddy Usage via OSquery
|
Osquery Results
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Windows Create Local Administrator Account Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1136.001
|
Anomaly
|
Medusa Ransomware, CISA AA22-257A, DHS Report TA18-074A, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Azorult, DarkGate Malware, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Living Off The Land, Scheduled Tasks, Compromised Windows Host, Winter Vivern, Hellcat Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Raw Access To Master Boot Record Drive
|
Sysmon EventID 9
|
T1561.002
|
TTP
|
Disk Wiper, BlackByte Ransomware, NjRAT, Hermetic Wiper, CISA AA22-264A, PathWiper, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Caddy Wiper, Void Manticore
|
2026-05-13
|
|
Ryuk Wake on LAN Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
TTP
|
Compromised Windows Host, Hellcat Ransomware, Ryuk Ransomware
|
2026-05-13
|
|
Windows IIS Components New Module Added
|
Windows IIS 29
|
T1505.004
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components
|
2026-05-13
|
|
Windows Masquerading Msdtc Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
|
TTP
|
Compromised Windows Host, PlugX
|
2026-05-13
|
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
T1134.001
|
Hunting
|
Brute Ratel C4
|
2026-05-13
|
|
Windows Modify Registry Auto Minor Updates
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows MOF Event Triggered Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.003
|
TTP
|
Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Windows RMM Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
Command And Control, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
High Frequency Copy Of Files In Network Share
|
Windows Event Log Security 5145
|
T1537
|
Anomaly
|
Insider Threat, Information Sabotage, Hellcat Ransomware
|
2026-05-13
|
|
Windows SoftEther VPN Masquerading as Legitimate Binary
|
Sysmon EventID 1
|
T1036
T1572
|
TTP
|
Linux Persistence Techniques, Flax Typhoon, Linux Privilege Escalation
|
2026-05-13
|
|
MacOS List Firewall Rules
|
Osquery Results
|
T1016
|
Anomaly
|
Network Discovery
|
2026-05-13
|
|
Detect AzureHound File Modifications
|
Sysmon EventID 11
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows Process Commandline Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1057
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Bcdedit Command Back To Normal Mode Boot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
|
TTP
|
BlackMatter Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
GetWmiObject Ds Computer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
LockBit Ransomware
|
2026-05-13
|
|
Windows Snake Malware Registry Modification wav OpenWithProgIds
|
Sysmon EventID 13
|
T1112
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Disabling CMD Application
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows TinyCC Shellcode Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1027
T1036
T1059.003
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
T1078.002
|
TTP
|
Compromised Windows Host, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Windows InstallUtil Credential Theft
|
Sysmon EventID 7
|
T1218.004
|
TTP
|
Signed Binary Proxy Execution InstallUtil
|
2026-05-13
|
|
Windows AD Abnormal Object Access Activity
|
Windows Event Log Security 4662
|
T1087.002
|
Anomaly
|
BlackSuit Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Linux Clipboard Data Copy
|
Sysmon for Linux EventID 1
|
T1115
|
Anomaly
|
Linux Living Off The Land
|
2026-05-13
|
|
Cisco Isovalent - Late Process Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Executables Or Script Creation In Suspicious Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
Crypto Stealer, Brute Ratel C4, PromptLock, XMRig, Castle RAT, AsyncRAT, DynoWiper, Hermetic Wiper, MoonPeak, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Snake Keylogger, Graceful Wipe Out Attack, Derusbi, IcedID, Trickbot, RedLine Stealer, Earth Alux, Warzone RAT, Cactus Ransomware, DarkCrystal RAT, PlugX, NjRAT, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, Chaos Ransomware, LockBit Ransomware, China-Nexus Threat Activity, SnappyBee, Void Manticore, ValleyRAT, Lokibot, VIP Keylogger, Industroyer2, WinDealer RAT, Interlock Rat, NailaoLocker Ransomware, Meduza Stealer, AgentTesla, Qakbot, CISA AA23-347A, WhisperGate, Axios Supply Chain Post Compromise, SystemBC, XML Runner Loader, Remcos, Volt Typhoon, BlackByte Ransomware, Interlock Ransomware, Azorult, Quasar RAT, Swift Slicer, Data Destruction, Handala Wiper, Double Zero Destructor, AcidPour, SesameOp
|
2026-05-13
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Living Off The Land, Scheduled Tasks, Compromised Windows Host, Castle RAT, Windows Persistence Techniques, IcedID, Trickbot
|
2026-05-13
|
|
Windows AD Dangerous Deny ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows USBSTOR Registry Key Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Crowdstrike User Weak Password Policy
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Cisco Isovalent - Curl Execution With Insecure Flags
|
Cisco Isovalent Process Exec
|
T1105
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Linux APT Privilege Escalation
|
Sysmon for Linux EventID 1, Cisco Isovalent Process Exec
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Modify Show Compress Color And Info Tip Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Hermetic Wiper, Windows Registry Abuse, Windows Defense Evasion Tactics, Data Destruction
|
2026-05-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
T1078.002
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
MS Scripting Process Loading WMI Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 13
|
T1547.010
|
TTP
|
Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2026-05-13
|
|
Windows System Network Connections Discovery Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation, VIP Keylogger, Snake Keylogger, BlankGrabber Stealer
|
2026-05-13
|
|
Detect RClone Command-Line Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1020
|
TTP
|
DarkSide Ransomware, Ransomware, Black Basta Ransomware, Cactus Ransomware, Storm-0501 Ransomware, Hellcat Ransomware, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Get DomainPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Suspicious Linux Discovery Commands
|
Sysmon for Linux EventID 1
|
T1059.004
|
TTP
|
Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Windows Disable Notification Center
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-13
|
|
Windows Phishing Outlook Drop Dll In FORM Dir
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566
|
TTP
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Windows Impair Defenses Disable Auto Logger Session
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Batch File Write to System32
|
Sysmon EventID 11
|
T1204.002
|
TTP
|
Compromised Windows Host, SamSam Ransomware
|
2026-05-13
|
|
Detect Use of cmd exe to Launch Script Interpreters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Anomaly
|
Emotet Malware DHS Report TA18-201A, Azorult, Suspicious Command-Line Executions
|
2026-05-13
|
|
Windows Deleted Registry By A Non Critical Process File Path
|
Sysmon EventID 1, Sysmon EventID 12
|
T1112
|
Anomaly
|
Double Zero Destructor, Data Destruction
|
2026-05-13
|
|
Linux Auditd Dd File Overwrite
|
Linux Auditd Proctitle
|
T1485
|
TTP
|
Compromised Linux Host, Data Destruction, Industroyer2
|
2026-05-13
|
|
CSC Net On The Fly Compilation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027.004
|
Hunting
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Process Kill Base On File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
XMRig
|
2026-05-13
|
|
Windows AD Domain Controller Audit Policy Disabled
|
Windows Event Log Security 4719
|
T1685
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Get WMIObject Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows DotNet Binary in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1218.004
|
TTP
|
Signed Binary Proxy Execution InstallUtil, Ransomware, Unusual Processes, Masquerading - Rename System Utilities, Data Destruction, WhisperGate
|
2026-05-13
|
|
Windows BitDefender Submission Wizard DLL Sideloading
|
Sysmon EventID 7
|
T1574
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome LocalState Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Braodo Stealer, MoonPeak, Amadey, Snake Keylogger, RedLine Stealer, Earth Alux, Warzone RAT, NjRAT, StealC Stealer, Salt Typhoon, DarkGate Malware, BlankGrabber Stealer, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee, Malicious Inno Setup Loader, Lokibot, VIP Keylogger, Salat Stealer, 0bj3ctivity Stealer, Meduza Stealer, PXA Stealer, Quasar RAT, Phemedrone Stealer
|
2026-06-08
|
|
Detect Certify Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
T1649
|
TTP
|
Windows Certificate Services, Compromised Windows Host, Ingress Tool Transfer
|
2026-05-13
|
|
Windows ESX Admins Group Creation via PowerShell
|
Powershell Script Block Logging 4104
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Disable Windows Behavior Monitoring
|
Sysmon EventID 13
|
T1685
|
TTP
|
Revil Ransomware, Windows Registry Abuse, Ransomware, Black Basta Ransomware, Cactus Ransomware, Windows Defense Evasion Tactics, Salat Stealer, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Azorult, Storm-0501 Ransomware, BlankGrabber Stealer, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters, RedLine Stealer
|
2026-06-08
|
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics, Ransomware
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome Login Data Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Braodo Stealer, MoonPeak, Amadey, Snake Keylogger, RedLine Stealer, Earth Alux, Warzone RAT, NjRAT, StealC Stealer, Salt Typhoon, DarkGate Malware, BlankGrabber Stealer, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee, Malicious Inno Setup Loader, Lokibot, VIP Keylogger, Salat Stealer, 0bj3ctivity Stealer, Meduza Stealer, PXA Stealer, Quasar RAT, Phemedrone Stealer
|
2026-06-08
|
|
Suspicious Curl Network Connection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
APT37 Rustonotto and FadeStealer, Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware
|
2026-05-13
|
|
Windows Metasploit Confluence Plugin Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
T1505.003
T1608
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Windows File Download Via PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1059.001
T1105
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, NetSupport RMM Tool Abuse, IcedID, Ingress Tool Transfer, Winter Vivern, HAFNIUM Group, StealC Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, NPM Supply Chain Compromise, XWorm, Malicious PowerShell, APT37 Rustonotto and FadeStealer, PHP-CGI RCE Attack on Japanese Organizations, SolarWinds WHD RCE Post Exploitation, Data Destruction, Phemedrone Stealer, Tuoni
|
2026-05-13
|
|
Windows PuTTY Suite Utility Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.004
|
Anomaly
|
Command And Control, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows User Deletion Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1531
|
Anomaly
|
XMRig, DarkGate Malware, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Service Execution RemCom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1569.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Application Whitelisting Bypass Attempt via Rundll32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Living Off The Land, Compromised Windows Host, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Windows Excessive Disabled Services Event
|
Windows Event Log System 7040
|
T1685
|
TTP
|
Windows Defense Evasion Tactics, Compromised Windows Host, CISA AA23-347A
|
2026-05-13
|
|
Windows LOLBAS Executed Outside Expected Path
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1218.011
|
Anomaly
|
Masquerading - Rename System Utilities, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Cloud Files Filter Loaded by Uncommon Process
|
Sysmon EventID 7
|
T1543.003
|
Anomaly
|
BlueHammer, RedSun
|
2026-05-18
|
|
Windows Powershell Logoff User via Quser
|
Powershell Script Block Logging 4104
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
CMD Carry Out String Command Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Hunting
|
Gh0st RAT, Crypto Stealer, AsyncRAT, Hermetic Wiper, IcedID, Log4Shell CVE-2021-44228, RedLine Stealer, Warzone RAT, DarkCrystal RAT, Winter Vivern, PlugX, StealC Stealer, NjRAT, Rhysida Ransomware, DarkGate Malware, Chaos Ransomware, Malicious Inno Setup Loader, Interlock Rat, 0bj3ctivity Stealer, Qakbot, CISA AA23-347A, WhisperGate, ProxyNotShell, Living Off The Land, Azorult, Quasar RAT, Data Destruction
|
2026-05-13
|
|
Linux High Frequency Of File Deletion In Etc Folder
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidRain, Data Destruction
|
2026-05-13
|
|
Windows Powershell History File Deletion
|
Powershell Script Block Logging 4104
|
T1059.003
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Remote Process Instantiation via WinRM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Linux Persistence Techniques, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Attacker Tools On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1003
T1036.005
T1595
|
TTP
|
Compromised Windows Host, Scattered Spider, XMRig, PHP-CGI RCE Attack on Japanese Organizations, Unusual Processes, CISA AA22-264A, Cisco Network Visibility Module Analytics, SamSam Ransomware
|
2026-05-13
|
|
Domain Account Discovery with Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
Windows Software Discovery Via PowerShell
|
Powershell Script Block Logging 4104
|
T1012
T1059.001
T1518
|
Anomaly
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows Office Product Dropped Uncommon File
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566.001
|
Anomaly
|
Compromised Windows Host, Warzone RAT, PlugX, AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, FIN7
|
2026-05-13
|
|
Windows Account Discovery for None Disable User Account
|
Powershell Script Block Logging 4104
|
T1087.001
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Icacls Deny Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Crypto Stealer, Compromised Windows Host, XMRig, Azorult, Defense Evasion or Unauthorized Access Via SDDL Tampering, Sandworm Tools
|
2026-05-13
|
|
Msmpeng Application DLL Side Loading
|
Sysmon EventID 11
|
T1574.001
|
TTP
|
Revil Ransomware, Ransomware
|
2026-05-13
|
|
Windows Privilege Escalation User Process Spawn System Process
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, BlackSuit Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows MsiExec HideWindow Rundll32 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Qakbot, Water Gamayun
|
2026-05-13
|
|
Windows Raw Access To Disk Volume Partition
|
Sysmon EventID 9
|
T1561.002
|
Anomaly
|
Disk Wiper, BlackByte Ransomware, NjRAT, Hermetic Wiper, CISA AA22-264A, PathWiper, Data Destruction, Graceful Wipe Out Attack, Caddy Wiper, Void Manticore
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome Copied in TEMP Dir
|
Sysmon EventID 11
|
T1555.003
|
TTP
|
Braodo Stealer, Scattered Lapsus$ Hunters, BlankGrabber Stealer
|
2026-05-13
|
|
Windows AD DSRM Password Reset
|
Windows Event Log Security 4794
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows AppX Deployment Unsigned Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
GetDomainComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows AD GPO New CSE Addition
|
Windows Event Log Security 5136
|
T1222.001
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
IcedID Exfiltrated Archived File Creation
|
Sysmon EventID 11
|
T1560.001
|
Hunting
|
IcedID, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Remote Process Instantiation via WMI and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows WMI Reconnaissance Class Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
MS Scripting Process Loading Ldap Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Windows PowGoop Beacon Decoding
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1001
T1059.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Linux GDB Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Audit Policy Security Descriptor Tampering via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Suspicious IcedID Rundll32 Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Windows Parent PID Spoofing with Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1134.004
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows PowerShell MSIX Package Installation
|
Powershell Script Block Logging 4104
|
T1059.001
T1547.001
|
TTP
|
MSIX Package Abuse, Malicious PowerShell
|
2026-05-13
|
|
Linux Hardware Addition SwapOff
|
Sysmon for Linux EventID 1
|
T1200
|
Anomaly
|
Scattered Lapsus$ Hunters, AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows Debugger Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
|
Hunting
|
PlugX, DarkGate Malware
|
2026-05-13
|
|
First Time Seen Child Process of Zoom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
|
Anomaly
|
Suspicious Zoom Child Processes
|
2026-05-13
|
|
Scheduled Task Deleted Or Created via CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
Anomaly
|
DHS Report TA18-074A, AsyncRAT, MoonPeak, Amadey, NetSupport RMM Tool Abuse, Trickbot, RedLine Stealer, Scheduled Tasks, Prestige Ransomware, Medusa Ransomware, DarkCrystal RAT, Winter Vivern, NjRAT, PlugX, Rhysida Ransomware, Salt Typhoon, NOBELIUM Group, Windows Persistence Techniques, China-Nexus Threat Activity, ValleyRAT, Lokibot, CISA AA22-257A, XWorm, 0bj3ctivity Stealer, AgentTesla, Qakbot, CISA AA23-347A, Sandworm Tools, Living Off The Land, APT37 Rustonotto and FadeStealer, Remcos, Scattered Spider, ShrinkLocker, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Quasar RAT, Azorult, Phemedrone Stealer
|
2026-05-13
|
|
Windows AppLocker Block Events
|
|
T1218
|
Anomaly
|
Windows AppLocker
|
2026-05-13
|
|
Windows Raccine Scheduled Task Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
Compromised Windows Host, Ransomware
|
2026-05-13
|
|
Windows App Layer Protocol Qakbot NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1071
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows File Collection Via Copy Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1119
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
T1134.002
|
Anomaly
|
Gh0st RAT, Brute Ratel C4, AsyncRAT, GhostRedirector IIS Module and Rungan Backdoor, Derusbi, PlugX, Salt Typhoon, DarkGate Malware, PathWiper, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee, ValleyRAT, Lokibot, WinDealer RAT, Salat Stealer, Meduza Stealer, CISA AA23-347A, Tuoni
|
2026-06-08
|
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 13
|
T1546.011
|
TTP
|
Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2026-05-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
T1078
|
Hunting
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Prevent Automatic Repair Mode using Bcdedit
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
|
TTP
|
Void Manticore, Chaos Ransomware, Ransomware
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Earth Alux, Warzone RAT, NjRAT, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Derusbi, China-Nexus Threat Activity
|
2026-05-13
|
|
Windows SQL Spawning CertUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
Flax Typhoon, SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows Short Lived DNS Record
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1071.004
T1187
T1557.001
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic
|
2026-05-13
|
|
Windows Disable Windows Group Policy Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Defense Evasion Tactics, Windows Registry Abuse, CISA AA23-347A, Ransomware
|
2026-05-13
|
|
Windows Server Software Component GACUtil Install to GAC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.004
|
TTP
|
IIS Components
|
2026-05-13
|
|
Script Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Suspicious WMI Use, Scattered Spider
|
2026-05-13
|
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
T1087.002
T1204.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Disable Defender MpEngine Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
IcedID, Windows Registry Abuse
|
2026-05-13
|
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Cobalt Strike, Earth Alux, Cactus Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Linux Auditd Add User Account Type
|
Linux Auditd Add User
|
T1136.001
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Non-System Process Querying Definition Update
|
Sysmon EventID 22
|
T1068
T1071.001
|
Anomaly
|
BlueHammer, Windows Privilege Escalation, RedSun
|
2026-04-27
|
|
Windows WMI Impersonate Token
|
Sysmon EventID 10
|
T1047
|
Anomaly
|
Qakbot, Water Gamayun
|
2026-05-13
|
|
Windows Set Account Password Policy To Unlimited Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1489
|
Anomaly
|
XMRig, BlackByte Ransomware, Crypto Stealer, Ransomware
|
2026-05-13
|
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
T1543.003
|
Hunting
|
BlackSuit Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Firewall Rule Added
|
Windows Event Log Security 4946
|
T1686
|
Anomaly
|
Medusa Ransomware, NetSupport RMM Tool Abuse, Salat Stealer, ShrinkLocker
|
2026-06-08
|
|
Disabling NoRun Windows App
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200
|
T1053.005
|
Hunting
|
BlackSuit Ransomware, AsyncRAT, Amadey, IcedID, Prestige Ransomware, Scheduled Tasks, DarkCrystal RAT, Winter Vivern, PlugX, Windows Persistence Techniques, Malicious Inno Setup Loader, ValleyRAT, Industroyer2, CISA AA22-257A, Qakbot, Sandworm Tools, SystemBC, Remcos, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Data Destruction
|
2026-05-13
|
|
Malicious PowerShell Process With Obfuscation Techniques
|
Sysmon EventID 1
|
T1059.001
|
TTP
|
Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Data Destruction, Hellcat Ransomware, Malicious PowerShell
|
2026-05-13
|
|
Windows Masquerading Explorer As Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
TTP
|
Water Gamayun, Qakbot, Compromised Windows Host
|
2026-05-13
|
|
Linux High Frequency Of File Deletion In Boot Folder
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
AcidPour, Data Destruction, Industroyer2
|
2026-05-13
|
|
Windows System Discovery Using Qwinsta
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Qakbot
|
2026-05-13
|
|
UAC Bypass With Colorui COM Object
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
Ransomware, LockBit Ransomware
|
2026-05-13
|
|
Linux Sqlite3 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Wmic NonInteractive App Uninstallation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Hunting
|
IcedID, Azorult
|
2026-05-13
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Linux Ingress Tool Transfer with Curl
|
Sysmon for Linux EventID 1
|
T1105
|
Anomaly
|
XorDDos, NPM Supply Chain Compromise, Linux Living Off The Land, Ingress Tool Transfer
|
2026-05-13
|
|
Windows WinDBG Spawning AutoIt3
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2026-05-13
|
|
GPUpdate with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Compromised Windows Host, Cobalt Strike, BlackByte Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware
|
2026-05-13
|
|
Get ADUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
Hunting
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Headless Browser Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
T1564.003
|
Anomaly
|
Forest Blizzard, Browser Hijacking
|
2026-05-13
|
|
Detect Regasm with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Suspicious Regsvcs Regasm Activity, Living Off The Land, Void Manticore, Handala Wiper
|
2026-05-13
|
|
Windows Modify Registry Disabling WER Settings
|
Sysmon EventID 13
|
T1112
|
TTP
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Windows Protocol Tunneling with Plink
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.004
T1572
|
TTP
|
CISA AA22-257A
|
2026-05-13
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
T1547.006
T1569.002
|
TTP
|
Compromised Windows Host, Snake Malware
|
2026-05-13
|
|
Windows Visual Basic Commandline Compiler DNSQuery
|
Sysmon EventID 22
|
T1071.004
|
TTP
|
Lokibot
|
2026-05-13
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
T1133
T1190
|
TTP
|
MOVEit Transfer Critical Vulnerability, Hellcat Ransomware
|
2026-05-13
|
|
Network Discovery Using Route Windows App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1016.001
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Active Directory Discovery, Qakbot, CISA AA22-277A
|
2026-05-13
|
|
Cisco Isovalent - Pods Running Offensive Tools
|
Cisco Isovalent Process Exec
|
T1204.003
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
PowerShell Start or Stop Service
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows PowerShell Process With Malicious String
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
T1547.006
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Windows Modify Registry wuStatusServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
PowerShell Loading DotNET into Memory via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
VIP Keylogger, Winter Vivern, AsyncRAT, 0bj3ctivity Stealer, Hermetic Wiper, AgentTesla, Data Destruction, Hellcat Ransomware, Axios Supply Chain Post Compromise, Malicious PowerShell
|
2026-05-13
|
|
Detect SharpHound Command-Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
BlackSuit Ransomware, Windows Discovery Techniques, Ransomware
|
2026-05-13
|
|
Windows Multiple Users Remotely Failed To Authenticate From Host
|
Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows High File Deletion Frequency
|
Sysmon EventID 23, Sysmon EventID 26
|
T1485
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Medusa Ransomware, Black Basta Ransomware, NailaoLocker Ransomware, DarkCrystal RAT, Void Manticore, DynoWiper, Interlock Ransomware, Swift Slicer, Handala Wiper, Data Destruction, WhisperGate, Clop Ransomware, Sandworm Tools, ZOVWiper
|
2026-05-13
|
|
Allow Operation with Consent Admin
|
Sysmon EventID 13
|
T1548
|
TTP
|
MoonPeak, Windows Registry Abuse, Ransomware, Azorult
|
2026-05-13
|
|
Windows PowerShell Script From WindowsApps Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1204.002
|
TTP
|
MSIX Package Abuse, Malicious PowerShell
|
2026-05-13
|
|
Windows Netspy Network Scanner Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
T1595
|
Anomaly
|
Windows Discovery Techniques, Network Discovery
|
2026-05-13
|
|
Windows Theme File Creation in Unusual Location
|
Sysmon EventID 11
|
T1021.002
T1187
T1557.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Steal Authentication Certificates CertUtil Backup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1649
|
Anomaly
|
Windows Certificate Services, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Common Ransomware Extensions
|
Sysmon EventID 11
|
T1485
|
TTP
|
Prestige Ransomware, Medusa Ransomware, Ransomware, Ryuk Ransomware, Black Basta Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Interlock Ransomware, Clop Ransomware, LockBit Ransomware, Termite Ransomware, SamSam Ransomware
|
2026-05-13
|
|
Shai-Hulud 2 Exfiltration Artifact Files
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1074.001
T1195.002
T1552.001
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows AppLocker Rare Application Launch Detection
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2026-05-13
|
|
Windows PUA Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
DarkSide Ransomware, CISA AA22-320A, Cactus Ransomware, Medusa Ransomware, SamSam Ransomware, BlackByte Ransomware, DHS Report TA18-074A, Volt Typhoon, HAFNIUM Group, Seashell Blizzard, Rhysida Ransomware, VanHelsing Ransomware, DarkGate Malware, IcedID, Sandworm Tools, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Mock Trusted Directory MSC File Creation
|
Sysmon EventID 11
|
T1218.014
T1548.002
T1574
|
TTP
|
Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Password Managers Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1555.005
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation, Scattered Lapsus$ Hunters, Scattered Spider
|
2026-05-13
|
|
Windows Chromium Process Loaded Extension via Command-Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Powershell Remote Services Add TrustedHost
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Remcos RAT File Creation in Remcos Folder
|
Sysmon EventID 11
|
T1113
|
TTP
|
Remcos
|
2026-05-13
|
|
Windows Unusual Count Of Users Failed To Auth Using Kerberos
|
Windows Event Log Security 4771
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon
|
2026-05-13
|
|
Windows Forest Discovery with GetForestDomain
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows MMC Loaded Script Engine DLL
|
Sysmon EventID 7
|
T1620
|
Anomaly
|
XML Runner Loader
|
2026-05-13
|
|
Microsoft Defender ATP Alerts
|
MS Defender ATP Alerts
|
N/A
|
TTP
|
Critical Alerts
|
2026-05-13
|
|
Windows IIS Components Module Failed to Load
|
Windows Event Log Application 2282
|
T1505.004
|
Anomaly
|
IIS Components
|
2026-05-13
|
|
Clear Unallocated Sector Using Cipher App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070.004
|
TTP
|
Scattered Spider, Compromised Windows Host, Ransomware
|
2026-05-13
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Tracing Level
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Mimikatz Crypto Export File Extensions
|
Sysmon EventID 11
|
T1649
|
Anomaly
|
Windows Certificate Services, CISA AA23-347A, Sandworm Tools
|
2026-05-13
|
|
Samsam Test File Write
|
Sysmon EventID 11
|
T1486
|
TTP
|
SamSam Ransomware
|
2026-05-13
|
|
Windows Modify Registry Disable Win Defender Raw Write Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Windows Chromium Browser No Security Sandbox Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
TTP
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows Steal Authentication Certificates Certificate Request
|
Windows Event Log Security 4886
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Linux Possible Access To Credential Files
|
Sysmon for Linux EventID 1
|
T1003.008
|
Anomaly
|
Linux Persistence Techniques, XorDDos, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity
|
2026-05-13
|
|
Linux Auditd Stop Services
|
Linux Auditd Service Stop
|
T1489
|
Hunting
|
Compromised Linux Host, AwfulShred, Data Destruction, Industroyer2
|
2026-05-13
|
|
Windows System Remote Discovery With Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Medusa Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Creation of Shadow Copy with wmic and powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
|
TTP
|
Living Off The Land, Credential Dumping, Compromised Windows Host, Volt Typhoon
|
2026-05-13
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Water Gamayun, CISA AA23-347A, Hellcat Ransomware
|
2026-05-13
|
|
Headless Browser Mockbin or Mocky Request
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1564.003
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Forest Blizzard
|
2026-05-13
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
SLUI RunAs Elevated
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1548.002
|
TTP
|
DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Living Off The Land Detection
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows Disable or Modify Tools Via Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
NjRAT, PXA Stealer, BlankGrabber Stealer, Crypto Stealer
|
2026-05-13
|
|
Windows MSTSC RDP Commandline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Medusa Ransomware
|
2026-05-13
|
|
Windows SQL Server Critical Procedures Enabled
|
Windows Event Log Application 15457
|
T1505.001
|
TTP
|
SQL Server Abuse
|
2026-05-13
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
T1016
T1033
T1049
T1059
T1222
T1529
|
Correlation
|
Windows Post-Exploitation, Volt Typhoon, DarkCrystal RAT, Windows Defense Evasion Tactics, FIN7, Qakbot, Azorult, CISA AA23-347A, Netsh Abuse, Microsoft WSUS CVE-2025-59287, Sandworm Tools, Disabling Security Tools
|
2026-05-13
|
|
Windows PowerView Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Rhysida Ransomware, CISA AA23-347A, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Suspicious MSBuild Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127.001
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows Modify Registry DontShowUI
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Regsvr32 Silent and Install Param Dll Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
Anomaly
|
Living Off The Land, Remcos, AsyncRAT, Hermetic Wiper, Suspicious Regsvr32 Activity, Data Destruction
|
2026-06-09
|
|
Windows Vulnerable Driver Installed
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Windows Drivers, Void Manticore
|
2026-05-13
|
|
Windows File Association Modification via Ftype
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Anomaly
|
Windows File Extension and Association Abuse
|
2026-05-13
|
|
Scheduled Task Creation on Remote Endpoint using At
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.002
|
TTP
|
Living Off The Land, Scheduled Tasks, 0bj3ctivity Stealer, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Bypass UAC via Pkgmgr Tool
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1548.002
|
Anomaly
|
Warzone RAT
|
2026-05-13
|
|
GetWmiObject Ds Computer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Esentutl SAM Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.002
|
Hunting
|
Living Off The Land, Credential Dumping
|
2026-05-13
|
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
T1204.001
T1566.001
|
Hunting
|
Remcos, Brute Ratel C4, APT37 Rustonotto and FadeStealer, Warzone RAT, Spearphishing Attachments, Gozi Malware, Qakbot, AgentTesla, Azorult, Amadey, IcedID
|
2026-05-13
|
|
Windows Remote Service Rdpwinst Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Azorult, Scattered Lapsus$ Hunters, Compromised Windows Host
|
2026-05-13
|
|
Remote Process Instantiation via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Ransomware, Salt Typhoon, Suspicious WMI Use, CISA AA23-347A, China-Nexus Threat Activity, Void Manticore, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Account Access Removal via Logoff Exec
|
Sysmon EventID 1
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows Archived Collected Data In TEMP Folder
|
Sysmon EventID 11
|
T1560
|
Anomaly
|
Braodo Stealer, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows InstallUtil Remote Network Connection
|
Sysmon EventID 1, Sysmon EventID 3, Cisco Network Visibility Module Flow Data
|
T1218.004
|
Anomaly
|
Living Off The Land, Compromised Windows Host, Cisco Network Visibility Module Analytics, Signed Binary Proxy Execution InstallUtil
|
2026-05-13
|
|
Windows Audit Policy Auditing Option Modified - Registry
|
Sysmon EventID 13
|
T1547.014
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate Using Kerberos
|
Windows Event Log Security 4771
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Active Directory Kerberos Attacks, Volt Typhoon
|
2026-05-13
|
|
Windows PowerShell Module File Created
|
Sysmon EventID 11
|
T1059.001
T1129
T1574
|
Anomaly
|
Malicious PowerShell, Windows Persistence Techniques
|
2026-05-13
|
|
Linux Kworker Process In Writable Process Path
|
Sysmon for Linux EventID 1
|
T1036.004
|
Hunting
|
Cyclops Blink, Sandworm Tools
|
2026-05-13
|
|
Dump LSASS via comsvcs DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.001
|
TTP
|
Living Off The Land, Prestige Ransomware, Compromised Windows Host, Volt Typhoon, CISA AA22-257A, Industroyer2, Flax Typhoon, Credential Dumping, HAFNIUM Group, CISA AA22-264A, Data Destruction, Scattered Lapsus$ Hunters, Hellcat Ransomware, Suspicious Rundll32 Activity
|
2026-05-13
|
|
ETW Registry Disabled
|
Sysmon EventID 13
|
T1127
T1685
|
TTP
|
Windows Registry Abuse, Hermetic Wiper, CISA AA23-347A, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Linux Malformed Auth Entry
|
Linux Secure
|
T1068
|
Anomaly
|
Linux Privilege Escalation
|
2026-05-06
|
|
Windows Process Accessing Windows Recall Directory
|
Windows Event Log Security 4663
|
T1059
T1119
|
Anomaly
|
Windows Post-Exploitation
|
2026-05-13
|
|
Disable Windows SmartScreen Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse, Salat Stealer
|
2026-06-08
|
|
File with Samsam Extension
|
Sysmon EventID 11
|
N/A
|
TTP
|
Hellcat Ransomware, SamSam Ransomware
|
2026-05-13
|
|
Windows Outlook Macro Created by Suspicious Process
|
Sysmon EventID 11
|
T1059.005
T1137
|
TTP
|
NotDoor Malware
|
2026-05-13
|
|
Detect Excessive User Account Lockouts
|
|
T1078.003
|
Anomaly
|
Active Directory Password Spraying, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Modify Registry NoChangingWallPaper
|
Sysmon EventID 13
|
T1112
|
TTP
|
Rhysida Ransomware
|
2026-05-13
|
|
SilentCleanup UAC Bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
MoonPeak, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Unusual File Creation in Confluence Directory
|
Sysmon EventID 11
|
T1190
T1608.001
T1608.002
|
Anomaly
|
Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Windows Computer Account Changed to Domain Controller
|
Windows Event Log Security 4742
|
T1136.002
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
T1112
|
TTP
|
NetSupport RMM Tool Abuse, ShrinkLocker, CISA AA24-241A
|
2026-05-13
|
|
Linux Curl Upload File
|
Sysmon for Linux EventID 1, Cisco Isovalent Process Exec
|
T1105
|
TTP
|
Data Exfiltration, NPM Supply Chain Compromise, Linux Living Off The Land, Ingress Tool Transfer
|
2026-05-13
|
|
Change To Safe Mode With Network Config
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
|
TTP
|
BlackMatter Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Users By Source
|
NTLM Operational 8005, NTLM Operational 8004, NTLM Operational 8006
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Detect MSHTA Url in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1218.005
|
TTP
|
Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious MSHTA Activity, XWorm, Cisco Network Visibility Module Analytics, NetSupport RMM Tool Abuse, Lumma Stealer
|
2026-05-13
|
|
Executable File Written in Administrative SMB Share
|
Windows Event Log Security 5145
|
T1021.002
|
TTP
|
Prestige Ransomware, Compromised Windows Host, BlackSuit Ransomware, Industroyer2, Hermetic Wiper, VanHelsing Ransomware, Data Destruction, Graceful Wipe Out Attack, IcedID, Trickbot, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Auditd Nopasswd Entry In Sudoers File
|
Linux Auditd Proctitle
|
T1548.003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host
|
2026-05-13
|
|
Windows Product Key Registry Query
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
Linux Setuid Using Setcap Utility
|
Sysmon for Linux EventID 1
|
T1548.001
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
High Process Termination Frequency
|
Sysmon EventID 5
|
T1486
|
Anomaly
|
Crypto Stealer, Medusa Ransomware, NailaoLocker Ransomware, BlackByte Ransomware, Rhysida Ransomware, Interlock Ransomware, Snake Keylogger, Clop Ransomware, LockBit Ransomware, Hellcat Ransomware, Termite Ransomware
|
2026-05-13
|
|
Windows DiskCryptor Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1486
|
Hunting
|
Ransomware
|
2026-05-13
|
|
GetWmiObject DS User with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Service Create with Tscon
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
T1563.002
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
GetDomainGroup with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Detect Certipy File Modifications
|
Sysmon EventID 11
|
T1560
T1649
|
TTP
|
Windows Certificate Services, Data Exfiltration, Ingress Tool Transfer
|
2026-05-13
|
|
Suspicious Image Creation In Appdata Folder
|
Sysmon EventID 1, Sysmon EventID 11
|
T1113
|
TTP
|
Remcos, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Remote Process Instantiation via WinRM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Registry Keys Used For Privilege Escalation
|
Sysmon EventID 13
|
T1546.012
|
TTP
|
Cloud Federated Credential Abuse, Windows Registry Abuse, Suspicious Windows Registry Activities, Hermetic Wiper, Data Destruction, Windows Privilege Escalation
|
2026-05-13
|
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
T1055
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 13
|
T1574.011
|
Anomaly
|
Gh0st RAT, Crypto Stealer, Windows Registry Abuse, Brute Ratel C4, PlugX, Suspicious Windows Registry Activities, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Derusbi, Windows Persistence Techniques, China-Nexus Threat Activity, SnappyBee, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows ESX Admins Group Creation via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows DISM Remove Defender
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
Windows Defense Evasion Tactics, Compromised Windows Host, CISA AA23-347A
|
2026-05-13
|
|
Fsutil Zeroing File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070
|
TTP
|
Ransomware, LockBit Ransomware
|
2026-05-13
|
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
T1027
T1059.001
|
TTP
|
AsyncRAT, Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287, NetSupport RMM Tool Abuse, IcedID, Medusa Ransomware, Winter Vivern, NjRAT, MuddyWater, VIP Keylogger, XWorm, Salat Stealer, 0bj3ctivity Stealer, Axios Supply Chain Post Compromise, Malicious PowerShell, APT37 Rustonotto and FadeStealer, Data Destruction
|
2026-06-08
|
|
Windows AppLocker Privilege Escalation via Unauthorized Bypass
|
|
T1218
|
TTP
|
Windows AppLocker
|
2026-05-13
|
|
MacOS Log Removal
|
Osquery Results
|
T1070
|
TTP
|
MacOS Post-Exploitation
|
2026-05-13
|
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Winter Vivern, Malicious PowerShell, Active Directory Discovery
|
2026-05-13
|
|
Windows Impair Defense Add Xml Applocker Rules
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Hunting
|
Azorult
|
2026-05-13
|
|
Windows User Discovery Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.001
|
Hunting
|
Sandworm Tools, Medusa Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2026-05-13
|
|
Windows Default Rdp File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows AD AdminSDHolder ACL Modified
|
Windows Event Log Security 5136
|
T1546
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Microsoft Defender Incident Alerts
|
MS365 Defender Incident Alerts
|
N/A
|
TTP
|
Critical Alerts
|
2026-05-13
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
T1027.005
T1059.001
|
TTP
|
Water Gamayun, Malicious PowerShell
|
2026-05-13
|
|
Windows Autostart Execution LSASS Driver Registry Modification
|
Sysmon EventID 13
|
T1547.008
|
TTP
|
Windows Registry Abuse
|
2026-05-13
|
|
Spoolsv Spawning Rundll32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1547.012
|
TTP
|
Compromised Windows Host, PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Service Stop By Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1489
|
Hunting
|
Crypto Stealer, Azorult, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Handle Duplication in Known UAC-Bypass Binaries
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
Castle RAT
|
2026-05-13
|
|
Linux Kernel Module Enumeration
|
Sysmon for Linux EventID 1
|
T1014
T1082
|
Anomaly
|
Linux Rootkit, XorDDos
|
2026-05-13
|
|
Detect AzureHound Command-Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Compromised Windows Host, Windows Discovery Techniques
|
2026-05-13
|
|
PowerShell Domain Enumeration
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Hermetic Wiper, Interlock Ransomware, CISA AA23-347A, Data Destruction, Microsoft WSUS CVE-2025-59287, Malicious PowerShell
|
2026-05-13
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Malicious Inno Setup Loader, Living Off The Land, Qakbot, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Sqlite Module In Temp Folder
|
Sysmon EventID 11
|
T1005
|
TTP
|
Lokibot, IcedID
|
2026-05-13
|
|
Windows Rdp AutomaticDestinations Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate From Host Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2026-05-13
|
|
Windows Chromium Browser with Custom User Data Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Malicious Inno Setup Loader, Lokibot, StealC Stealer
|
2026-05-13
|
|
Windows NirSoft Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1588.002
|
Hunting
|
WhisperGate, Data Destruction
|
2026-05-13
|
|
Linux Auditd Hidden Files And Directories Creation
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows AppLocker Execution from Uncommon Locations
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2026-05-13
|
|
Windows Potential Web Shell Creation For VMware Workspace ONE
|
Sysmon EventID 11
|
T1505.003
|
Anomaly
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, VMware Aria Operations vRealize CVE-2023-20887, VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
Detect SharpHound Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Windows Discovery Techniques, Ransomware
|
2026-05-13
|
|
Linux Auditd Auditd Daemon Start
|
Linux Auditd Daemon Start
|
T1685.004
|
Anomaly
|
Compromised Linux Host
|
2026-05-13
|
|
SchCache Change By App Connect And Create ADSI Object
|
Sysmon EventID 11
|
T1087.002
|
Anomaly
|
BlackMatter Ransomware
|
2026-05-13
|
|
Windows Explorer LNK Exploit Process Launch With Padding
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1204.002
|
TTP
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Linux Unix Shell Enable All SysRq Functions
|
Sysmon for Linux EventID 1
|
T1059.004
|
Anomaly
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows Steal Authentication Certificates Certificate Issued
|
Windows Event Log Security 4887
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Gh0st RAT, Crypto Stealer, Brute Ratel C4, Snake Malware, APT37 Rustonotto and FadeStealer, Flax Typhoon, PlugX, Qakbot, Salt Typhoon, CISA AA23-347A, Derusbi, Clop Ransomware, China-Nexus Threat Activity, Active Directory Lateral Movement
|
2026-05-13
|
|
Cisco NVM - Rclone Execution With Network Activity
|
Cisco Network Visibility Module Flow Data
|
T1567.002
|
Anomaly
|
Scattered Lapsus$ Hunters, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Unknown Process Using The Kerberos Protocol
|
Sysmon EventID 1, Sysmon EventID 3
|
T1550
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2026-05-13
|
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1129, Windows Event Log Defender 5007, Windows Event Log Defender 1134, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1122, Windows Event Log Defender 1121, Windows Event Log Defender 1126, Windows Event Log Defender 1125
|
T1059
T1566.001
T1566.002
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Wmiprvse LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Credential Dumping via Symlink to Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Windows Modify System Firewall with Notable Process Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1686
|
TTP
|
Compromised Windows Host, NjRAT, Medusa Ransomware
|
2026-05-13
|
|
Crowdstrike Medium Identity Risk Severity
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows WinPEAS PowerShell Script Execution
|
Powershell Script Block Logging 4104
|
T1007
T1016
T1033
T1082
T1590
T1592.002
T1592.004
T1615
|
TTP
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Remote Access Software BRC4 Loaded Dll
|
Sysmon EventID 7
|
T1003
T1219
|
Anomaly
|
Brute Ratel C4
|
2026-05-13
|
|
Local Account Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.001
|
Hunting
|
Scattered Lapsus$ Hunters, Active Directory Discovery
|
2026-05-13
|
|
Windows WMIC Shadowcopy Delete
|
Sysmon EventID 1
|
T1490
|
Anomaly
|
Suspicious WMI Use, Cactus Ransomware, Volt Typhoon
|
2026-05-13
|
|
Windows ScManager Security Descriptor Tampering Via Sc.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1569.002
|
TTP
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows Impair Defenses Disable AV AutoStart via Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Ryuk Test Files Detected
|
Sysmon EventID 11
|
T1486
|
TTP
|
Ryuk Ransomware
|
2026-05-13
|
|
Windows Set Network Profile Category to Private via Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Secret Blizzard
|
2026-05-13
|
|
Windows Credential Access From Browser Password Store
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Malicious Inno Setup Loader, Earth Alux, Scattered Spider, VIP Keylogger, Braodo Stealer, Salat Stealer, StealC Stealer, 0bj3ctivity Stealer, Meduza Stealer, MoonPeak, Salt Typhoon, PXA Stealer, Quasar RAT, Snake Keylogger, BlankGrabber Stealer, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee
|
2026-06-08
|
|
Local LLM Framework DNS Query
|
Sysmon EventID 22
|
T1590
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
T1014
T1068
|
TTP
|
CISA AA22-320A, BlackSuit Ransomware, BlackByte Ransomware, Windows Drivers, AgentTesla
|
2026-05-13
|
|
Cisco NVM - Webserver Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1105
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Linux c99 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Linux SSH Authorized Keys Modification
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
PetitPotam Network Share Access Request
|
Windows Event Log Security 5145
|
T1187
|
TTP
|
PetitPotam NTLM Relay on Active Directory Certificate Services
|
2026-05-13
|
|
Windows Modify Registry LongPathsEnabled
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
BlackByte Ransomware
|
2026-05-13
|
|
Cisco Isovalent - Potential Escape to Host
|
Cisco Isovalent Process Exec
|
T1611
|
Anomaly
|
VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Verclsid CLSID Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.012
|
Hunting
|
Unusual Processes
|
2026-05-13
|
|
Disable AMSI Through Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, CISA AA23-347A, Ransomware
|
2026-05-13
|
|
Linux Medusa Rootkit
|
Sysmon for Linux EventID 11
|
T1014
T1589.001
|
TTP
|
Medusa Rootkit, China-Nexus Threat Activity, VoidLink Cloud-Native Linux Malware, Hellcat Ransomware
|
2026-05-13
|
|
Windows CrowdStrike Agent Registry Key Removal
|
Sysmon EventID 12
|
T1685
|
Anomaly
|
Windows Defense Evasion Tactics, Security Solution Tampering
|
2026-05-13
|
|
Windows Modify Registry ValleyRAT C2 Config
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Windows Cloud Files Filter Log Created by Non-System Process
|
Sysmon EventID 11
|
T1068
|
TTP
|
Windows Privilege Escalation, RedSun
|
2026-05-01
|
|
Windows SOAPHound Binary Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Compromised Windows Host, Windows Discovery Techniques
|
2026-05-13
|
|
Windows Credential Target Information Structure in Commandline
|
Sysmon EventID 1
|
T1071.004
T1187
T1557.001
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic
|
2026-05-13
|
|
Linux Stop Services
|
Sysmon for Linux EventID 1
|
T1489
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2026-05-13
|
|
Windows EDRSilencer Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Wsmprovhost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.006
|
TTP
|
CISA AA24-241A, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
T1098.004
|
Anomaly
|
Linux Persistence Techniques, Hellcat Ransomware, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Audit Policy Disabled via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Suspicious SQLite3 LSQuarantine Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1074
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Nishang PowershellTCPOneLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
TTP
|
Cleo File Transfer Software, HAFNIUM Group
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2026-05-13
|
|
Windows RDP File Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
T1598.002
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Interlock Ransomware, Spearphishing Attachments
|
2026-05-13
|
|
Windows DisableAntiSpyware Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics, SolarWinds WHD RCE Post Exploitation, Azorult, CISA AA22-264A, CISA AA23-347A, Ryuk Ransomware, RedLine Stealer
|
2026-05-13
|
|
Linux MySQL Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows PowerShell Script TabExpansion Direct Call
|
Powershell Script Block Logging 4104
|
T1059.001
T1129
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
PowerShell - Connect To Internet With Hidden Window
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
Hunting
|
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, HAFNIUM Group, Hermetic Wiper, AgentTesla, Data Destruction, Log4Shell CVE-2021-44228, Malicious PowerShell
|
2026-06-04
|
|
Regsvr32 with Known Silent Switch Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
Anomaly
|
Living Off The Land, Remcos, AsyncRAT, Qakbot, Suspicious Regsvr32 Activity, IcedID
|
2026-06-09
|
