Endpoint Detections

Name Data Source Technique Type Analytic Story Date
Windows AD add Self to Group Windows Event Log Security 4728 T1098 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation, Medusa Ransomware 2026-06-01
Windows PowerShell Add Module to Global Assembly Cache Powershell Script Block Logging 4104 T1505.004 TTP IIS Components 2026-05-13
Windows Group Discovery Via Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.001 T1069.002 Hunting SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, IcedID, Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, Prestige Ransomware, Azorult, Cleo File Transfer Software, Volt Typhoon, Windows Post-Exploitation, Active Directory Discovery, Graceful Wipe Out Attack, Windows Discovery Techniques 2026-05-13
CMLUA Or CMSTPLUA UAC Bypass Sysmon EventID 7 T1218.003 TTP DarkSide Ransomware, Ransomware, LockBit Ransomware, ValleyRAT 2026-05-13
Windows PowerShell Invoke-Sqlcmd Execution Powershell Script Block Logging 4104 T1059.001 T1059.003 Hunting SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows Potato Privilege Escalation Tool Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 TTP Windows Privilege Escalation 2026-05-13
Steal or Forge Authentication Certificates Behavior Identified T1649 Correlation Windows Certificate Services 2026-05-13
Windows InstallUtil URL in Command Line Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1218.004 TTP Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Living Off The Land, Cisco Network Visibility Module Analytics 2026-05-13
Windows New Service Security Descriptor Set Via Sc.EXE Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1564 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
PaperCut NG Suspicious Behavior Debug Log T1133 T1190 Hunting PaperCut MF NG Vulnerability 2026-05-13
Windows Excel Spawning Microsoft Project Application Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.003 Anomaly PathWiper 2026-05-13
Deleting Shadow Copies Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1490 TTP Chaos Ransomware, SamSam Ransomware, Black Basta Ransomware, Void Manticore, LockBit Ransomware, Clop Ransomware, Medusa Ransomware, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Rhysida Ransomware, Termite Ransomware, Prestige Ransomware, CISA AA22-264A, DarkGate Malware, VanHelsing Ransomware, Compromised Windows Host, Cactus Ransomware, Windows Log Manipulation 2026-05-13
Java Writing JSP File Sysmon for Linux EventID 11, Sysmon for Linux EventID 1 T1133 T1190 TTP SysAid On-Prem Software CVE-2023-47246 Vulnerability, Spring4Shell CVE-2022-22965, Atlassian Confluence Server and Data Center CVE-2022-26134, SAP NetWeaver Exploitation 2026-05-13
Windows Rasautou DLL Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055.001 T1218 TTP Hellcat Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Linux Auditd Service Restarted Linux Auditd Proctitle T1053.006 Anomaly Linux Privilege Escalation, Data Destruction, Scheduled Tasks, AwfulShred, Linux Living Off The Land, Gomir, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Credentials from Password Stores Deletion Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1555 TTP DarkGate Malware, NetSupport RMM Tool Abuse, Compromised Windows Host 2026-05-13
Windows Impair Defense Set Win Defender Smart Screen Level To Warn Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Linux Auditd File Permission Modification Via Chmod Linux Auditd Proctitle T1222.002 Anomaly Linux Privilege Escalation, Salt Typhoon, Axios Supply Chain Post Compromise, XorDDos, Linux Living Off The Land, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
USN Journal Deletion Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1070 TTP Ransomware, Windows Log Manipulation 2026-05-13
Mshta spawning Rundll32 OR Regsvr32 Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.005 TTP IcedID, APT37 Rustonotto and FadeStealer, Living Off The Land, Trickbot 2026-05-13
Logon Script Event Trigger Execution Sysmon EventID 13 T1037.001 TTP Data Destruction, VIP Keylogger, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Execution of File with Multiple Extensions Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.003 TTP Masquerading - Rename System Utilities, AsyncRAT, Windows File Extension and Association Abuse, DarkGate Malware 2026-05-13
MSBuild Suspicious Spawned By Script Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1127.001 TTP Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild 2026-05-13
Windows Anomalous Registry Value Length in Environment Key Sysmon EventID 13 T1112 Anomaly VIP Keylogger 2026-05-13
PowerShell 4104 Hunting Powershell Script Block Logging 4104 T1059.001 Hunting Braodo Stealer, Cleo File Transfer Software, Flax Typhoon, SystemBC, Salat Stealer, MuddyWater, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, Water Gamayun, Rhysida Ransomware, XWorm, DarkGate Malware, Hellcat Ransomware, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Phantom Stealer, CISA AA24-241A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Cactus Ransomware, Scattered Spider, Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, Lumma Stealer, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer 2026-06-25
Windows Password Policy Discovery with Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1201 Hunting Active Directory Discovery 2026-05-13
Windows Potential Cloudflared Network Connection Sysmon EventID 3 T1572 Hunting Reverse Network Proxy 2026-05-13
Linux Auditd Find Credentials From Password Stores Linux Auditd Execve T1555.005 TTP Linux Privilege Escalation, Scattered Lapsus$ Hunters, Linux Living Off The Land, Hellcat Ransomware, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows WMI Process And Service List Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1047 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Linux Auditd Add User Account Linux Auditd Proctitle T1136.001 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux Auditd Unload Module Via Modprobe Linux Auditd Execve T1547.006 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Reg exe Manipulating Windows Services Registry Keys Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1574.011 TTP Windows Persistence Techniques, Windows Service Abuse, Living Off The Land 2026-05-13
Windows Gather Victim Identity SAM Info Sysmon EventID 7 T1589.001 Hunting Brute Ratel C4 2026-05-13
Windows Local Administrator Credential Stuffing Windows Event Log Security 4624, Windows Event Log Security 4625 T1110.004 TTP Scattered Lapsus$ Hunters, Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Suspicious Copy on System32 Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.003 Anomaly AsyncRAT, IcedID, Sandworm Tools, Water Gamayun, Qakbot, Unusual Processes, Volt Typhoon, Compromised Windows Host 2026-05-13
Spike in File Writes Sysmon EventID 11 N/A Anomaly SamSam Ransomware, Ryuk Ransomware, Ransomware, Rhysida Ransomware 2026-05-13
Windows PowerShell WMI Win32 ScheduledJob Powershell Script Block Logging 4104 T1059.001 TTP Active Directory Lateral Movement 2026-05-13
Detect RTLO In Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.002 TTP Spearphishing Attachments 2026-05-13
Detect RTLO In File Name Sysmon EventID 11 T1036.002 TTP Spearphishing Attachments 2026-05-13
Linux Preload Hijack Library Calls Sysmon for Linux EventID 1 T1574.006 TTP Linux Privilege Escalation, Salt Typhoon, VoidLink Cloud-Native Linux Malware, China-Nexus Threat Activity, Linux Persistence Techniques 2026-05-13
Windows Administrative Shares Accessed On Multiple Hosts Windows Event Log Security 5140, Windows Event Log Security 5145 T1135 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Windows Impair Defense Disable Controlled Folder Access Sysmon EventID 13 T1685 TTP Windows Registry Abuse, BlankGrabber Stealer, Windows Defense Evasion Tactics 2026-05-13
Windows MSIExec DLLRegisterServer Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.007 TTP Windows System Binary Proxy Execution MSIExec, Water Gamayun 2026-05-13
Windows ESX Admins Group Creation Security Event Windows Event Log Security 4727, Windows Event Log Security 4737, Windows Event Log Security 4730 T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2026-05-13
Windows TeamCity Payload Execution from Temp Directory Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 T1190 T1505.003 TTP JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities 2026-05-13
Linux Obfuscated Files or Information Base64 Decode Sysmon for Linux EventID 1 T1027 Anomaly Linux Living Off The Land 2026-05-13
Linux Sudo OR Su Execution Sysmon for Linux EventID 1 T1548.003 Hunting Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware, Linux Persistence Techniques 2026-05-13
Windows Screen Capture in TEMP folder Sysmon EventID 11 T1113 TTP VIP Keylogger, Braodo Stealer, Crypto Stealer, StealC Stealer, Hellcat Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Rundll32 with Non-Standard File Extension Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 Anomaly Gh0st RAT, Suspicious Rundll32 Activity, Living Off The Land 2026-05-13
Windows AD Privileged Object Access Activity Windows Event Log Security 4662 T1087.002 TTP Active Directory Discovery, BlackSuit Ransomware 2026-05-13
Windows Defender ASR or Threat Configuration Tamper Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 TTP Windows Defense Evasion Tactics 2026-05-13
Linux Auditd Base64 Decode Files Linux Auditd Execve T1140 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux RPM Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
PowerShell Invoke WmiExec Usage Powershell Script Block Logging 4104 T1047 TTP Suspicious WMI Use, Scattered Lapsus$ Hunters 2026-05-13
Crowdstrike Medium Severity Alert T1110 Anomaly Compromised Windows Host 2026-05-13
Windows Level RMM PowerShell Script Installer Powershell Script Block Logging 4104 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Detect Empire with PowerShell Script Block Logging Powershell Script Block Logging 4104 T1059.001 TTP Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper, Data Destruction 2026-05-13
ICACLS Grant Command Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1222 Anomaly XMRig, Ransomware, Defense Evasion or Unauthorized Access Via SDDL Tampering, NetSupport RMM Tool Abuse, Crypto Stealer 2026-05-13
Windows Crowdstrike RTR Script Execution CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 Anomaly Cobalt Strike, Malicious PowerShell, Suspicious MSHTA Activity, Living Off The Land 2026-05-13
Powershell Load Module in Meterpreter Powershell Script Block Logging 4104 T1059.001 TTP MetaSploit 2026-05-13
Windows Chromium Process Launched with Logging Disabled Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497 Anomaly Browser Hijacking 2026-05-13
Disable Windows App Hotkeys Sysmon EventID 13 T1112 T1685 TTP XMRig, Windows Registry Abuse 2026-05-13
GetWmiObject Ds Group with PowerShell Script Block Powershell Script Block Logging 4104 T1069.002 TTP Active Directory Discovery 2026-05-13
Windows Explorer.exe Spawning PowerShell or Cmd Windows Event Log Security 4688, Sysmon EventID 1 T1059.001 T1204.002 Hunting ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day 2026-05-13
Suspicious Rundll32 StartW Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 TTP Cobalt Strike, Hellcat Ransomware, Trickbot, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, BlackByte Ransomware 2026-05-13
Windows Binary Execution from an Archive CrowdStrike ProcessRollup2, Sysmon EventID 1 T1204.002 Anomaly Spearphishing Attachments 2026-05-13
Linux Visudo Utility Execution Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Windows PowerView Kerberos Service Ticket Request Powershell Script Block Logging 4104 T1558.003 TTP Active Directory Kerberos Attacks, Rhysida Ransomware 2026-05-13
Clop Ransomware Known Service Name Windows Event Log System 7045 T1543 TTP Compromised Windows Host, Clop Ransomware 2026-05-13
System User Discovery With Whoami Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1033 Hunting PHP-CGI RCE Attack on Japanese Organizations, CISA AA23-347A, Rhysida Ransomware, Qakbot, Lotus Blossom Chrysalis Backdoor, Active Directory Discovery, LAMEHUG, Winter Vivern 2026-05-13
Windows Odbcconf Load Response File Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.008 TTP Living Off The Land 2026-05-13
Windows Impair Defense Disable Win Defender Signature Retirement Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics 2026-05-13
Windows Audit Policy Auditing Option Disabled via Auditpol Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685.001 TTP Windows Audit Policy Tampering 2026-05-13
Windows AD Suspicious Attribute Modification Windows Event Log Security 5136 T1222.001 T1550 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Spoolsv Writing a DLL - Sysmon Sysmon EventID 11 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Execute Javascript With Jscript COM CLSID Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.005 TTP Ransomware 2026-05-13
Linux Possible Access Or Modification Of sshd Config File Sysmon for Linux EventID 1 T1098.004 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Impair Defense Define Win Defender Threat Action Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows IOBit Unlocker Extension DLL Registration via Regsvr32 Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.010 TTP Compromised Windows Host 2026-05-13
Windows Modify Registry Do Not Connect To Win Update Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Windows DnsAdmins New Member Added Windows Event Log Security 4732 T1098 TTP Active Directory Privilege Escalation 2026-05-13
Windows Drivers Loaded by Signature Sysmon EventID 6 T1014 T1068 Hunting Windows Drivers, AgentTesla, BlackByte Ransomware, CISA AA22-320A 2026-05-13
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download Cisco Network Visibility Module Flow Data T1218.005 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Disabling SystemRestore In Registry Sysmon EventID 13 T1490 TTP Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics 2026-05-13
Windows Proxy Execution of .NET Utilities via Scripts Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218 Anomaly VIP Keylogger 2026-05-13
Windows Remote Access Software RMS Registry Sysmon EventID 13 T1219 TTP Azorult 2026-05-13
Windows Large Number of Computer Service Tickets Requested Windows Event Log Security 4769 T1078 T1135 Anomaly Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Suspicious msbuild path Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.003 T1127.001 TTP Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware 2026-05-13
Windows ConsoleHost History File Deletion Sysmon EventID 26, Sysmon EventID 23 T1070.003 Anomaly Medusa Ransomware 2026-05-13
Linux DD File Overwrite Sysmon for Linux EventID 1 T1485 TTP Data Destruction, Industroyer2 2026-05-13
Remote Process Instantiation via WMI and PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1047 TTP Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Windows Kerberos Coercion via DNS Windows Event Log Security 4662, Windows Event Log Security 5137, Windows Event Log Security 5136 T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic 2026-05-13
Detect Regsvr32 Application Control Bypass Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.010 TTP Cobalt Strike, BlackByte Ransomware, PHP-CGI RCE Attack on Japanese Organizations, Living Off The Land, Compromised Windows Host, Graceful Wipe Out Attack, Suspicious Regsvr32 Activity 2026-05-13
Windows Entra User Management Via Azure CLI Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1078.004 T1098 T1136 Anomaly Azure Active Directory Persistence 2026-05-13
Windows DNS Query Request To TinyUrl Sysmon EventID 22 T1105 Anomaly Malicious Inno Setup Loader 2026-05-13
Wscript Or Cscript Suspicious Child Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 T1134.004 T1543 Anomaly WhisperGate, MuddyWater, Data Destruction, ShrinkLocker, Axios Supply Chain Post Compromise, FIN7, VIP Keylogger, XWorm, Unusual Processes, Remcos, 0bj3ctivity Stealer, NjRAT 2026-05-13
Windows Outlook Dialogs Disabled from Unusual Process Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, NotDoor Malware 2026-05-13
Common Ransomware Notes Sysmon EventID 11 T1485 Hunting Chaos Ransomware, SamSam Ransomware, Black Basta Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Ransomware, Rhysida Ransomware, Termite Ransomware, Storm-0501 Ransomware, Ryuk Ransomware, Hellcat Ransomware, NailaoLocker Ransomware 2026-05-13
Windows Hosts File Access Windows Event Log Security 4663 T1012 Anomaly Gh0st RAT, BlankGrabber Stealer 2026-05-13
Powershell Processing Stream Of Data Powershell Script Block Logging 4104 T1059.001 Anomaly MuddyWater, Malicious PowerShell, Data Destruction, MoonPeak, Medusa Ransomware, AsyncRAT, IcedID, PXA Stealer, Hermetic Wiper, XWorm, Braodo Stealer, Salat Stealer, Hellcat Ransomware 2026-06-29
Windows Exfiltration Over C2 Via Invoke RestMethod Powershell Script Block Logging 4104 T1041 TTP Water Gamayun, Microsoft WSUS CVE-2025-59287, Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Winter Vivern 2026-05-13
Print Spooler Adding A Printer Driver Windows Event Log Printservice 316 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Anomaly Security Solution Tampering 2026-05-13
Rundll32 Control RunDLL Hunt Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 Hunting Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity, Living Off The Land 2026-05-13
Windows Process Injection into Commonly Abused Processes Sysmon EventID 10 T1055.002 Anomaly BishopFox Sliver Adversary Emulation Framework, Earth Alux, SAP NetWeaver Exploitation, APT37 Rustonotto and FadeStealer 2026-05-13
Recon Using WMI Class Powershell Script Block Logging 4104 T1059.001 T1592 Anomaly Quasar RAT, Axios Supply Chain Post Compromise, Malicious PowerShell, Data Destruction, MoonPeak, LockBit Ransomware, AsyncRAT, BlankGrabber Stealer, VIP Keylogger, Qakbot, Hermetic Wiper, Industroyer2, Scattered Spider, Malicious Inno Setup Loader 2026-05-13
Domain Controller Discovery with Wmic Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1018 Hunting Active Directory Discovery 2026-05-13
Windows Domain Account Discovery Via Get-NetComputer Powershell Script Block Logging 4104 T1087.002 Anomaly CISA AA23-347A 2026-05-13
Windows Remote Assistance Spawning Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Compromised Windows Host, Unusual Processes 2026-05-13
Windows AD SID History Attribute Modified Windows Event Log Security 5136 T1134.005 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Wmic Group Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.001 Anomaly Active Directory Discovery, LAMEHUG 2026-05-13
Windows Steal or Forge Kerberos Tickets Klist Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1558 Hunting Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows SIP WinVerifyTrust Failed Trust Validation Windows Event Log CAPI2 81 T1553.003 Anomaly Subvert Trust Controls SIP and Trust Provider Hijacking 2026-05-13
Windows Modify Registry WuServer Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
Powershell Using memory As Backing Store Powershell Script Block Logging 4104 T1059.001 TTP Data Destruction, MoonPeak, Malicious PowerShell, Medusa Ransomware, IcedID, Hermetic Wiper, Salat Stealer 2026-06-08
Windows RDP Bitmap Cache File Creation Sysmon EventID 11 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Chromium process Launched with Disable Popup Blocking Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497 Anomaly Browser Hijacking 2026-05-13
Windows WSUS Spawning Shell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1190 T1505.003 TTP Microsoft WSUS CVE-2025-59287 2026-05-13
Windows Service Created with Suspicious Service Name Windows Event Log System 7045 T1569.002 Anomaly Gh0st RAT, Snake Malware, CISA AA23-347A, Clop Ransomware, Qakbot, Flax Typhoon, Tuoni, PlugX, Brute Ratel C4, Active Directory Lateral Movement 2026-05-13
Windows Credentials from Web Browsers Saved in TEMP Folder Sysmon EventID 11 T1555.003 TTP Braodo Stealer, Scattered Lapsus$ Hunters 2026-05-13
Windows Process With NamedPipe CommandLine Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 Anomaly Windows Defense Evasion Tactics 2026-05-13
Malicious Powershell Executed As A Service Windows Event Log System 7045 T1569.002 TTP Rhysida Ransomware, Compromised Windows Host, Malicious PowerShell 2026-05-13
CMD Echo Pipe - Escalation Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.003 T1543.003 TTP Cobalt Strike, BlackByte Ransomware, Compromised Windows Host, Graceful Wipe Out Attack 2026-05-13
User Discovery With Env Vars PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1033 Hunting Active Directory Discovery 2026-05-13
Linux PHP Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Cisco Isovalent - Non Allowlisted Image Use Cisco Isovalent Process Exec T1204.003 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Windows BitLockerToGo with Network Activity Sysmon EventID 22 T1218 Hunting Lumma Stealer, Hellcat Ransomware 2026-05-13
Disable Defender BlockAtFirstSeen Feature Sysmon EventID 13 T1685 TTP CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, IcedID, Windows Registry Abuse, Azorult 2026-05-13
Linux Account Manipulation Of SSH Config and Keys Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly Hellcat Ransomware, AcidRain 2026-05-13
Windows Proxy Via Netsh Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1090.001 Anomaly Volt Typhoon 2026-05-13
Windows SqlWriter SQLDumper DLL Sideload Sysmon EventID 7 T1574.001 TTP APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Windows GrimResource - MMC Process Accessing APDS DLL Windows Event Log Security 4663 T1059.007 T1218.014 TTP Compromised Windows Host 2026-05-13
MacOS - Re-opened Applications Sysmon EventID 1 N/A TTP ColdRoot MacOS RAT 2026-05-13
Suspicious Scheduled Task from Public Directory Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 Anomaly Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Living Off The Land, Lokibot, XWorm, DarkCrystal RAT, Ryuk Ransomware, Windows Persistence Techniques, NetSupport RMM Tool Abuse, CISA AA24-241A, Medusa Ransomware, Azorult, Scattered Spider, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, CISA AA23-347A, Crypto Stealer, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer 2026-05-13
MOVEit Empty Key Fingerprint Authentication Attempt T1190 Hunting MOVEit Transfer Authentication Bypass, Hellcat Ransomware 2026-05-13
Processes Tapping Keyboard Events Osquery Results N/A TTP APT37 Rustonotto and FadeStealer, ColdRoot MacOS RAT 2026-05-13
Powershell Execute COM Object Powershell Script Block Logging 4104 T1059.001 T1546.015 TTP Ransomware, Hermetic Wiper, Malicious PowerShell, Data Destruction 2026-05-13
Linux Auditd Possible Access To Credential Files Linux Auditd Proctitle T1003.008 Anomaly Linux Privilege Escalation, Salt Typhoon, Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Unload Sysmon Filter Driver Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 TTP Disabling Security Tools, CISA AA23-347A 2026-05-13
WSReset UAC Bypass Sysmon EventID 13, Sysmon EventID 12 T1548.002 TTP Windows Registry Abuse, MoonPeak, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Windows RMM Tool Execution Sysmon EventID 1 T1219 Anomaly Suspicious User Agents, NetSupport RMM Tool Abuse, Remote Monitoring and Management Software 2026-05-13
Elevated Group Discovery with PowerView Powershell Script Block Logging 4104 T1069.002 Hunting Active Directory Discovery 2026-05-13
Linux Doas Tool Execution Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Auto Admin Logon Registry Entry Sysmon EventID 13 T1552.002 TTP BlackMatter Ransomware, Windows Registry Abuse 2026-05-13
DSQuery Domain Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1482 TTP Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery 2026-05-13
Windows Remote Management Execute Shell Windows Event Log Security 4688, Sysmon EventID 1 T1021.006 Anomaly Crypto Stealer 2026-05-13
Windows Service Stop Attempt Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1489 Hunting Prestige Ransomware, Scattered Lapsus$ Hunters, Graceful Wipe Out Attack, Gh0st RAT 2026-05-13
System User Discovery With Query Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1033 Hunting Active Directory Discovery, Medusa Ransomware 2026-05-13
Spoolsv Suspicious Process Access Sysmon EventID 10 T1068 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
MS Exchange Mailbox Replication service writing Active Server Pages Sysmon EventID 1, Sysmon EventID 11 T1133 T1190 T1505.003 TTP Ransomware, ProxyShell, BlackByte Ransomware 2026-05-13
Curl Execution with Percent Encoded URL Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1 T1027 T1105 Anomaly Ingress Tool Transfer, Compromised Windows Host, Living Off The Land 2026-05-13
Windows Command and Scripting Interpreter Path Traversal Exec Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 TTP Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Detect Rundll32 Inline HTA Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.005 TTP APT37 Rustonotto and FadeStealer, NOBELIUM Group, Suspicious MSHTA Activity, Living Off The Land 2026-05-13
Mailsniper Invoke functions Powershell Script Block Logging 4104 T1114.001 TTP Data Exfiltration 2026-05-13
Windows Modify Registry DisAllow Windows App Sysmon EventID 13 T1112 TTP Azorult 2026-05-13
Windows Net System Service Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1007 Hunting Gh0st RAT, LAMEHUG 2026-05-13
SecretDumps Offline NTDS Dumping Tool Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.003 TTP Rhysida Ransomware, Storm-0501 Ransomware, Credential Dumping, Compromised Windows Host, Graceful Wipe Out Attack 2026-05-13
Impacket Lateral Movement Commandline Parameters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.002 T1021.003 T1047 T1543.003 TTP WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement 2026-05-13
Windows Azure PowerShell Module Installation Via PowerShell Script Powershell Script Block Logging 4104 T1021.007 T1069.003 T1078 T1098 T1136.003 Anomaly Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover 2026-05-13
GetWmiObject DS User with PowerShell Script Block Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery 2026-05-13
Windows Unusual Intelliform Storage Registry Access Windows Event Log Security 4663 T1552.001 Anomaly Quasar RAT, Lokibot 2026-05-13
Windows Excessive Service Stop Attempt Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1489 TTP XMRig, Ransomware, BlackByte Ransomware 2026-05-13
Windows Sensitive Group Discovery With Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.002 Anomaly BlackSuit Ransomware, IcedID, Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, Volt Typhoon, Active Directory Discovery 2026-05-13
Windows Office Product Spawned Child Process For Download Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, PlugX, Spearphishing Attachments, APT37 Rustonotto and FadeStealer, NjRAT 2026-05-13
Powershell Enable SMB1Protocol Feature Powershell Script Block Logging 4104 T1027.005 TTP Ransomware, Hermetic Wiper, Malicious PowerShell, Data Destruction 2026-05-13
Windows Suspicious Child Process of TieringEngineService.exe Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 TTP RedSun, Windows Privilege Escalation 2026-05-01
GetLocalUser with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1087.001 Hunting Active Directory Discovery 2026-05-13
Suspicious microsoft workflow compiler usage Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1127 TTP Trusted Developer Utilities Proxy Execution, Living Off The Land 2026-05-13
Windows DLL Module Loaded in Temp Dir Sysmon EventID 7 T1105 Hunting Lokibot, SolarWinds WHD RCE Post Exploitation, Interlock Rat 2026-05-13
Windows Modify Registry EnableLinkedConnections Sysmon EventID 13 T1112 TTP BlackByte Ransomware 2026-05-13
Windows MSIX Package Interaction Windows Event Log AppXPackaging 171 T1204.002 Hunting MSIX Package Abuse 2026-05-13
Linux Auditd Preload Hijack Library Calls Linux Auditd Execve T1574.006 TTP Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Unsigned MS DLL Side-Loading Sysmon EventID 7 T1547 T1574.001 Anomaly Salt Typhoon, Earth Alux, XWorm, Derusbi, China-Nexus Threat Activity, APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Kerberos Pre-Authentication Flag Disabled with PowerShell Powershell Script Block Logging 4104 T1558.004 TTP Active Directory Kerberos Attacks 2026-05-13
Linux Possible Append Command To Profile Config File Sysmon for Linux EventID 1 T1546.004 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
MacOS Network Share Discovery Osquery Results T1135 Anomaly MacOS Post-Exploitation 2026-05-13
Windows Impair Defense Override SmartScreen Prompt Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Overide Win Defender Phishing Filter Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Cisco Isovalent - Cron Job Creation Cisco Isovalent Process Exec T1053.003 T1053.007 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Child Processes of Spoolsv exe Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 TTP Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Windows System Script Proxy Execution Syncappvpublishingserver Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1216 T1218 TTP Living Off The Land 2026-05-13
Disabled Kerberos Pre-Authentication Discovery With PowerView Powershell Script Block Logging 4104 T1558.004 TTP Active Directory Kerberos Attacks, Interlock Ransomware 2026-05-13
Windows Obfuscated Files or Information via RAR SFX Sysmon EventID 11 T1027.013 Anomaly APT37 Rustonotto and FadeStealer, Crypto Stealer, GhostRedirector IIS Module and Rungan Backdoor, Salat Stealer 2026-06-08
Remote Process Instantiation via WinRM and Winrs Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Trickbot Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1055 TTP Hellcat Ransomware, Trickbot 2026-05-13
Linux Busybox Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows New Custom Security Descriptor Set On EventLog Channel Sysmon EventID 13 T1685.001 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware 2026-05-13
Windows System Network Config Discovery Display DNS Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1016 Anomaly Prestige Ransomware, Water Gamayun, Windows Post-Exploitation, Medusa Ransomware 2026-05-13
Windows File and Directory Permissions Enable Inheritance Windows Event Log Security 4688, Sysmon EventID 1 T1222.001 Hunting NetSupport RMM Tool Abuse, Crypto Stealer 2026-05-13
Windows Process Execution From ProgramData Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.005 Hunting Salt Typhoon, Axios Supply Chain Post Compromise, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor, XWorm, StealC Stealer, Salat Stealer, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer, SnappyBee 2026-06-08
Windows Impair Defense Delete Win Defender Context Menu Sysmon EventID 13 T1685 Hunting Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Default RDP File Creation By Non MSTSC Process Sysmon EventID 1, Sysmon EventID 11 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows AD Short Lived Domain Account ServicePrincipalName Windows Event Log Security 5136 T1098 TTP Interlock Ransomware, Sneaky Active Directory Persistence Tricks 2026-05-13
Detect New Local Admin account Windows Event Log Security 4732, Windows Event Log Security 4720 T1136.001 TTP CISA AA24-241A, HAFNIUM Group, DHS Report TA18-074A, Scattered Lapsus$ Hunters, CISA AA22-257A 2026-05-13
Get ADDefaultDomainPasswordPolicy with Powershell Script Block Powershell Script Block Logging 4104 T1201 Hunting Active Directory Discovery 2026-05-13
Windows Odbcconf Load DLL Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.008 TTP Living Off The Land 2026-05-13
Advanced IP or Port Scanner Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1046 T1135 Anomaly Windows Defense Evasion Tactics 2026-05-13
Linux Auditd At Application Execution Linux Auditd Syscall T1053.002 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Security Account Manager Stopped Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1489 TTP Ryuk Ransomware, Compromised Windows Host, Scattered Lapsus$ Hunters 2026-05-13
Windows Impair Defenses Disable HVCI Sysmon EventID 13 T1685 TTP Windows Registry Abuse, BlackLotus Campaign, Windows Defense Evasion Tactics 2026-05-13
Cisco NVM - Susp Script From Archive Triggering Network Activity Cisco Network Visibility Module Flow Data T1059.005 T1204.002 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows Scheduled Task with Highest Privileges Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP Quasar RAT, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, AsyncRAT, Scheduled Tasks, RedLine Stealer, XWorm, Compromised Windows Host, NetSupport RMM Tool Abuse, Castle RAT 2026-05-13
Windows InProcServer32 New Outlook Form Sysmon EventID 13 T1112 T1566 Anomaly Outlook RCE CVE-2024-21378 2026-05-13
Detect Regasm Spawning a Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.009 TTP Void Manticore, Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity, Snake Keylogger, DarkGate Malware, Compromised Windows Host 2026-05-13
Short Lived Scheduled Task Windows Event Log Security 4699, Windows Event Log Security 4698 T1053.005 TTP CISA AA23-347A, Scheduled Tasks, Compromised Windows Host, CISA AA22-257A, Active Directory Lateral Movement 2026-05-13
Windows AD Cross Domain SID History Addition Windows Event Log Security 4742, Windows Event Log Security 4738 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Disabling Firewall with Netsh Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Anomaly BlackByte Ransomware, Windows Defense Evasion Tactics 2026-05-13
Windows TOR Client Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1090.003 Anomaly Data Exfiltration, Command And Control, Data Protection, Compromised Windows Host, Windows Post-Exploitation 2026-05-13
GetNetTcpconnection with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1049 Hunting Active Directory Discovery 2026-05-13
Windows Audit Policy Cleared via Auditpol Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685.001 TTP Windows Audit Policy Tampering 2026-05-13
Linux Cpulimit Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Compatibility Telemetry Suspicious Child Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 T1546 TTP Windows Persistence Techniques 2026-05-13
Linux Auditd Data Transfer Size Limits Via Split Linux Auditd Execve T1030 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Hellcat Ransomware, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Enable RDP In Other Port Number Sysmon EventID 13 T1021 TTP Interlock Ransomware, Windows Registry Abuse, Prohibited Traffic Allowed or Protocol Mismatch, Windows RDP Artifacts and Defense Evasion 2026-05-13
Linux Service File Created In Systemd Directory Sysmon for Linux EventID 11 T1053.006 Anomaly Linux Privilege Escalation, Scheduled Tasks, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, China-Nexus Threat Activity, Gomir, Linux Persistence Techniques 2026-05-13
Windows AutoIt3 Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 TTP DarkGate Malware, Void Manticore, Handala Wiper, Crypto Stealer 2026-05-13
Windows Diskshadow Proxy Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218 TTP Living Off The Land 2026-05-13
Windows PowerShell FakeCAPTCHA Clipboard Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1059.001 T1059.003 T1204.001 TTP Interlock Ransomware, Cisco Network Visibility Module Analytics, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters, Fake CAPTCHA Campaigns 2026-05-13
Linux Auditd Sysmon Service Stop Linux Auditd Service Stop T1489 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Office Product Spawned Rundll32 With No DLL Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Prestige Ransomware, Compromised Windows Host, Crypto Stealer, Spearphishing Attachments, Graceful Wipe Out Attack 2026-05-13
Domain Group Discovery With Wmic Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.002 Hunting Active Directory Discovery 2026-05-13
Windows Admon Default Group Policy Object Modified Windows Active Directory Admon T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Schtasks scheduling job on remote system Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP Quasar RAT, Scheduled Tasks, Living Off The Land, RedLine Stealer, Prestige Ransomware, NOBELIUM Group, Compromised Windows Host, Active Directory Lateral Movement, Phemedrone Stealer 2026-05-13
Windows PowerShell Export Certificate Powershell Script Block Logging 4104 T1552.004 T1649 Anomaly Windows Certificate Services 2026-05-13
Windows MSIExec Spawn WinDBG Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.007 TTP DarkGate Malware, Compromised Windows Host 2026-05-13
Windows Modify Registry Disable WinDefender Notifications Sysmon EventID 13 T1112 TTP SolarWinds WHD RCE Post Exploitation, RedLine Stealer, CISA AA23-347A 2026-05-13
Cisco Isovalent - Shell Execution Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Windows Suspicious VMWare Tools Child Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 TTP China-Nexus Threat Activity, ESXi Post Compromise 2026-05-13
Windows AppX Deployment Full Trust Package Installation Windows Event Log AppXDeployment-Server 400 T1204.002 T1553.005 Hunting MSIX Package Abuse 2026-05-13
Outbound Network Connection from Java Using Default Ports Sysmon EventID 1, Sysmon EventID 3 T1133 T1190 TTP Log4Shell CVE-2021-44228 2026-05-13
Windows Powershell RemoteSigned File Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 Anomaly Amadey 2026-05-13
Detect Rare Executables Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1204 Anomaly Salt Typhoon, Rhysida Ransomware, Unusual Processes, Crypto Stealer, China-Nexus Threat Activity, SnappyBee 2026-05-13
Potential password in username Linux Secure T1078.003 T1552.001 Hunting Credential Dumping, Insider Threat 2026-05-13
Cisco NVM - Outbound Connection to Suspicious Port Cisco Network Visibility Module Flow Data T1571 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
MacOS AMOS Stealer - Virtual Machine Check Activity Osquery Results T1059.002 Anomaly Hellcat Ransomware, AMOS Stealer 2026-05-13
Linux Service Started Or Enabled Sysmon for Linux EventID 1 T1053.006 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Gomir, Linux Persistence Techniques 2026-05-13
SLUI Spawning a Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1548.002 TTP DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Linux Docker Root Directory Mount Sysmon for Linux EventID 1 T1611 TTP Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Auditd Hardware Addition Swapoff Linux Auditd Execve T1200 Anomaly AwfulShred, Data Destruction, Scattered Lapsus$ Hunters, Compromised Linux Host 2026-05-13
Windows Impair Defense Delete Win Defender Profile Registry Sysmon EventID 13 T1685 Anomaly Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows AD Object Owner Updated Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Services Escalate Exe Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1548 TTP Cobalt Strike, CISA AA23-347A, Graceful Wipe Out Attack, Compromised Windows Host, BlackByte Ransomware 2026-05-13
Linux Auditd Shred Overwrite Command Linux Auditd Proctitle T1485 TTP Linux Privilege Escalation, Data Destruction, AwfulShred, Industroyer2, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Creation of Shadow Copy Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.003 TTP Credential Dumping, Volt Typhoon, Compromised Windows Host 2026-05-13
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File Linux Auditd Path, Linux Auditd Cwd T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Office Product Spawned Control Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1566.001 TTP Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host 2026-05-13
Windows Wmic CPU Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1082 Anomaly LAMEHUG 2026-05-13
Windows OneDrive Share Mounted via Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1567.002 Anomaly Data Exfiltration 2026-05-13
Windows Registry Entries Exported Via Reg Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1012 Hunting CISA AA23-347A, Windows Post-Exploitation, Prestige Ransomware 2026-05-13
Detect Remote Access Software Usage Registry Sysmon EventID 13 T1219 Anomaly Command And Control, CISA AA24-241A, Ransomware, Gozi Malware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat 2026-05-13
Linux Edit Cron Table Parameter Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Non Discord App Access Discord LevelDB Windows Event Log Security 4663 T1012 Anomaly Phantom Stealer, BlankGrabber Stealer, PXA Stealer, Snake Keylogger, StealC Stealer 2026-06-25
Windows AppCertDLL Modification Via Command Line Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1546.009 Anomaly Windows Persistence Techniques, Windows Privilege Escalation 2026-05-13
Kerberos Service Ticket Request Using RC4 Encryption Windows Event Log Security 4769 T1558.001 TTP Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation 2026-05-13
Print Spooler Failed to Load a Plug-in Windows Event Log Printservice 4909, Windows Event Log Printservice 808 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Windows Chrome Auto-Update Disabled via Registry Sysmon EventID 13 T1185 Anomaly Browser Hijacking 2026-05-13
WMI Permanent Event Subscription T1047 TTP Suspicious WMI Use 2026-05-13
Disable Defender Enhanced Notification Sysmon EventID 13 T1685 TTP IcedID, Azorult, Windows Registry Abuse, CISA AA23-347A 2026-05-13
GetWmiObject User Account with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1087.001 Hunting Active Directory Discovery, Water Gamayun, Winter Vivern 2026-05-13
PowerShell Get LocalGroup Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.001 Hunting Active Directory Discovery 2026-05-13
Windows Multiple NTLM Null Domain Authentications NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004 T1110.003 TTP Active Directory Password Spraying 2026-05-13
GetCurrent User with PowerShell Script Block Powershell Script Block Logging 4104 T1033 Hunting Active Directory Discovery 2026-05-13
Modify ACL permission To Files Or Folder Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1222 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering, XMRig, Crypto Stealer 2026-05-13
Windows PowerShell ScheduleTask Powershell Script Block Logging 4104 T1053.005 T1059.001 Anomaly Scheduled Tasks, Scattered Spider 2026-05-13
Windows Global Object Access Audit List Cleared Via Auditpol Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685.001 TTP Windows Audit Policy Tampering 2026-05-13
Dump LSASS via procdump Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.001 TTP HAFNIUM Group, Storm-2460 CLFS Zero Day Exploitation, Seashell Blizzard, Credential Dumping, Compromised Windows Host, CISA AA22-257A 2026-05-13
Windows Modify Registry to Add or Modify Firewall Rule Sysmon EventID 13, Sysmon EventID 14 T1112 Anomaly ShrinkLocker, NetSupport RMM Tool Abuse, CISA AA24-241A 2026-05-13
BITSAdmin Download File Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1105 T1197 TTP GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ingress Tool Transfer, Living Off The Land, Flax Typhoon, DarkSide Ransomware, BITS Jobs, Scattered Spider, Hellcat Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Account Discovery With NetUser PreauthNotRequire Powershell Script Block Logging 4104 T1087 Hunting CISA AA23-347A 2026-05-13
Windows SSH Proxy Command CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 T1105 T1572 Anomaly Living Off The Land, Hellcat Ransomware, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day 2026-05-13
Windows Modify Registry DisableSecuritySettings Sysmon EventID 13 T1112 TTP DarkGate Malware, CISA AA23-347A 2026-05-13
Windows System File on Disk Sysmon EventID 11 T1068 Hunting CISA AA22-264A, Windows Drivers, Crypto Stealer 2026-05-13
Detect SharpHound File Modifications Sysmon EventID 11 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Ransomware, BlackSuit Ransomware, Windows Discovery Techniques 2026-05-13
Disable Show Hidden Files Sysmon EventID 13 T1112 T1564.001 T1685 Anomaly Azorult, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Rundll32 Apply User Settings Changes Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 Anomaly Rhysida Ransomware 2026-05-13
Possible Browser Pass View Parameter Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1555.003 Hunting Remcos 2026-05-13
Network Traffic to Active Directory Web Services Protocol Sysmon EventID 3 T1069.001 T1069.002 T1087.001 T1087.002 T1482 Hunting Windows Discovery Techniques 2026-05-13
Windows AD Domain Root ACL Deletion Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Vulnerable Driver Loaded Sysmon EventID 6 T1543.003 Hunting Void Manticore, Windows Drivers, BlackByte Ransomware 2026-05-13
Modification Of Wallpaper Sysmon EventID 13 T1491 TTP Black Basta Ransomware, LockBit Ransomware, Windows Registry Abuse, Ransomware, Rhysida Ransomware, ZOVWiper, BlackMatter Ransomware, Brute Ratel C4, Revil Ransomware 2026-05-13
Windows SpeechRuntime COM Hijacking DLL Load Sysmon EventID 7 T1021.003 TTP Scattered Lapsus$ Hunters, Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Windows System Time Discovery W32tm Delay Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1124 Anomaly DarkCrystal RAT 2026-05-13
Linux Add User Account Cisco Isovalent Process Exec, Sysmon for Linux EventID 1 T1136.001 Hunting Linux Privilege Escalation, Cisco Isovalent Suspicious Activity, Linux Persistence Techniques 2026-05-13
Domain Controller Discovery with Nltest Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1018 TTP BlackSuit Ransomware, CISA AA23-347A, Medusa Ransomware, Rhysida Ransomware, NetSupport RMM Tool Abuse, Active Directory Discovery 2026-05-13
Linux Telnet Authentication Bypass Sysmon for Linux EventID 1 T1548 TTP Telnetd CVE-2026-24061 2026-05-13
Windows HTTP Network Communication From MSIExec Sysmon EventID 1, Cisco Network Visibility Module Flow Data, Sysmon EventID 3 T1218.007 Anomaly Cisco Network Visibility Module Analytics, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor, Water Gamayun, Windows System Binary Proxy Execution MSIExec, APT37 Rustonotto and FadeStealer 2026-05-13
Cisco NVM - Suspicious Network Connection to IP Lookup Service API Cisco Network Visibility Module Flow Data T1016 T1590.005 Anomaly BlankGrabber Stealer, Cisco Network Visibility Module Analytics, Castle RAT 2026-05-13
Linux Doas Conf File Creation Sysmon for Linux EventID 11 T1548.003 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Windows Filtering Platform Policy Added to Block EDR Process Sysmon EventID 13 T1685 TTP Disabling Security Tools, Security Solution Tampering 2026-05-13
Windows Office Product Loading VBE7 DLL Sysmon EventID 7 T1566.001 Anomaly MuddyWater, AgentTesla, Trickbot, IcedID, Qakbot, Azorult, DarkCrystal RAT, Remcos, PlugX, Spearphishing Attachments, NjRAT 2026-05-13
Windows Suspicious Burst of Password Changes Windows Event Log Security 4723, Windows Event Log Security 4724 T1068 TTP BlueHammer, Windows Privilege Escalation 2026-04-29
Windows PsTools Recon Usage Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1018 T1046 T1082 Anomaly Compromised Windows Host 2026-05-13
Linux Auditd Doas Conf File Creation Linux Auditd Path, Linux Auditd Cwd T1548.003 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Data Destruction Recursive Exec Files Deletion Sysmon EventID 26, Sysmon EventID 23 T1485 TTP Data Destruction, Void Manticore, Handala Wiper, Disk Wiper, Swift Slicer 2026-05-13
Windows Service Creation on Remote Endpoint Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.003 TTP Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, Active Directory Lateral Movement, SnappyBee 2026-05-13
Linux OpenVPN Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows PowerView SPN Discovery Powershell Script Block Logging 4104 T1558.003 TTP Active Directory Kerberos Attacks, Interlock Ransomware, Rhysida Ransomware, CISA AA23-347A 2026-05-13
Windows AD Domain Controller Promotion Windows Event Log Security 4742 T1207 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Sdclt UAC Bypass Sysmon EventID 13, Sysmon EventID 12 T1548.002 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Devtunnels Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1090 Anomaly Reverse Network Proxy 2026-05-13
Linux Deletion Of Cron Jobs Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly AcidPour, Data Destruction, AcidRain 2026-05-13
Windows RunMRU Command Execution Sysmon EventID 13 T1202 Anomaly Lumma Stealer, Fake CAPTCHA Campaigns 2026-05-13
Linux Suspicious Namespace Creation Linux Auditd Syscall, Sysmon for Linux EventID 1 T1068 TTP Linux Privilege Escalation 2026-05-12
Windows Office Product Loading Taskschd DLL Sysmon EventID 7 T1566.001 Anomaly Spearphishing Attachments 2026-05-13
GetCurrent User with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1033 Hunting Active Directory Discovery 2026-05-13
Powershell Get LocalGroup Discovery with Script Block Logging Powershell Script Block Logging 4104 T1069.001 Hunting Active Directory Discovery 2026-05-13
Svchost LOLBAS Execution Process Spawn Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement 2026-05-13
Windows Terminating Lsass Process Sysmon EventID 10 T1685 Anomaly Data Destruction, Double Zero Destructor, Scattered Lapsus$ Hunters 2026-05-13
Windows Impair Defense Disable Win Defender App Guard Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
MacOS Hidden Files and Directories Osquery Results T1564.001 Anomaly MacOS Persistence Techniques 2026-05-13
Windows COM Hijacking InprocServer32 Modification Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1546.015 TTP Compromised Windows Host, Living Off The Land 2026-05-13
Windows Impair Defense Disable Win Defender Report Infection Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows SQL Server Startup Procedure Windows Event Log Application 17135 T1505.001 Anomaly SQL Server Abuse, Hellcat Ransomware 2026-05-13
Windows Chrome Enable Extension Loading via Command-Line Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1185 Anomaly Browser Hijacking 2026-05-13
LOLBAS With Network Traffic Sysmon EventID 3 T1105 T1218 T1567 TTP GhostRedirector IIS Module and Rungan Backdoor, Water Gamayun, Living Off The Land, APT37 Rustonotto and FadeStealer, Fake CAPTCHA Campaigns, NetSupport RMM Tool Abuse, Hellcat Ransomware, Malicious Inno Setup Loader 2026-05-13
Windows Account Discovery for Sam Account Name Powershell Script Block Logging 4104 T1087 Anomaly CISA AA23-347A 2026-05-13
Linux Possible Append Command To At Allow Config File Sysmon for Linux EventID 1 T1053.002 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Persistence Techniques 2026-05-13
Windows Impair Defense Disable Realtime Signature Delivery Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Hiding Files And Directories With Attrib exe Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1222.001 TTP VIP Keylogger, Azorult, Windows Persistence Techniques, Compromised Windows Host, Crypto Stealer, Malicious Inno Setup Loader, Windows Defense Evasion Tactics 2026-05-13
Windows Command and Scripting Interpreter Hunting Path Traversal Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 Hunting Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics 2026-05-13
Hide User Account From Sign-In Screen Sysmon EventID 13 T1685 TTP Azorult, XMRig, Windows Registry Abuse, Warzone RAT 2026-05-13
Windows Modify Registry Disable Restricted Admin Sysmon EventID 13 T1112 TTP CISA AA23-347A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows Audit Policy Restored via Auditpol Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Windows Information Discovery Fsutil Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1082 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows User Disabled Via Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1531 Anomaly XMRig 2026-05-13
Linux Possible Append Cronjob Entry on Existing Cronjob File Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Modify Registry ValleyRat PWN Reg Entry Sysmon EventID 13 T1112 TTP ValleyRAT 2026-05-13
Detect mshta inline hta execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.005 TTP Suspicious MSHTA Activity, BlankGrabber Stealer, Gozi Malware, Living Off The Land, XWorm, Compromised Windows Host, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Unusual Count Of Users Remotely Failed To Auth From Host Windows Event Log Security 4625 T1110.003 Anomaly Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows Suspicious React or Next.js Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 T1059.003 T1190 TTP React2Shell 2026-05-13
Windows Query Registry Browser List Application Windows Event Log Security 4663 T1012 Anomaly China-Nexus Threat Activity, Salt Typhoon, RedLine Stealer, SnappyBee 2026-05-13
Excessive number of service control start as disabled Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Anomaly Windows Defense Evasion Tactics 2026-05-13
Linux Auditd Whoami User Discovery Linux Auditd Syscall T1033 Anomaly Linux Privilege Escalation, Linux Living Off The Land, QuietVault, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Detect Exchange Web Shell Sysmon EventID 11 T1133 T1190 T1505.003 TTP GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, ProxyShell, Seashell Blizzard, Compromised Windows Host, ProxyNotShell, CISA AA22-257A, BlackByte Ransomware 2026-05-13
Linux Node Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Mimikatz Binary Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003 TTP CISA AA23-347A, CISA AA22-320A, Sandworm Tools, Flax Typhoon, Credential Dumping, Volt Typhoon, Compromised Windows Host, Scattered Spider 2026-05-13
Enumerate Users Local Group Using Telegram Windows Event Log Security 4798 T1087 TTP XMRig, Water Gamayun, Compromised Windows Host 2026-05-13
Windows Audit Policy Excluded Category via Auditpol Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Windows Driver Inventory T1068 Hunting Windows Drivers 2026-05-13
Suspicious Process Executed From Container File Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.008 T1204.002 TTP GhostRedirector IIS Module and Rungan Backdoor, Amadey, Water Gamayun, Unusual Processes, Snake Keylogger, Remcos, APT37 Rustonotto and FadeStealer 2026-05-13
Clop Common Exec Parameter Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1204 TTP Compromised Windows Host, Clop Ransomware 2026-05-13
WinEvent Scheduled Task Created to Spawn Shell Windows Event Log Security 4698 T1053.005 TTP Salt Typhoon, Medusa Ransomware, Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, SystemBC, China-Nexus Threat Activity, 0bj3ctivity Stealer, CISA AA22-257A, Winter Vivern, Castle RAT 2026-05-13
PowerShell Start-BitsTransfer Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1197 TTP BITS Jobs, Gozi Malware 2026-05-13
AdsiSearcher Account Discovery Powershell Script Block Logging 4104 T1087.002 TTP Data Destruction, CISA AA23-347A, Scattered Lapsus$ Hunters, Industroyer2, Active Directory Discovery 2026-05-13
Excessive Usage of NSLOOKUP App Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1048 Anomaly Data Exfiltration, Command And Control, Dynamic DNS, Suspicious DNS Traffic 2026-05-13
Windows Scheduled Task Created Via XML Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 Anomaly MoonPeak, CISA AA23-347A, Scheduled Tasks, Lokibot, Malicious Inno Setup Loader, Winter Vivern 2026-05-13
Windows Cabinet File Extraction Via Expand Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1105 TTP NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Suspicious Child Process Spawned From WebServer Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1505.003 Anomaly Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, WS FTP Server Critical Vulnerabilities, ProxyShell, Microsoft WSUS CVE-2025-59287, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, CISA AA22-264A, Compromised Windows Host, Microsoft SharePoint Vulnerabilities, ProxyNotShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, CISA AA22-257A, BlackByte Ransomware 2026-05-13
Cisco Isovalent - Access To Cloud Metadata Service Cisco Isovalent Process Connect T1552.005 Anomaly Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows NirSoft Tool Bundle File Created Sysmon EventID 11 T1588.002 Anomaly WhisperGate, Data Destruction, Unusual Processes 2026-05-13
Non Firefox Process Access Firefox Profile Dir Windows Event Log Security 4663 T1555.003 Anomaly Quasar RAT, Lokibot, Snake Keylogger, Remcos, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, RedLine Stealer, DarkGate Malware, StealC Stealer, Warzone RAT, AgentTesla, VIP Keylogger, Phantom Stealer, Azorult, 3CX Supply Chain Attack, Malicious Inno Setup Loader, Salt Typhoon, CISA AA23-347A, FIN7, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee 2026-06-25
Windows Potential Cloudflared Tunnel Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1572 Anomaly Reverse Network Proxy 2026-05-13
Network Share Discovery Via Dir Command Windows Event Log Security 5140 T1135 Hunting IcedID 2026-05-13
Set Default PowerShell Execution Policy To Unrestricted or Bypass Sysmon EventID 13 T1059.001 TTP Malicious PowerShell, Data Destruction, SolarWinds WHD RCE Post Exploitation, HAFNIUM Group, Hermetic Wiper, DarkGate Malware, Credential Dumping, SystemBC 2026-05-13
Notepad with no Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP BishopFox Sliver Adversary Emulation Framework 2026-05-13
Detect Password Spray Attack Behavior On User Windows Event Log Security 4624, Windows Event Log Security 4625 T1110.003 TTP Compromised User Account, Crypto Stealer 2026-05-13
Active Directory Privilege Escalation Identified T1484 Correlation Active Directory Privilege Escalation 2026-05-13
Single Letter Process On Endpoint Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1204.002 TTP DHS Report TA18-074A, Compromised Windows Host 2026-05-13
Linux Setuid Using Chmod Utility Sysmon for Linux EventID 1 T1548.001 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Steal Authentication Certificates Export Certificate Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1649 Anomaly Windows Certificate Services 2026-05-13
Linux Composer Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Increase in User Modification Activity Windows Event Log Security 4720 T1098 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Sdelete Application Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1070.004 T1485 TTP Masquerading - Rename System Utilities, Void Manticore, Scattered Spider 2026-05-13
Windows Downdate Registry Activity Sysmon EventID 13, Sysmon EventID 12, Sysmon EventID 14 T1112 T1689 Anomaly Windows Persistence Techniques 2026-05-13
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser Powershell Script Block Logging 4104 T1558.004 TTP Active Directory Kerberos Attacks, Interlock Ransomware, BlackSuit Ransomware, CISA AA23-347A 2026-05-13
Windows Disable Change Password Through Registry Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Defense Evasion Tactics 2026-05-13
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM Windows Event Log Security 4776 T1110.003 Anomaly Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows AD Self DACL Assignment Windows Event Log Security 5136 T1098 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Powershell Disable Security Monitoring Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 TTP BlankGrabber Stealer, CISA AA24-241A, Ransomware, Salat Stealer, Revil Ransomware 2026-06-08
Add or Set Windows Defender Exclusion Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 TTP WhisperGate, Data Destruction, AgentTesla, CISA AA22-320A, XWorm, Remcos, Compromised Windows Host, Crypto Stealer, NetSupport RMM Tool Abuse, Salat Stealer, Windows Defense Evasion Tactics, ValleyRAT 2026-06-08
NLTest Domain Trust Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1482 TTP Medusa Ransomware, IcedID, Qakbot, Rhysida Ransomware, Storm-0501 Ransomware, Cleo File Transfer Software, Ryuk Ransomware, Active Directory Discovery, Domain Trust Discovery 2026-05-13
Windows Executable in Loaded Modules Sysmon EventID 7 T1129 TTP Lokibot, NjRAT 2026-05-13
Windows Level RMM Watchdog Task Created Windows Event Log Security 4698 T1053 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Linux Auditd Edit Cron Table Parameter Linux Auditd Syscall T1053.003 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Excessive Usage Of Net App Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1531 Anomaly XMRig, Ransomware, Rhysida Ransomware, Prestige Ransomware, Azorult, Windows Post-Exploitation, Graceful Wipe Out Attack 2026-05-13
Linux Service Restarted Sysmon for Linux EventID 1 T1053.006 Anomaly Linux Privilege Escalation, Data Destruction, Scheduled Tasks, AwfulShred, Linux Living Off The Land, Gomir, Linux Persistence Techniques 2026-05-13
ConnectWise ScreenConnect Path Traversal Windows SACL Windows Event Log Security 4663 T1190 TTP ConnectWise ScreenConnect Vulnerabilities, Compromised Windows Host, Seashell Blizzard 2026-05-13
Linux Auditd Kernel Module Enumeration Linux Auditd Syscall T1014 T1082 Anomaly XorDDos, Linux Rootkit, Compromised Linux Host 2026-05-13
Cisco NVM - Curl Execution With Insecure Flags Cisco Network Visibility Module Flow Data T1197 Anomaly PromptLock, Microsoft WSUS CVE-2025-59287, Cisco Network Visibility Module Analytics 2026-05-13
Windows Odbcconf Hunting Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.008 Hunting Living Off The Land 2026-05-13
Windows Mail Protocol In Non-Common Process Path Sysmon EventID 3 T1071.003 Anomaly AgentTesla 2026-05-13
Network Connection Discovery With Arp Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1049 Hunting Interlock Ransomware, IcedID, Qakbot, Prestige Ransomware, Volt Typhoon, Windows Post-Exploitation, Active Directory Discovery 2026-05-13
Windows Computer Account Created by Computer Account Windows Event Log Security 4741 T1558 TTP Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks 2026-05-13
Firewall Allowed Program Enable Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1686 Anomaly Medusa Ransomware, Azorult, NjRAT, PlugX, Salat Stealer, BlackByte Ransomware, Windows Defense Evasion Tactics 2026-06-08
Elevated Group Discovery With Wmic Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.002 TTP Active Directory Discovery 2026-05-13
Windows Cobalt Strike PowerShell Loader Powershell Script Block Logging 4104 T1059.001 T1608 TTP Cobalt Strike 2026-05-13
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos Windows Event Log Security 4768 T1110.003 TTP Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows System User Discovery Via Quser Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1033 Hunting Prestige Ransomware, Windows Post-Exploitation, Crypto Stealer 2026-05-13
Windows File Without Extension In Critical Folder Sysmon EventID 11 T1485 TTP Data Destruction, Hermetic Wiper 2026-05-13
Windows Command Shell DCRat ForkBomb Payload CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.003 TTP DarkCrystal RAT, Compromised Windows Host 2026-05-13
Creation of lsass Dump with Taskmgr Sysmon EventID 11 T1003.001 TTP Seashell Blizzard, Credential Dumping, Scattered Lapsus$ Hunters, Cactus Ransomware, CISA AA22-257A 2026-05-13
NET Profiler UAC bypass Sysmon EventID 13 T1548.002 TTP Windows Defense Evasion Tactics 2026-05-13
Excessive Attempt To Disable Services Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1489 Anomaly Azorult, XMRig 2026-05-13
Disable UAC Remote Restriction Sysmon EventID 13 T1548.002 TTP Suspicious Windows Registry Activities, Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows Shell Process from CrushFTP Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 T1059.003 T1190 T1505 TTP CrushFTP Vulnerabilities 2026-05-13
Windows Scheduled Task DLL Module Loaded Sysmon EventID 7 T1053 TTP ValleyRAT 2026-05-13
Windows Default Group Policy Object Modified with GPME Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Detect Renamed WinRAR Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1560.001 Hunting China-Nexus Threat Activity, Salt Typhoon, Collection and Staging, CISA AA22-277A 2026-05-13
Windows AD Dangerous User ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Get ADUserResultantPasswordPolicy with Powershell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1201 TTP Active Directory Discovery, CISA AA23-347A 2026-05-13
Powershell Defender Threat Actions Set to Allow Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 TTP Salat Stealer 2026-05-12
Windows Impair Defense Disable Win Defender Scan On Update Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Excessive File Deletion In WinDefender Folder Sysmon EventID 26, Sysmon EventID 23 T1485 TTP WhisperGate, Data Destruction, BlackByte Ransomware 2026-05-13
WMIC XSL Execution via URL Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1220 TTP Suspicious WMI Use, Compromised Windows Host, Cisco Network Visibility Module Analytics 2026-05-13
Windows AD DSRM Account Changes Sysmon EventID 13 T1098 TTP Windows Persistence Techniques, Windows Registry Abuse, Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters 2026-05-13
Access LSASS Memory for Dump Creation Sysmon EventID 10 T1003.001 TTP CISA AA23-347A, Lokibot, Credential Dumping, Scattered Lapsus$ Hunters, Cactus Ransomware 2026-05-13
Detect Outlook exe writing a zip file Sysmon EventID 1, Sysmon EventID 11 T1566.001 Anomaly Amadey, PXA Stealer, Remcos, Meduza Stealer, Spearphishing Attachments, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Disable Windows Event Logging Disable HTTP Logging Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1505.004 T1685.001 Anomaly IIS Components, Compromised Windows Host, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows RDPClient Connection Sequence Events Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 T1133 Anomaly Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion 2026-05-13
Linux Install Kernel Module Using Modprobe Utility Sysmon for Linux EventID 1 T1547.006 Anomaly Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware, China-Nexus Threat Activity, Linux Rootkit, Linux Persistence Techniques 2026-05-13
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr Windows Event Log Security 4698 T1053 TTP Water Gamayun, ValleyRAT 2026-05-13
Windows Multiple Invalid Users Failed To Authenticate Using NTLM Windows Event Log Security 4776 T1110.003 TTP Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows Modify Registry Regedit Silent Reg Import Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1112 Anomaly Azorult 2026-05-13
Windows Credentials from Password Stores Chrome Extension Access Windows Event Log Security 4663 T1012 Anomaly MoonPeak, BlankGrabber Stealer, CISA AA23-347A, Phantom Stealer, Amadey, RedLine Stealer, Braodo Stealer, DarkGate Malware, StealC Stealer, Meduza Stealer, 0bj3ctivity Stealer, Malicious Inno Setup Loader, Phemedrone Stealer 2026-06-25
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script Powershell Script Block Logging 4104 T1071.001 T1078 T1212 T1482 TTP Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover 2026-05-13
Windows Modify Registry With MD5 Reg Key Name Sysmon EventID 13 T1112 TTP NjRAT 2026-05-13
7zip CommandLine To SMB Share Path Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1560.001 Hunting Ransomware 2026-05-13
Windows Process Execution From RDP Share Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.001 T1059 T1105 Anomaly Hidden Cobra Malware 2026-05-13
Linux SSH Remote Services Script Execute Sysmon for Linux EventID 1 T1021.004 TTP Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware 2026-05-13
Linux Decode Base64 to Shell Cisco Isovalent Process Exec, Sysmon for Linux EventID 1 T1027 T1059.004 TTP Cisco Isovalent Suspicious Activity, Linux Living Off The Land 2026-05-13
Ping Sleep Batch Command CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497.003 Anomaly Quasar RAT, WhisperGate, Data Destruction, Void Manticore, Gh0st RAT, Meduza Stealer, Warzone RAT, BlackByte Ransomware 2026-05-13
Windows Known Abused DLL Created Sysmon EventID 11 T1574.001 Anomaly Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Malicious PowerShell Process - Encoded Command Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1027 Hunting WhisperGate, Data Destruction, Malicious PowerShell, SolarWinds WHD RCE Post Exploitation, CISA AA22-320A, GhostRedirector IIS Module and Rungan Backdoor, Sandworm Tools, Microsoft WSUS CVE-2025-59287, Qakbot, Hermetic Wiper, DarkCrystal RAT, Volt Typhoon, NOBELIUM Group, Crypto Stealer, Microsoft SharePoint Vulnerabilities, Lumma Stealer, Scattered Spider 2026-05-13
Recursive Delete of Directory In Batch CMD Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1070.004 TTP Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Event Triggered Image File Execution Options Injection Windows Event Log Application 3000 T1546.012 Hunting Windows Persistence Techniques 2026-05-13
Excessive Usage Of Taskkill Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Anomaly XMRig, AgentTesla, CISA AA22-277A, BlankGrabber Stealer, CISA AA22-264A, Azorult, Crypto Stealer, NjRAT 2026-05-13
Windows Credentials in Registry Reg Query Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1552.002 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows AD Domain Replication ACL Addition Windows Event Log Security 5136 T1484 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Scheduled Task with Suspicious Command Windows Event Log Security 4698, Windows Event Log Security 4702, Windows Event Log Security 4700 T1053.005 TTP Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Seashell Blizzard, Ryuk Ransomware, Windows Persistence Techniques, APT37 Rustonotto and FadeStealer 2026-05-13
UAC Bypass MMC Load Unsigned Dll Sysmon EventID 7 T1218.014 T1548.002 TTP Windows Defense Evasion Tactics 2026-05-13
Windows Increase in Group or Object Modification Activity Windows Event Log Security 4663 T1098 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Linux Ingress Tool Transfer Hunting Sysmon for Linux EventID 1 T1105 Hunting Axios Supply Chain Post Compromise, NPM Supply Chain Compromise, Ingress Tool Transfer, XorDDos, Linux Living Off The Land 2026-05-13
Linux Auditd Find Ssh Private Keys Linux Auditd Execve T1552.004 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Hellcat Ransomware, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Firewall Rule Deletion Windows Event Log Security 4948 T1686 Anomaly ShrinkLocker, NetSupport RMM Tool Abuse, Medusa Ransomware 2026-05-13
Linux Auditd Disable Or Modify System Firewall Linux Auditd Service Stop T1686 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Auditd Doas Tool Execution Linux Auditd Syscall T1548.003 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Kerberos Local Successful Logon Windows Event Log Security 4624 T1558 TTP Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks, Compromised Windows Host, Scattered Lapsus$ Hunters 2026-05-13
Windows Replication Through Removable Media Sysmon EventID 11 T1091 TTP Chaos Ransomware, Salt Typhoon, Derusbi, PlugX, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer, NjRAT 2026-05-13
Process Creating LNK file in Suspicious Location Sysmon EventID 11 T1566.002 Anomaly BlankGrabber Stealer, IcedID, Amadey, Gozi Malware, Qakbot, Spearphishing Attachments, APT37 Rustonotto and FadeStealer 2026-05-13
Linux Csvtool Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Cisco Secure Endpoint Unblock File Via Sfc Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Anomaly Security Solution Tampering 2026-05-13
Windows Vulnerable 3CX Software Sysmon EventID 1 T1195.002 TTP 3CX Supply Chain Attack 2026-05-13
Disable Defender Submit Samples Consent Feature Sysmon EventID 13 T1685 TTP BlankGrabber Stealer, CISA AA23-347A, IcedID, Windows Registry Abuse, Azorult, Salat Stealer 2026-06-08
Rubeus Kerberos Ticket Exports Through Winlogon Access Sysmon EventID 10 T1550.003 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Scattered Lapsus$ Hunters, ZOVWiper 2026-05-13
Web Servers Executing Suspicious Processes Sysmon EventID 1 T1082 TTP Apache Struts Vulnerability 2026-05-13
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Anomaly Security Solution Tampering 2026-05-13
Windows Defender ASR Audit Events Windows Event Log Defender 1126, Windows Event Log Defender 1122, Windows Event Log Defender 1132, Windows Event Log Defender 1134, Windows Event Log Defender 1125 T1059 T1566.001 T1566.002 Anomaly Windows Attack Surface Reduction 2026-05-13
Windows Advanced Installer MSIX with AI_STUBS Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1204.002 T1218 T1553.005 TTP MSIX Package Abuse 2026-05-13
Linux NOPASSWD Entry In Sudoers File Sysmon for Linux EventID 1 T1548.003 Anomaly China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Detect Baron Samedit CVE-2021-3156 Segfault T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Windows Service Create SliverC2 Windows Event Log System 7045 T1569.002 TTP BishopFox Sliver Adversary Emulation Framework, Hellcat Ransomware, Compromised Windows Host 2026-05-13
Windows Event For Service Disabled Windows Event Log System 7040 T1685 Hunting RedLine Stealer, Windows Defense Evasion Tactics 2026-05-13
System Info Gathering Using Dxdiag Application Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1592 Hunting Remcos 2026-05-13
Drop IcedID License dat Sysmon EventID 11 T1204.002 Hunting IcedID 2026-05-13
Eventvwr UAC Bypass Sysmon EventID 13 T1548.002 TTP IcedID, Windows Registry Abuse, Living Off The Land, Windows Defense Evasion Tactics, ValleyRAT 2026-05-13
Windows Suspicious File in EFI Volume Sysmon EventID 11 T1490 T1542.001 TTP Sandworm Tools, Windows BootKits, BlackLotus Campaign 2026-05-13
Windows SIP Provider Inventory T1553.003 Hunting Subvert Trust Controls SIP and Trust Provider Hijacking 2026-05-13
WMI Temporary Event Subscription T1047 TTP Suspicious WMI Use 2026-05-13
Windows Registry Payload Injection Sysmon EventID 13 T1027.011 TTP Unusual Processes 2026-05-13
Windows NetSupport RMM DLL Loaded By Uncommon Process Sysmon EventID 7 T1036 Anomaly NetSupport RMM Tool Abuse 2026-05-13
Windows Process Writing File to World Writable Path Sysmon EventID 11 T1218.005 Hunting PathWiper, PHP-CGI RCE Attack on Japanese Organizations, APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Windows Impair Defense Disable PUA Protection Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics 2026-05-13
Linux Auditd File Permissions Modification Via Chattr Linux Auditd Execve T1222.002 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Suspicious Defender Engine or Signature Files Created Sysmon EventID 11 T1068 Anomaly BlueHammer, Windows Privilege Escalation 2026-04-27
Windows DLL Side-Loading In Calc Sysmon EventID 7 T1574.001 TTP Earth Alux, Qakbot 2026-05-13
Windows AD GPO Deleted Windows Event Log Security 5136 T1484.001 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Default Rdp File Unhidden Sysmon EventID 1 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Linux File Creation In Init Boot Directory Sysmon for Linux EventID 11 T1037.004 Anomaly Linux Privilege Escalation, Backdoor Pingpong, XorDDos, China-Nexus Threat Activity, Linux Persistence Techniques 2026-05-13
Wermgr Process Spawned CMD Or Powershell Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 TTP Qakbot, Trickbot 2026-05-13
Linux Deletion Of Services Sysmon for Linux EventID 11 T1070.004 T1485 TTP AcidPour, AwfulShred, Data Destruction, AcidRain 2026-05-13
Windows Suspicious Process File Path Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.005 T1543 TTP Quasar RAT, Swift Slicer, Qakbot, Lokibot, SesameOp, Prestige Ransomware, Remcos, SystemBC, Brute Ratel C4, BlackByte Ransomware, Phemedrone Stealer, Graceful Wipe Out Attack, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, LockBit Ransomware, Handala Wiper, AsyncRAT, Void Manticore, Water Gamayun, Earth Alux, Rhysida Ransomware, RedLine Stealer, XWorm, DarkGate Malware, DarkCrystal RAT, StealC Stealer, Meduza Stealer, Warzone RAT, Castle RAT, WhisperGate, XMRig, AgentTesla, Trickbot, GhostRedirector IIS Module and Rungan Backdoor, VIP Keylogger, Phantom Stealer, Hermetic Wiper, Azorult, Malicious Inno Setup Loader, Interlock Rat, Chaos Ransomware, Salt Typhoon, PromptLock, MoonPeak, CISA AA23-347A, IcedID, Amadey, RoguePlanet, Volt Typhoon, Double Zero Destructor, PlugX, Industroyer2, China-Nexus Threat Activity, NailaoLocker Ransomware, SnappyBee, ValleyRAT 2026-06-25
Windows Curl Upload to Remote Destination Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1105 TTP PromptLock, Axios Supply Chain Post Compromise, Cisco Network Visibility Module Analytics, NPM Supply Chain Compromise, Microsoft WSUS CVE-2025-59287, Ingress Tool Transfer, Compromised Windows Host 2026-05-13
Windows Shell or Script Execution From IIS Directory CrowdStrike ProcessRollup2, Sysmon EventID 1 T1190 T1505.004 Anomaly ProxyNotShell, ProxyShell 2026-05-13
Linux Persistence and Privilege Escalation Risk Behavior T1548 Correlation Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Print Processor Registry Autostart Sysmon EventID 13 T1547.012 TTP Data Destruction, Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
CrowdStrike Falcon Stream Alerts CrowdStrike Falcon Stream Alert N/A Anomaly Critical Alerts 2026-05-13
Linux Octave Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Disable Internet Explorer Addons Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1176.001 Anomaly Malicious Inno Setup Loader 2026-05-13
Disable ETW Through Registry Sysmon EventID 13 T1685 TTP Ransomware, CISA AA23-347A, Windows Registry Abuse 2026-05-13
Windows Modify Registry No Auto Update Sysmon EventID 13 T1112 Anomaly RedLine Stealer, CISA AA23-347A 2026-05-13
Windows XLL File Creation Outside of Typical Location Sysmon EventID 11 T1059 T1129 Anomaly Spearphishing Attachments 2026-05-13
Network Connection Discovery With Netstat Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1049 Hunting CISA AA23-347A, CISA AA22-277A, Medusa Ransomware, Qakbot, Prestige Ransomware, Volt Typhoon, Windows Post-Exploitation, PlugX, Active Directory Discovery 2026-05-13
Windows Office Product Dropped Cab or Inf File Windows Event Log Security 4688, Sysmon EventID 1, Sysmon EventID 11 T1566.001 TTP Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, APT37 Rustonotto and FadeStealer 2026-05-13
Detect Password Spray Attack Behavior From Source Windows Event Log Security 4624, Windows Event Log Security 4625 T1110.003 TTP Compromised User Account 2026-05-13
Cisco NVM - Suspicious File Download via Headless Browser Cisco Network Visibility Module Flow Data T1059 T1105 TTP BlankGrabber Stealer, Cisco Network Visibility Module Analytics 2026-05-13
Detect Regsvcs Spawning a Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.009 TTP Compromised Windows Host, Living Off The Land, Suspicious Regsvcs Regasm Activity 2026-05-13
Winhlp32 Spawning a Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Compromised Windows Host, Remcos 2026-05-13
Get DomainPolicy with Powershell Script Block Powershell Script Block Logging 4104 T1201 TTP Active Directory Discovery 2026-05-13
Crowdstrike Admin With Duplicate Password T1110 TTP Compromised Windows Host 2026-05-13
SearchProtocolHost with no Command Line with Network Sysmon EventID 1, Sysmon EventID 3 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, Compromised Windows Host, Cactus Ransomware, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Windows Local LLM Framework Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543 Hunting Suspicious Local LLM Frameworks 2026-05-13
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1574 Anomaly Windows Persistence Techniques 2026-05-13
Windows Defender ASR Registry Modification Windows Event Log Defender 5007 T1112 Hunting Windows Attack Surface Reduction 2026-05-13
Windows Chrome Extension Allowed Registry Modification Sysmon EventID 13 T1185 Anomaly Browser Hijacking 2026-05-13
Windows Developer-Signed MSIX Package Installation Windows Event Log AppXDeployment-Server 855 T1204.002 T1553.005 Anomaly MSIX Package Abuse 2026-05-13
Get-DomainTrust with PowerShell Script Block Powershell Script Block Logging 4104 T1482 TTP Active Directory Discovery 2026-05-13
Linux Deletion of SSL Certificate Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly AcidPour, AcidRain 2026-05-13
Windows Get-AdComputer Unconstrained Delegation Discovery Powershell Script Block Logging 4104 T1018 TTP Active Directory Kerberos Attacks, Medusa Ransomware 2026-05-13
Windows SnappyBee Create Test Registry Sysmon EventID 13 T1112 TTP China-Nexus Threat Activity, Salt Typhoon, SnappyBee 2026-05-13
Kerberos Pre-Authentication Flag Disabled in UserAccountControl Windows Event Log Security 4738 T1558.004 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2026-05-13
Windows LSA Secrets NoLMhash Registry Sysmon EventID 13 T1003.004 TTP Scattered Lapsus$ Hunters, CISA AA23-347A 2026-05-13
MacOS LOLbin Osquery Results T1059.004 TTP Axios Supply Chain Post Compromise, Hellcat Ransomware, Living Off The Land 2026-05-13
Suspicious Kerberos Service Ticket Request Windows Event Log Security 4769 T1078.002 TTP sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2026-05-13
Get ADUser with PowerShell Script Block Powershell Script Block Logging 4104 T1087.002 Hunting Active Directory Discovery, CISA AA23-347A 2026-05-13
Windows FFmpeg Audio and Video Device Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1125 Anomaly Salat Stealer 2026-05-20
Linux Emacs Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Auditd Auditd Service Stop Linux Auditd Service Stop T1489 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Suspicious Regsvr32 Register Suspicious Path Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.010 TTP Salt Typhoon, IcedID, Qakbot, Living Off The Land, Derusbi, China-Nexus Threat Activity, Suspicious Regsvr32 Activity 2026-05-13
Windows New InProcServer32 Added Sysmon EventID 13 T1112 Hunting Hellcat Ransomware, Outlook RCE CVE-2024-21378 2026-05-13
Windows Credentials from Password Stores Query Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1555 Anomaly Prestige Ransomware, DarkGate Malware, NetSupport RMM Tool Abuse, Windows Post-Exploitation 2026-05-13
Windows AD Dangerous Group ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows UAC Bypass Suspicious Child Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1548.002 TTP Living Off The Land, Castle RAT, Windows Defense Evasion Tactics 2026-05-13
Detect Path Interception By Creation Of program exe Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1574.009 TTP Windows Persistence Techniques, Scattered Lapsus$ Hunters 2026-05-13
Get ADDefaultDomainPasswordPolicy with Powershell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1201 Hunting Active Directory Discovery 2026-05-13
Windows Execute Arbitrary Commands with MSDT Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218 TTP Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host 2026-05-13
Windows Process Execution in Temp Dir Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.005 T1543 Anomaly Gh0st RAT, PromptLock, Axios Supply Chain Post Compromise, AgentTesla, Trickbot, Ransomware, Qakbot, Lokibot, XWorm, SesameOp, RoguePlanet, Ryuk Ransomware, Remcos, Salat Stealer, PathWiper, NjRAT 2026-06-08
Detect Credential Dumping through LSASS access Sysmon EventID 10 T1003.001 TTP BlackSuit Ransomware, CISA AA23-347A, Lokibot, Credential Dumping, Scattered Lapsus$ Hunters, Detect Zerologon Attack 2026-05-13
Linux Auditd Setuid Using Setcap Utility Linux Auditd Execve T1548.001 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows RDP Server Registry Entry Created Sysmon EventID 13 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Remote Create Service Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.003 Anomaly CISA AA23-347A, BlackSuit Ransomware, Active Directory Lateral Movement 2026-05-13
Windows Guest Account Enabled Via Net.EXE Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1078.001 Anomaly Windows Persistence Techniques 2026-05-13
File Download or Read to Pipe Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1 T1105 TTP NPM Supply Chain Compromise, Ingress Tool Transfer, Compromised Windows Host, Linux Living Off The Land, Log4Shell CVE-2021-44228 2026-05-13
Windows Known Abused DLL Loaded Suspiciously Sysmon EventID 7 T1574.001 TTP Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics 2026-05-13
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos Windows Event Log Security 4768 T1110.003 Anomaly Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows LAPS Password Gathering Via PowerShell Script Powershell Script Block Logging 4104 T1003 T1552 Anomaly Credential Dumping, Active Directory Privilege Escalation 2026-05-13
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Sysmon EventID 10 T1134.001 Anomaly Brute Ratel C4, PathWiper 2026-05-13
Linux Make Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Auditd Database File And Directory Discovery Linux Auditd Execve T1083 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Defender Exclusion Registry Entry Sysmon EventID 13 T1685 TTP Qakbot, XWorm, Azorult, Remcos, NetSupport RMM Tool Abuse, Salat Stealer, Warzone RAT, Windows Defense Evasion Tactics, ValleyRAT 2026-06-08
Windows PowerView AD Access Control List Enumeration Powershell Script Block Logging 4104 T1069 T1078.002 TTP Active Directory Discovery, Rhysida Ransomware, Active Directory Privilege Escalation 2026-05-13
Windows RDP Client Launched with Admin Session Sysmon EventID 1 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Impacket Lateral Movement smbexec CommandLine Parameters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.002 T1021.003 T1047 T1543.003 TTP WhisperGate, Data Destruction, CISA AA22-277A, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement 2026-05-13
Windows Findstr GPP Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1552.006 TTP Active Directory Privilege Escalation 2026-05-13
Detect Baron Samedit CVE-2021-3156 via OSQuery T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Windows AD Same Domain SID History Addition Windows Event Log Security 4742, Windows Event Log Security 4738 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Compromised Windows Host 2026-05-13
Recon AVProduct Through Pwh or WMI Powershell Script Block Logging 4104 T1592 TTP Quasar RAT, Malicious PowerShell, Data Destruction, MoonPeak, Ransomware, Qakbot, Hermetic Wiper, XWorm, Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows Privileged Group Modification Windows Event Log Security 4749, Windows Event Log Security 4744, Windows Event Log Security 4783, Windows Event Log Security 4756, Windows Event Log Security 4790, Windows Event Log Security 4754, Windows Event Log Security 4759, Windows Event Log Security 4727, Windows Event Log Security 4731 T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, Scattered Lapsus$ Hunters 2026-05-13
Process Execution via WMI Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1047 TTP Suspicious WMI Use 2026-05-13
Windows System User Privilege Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1033 Hunting CISA AA23-347A 2026-05-13
Windows SubInAcl Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1222.001 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows File Share Discovery With Powerview Powershell Script Block Logging 4104 T1135 TTP Active Directory Discovery, Active Directory Privilege Escalation 2026-05-13
Linux Auditd Possible Access Or Modification Of Sshd Config File Linux Auditd Path, Linux Auditd Cwd T1098.004 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Change File Association Command To Notepad Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1546.001 TTP Prestige Ransomware, Compromised Windows Host 2026-05-13
PetitPotam Suspicious Kerberos TGT Request Windows Event Log Security 4768 T1003 TTP PetitPotam NTLM Relay on Active Directory Certificate Services, Active Directory Kerberos Attacks 2026-07-04
Windows MSExchange Management Mailbox Cmdlet Usage T1059.001 Anomaly ProxyNotShell, ProxyShell, BlackByte Ransomware, Scattered Spider 2026-05-13
Windows Linked Policies In ADSI Discovery Powershell Script Block Logging 4104 T1087.002 Anomaly Active Directory Discovery, Data Destruction, Industroyer2 2026-05-13
Windows Event Log Cleared Windows Event Log System 104, Windows Event Log Security 1102 T1685.005 TTP ShrinkLocker, Clop Ransomware, Ransomware, CISA AA22-264A, Compromised Windows Host, Salat Stealer, Windows Log Manipulation 2026-06-08
Windows Impair Defense Disable Win Defender Compute File Hashes Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Change Win Defender Quick Scan Interval Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Multiple Accounts Deleted Windows Event Log Security 4726 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Rubeus Command Line Parameters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1550.003 T1558.003 T1558.004 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, ZOVWiper 2026-05-13
Windows Suspicious Defender Update Activity in INetCache Sysmon EventID 11, Sysmon EventID 23 T1068 T1105 Anomaly Windows Persistence Techniques, BlueHammer 2026-04-27
Disabling Defender Services Sysmon EventID 13 T1685 TTP IcedID, Windows Registry Abuse, RedLine Stealer 2026-05-13
Windows Time Based Evasion CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497.003 TTP BlankGrabber Stealer, NjRAT 2026-05-13
MacOS plutil Osquery Results T1647 TTP Living Off The Land 2026-05-13
Windows System Binary Proxy Execution Compiled HTML File Decompile Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.001 TTP APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity, Living Off The Land 2026-05-13
Windows PowerSploit GPP Discovery Powershell Script Block Logging 4104 T1552.006 TTP Active Directory Privilege Escalation 2026-05-13
Cisco NVM - Suspicious Network Connection From Process With No Args Cisco Network Visibility Module Flow Data T1055 T1218 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows Service Deletion In Registry Sysmon EventID 13 T1489 Anomaly Brute Ratel C4, Crypto Stealer, PlugX 2026-05-13
Windows Input Capture Using Credential UI Dll Sysmon EventID 7 T1056.002 Hunting Brute Ratel C4, APT37 Rustonotto and FadeStealer 2026-05-13
Get-ForestTrust with PowerShell Script Block Powershell Script Block Logging 4104 T1059.001 T1482 TTP Active Directory Discovery 2026-05-13
Windows Wmic Systeminfo Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1082 Anomaly LAMEHUG, BlankGrabber Stealer, Lotus Blossom Chrysalis Backdoor 2026-05-13
Linux Find Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Chromium Process with Disabled Extensions Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497 Anomaly Browser Hijacking 2026-05-13
Windows System Discovery Using ldap Nslookup Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1033 Anomaly Qakbot 2026-05-13
Windows Modify Registry ProxyServer Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2026-05-13
Linux Disable Services Sysmon for Linux EventID 1 T1489 TTP AwfulShred, Data Destruction, Industroyer2 2026-05-13
Windows IIS Components Add New Module Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1505.004 Anomaly IIS Components, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Unusually Long Command Line Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 N/A Anomaly Suspicious Command-Line Executions, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Unusual Processes 2026-05-13
Windows .Key File Creation in Root Directory Sysmon EventID 11 T1486 Anomaly Ransomware 2026-05-13
Create or delete windows shares using net exe Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1070.005 TTP CISA AA22-277A, Hidden Cobra Malware, Prestige Ransomware, DarkGate Malware, Windows Post-Exploitation 2026-05-13
Windows Registry Delete Task SD Sysmon EventID 12 T1053.005 T1685 Anomaly Windows Registry Abuse, Windows Persistence Techniques, Scheduled Tasks 2026-05-13
Excessive number of taskhost processes Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 Anomaly Meterpreter 2026-05-13
Conti Common Exec parameter Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1204 TTP Ransomware, Hellcat Ransomware, Compromised Windows Host 2026-05-13
Windows Bluetooth Service Installed From Uncommon Location Windows Event Log System 7045 T1036 T1543.003 Anomaly Lotus Blossom Chrysalis Backdoor 2026-05-13
Get-DomainTrust with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1482 TTP Active Directory Discovery 2026-05-13
Disable Registry Tool Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics 2026-05-13
Impacket Lateral Movement WMIExec Commandline Parameters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.002 T1021.003 T1047 T1543.003 TTP WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement 2026-05-13
Windows Outlook LoadMacroProviderOnBoot Persistence Sysmon EventID 13 T1112 T1137 TTP Windows Registry Abuse, NotDoor Malware 2026-05-13
Linux Shred Overwrite Command Sysmon for Linux EventID 1 T1485 TTP Linux Privilege Escalation, Data Destruction, AwfulShred, Industroyer2, Linux Persistence Techniques 2026-05-13
Windows Impair Defense Disable Win Defender Network Protection Sysmon EventID 13 T1685 TTP Windows Registry Abuse, BlankGrabber Stealer, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics 2026-05-13
Detect Copy of ShadowCopy with Script Block Logging Powershell Script Block Logging 4104 T1003.002 TTP Credential Dumping, VanHelsing Ransomware 2026-05-13
Process Deleting Its Process File Path Sysmon EventID 1 T1070 TTP WhisperGate, Data Destruction, Remcos, Clop Ransomware 2026-05-13
Schtasks used for forcing a reboot Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP Ransomware, Windows Persistence Techniques, Scheduled Tasks 2026-05-13
Windows Exfiltration Over C2 Via Powershell UploadString Powershell Script Block Logging 4104 T1041 TTP APT37 Rustonotto and FadeStealer, Winter Vivern 2026-05-13
Windows PowerShell Script Block With Malicious String Powershell Script Block Logging 4104 T1059.001 TTP Malicious PowerShell 2026-05-13
Crowdstrike Admin Weak Password Policy T1110 TTP Compromised Windows Host 2026-05-13
Windows Outlook Macro Security Modified Sysmon EventID 13 T1008 T1137 TTP Windows Registry Abuse, NotDoor Malware 2026-05-13
Windows Routing and Remote Access Service Registry Key Change Sysmon EventID 13 T1112 Anomaly Gh0st RAT 2026-05-13
Windows Compatibility Telemetry Tampering Through Registry Sysmon EventID 13 T1053.005 T1546 TTP Windows Persistence Techniques 2026-05-13
Windows Steal Authentication Certificates Export PfxCertificate Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1649 Anomaly Windows Certificate Services 2026-05-13
Windows Remote Services Allow Rdp In Firewall Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.001 Anomaly Azorult, Windows RDP Artifacts and Defense Evasion 2026-05-13
Rundll32 Create Remote Thread To A Process Sysmon EventID 8 T1055 TTP IcedID, Living Off The Land 2026-06-29
Windows Find Domain Organizational Units with GetDomainOU Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery 2026-05-13
Windows Steal Authentication Certificates - ESC1 Authentication Windows Event Log Security 4768, Windows Event Log Security 4887 T1550 T1649 TTP Windows Certificate Services, Compromised Windows Host 2026-05-13
Windows Anonymous Pipe Activity Sysmon EventID 17, Sysmon EventID 18 T1559 Hunting Castle RAT, Salt Typhoon, SnappyBee, China-Nexus Threat Activity, Interlock Rat 2026-05-13
Linux Auditd Change File Owner To Root Linux Auditd Proctitle T1222.002 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Unusual NTLM Authentication Users By Destination NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004 T1110.003 Anomaly Active Directory Password Spraying 2026-05-13
Windows Find Interesting ACL with FindInterestingDomainAcl Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery 2026-05-13
Windows Cached Domain Credentials Reg Query Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.005 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Linux Auditd Sudo Or Su Execution Linux Auditd Proctitle T1548.003 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Exchange PowerShell Abuse via SSRF T1133 T1190 TTP Seashell Blizzard, ProxyNotShell, ProxyShell, BlackByte Ransomware 2026-05-13
Windows Unusual Count Of Users Failed To Authenticate From Process Windows Event Log Security 4625 T1110.003 Anomaly Volt Typhoon, Active Directory Password Spraying, Insider Threat 2026-05-13
Detect Prohibited Applications Spawning cmd exe Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.003 Hunting Suspicious Command-Line Executions, NOBELIUM Group, Suspicious MSHTA Activity, Suspicious Zoom Child Processes 2026-05-13
Windows Ldifde Directory Object Behavior Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.002 T1105 TTP Volt Typhoon 2026-05-13
Remote Process Instantiation via DCOM and PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.003 TTP Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Windows Process Executed From Removable Media Sysmon EventID 13, Sysmon EventID 1 T1025 T1091 T1200 Anomaly Data Protection, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Phishing Recent ISO Exec Registry Sysmon EventID 13 T1566.001 Hunting AgentTesla, IcedID, Gozi Malware, Qakbot, Azorult, Remcos, Brute Ratel C4, Warzone RAT 2026-05-13
MacOS LoginHook Persistence Osquery Results T1037.002 TTP MacOS Post-Exploitation 2026-05-13
Disabling FolderOptions Windows Feature Sysmon EventID 13 T1685 TTP Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows Rundll32 Load DLL in Temp Dir Sysmon EventID 1 T1218.011 Anomaly Interlock Rat 2026-05-13
Linux Impair Defenses Process Kill Sysmon for Linux EventID 1 T1685 Hunting AwfulShred, Data Destruction, Scattered Lapsus$ Hunters 2026-05-13
Remote System Discovery with Adsisearcher Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2026-05-13
Linux Change File Owner To Root Sysmon for Linux EventID 1 T1222.002 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux pkexec Privilege Escalation Sysmon for Linux EventID 1 T1068 TTP Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Network Connection From Program In Suspect Location Sysmon EventID 3 T1011 Anomaly Compromised Windows Host 2026-05-13
Windows Powershell Import Applocker Policy Powershell Script Block Logging 4104 T1059.001 T1685 Anomaly Azorult 2026-06-29
Detect mshta renamed Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.005 Hunting APT37 Rustonotto and FadeStealer, Suspicious MSHTA Activity, Living Off The Land 2026-05-13
Windows Service Create Kernel Mode Driver Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 T1543.003 TTP Windows Drivers, CISA AA22-320A 2026-05-13
Windows Remote Image Load Sysmon EventID 7 T1059 T1068 T1129 T1203 Anomaly Ransomware, LockBit Ransomware, BlackByte Ransomware 2026-05-13
Windows SQL Server Configuration Option Hunt Windows Event Log Application 15457 T1505.001 Hunting SQL Server Abuse 2026-05-13
Windows Uncommon Remote Thread Creation In Browser Process Sysmon EventID 8 T1055.001 Anomaly IcedID, Qakbot, Living Off The Land 2026-06-29
Remote System Discovery with Wmic Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1018 TTP Active Directory Discovery 2026-05-13
Windows WinSCP Configuration Security Access Windows Event Log Security 4663 T1552.001 Anomaly Phantom Stealer 2026-06-24
Windows Suspicious Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 TTP Cobalt Strike, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, APT37 Rustonotto and FadeStealer, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Remote System Discovery with Dsquery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1018 Anomaly Active Directory Discovery, LAMEHUG 2026-05-13
Linux Auditd Insert Kernel Module Using Insmod Utility Linux Auditd Syscall T1547.006 Anomaly Linux Privilege Escalation, Linux Rootkit, XorDDos, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Mmc LOLBAS Execution Process Spawn Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.003 T1218.014 TTP Water Gamayun, Living Off The Land, XML Runner Loader, Active Directory Lateral Movement 2026-05-13
Potential Telegram API Request Via CommandLine Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1041 T1102.002 Anomaly XMRig, BlankGrabber Stealer, Water Gamayun, 0bj3ctivity Stealer, Hellcat Ransomware 2026-05-13
Linux Dirty Frag Kernel Privilege Escalation Linux Auditd Syscall T1068 T1548.001 TTP Linux Privilege Escalation 2026-07-06
Wbemprox COM Object Execution Sysmon EventID 7 T1218.003 TTP Ransomware, LockBit Ransomware, Revil Ransomware 2026-05-13
Linux Common Process For Elevation Control Sysmon for Linux EventID 1 T1548.001 Hunting Linux Privilege Escalation, Salt Typhoon, Axios Supply Chain Post Compromise, Linux Living Off The Land, China-Nexus Threat Activity, Linux Persistence Techniques 2026-05-13
Windows Indirect Command Execution Via pcalua CrowdStrike ProcessRollup2, Sysmon EventID 1 T1202 TTP Living Off The Land 2026-05-13
Detect Computer Changed with Anonymous Account Windows Event Log Security 4742 T1210 Hunting Detect Zerologon Attack 2026-05-13
Windows SharePoint Spinstall0 Webshell File Creation Sysmon EventID 11 T1190 T1505.003 TTP Microsoft SharePoint Vulnerabilities 2026-05-13
Disable Schedule Task Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Anomaly IcedID, Living Off The Land 2026-05-13
Linux Auditd Copy Fail Privilege Escalation Linux Auditd Syscall T1068 TTP Linux Privilege Escalation 2026-05-13
Linux Indicator Removal Service File Deletion Sysmon for Linux EventID 1 T1070.004 Anomaly AwfulShred, Data Destruction 2026-05-13
GetWmiObject Ds Group with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.002 Anomaly Active Directory Discovery 2026-05-13
RunDLL Loading DLL By Ordinal Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 TTP IcedID, Suspicious Rundll32 Activity, Living Off The Land, Unusual Processes 2026-05-13
Windows Credential Dumping LSASS Memory Createdump Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.001 TTP Credential Dumping, Compromised Windows Host, Scattered Lapsus$ Hunters 2026-05-13
Windows Powershell Cryptography Namespace Powershell Script Block Logging 4104 T1059.001 Anomaly Phantom Stealer, XWorm, VIP Keylogger, AsyncRAT 2026-06-25
Suspicious WAV file in Appdata Folder Windows Event Log Security 4688, Sysmon EventID 1, Sysmon EventID 11 T1113 TTP Remcos 2026-05-13
Randomly Generated Scheduled Task Name Windows Event Log Security 4698 T1053.005 Hunting 0bj3ctivity Stealer, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement 2026-05-13
Linux Sudoers Tmp File Creation Sysmon for Linux EventID 11 T1548.003 Anomaly China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
WinRAR Spawning Shell Application Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1105 TTP WinRAR Spoofing Attack CVE-2023-38831, Compromised Windows Host 2026-05-13
Windows Query Registry UnInstall Program List Windows Event Log Security 4663 T1012 Anomaly RedLine Stealer, StealC Stealer, Meduza Stealer 2026-05-13
Suspicious writes to windows Recycle Bin Sysmon EventID 1, Sysmon EventID 11 T1036 TTP Collection and Staging, PlugX 2026-05-13
Delete ShadowCopy With PowerShell Powershell Script Block Logging 4104 T1490 TTP Ransomware, DarkSide Ransomware, DarkGate Malware, VanHelsing Ransomware, Cactus Ransomware, Revil Ransomware 2026-05-13
Linux Adding Crontab Using List Parameter Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Data Destruction, Cisco Isovalent Suspicious Activity, Scheduled Tasks, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Industroyer2, Gomir, Linux Persistence Techniques 2026-05-13
Windows Modify Registry Qakbot Binary Data Registry Sysmon EventID 13, Sysmon EventID 1 T1112 Anomaly Qakbot 2026-05-13
Windows VSSVC Process Accessing Defender Engine Sysmon EventID 10 T1068 TTP RedSun, Windows Privilege Escalation 2026-05-01
Windows Get-Variable.EXE Execution from WindowsApps Folder Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1574.008 Anomaly Windows Persistence Techniques 2026-05-13
PowerShell WebRequest Using Memory Stream Powershell Script Block Logging 4104 T1027.011 T1059.001 T1105 TTP PHP-CGI RCE Attack on Japanese Organizations, Malicious PowerShell, MoonPeak, Medusa Ransomware 2026-05-13
Windows Scheduled Task Created in a Group Policy Object Windows Event Log Security 5145 T1053.005 T1484.001 TTP Scheduled Tasks, Windows Persistence Techniques, Living Off The Land 2026-05-13
Windows Mshta Execution In Registry Sysmon EventID 13 T1218.005 TTP Suspicious Windows Registry Activities, Windows Persistence Techniques 2026-05-13
Windows Apache Benchmark Binary Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 Anomaly MetaSploit 2026-05-13
Windows Registry Entries Restored Via Reg Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1012 Hunting Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows WinRAR Launched Outside Default Installation Directory Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1047 Anomaly BlankGrabber Stealer 2026-05-13
Windows AdFind Exe Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1018 TTP BlackSuit Ransomware, IcedID, Domain Trust Discovery, NOBELIUM Group, Graceful Wipe Out Attack 2026-05-13
Ntdsutil Export NTDS Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.003 TTP HAFNIUM Group, Rhysida Ransomware, Living Off The Land, Prestige Ransomware, Credential Dumping, Volt Typhoon, NetSupport RMM Tool Abuse 2026-05-13
Download Files Using Telegram Sysmon EventID 15 T1105 TTP XMRig, Water Gamayun, Snake Keylogger, Crypto Stealer, 0bj3ctivity Stealer, Phemedrone Stealer 2026-05-13
LLM Model File Creation Sysmon EventID 11 T1543 Hunting Suspicious Local LLM Frameworks 2026-05-13
Windows Get Local Admin with FindLocalAdminAccess Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery 2026-05-13
Linux Suspicious React or Next.js Child Process Sysmon for Linux EventID 1 T1059.004 T1190 TTP React2Shell 2026-05-13
Windows Process Injection into Notepad Sysmon EventID 10 T1055.002 Anomaly BishopFox Sliver Adversary Emulation Framework, Earth Alux, APT37 Rustonotto and FadeStealer 2026-05-13
Disabling ControlPanel Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry AuthenticationLevelOverride Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2026-05-13
Windows Network Connection Discovery Via Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1049 Hunting Azorult, Active Directory Discovery, Windows Post-Exploitation, Prestige Ransomware 2026-05-13
Windows Files and Dirs Access Rights Modification Via Icacls Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1222.001 Anomaly Amadey, Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Powershell Fileless Process Injection via GetProcAddress Powershell Script Block Logging 4104 T1055 T1059.001 TTP Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper, Data Destruction 2026-05-13
Schtasks Run Task On Demand Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053 Anomaly XMRig, Data Destruction, Medusa Ransomware, Scheduled Tasks, Qakbot, Industroyer2, CISA AA22-257A 2026-05-13
Linux Deletion Of Init Daemon Script Sysmon for Linux EventID 11 T1070.004 T1485 TTP AcidPour, Data Destruction, AcidRain 2026-05-13
Windows Unsigned DLL Side-Loading In Same Process Path Sysmon EventID 7 T1574.001 TTP Salt Typhoon, SolarWinds WHD RCE Post Exploitation, NailaoLocker Ransomware, XWorm, Lokibot, DarkGate Malware, Derusbi, PlugX, China-Nexus Threat Activity, Malicious Inno Setup Loader, SnappyBee 2026-05-13
Shim Database File Creation Sysmon EventID 11 T1546.011 TTP Windows Persistence Techniques 2026-05-13
Windows Security And Backup Services Stop Windows Event Log System 7036 T1490 TTP LockBit Ransomware, Ransomware, Termite Ransomware, Compromised Windows Host, Scattered Lapsus$ Hunters, BlackMatter Ransomware, Hellcat Ransomware 2026-05-13
Windows Mark Of The Web Bypass Sysmon EventID 23 T1553.005 TTP Quasar RAT, Warzone RAT 2026-05-13
Windows Potential AppDomainManager Hijack Artifacts Creation Sysmon EventID 11 T1574.014 Anomaly SesameOp 2026-05-13
Linux Puppet Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Auditd Setuid Using Chmod Utility Linux Auditd Proctitle T1548.001 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Domain Group Discovery With Dsquery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.002 Anomaly Active Directory Discovery, LAMEHUG 2026-05-13
Windows Alternate DataStream - Process Execution Windows Event Log Security 4688, Sysmon EventID 1 T1564.004 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2026-06-04
Linux Possible Access To Sudoers File Sysmon for Linux EventID 1 T1548.003 Anomaly China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
GetDomainController with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1018 Hunting Active Directory Discovery 2026-05-13
Windows Service Initiation on Remote Endpoint Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.003 TTP CISA AA23-347A, Active Directory Lateral Movement 2026-05-13
Domain Account Discovery with Wmic Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1087.002 TTP Active Directory Discovery, Interlock Ransomware 2026-05-13
Windows Unsecured Outlook Credentials Access In Registry Windows Event Log Security 4663 T1552 Anomaly Phantom Stealer, VIP Keylogger, Lokibot, Snake Keylogger, StealC Stealer, Meduza Stealer, 0bj3ctivity Stealer 2026-06-25
Suspicious Rundll32 no Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 TTP Cobalt Strike, BlackByte Ransomware, Hellcat Ransomware, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity, Graceful Wipe Out Attack 2026-05-13
Windows RDP Login Session Was Established Windows Event Log Security 4624 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters 2026-05-13
Detect Regsvcs with Network Connection Sysmon EventID 3 T1218.009 TTP Hellcat Ransomware, Living Off The Land, Suspicious Regsvcs Regasm Activity 2026-05-13
Allow Inbound Traffic By Firewall Rule Registry Sysmon EventID 13 T1021.001 TTP Medusa Ransomware, Windows Registry Abuse, Azorult, Prohibited Traffic Allowed or Protocol Mismatch, PlugX, NjRAT 2026-05-13
Windows Disable Memory Crash Dump Sysmon EventID 13 T1485 TTP Ransomware, Data Destruction, Hermetic Wiper, Windows Registry Abuse 2026-05-13
Time Provider Persistence Registry Sysmon EventID 13 T1547.003 TTP Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Domain Group Discovery with Adsisearcher Powershell Script Block Logging 4104 T1069.002 TTP Active Directory Discovery, Scattered Lapsus$ Hunters 2026-05-13
Windows Svchost.exe Parent Process Anomaly Windows Event Log Security 4688, Sysmon EventID 1 T1036.009 Anomaly China-Nexus Threat Activity, SnappyBee 2026-05-13
User Discovery With Env Vars PowerShell Script Block Powershell Script Block Logging 4104 T1033 Hunting Active Directory Discovery 2026-05-13
Windows DLL Side-Loading Process Child Of Calc Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1574.001 Anomaly Earth Alux, Qakbot 2026-05-13
Windows Regsvr32 Renamed Binary Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.010 TTP Compromised Windows Host, Qakbot 2026-05-13
PowerShell Enable PowerShell Remoting Powershell Script Block Logging 4104 T1059.001 Anomaly Malicious PowerShell 2026-05-13
Enable WDigest UseLogonCredential Registry Sysmon EventID 13 T1003 T1112 TTP Credential Dumping, CISA AA22-320A, Windows Registry Abuse 2026-05-13
Detect Renamed 7-Zip Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1560.001 Hunting Collection and Staging, Malicious Inno Setup Loader 2026-05-13
Jscript Execution Using Cscript App CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.007 TTP Remcos, FIN7 2026-05-13
Windows Gdrive Binary Activity Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1567 TTP China-Nexus Threat Activity 2026-05-13
GetDomainComputer with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1018 TTP Active Directory Discovery 2026-05-13
Windows System Reboot CommandLine Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1529 Hunting Quasar RAT, MuddyWater, MoonPeak, XWorm, DarkGate Malware, DarkCrystal RAT, Scattered Lapsus$ Hunters, NjRAT 2026-05-13
Spoolsv Writing a DLL Windows Event Log Security 4688, Sysmon EventID 1, Sysmon EventID 11 T1547.012 TTP Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527 2026-05-13
Windows Enable PowerShell Web Access Powershell Script Block Logging 4104 T1059.001 TTP Malicious PowerShell, CISA AA24-241A 2026-05-13
WMI Recon Running Process Or Services Powershell Script Block Logging 4104 T1592 Anomaly Malicious PowerShell, Data Destruction, Hermetic Wiper 2026-05-13
Suspicious Rundll32 PluginInit Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 TTP IcedID 2026-05-13
Log4Shell CVE-2021-44228 Exploitation T1059 T1105 T1133 T1190 Correlation Log4Shell CVE-2021-44228, CISA AA22-320A 2026-05-13
Linux Auditd Preload Hijack Via Preload File Linux Auditd Path, Linux Auditd Cwd T1574.006 TTP Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Registry Dotnet ETW Disabled Via ENV Variable Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Deny Security Software With Applocker Sysmon EventID 13 T1685 TTP Azorult, Scattered Lapsus$ Hunters 2026-05-13
Windows Sensitive Registry Hive Dump Via CommandLine Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.002 TTP Data Destruction, CISA AA23-347A, Windows Registry Abuse, Seashell Blizzard, DarkSide Ransomware, Credential Dumping, Volt Typhoon, Compromised Windows Host, Industroyer2, CISA AA22-257A 2026-05-13
Windows Enable Win32 ScheduledJob via Registry Sysmon EventID 13 T1053.005 Anomaly Scheduled Tasks, Active Directory Lateral Movement 2026-05-13
Windows List ENV Variables Via SET Command From Uncommon Parent Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 Anomaly Qakbot 2026-05-13
Windows Disable LogOff Button Through Registry Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse 2026-05-13
Windows WinLogon with Public Network Connection Sysmon EventID 1, Sysmon EventID 3 T1542.003 Hunting BlackLotus Campaign 2026-05-13
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos Windows Event Log Security 4768 T1110.003 TTP Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows Special Privileged Logon On Multiple Hosts Windows Event Log Security 4672 T1021.002 T1087 T1135 TTP Compromised Windows Host, Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Windows File Download Via CertUtil Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1105 TTP Cisco Network Visibility Module Analytics, CISA AA22-277A, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, Flax Typhoon, DarkSide Ransomware, Compromised Windows Host, ProxyNotShell 2026-05-13
Windows SQLCMD Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.003 Hunting SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows Time Based Evasion via Choice Exec Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497.003 Anomaly Snake Keylogger, 0bj3ctivity Stealer, VIP Keylogger 2026-05-13
WBAdmin Delete System Backups Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1490 TTP Chaos Ransomware, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Prestige Ransomware, Ryuk Ransomware, Storm-0501 Ransomware 2026-05-13
CertUtil With Decode Argument Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1140 TTP Deobfuscate-Decode Files or Information, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Windows AD Hidden OU Creation Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Disable Lock Workstation Feature Through Registry Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Linux Possible Cronjob Modification With Editor Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Registry Keys Used For Persistence Sysmon EventID 13 T1547.001 TTP Quasar RAT, Emotet Malware DHS Report TA18-201A, Ransomware, Qakbot, Lokibot, Braodo Stealer, Snake Keylogger, Remcos, SystemBC, Salat Stealer, WinDealer RAT, BlackByte Ransomware, NjRAT, MuddyWater, Axios Supply Chain Post Compromise, Interlock Ransomware, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, AsyncRAT, RedLine Stealer, XWorm, Suspicious Windows Registry Activities, DarkGate Malware, DarkCrystal RAT, Windows Persistence Techniques, Derusbi, NetSupport RMM Tool Abuse, Warzone RAT, Castle RAT, Gh0st RAT, BlackSuit Ransomware, Suspicious MSHTA Activity, Phantom Stealer, DHS Report TA18-074A, Sneaky Active Directory Persistence Tricks, Azorult, Cactus Ransomware, Chaos Ransomware, Salt Typhoon, MoonPeak, CISA AA23-347A, IcedID, Amadey, Windows Registry Abuse, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, SnappyBee, ValleyRAT 2026-06-25
Windows New Default File Association Value Set Sysmon EventID 13 T1546.001 Hunting Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Prestige Ransomware, Windows Persistence Techniques 2026-05-13
Windows PowerShell Export PfxCertificate Powershell Script Block Logging 4104 T1552.004 T1649 Anomaly Water Gamayun, Windows Certificate Services, Scattered Lapsus$ Hunters 2026-05-13
Linux Auditd Unix Shell Configuration Modification Linux Auditd Path, Linux Auditd Cwd T1546.004 TTP Linux Privilege Escalation, Linux Living Off The Land, QuietVault, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Detect HTML Help URL in Command Line Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1218.001 TTP Cisco Network Visibility Module Analytics, Suspicious Compiled HTML Activity, Living Off The Land, Compromised Windows Host, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Scheduled Task with Suspicious Name Windows Event Log Security 4698, Windows Event Log Security 4702, Windows Event Log Security 4700 T1053.005 TTP Scheduled Tasks, Ransomware, Ryuk Ransomware, Windows Persistence Techniques, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, Castle RAT 2026-05-13
Linux System Network Discovery Osquery Results, Sysmon for Linux EventID 1 T1016 Anomaly Data Destruction, VoidLink Cloud-Native Linux Malware, Network Discovery, Industroyer2 2026-05-13
Suspicious GPUpdate no Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Windows AD Privileged Account SID History Addition Windows Event Log Security 4742, Windows Event Log Security 4738 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows SpeechRuntime Suspicious Child Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.003 TTP Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Crowdstrike Multiple LOW Severity Alerts T1110 Anomaly Compromised Windows Host 2026-05-13
Uninstall App Using MsiExec Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.007 TTP Ransomware 2026-05-13
Windows Curl Download to Suspicious Path Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1105 TTP Black Basta Ransomware, Salt Typhoon, Cisco Network Visibility Module Analytics, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, IcedID, NPM Supply Chain Compromise, Ingress Tool Transfer, Compromised Windows Host, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Impair Defense Change Win Defender Throttle Rate Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
ServicePrincipalNames Discovery with SetSPN Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1558.003 TTP Active Directory Discovery, Compromised Windows Host, Active Directory Privilege Escalation, Active Directory Kerberos Attacks 2026-05-13
Windows Impair Defense Disable Defender Protocol Recognition Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics 2026-05-13
XMRIG Driver Loaded Sysmon EventID 6 T1543.003 TTP XMRig, Crypto Stealer, CISA AA22-320A 2026-05-13
Windows Wmic DiskDrive Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1082 Anomaly LAMEHUG 2026-05-13
Cisco NVM - Non-Network Binary Making Network Connection Cisco Network Visibility Module Flow Data T1036 T1055 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows AD Replication Request Initiated by User Account Windows Event Log Security 4662, Windows Event Log Security 4624 T1003.006 TTP Credential Dumping, Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Web or Application Server Spawning a Shell Sysmon EventID 1, Sysmon for Linux EventID 1 T1133 T1190 TTP HAFNIUM Group, Flax Typhoon, Cleo File Transfer Software, WS FTP Server Critical Vulnerabilities, Log4Shell CVE-2021-44228, CISA AA22-257A, BlackByte Ransomware, Data Destruction, ProxyShell, Spring4Shell CVE-2022-22965, PHP-CGI RCE Attack on Japanese Organizations, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, CISA AA22-264A, ProxyNotShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, SAP NetWeaver Exploitation, Microsoft SharePoint Vulnerabilities 2026-05-13
Windows Outlook WebView Registry Modification Sysmon EventID 13 T1112 Anomaly Suspicious Windows Registry Activities 2026-05-13
Windows AD ServicePrincipalName Added To Domain Account Windows Event Log Security 5136 T1098 TTP Interlock Ransomware, Sneaky Active Directory Persistence Tricks 2026-05-13
Linux Docker Shell Execution Sysmon for Linux EventID 1 T1059.013 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Impair Defense Disable Defender Firewall And Network Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics 2026-05-13
Windows Privilege Escalation Attempt Via MSI Rollback Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 TTP Windows Privilege Escalation 2026-05-13
MOVEit Certificate Store Access Failure T1190 Hunting MOVEit Transfer Authentication Bypass 2026-05-13
Windows Archive Collected Data via Powershell Powershell Script Block Logging 4104 T1560 Anomaly CISA AA23-347A, APT37 Rustonotto and FadeStealer 2026-05-13
Windows PowerView Constrained Delegation Discovery Powershell Script Block Logging 4104 T1018 TTP Active Directory Kerberos Attacks, Rhysida Ransomware, CISA AA23-347A 2026-05-13
Linux Auditd Kernel Module Using Rmmod Utility Linux Auditd Syscall T1547.006 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Auditd Auditd Daemon Shutdown Linux Auditd Daemon End T1685.004 Anomaly Compromised Linux Host 2026-05-13
Unusual Number of Kerberos Service Tickets Requested Windows Event Log Security 4769 T1558.003 Anomaly Active Directory Kerberos Attacks 2026-05-13
Windows Cmdline Tool Execution From Non-Shell Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.007 Anomaly Gh0st RAT, BlankGrabber Stealer, CISA AA23-347A, CISA AA22-277A, Medusa Ransomware, FIN7, Water Gamayun, Gozi Malware, SolarWinds WHD RCE Post Exploitation, Qakbot, Rhysida Ransomware, DarkGate Malware, Tuoni, Volt Typhoon 2026-05-13
Windows Office Product Spawned Uncommon Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1566.001 TTP MuddyWater, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, AgentTesla, FIN7, Trickbot, IcedID, Qakbot, CVE-2023-21716 Word RTF Heap Corruption, Azorult, DarkCrystal RAT, Compromised Windows Host, Remcos, PlugX, Spearphishing Attachments, Warzone RAT, APT37 Rustonotto and FadeStealer, NjRAT 2026-05-13
Windows Domain Admin Impersonation Indicator Windows Event Log Security 4627 T1558 TTP Active Directory Kerberos Attacks, Gozi Malware, Compromised Windows Host, Active Directory Privilege Escalation 2026-05-13
Disabling Remote User Account Control Sysmon EventID 13 T1548.002 TTP AgentTesla, Windows Registry Abuse, Suspicious Windows Registry Activities, Azorult, Remcos, Windows Defense Evasion Tactics 2026-05-13
System Information Discovery Detection Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1082 TTP Interlock Ransomware, BlackSuit Ransomware, BlankGrabber Stealer, SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, Gozi Malware, Lotus Blossom Chrysalis Backdoor, Cleo File Transfer Software, NetSupport RMM Tool Abuse, LAMEHUG, Windows Discovery Techniques 2026-05-13
GetDomainGroup with PowerShell Script Block Powershell Script Block Logging 4104 T1069.002 TTP Active Directory Discovery 2026-05-13
Windows PowerShell Invoke-RestMethod IP Information Collection Powershell Script Block Logging 4104 T1016 T1059.001 T1082 Anomaly Water Gamayun 2026-05-13
Windows EFI Bootloader File Modification Sysmon EventID 11 T1542.003 TTP Windows BootKits 2026-05-13
Windows Identify PowerShell Web Access IIS Pool Windows Event Log Security 4648 T1190 Hunting CISA AA24-241A 2026-05-13
Mimikatz PassTheTicket CommandLine Parameters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1550.003 TTP Active Directory Kerberos Attacks, CISA AA23-347A, CISA AA22-320A, Sandworm Tools, Scattered Lapsus$ Hunters 2026-05-13
Unloading AMSI via Reflection Powershell Script Block Logging 4104 T1059.001 T1685 TTP Malicious PowerShell, Data Destruction, Hermetic Wiper 2026-05-13
ConnectWise ScreenConnect Path Traversal Sysmon EventID 11 T1190 TTP ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard 2026-05-13
Windows Chromium Browser Launched with Small Window Size Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497 TTP Browser Hijacking 2026-05-13
Windows Steal Authentication Certificates CryptoAPI Windows Event Log CAPI2 70 T1649 Anomaly Windows Certificate Services, Hellcat Ransomware 2026-05-13
Windows DISM Install PowerShell Web Access Windows Event Log Security 4688, Sysmon EventID 1 T1548.002 TTP CISA AA24-241A 2026-05-13
Rundll32 Shimcache Flush Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1112 TTP Compromised Windows Host, Living Off The Land, Unusual Processes 2026-05-13
First Time Seen Running Windows Service Windows Event Log System 7036 T1569.002 Anomaly NOBELIUM Group, Windows Service Abuse, Orangeworm Attack Group 2026-05-13
Kerberos User Enumeration Windows Event Log Security 4768 T1589.002 Anomaly Active Directory Kerberos Attacks 2026-05-13
Windows BootLoader Inventory T1542.001 Hunting Windows BootKits, BlackLotus Campaign 2026-05-13
Excessive Usage Of SC Service Utility Sysmon EventID 1 T1569.002 Anomaly Azorult, Ransomware, Crypto Stealer 2026-05-13
Rundll32 with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 T1218.011 TTP Cobalt Strike, BlackByte Ransomware, BlackSuit Ransomware, PrintNightmare CVE-2021-34527, Compromised Windows Host, Cactus Ransomware, Suspicious Rundll32 Activity, Graceful Wipe Out Attack 2026-05-13
Windows Cisco Secure Endpoint Related Service Stopped Windows Event Log System 7036 T1490 Anomaly Hellcat Ransomware, Scattered Lapsus$ Hunters, Security Solution Tampering 2026-05-13
Cisco NVM - Suspicious Network Connection Initiated via MsXsl Cisco Network Visibility Module Flow Data T1220 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows AppX Deployment Package Installation Success Windows Event Log AppXDeployment-Server 854 T1204.002 Anomaly MSIX Package Abuse 2026-05-13
Windows New EventLog ChannelAccess Registry Value Set Sysmon EventID 13 T1685.001 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware 2026-05-13
Windows LOLBAS Executed As Renamed File Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.003 T1218.011 TTP Masquerading - Rename System Utilities, Water Gamayun, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Windows Export Certificate Windows Event Log CertificateServicesClient 1007 T1552.004 T1649 Anomaly Windows Certificate Services 2026-05-13
Windows Snake Malware File Modification Crmlog Sysmon EventID 11 T1027 TTP Snake Malware 2026-05-13
Windows Modify Registry UpdateServiceUrlAlternate Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Windows WPDBusEnum Registry Key Modification Sysmon EventID 13, Sysmon EventID 12 T1025 T1091 T1200 Anomaly Data Protection, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Unusual Process Load Mozilla NSS-Mozglue Module Sysmon EventID 7 T1218.003 Anomaly Quasar RAT, Phantom Stealer, VIP Keylogger, Lokibot, StealC Stealer, 0bj3ctivity Stealer 2026-06-25
DNS Exfiltration Using Nslookup App Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1048 TTP Data Exfiltration, Command And Control, Compromised Windows Host, Dynamic DNS, Suspicious DNS Traffic 2026-05-13
Linux Auditd Data Destruction Command Linux Auditd Proctitle T1485 TTP AwfulShred, Data Destruction, Compromised Linux Host 2026-05-13
Windows System Shutdown CommandLine Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1529 Anomaly Quasar RAT, MuddyWater, MoonPeak, Sandworm Tools, XWorm, DarkGate Malware, DarkCrystal RAT, Scattered Lapsus$ Hunters, ZOVWiper, NjRAT 2026-05-13
Windows Attempt To Stop Security Service Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 TTP WhisperGate, Data Destruction, Trickbot, Azorult, Disabling Security Tools, Graceful Wipe Out Attack 2026-05-13
Detect HTML Help Using InfoTech Storage Handlers Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.001 TTP APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity, Living Off The Land 2026-05-13
Excessive distinct processes from Windows Temp Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 Anomaly Meterpreter 2026-05-13
Ransomware Notes bulk creation Sysmon EventID 11 T1486 Anomaly Chaos Ransomware, Black Basta Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Rhysida Ransomware, Termite Ransomware, DarkSide Ransomware, Cactus Ransomware, BlackMatter Ransomware, Hellcat Ransomware, NailaoLocker Ransomware 2026-05-13
Windows AD DCShadow Privileges ACL Addition Windows Event Log Security 5136 T1207 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows AD GPO Disabled Windows Event Log Security 5136 T1484.001 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials Windows Event Log Security 4648 T1110.003 TTP Volt Typhoon, Active Directory Password Spraying, Insider Threat 2026-05-13
Services LOLBAS Execution Process Spawn Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.003 TTP CISA AA23-347A, Qakbot, Living Off The Land, Hellcat Ransomware, Active Directory Lateral Movement 2026-05-13
Windows AD Replication Request Initiated from Unsanctioned Location Windows Event Log Security 4662, Windows Event Log Security 4624 T1003.006 TTP Credential Dumping, Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows AD Short Lived Domain Controller SPN Attribute Windows Event Log Security 4624, Windows Event Log Security 5136 T1207 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Defacement Modify Transcodedwallpaper File Sysmon EventID 1, Sysmon EventID 11 T1491 Anomaly Brute Ratel C4 2026-05-13
Linux Auditd Install Kernel Module Using Modprobe Utility Linux Auditd Syscall T1547.006 Anomaly Linux Privilege Escalation, Linux Rootkit, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux AWK Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Njrat Fileless Storage via Registry Sysmon EventID 13 T1027.011 TTP NjRAT 2026-05-13
Windows Modify Registry Risk Behavior T1112 Correlation Windows Registry Abuse 2026-05-13
Linux File Created In Kernel Driver Directory Sysmon for Linux EventID 11 T1547.006 Anomaly Linux Privilege Escalation, Linux Rootkit, Linux Persistence Techniques 2026-05-13
Get DomainUser with PowerShell Script Block Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery, CISA AA23-347A 2026-05-13
Windows Hidden Schedule Task Settings Windows Event Log Security 4698 T1053 TTP Data Destruction, Hellcat Ransomware, Scheduled Tasks, Compromised Windows Host, Industroyer2, Cactus Ransomware, Active Directory Discovery, CISA AA22-257A, Malicious Inno Setup Loader 2026-05-13
Windows Binary Proxy Execution Mavinject DLL Injection Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.013 TTP Living Off The Land 2026-05-13
Windows System LogOff Commandline Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1529 Anomaly DarkCrystal RAT, Scattered Lapsus$ Hunters, XWorm, NjRAT 2026-05-13
Windows InstallUtil Uninstall Option Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.004 TTP Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Living Off The Land 2026-05-13
Windows EFI Volume Mount Attempt Via Mountvol Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1204.002 T1542 T1688 Anomaly Compromised Windows Host 2026-05-13
Detect Certify With PowerShell Script Block Logging Powershell Script Block Logging 4104 T1059.001 T1649 TTP Malicious PowerShell, Windows Certificate Services 2026-05-13
Windows Non-System Account Targeting Lsass Sysmon EventID 10 T1003.001 TTP Credential Dumping, Lokibot, Scattered Lapsus$ Hunters, CISA AA23-347A 2026-05-13
Detect PsExec With accepteula Flag Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.002 TTP SamSam Ransomware, BlackByte Ransomware, Medusa Ransomware, CISA AA22-320A, IcedID, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, Storm-0501 Ransomware, Seashell Blizzard, DarkSide Ransomware, DarkGate Malware, Volt Typhoon, VanHelsing Ransomware, Cactus Ransomware, Active Directory Lateral Movement 2026-05-13
Linux Binary Launched Process with Null Argv Linux Messages Syslog T1068 TTP Linux Privilege Escalation 2026-05-12
Windows TeamCity Plugin Installed Sysmon EventID 11 T1059 T1190 T1505.003 Anomaly JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities 2026-05-13
Linux Auditd System Network Configuration Discovery Linux Auditd Syscall T1016 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Crowdstrike High Identity Risk Severity T1110 TTP Compromised Windows Host 2026-05-13
Windows Indirect Command Execution Via forfiles CrowdStrike ProcessRollup2, Sysmon EventID 1 T1202 TTP Windows Post-Exploitation, Living Off The Land 2026-05-13
Windows MSIExec Unregister DLLRegisterServer Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2026-05-13
Windows Hunting System Account Targeting Lsass Sysmon EventID 10 T1003.001 Hunting Credential Dumping, Lokibot, Scattered Lapsus$ Hunters, CISA AA23-347A 2026-05-13
Revil Registry Entry Sysmon EventID 13, Sysmon EventID 12 T1112 TTP Ransomware, Revil Ransomware, Windows Registry Abuse 2026-05-13
Suspicious DLLHost no Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, BlackByte Ransomware, Cactus Ransomware 2026-05-13
GetAdGroup with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.002 Hunting Active Directory Discovery 2026-05-13
Detect Remote Access Software Usage File Sysmon EventID 11 T1219 Anomaly Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat 2026-05-13
Windows Eventlog Cleared Via Wevtutil Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685.005 Anomaly ShrinkLocker, CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, Windows Log Manipulation 2026-05-13
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI Cisco Network Visibility Module Flow Data T1059.005 T1218.005 Anomaly BlankGrabber Stealer, Cisco Network Visibility Module Analytics 2026-05-13
Windows User Execution Malicious URL Shortcut File Sysmon EventID 11 T1204.002 Anomaly Chaos Ransomware, Quasar RAT, XWorm, Snake Keylogger, APT37 Rustonotto and FadeStealer, NjRAT 2026-05-13
Powershell Windows Defender Exclusion Commands Powershell Script Block Logging 4104 T1685 Anomaly WhisperGate, Data Destruction, AgentTesla, BlankGrabber Stealer, CISA AA22-320A, Remcos, NetSupport RMM Tool Abuse, Salat Stealer, Warzone RAT, Windows Defense Evasion Tactics 2026-06-29
Linux File Creation In Profile Directory Sysmon for Linux EventID 11 T1546.004 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Windows Modify Registry Utilize ProgIDs Sysmon EventID 13 T1112 Anomaly ValleyRAT 2026-05-13
Windows Sqlservr Spawning Shell Windows Event Log Security 4688, Sysmon EventID 1 T1505.001 Hunting SQL Server Abuse 2026-05-13
Windows Mustang Panda USB Tool Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1020 T1204.002 T1574.001 TTP Compromised Windows Host 2026-05-13
Windows Event Logging Service Has Shutdown Windows Event Log Security 1100 T1685.005 Hunting Ransomware, Windows Log Manipulation, Scattered Lapsus$ Hunters, Clop Ransomware 2026-05-13
Linux Proxy Socks Curl Sysmon for Linux EventID 1 T1090 T1095 TTP Ingress Tool Transfer, Linux Living Off The Land 2026-06-04
Linux Auditd AI CLI Permission Override Activated Linux Auditd Proctitle T1480 Anomaly QuietVault 2026-05-13
Windows File Transfer Protocol In Non-Common Process Path Sysmon EventID 3 T1071.003 Anomaly Snake Keylogger, Hellcat Ransomware, Phantom Stealer, AgentTesla 2026-06-25
GetNetTcpconnection with PowerShell Script Block Powershell Script Block Logging 4104 T1049 Hunting Active Directory Discovery 2026-05-13
Linux Add Files In Known Crontab Directories Sysmon for Linux EventID 11 T1053.003 Anomaly Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Suspicious microsoft workflow compiler rename Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.003 T1127 Hunting Cobalt Strike, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution, BlackByte Ransomware 2026-05-13
Windows Credentials from Password Stores Creation Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1555 TTP DarkGate Malware, NetSupport RMM Tool Abuse, Compromised Windows Host 2026-05-13
Create Remote Thread In Shell Application Sysmon EventID 8 T1055 TTP IcedID, Warzone RAT, Qakbot 2026-06-29
Allow Network Discovery In Firewall Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1686.001 TTP BlackByte Ransomware, Medusa Ransomware, Ransomware, Hellcat Ransomware, Revil Ransomware, NjRAT 2026-05-13
Windows Remote Services Allow Remote Assistance Sysmon EventID 13 T1021.001 Anomaly Azorult 2026-05-13
Windows Unusual NTLM Authentication Destinations By Source NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004 T1110.003 Anomaly Active Directory Password Spraying 2026-05-13
Disabling Task Manager Sysmon EventID 13 T1685 TTP Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics 2026-05-13
Linux GNU Awk Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Auditd Virtual Disk File And Directory Discovery Linux Auditd Execve T1083 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows NorthStar C2 Agent Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1204.002 T1547.001 T1608 TTP Compromised Windows Host 2026-05-13
Potential System Network Configuration Discovery Activity Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1016 Anomaly Unusual Processes 2026-05-13
Windows DLL Search Order Hijacking with iscsicpl Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1574.001 TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos Windows Event Log Security 4768 T1110.003 Anomaly Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows FFmpeg DirectShow Video Capture Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1125 Anomaly Salat Stealer 2026-05-20
Windows MSIExec Remote Download Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1218.007 Anomaly Cisco Network Visibility Module Analytics, SolarWinds WHD RCE Post Exploitation, Water Gamayun, Windows System Binary Proxy Execution MSIExec, StealC Stealer 2026-05-13
Windows ComputerDefaults Spawning a Process Sysmon EventID 1 T1548.002 TTP BlankGrabber Stealer, Castle RAT 2026-05-13
Screensaver Event Trigger Execution Sysmon EventID 13 T1546.002 TTP Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Windows Remote Host Computer Management Access Windows Event Log Security 4688, Sysmon EventID 1 T1021.006 Anomaly Medusa Ransomware 2026-05-13
Check Elevated CMD using whoami Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1033 TTP FIN7 2026-05-13
Windows Remote Services Rdp Enable Sysmon EventID 13 T1021.001 TTP Azorult, Windows RDP Artifacts and Defense Evasion, BlackSuit Ransomware, Medusa Ransomware 2026-05-13
Linux Deleting Critical Directory Using RM Command Sysmon for Linux EventID 1 T1485 TTP AwfulShred, Data Destruction, Industroyer2 2026-05-13
Windows Security Support Provider Reg Query Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1547.005 Anomaly Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation 2026-05-13
Windows Registry BootExecute Modification Sysmon EventID 13 T1542 T1547.001 TTP Windows BootKits 2026-05-13
Detect Regasm with Network Connection Sysmon EventID 3 T1218.009 TTP Void Manticore, Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity, Hellcat Ransomware 2026-05-13
System Processes Run From Unexpected Locations Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.003 Anomaly Ransomware, Qakbot, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability, Masquerading - Rename System Utilities, Suspicious Command-Line Executions, DarkGate Malware 2026-05-13
Vbscript Execution Using Wscript App CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.005 TTP Remcos, FIN7, AsyncRAT 2026-05-13
Windows Firewall Rule Modification Windows Event Log Security 4947 T1686 Anomaly ShrinkLocker, NetSupport RMM Tool Abuse, Medusa Ransomware 2026-05-13
Windows Registry SIP Provider Modification Sysmon EventID 13 T1553.003 TTP Subvert Trust Controls SIP and Trust Provider Hijacking 2026-05-13
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Sysmon EventID 17, Sysmon EventID 18 T1071 TTP Azorult 2026-05-13
Get DomainUser with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1087.002 TTP Active Directory Discovery, CISA AA23-347A 2026-05-13
Windows Modify Registry MaxConnectionPerServer Sysmon EventID 13 T1112 Anomaly Warzone RAT 2026-05-13
Crowdstrike User with Duplicate Password T1110 Anomaly Compromised Windows Host 2026-05-13
Powershell Remote Thread To Known Windows Process Sysmon EventID 8 T1055 TTP Trickbot 2026-07-01
Windows Registry Certificate Added Sysmon EventID 13 T1553.004 Anomaly Windows Registry Abuse, Windows Drivers 2026-05-13
Windows MsMpEng Writing to System32 Sysmon EventID 15, Sysmon EventID 11 T1068 T1543.003 TTP RedSun, Windows Drivers, BlueHammer, Windows Privilege Escalation 2026-04-27
Get ADUserResultantPasswordPolicy with Powershell Script Block Powershell Script Block Logging 4104 T1201 TTP Active Directory Discovery, CISA AA23-347A 2026-05-13
Linux Ruby Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Malicious InProcServer32 Modification Sysmon EventID 13, Sysmon EventID 12 T1112 T1218.010 TTP Remcos, Suspicious Regsvr32 Activity 2026-05-13
Detect Baron Samedit CVE-2021-3156 T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Linux PF_ALG Registration Outside of Boot Window Linux Messages Syslog T1068 TTP Linux Privilege Escalation 2026-05-11
Windows Indicator Removal Via Rmdir Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1070 Anomaly DarkGate Malware, APT37 Rustonotto and FadeStealer, ZOVWiper 2026-05-13
Disable Logs Using WevtUtil Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685.005 TTP Ransomware, Rhysida Ransomware, CISA AA23-347A 2026-05-13
Windows Credentials Access via VaultCli Module Sysmon EventID 7 T1555.004 Anomaly Hellcat Ransomware, Meduza Stealer 2026-05-13
Windows Rundll32 Execution With Log.DLL Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1574 Anomaly Lotus Blossom Chrysalis Backdoor 2026-05-13
GitHub Workflow File Creation or Modification Sysmon for Linux EventID 11, Sysmon EventID 11 T1195 T1554 T1574.006 Hunting NPM Supply Chain Compromise 2026-05-13
Windows AD Domain Root ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Executables Or Script Creation In Temp Path Sysmon EventID 11 T1036 Anomaly AcidPour, Swift Slicer, Qakbot, Lokibot, SesameOp, Snake Keylogger, Remcos, Salat Stealer, Brute Ratel C4, WinDealer RAT, BlackByte Ransomware, Graceful Wipe Out Attack, NjRAT, Axios Supply Chain Post Compromise, Data Destruction, Void Manticore, LockBit Ransomware, Handala Wiper, AsyncRAT, Rhysida Ransomware, RedLine Stealer, PromptFlux, DarkGate Malware, DarkCrystal RAT, Derusbi, Meduza Stealer, Warzone RAT, WhisperGate, XMRig, AgentTesla, Trickbot, VIP Keylogger, Phantom Stealer, Hermetic Wiper, Azorult, Interlock Rat, Chaos Ransomware, Salt Typhoon, PromptLock, MoonPeak, CISA AA23-347A, Amadey, IcedID, RoguePlanet, Volt Typhoon, Double Zero Destructor, Crypto Stealer, PlugX, Industroyer2, China-Nexus Threat Activity, XML Runner Loader, APT37 Rustonotto and FadeStealer, SnappyBee, ValleyRAT 2026-06-25
Windows Devtunnels Image Loaded Sysmon EventID 7 T1090 Anomaly Reverse Network Proxy 2026-05-13
Windows Modify Registry USeWuServer Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
Windows Delete or Modify System Firewall Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1686 Hunting ShrinkLocker, NjRAT 2026-05-13
Detect Remote Access Software Usage Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1219 Anomaly Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Ransomware, Gozi Malware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Storm-0501 Ransomware, Insider Threat 2026-05-13
Windows Ngrok Reverse Proxy Usage Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1090 T1102 T1572 Anomaly CISA AA24-241A, Reverse Network Proxy, CISA AA22-320A 2026-05-13
Windows Unusual NTLM Authentication Destinations By User NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004 T1110.003 Anomaly Active Directory Password Spraying 2026-05-13
Linux Auditd File And Directory Discovery Linux Auditd Execve T1083 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Auditd Auditd Daemon Abort Linux Auditd Daemon Abort T1685.004 Anomaly Compromised Linux Host 2026-05-13
Windows Process Injection Wermgr Child Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 Anomaly Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability 2026-05-13
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.003 T1021.006 T1047 T1053.005 T1059.001 T1218.014 T1543.003 Anomaly Malicious PowerShell, Data Destruction, CISA AA24-241A, Scheduled Tasks, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Active Directory Lateral Movement 2026-05-13
Windows Possible Credential Dumping Sysmon EventID 10 T1003.001 TTP CISA AA23-347A, CISA AA22-264A, DarkSide Ransomware, Credential Dumping, Scattered Lapsus$ Hunters, Detect Zerologon Attack, CISA AA22-257A 2026-05-13
Suspicious SearchProtocolHost no Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Cobalt Strike, BlackByte Ransomware, Cactus Ransomware, Hellcat Ransomware, Graceful Wipe Out Attack 2026-05-13
Active Setup Registry Autostart Sysmon EventID 13 T1547.014 TTP Data Destruction, Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
BCDEdit Failure Recovery Modification Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1490 TTP Void Manticore, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Ryuk Ransomware, Compromised Windows Host 2026-05-13
Windows Registry Modification for Safe Mode Persistence Sysmon EventID 13 T1547.001 TTP Ransomware, Windows Drivers, Windows Registry Abuse 2026-05-13
Runas Execution in CommandLine Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1134.001 Hunting Quasar RAT, Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Allow File And Printing Sharing In Firewall Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1686.001 TTP Ransomware, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Suspicious MSBuild Rename Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.003 T1127.001 Hunting Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware 2026-05-13
Windows PowerShell Process Implementing Manual Base64 Decoder Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1027.010 T1059.001 Anomaly Deobfuscate-Decode Files or Information, Compromised Windows Host 2026-05-13
Detect Mimikatz With PowerShell Script Block Logging Powershell Script Block Logging 4104 T1003 T1059.001 TTP Malicious PowerShell, Data Destruction, CISA AA23-347A, CISA AA22-320A, Sandworm Tools, Hermetic Wiper, CISA AA22-264A, Scattered Spider, Hellcat Ransomware 2026-05-13
Windows UAC Bypass Suspicious Escalation Behavior Sysmon EventID 1 T1548.002 TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Active Directory Lateral Movement Identified T1210 Correlation Active Directory Lateral Movement 2026-05-13
Suspicious mshta child process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.005 TTP MuddyWater, Lumma Stealer, Suspicious MSHTA Activity, Living Off The Land 2026-05-13
BITS Job Persistence Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1197 TTP BITS Jobs, Living Off The Land 2026-05-13
Disable Defender Spynet Reporting Sysmon EventID 13 T1685 TTP CISA AA23-347A, IcedID, Windows Registry Abuse, Qakbot, Azorult 2026-05-13
Disable Defender AntiVirus Registry Sysmon EventID 13 T1685 TTP Black Basta Ransomware, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, IcedID, Windows Registry Abuse, Cactus Ransomware, Salat Stealer 2026-06-08
Windows Wermgr Alternate Data Stream in Temp Dir Sysmon EventID 15 T1564.004 Anomaly RoguePlanet 2026-06-11
Detect HTML Help Renamed Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.001 Hunting APT37 Rustonotto and FadeStealer, Suspicious Compiled HTML Activity, Living Off The Land 2026-05-13
Linux Stdout Redirection To Dev Null File Sysmon for Linux EventID 1 T1686 Anomaly Data Destruction, Cyclops Blink, Industroyer2 2026-05-13
Windows Modify Registry Tamper Protection Sysmon EventID 13 T1112 TTP RedLine Stealer, Scattered Lapsus$ Hunters 2026-05-13
Certutil exe certificate extraction Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1649 TTP Cloud Federated Credential Abuse, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Windows Certificate Services 2026-05-13
Malicious PowerShell Process - Execution Policy Bypass Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 Anomaly MuddyWater, Salt Typhoon, BlankGrabber Stealer, AsyncRAT, HAFNIUM Group, DHS Report TA18-074A, XWorm, DarkCrystal RAT, Volt Typhoon, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer 2026-05-13
WMI Permanent Event Subscription - Sysmon Sysmon EventID 21 T1546.003 TTP Suspicious WMI Use 2026-05-13
Windows Gather Victim Host Information Camera Powershell Script Block Logging 4104 T1592.001 Anomaly DarkCrystal RAT 2026-05-13
Cisco NVM - Installation of Typosquatted Python Package Cisco Network Visibility Module Flow Data T1059 TTP Cisco Network Visibility Module Analytics 2026-05-13
Linux Ngrok Reverse Proxy Usage Sysmon for Linux EventID 1 T1090 T1102 T1572 Anomaly Reverse Network Proxy 2026-05-13
GetAdGroup with PowerShell Script Block Powershell Script Block Logging 4104 T1069.002 Hunting Active Directory Discovery, Scattered Lapsus$ Hunters 2026-05-13
Control Loading from World Writable Directory Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.002 TTP Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Living Off The Land 2026-05-13
GetDomainController with PowerShell Script Block Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2026-05-13
Windows Rundll32 WebDAV Request Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1048.003 Hunting CVE-2023-23397 Outlook Elevation of Privilege 2026-05-13
Suspicious Rundll32 dllregisterserver Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 TTP IcedID, Suspicious Rundll32 Activity, Living Off The Land 2026-05-13
Windows RunMRU Registry Key or Value Deleted Sysmon EventID 12 T1112 Anomaly NetSupport RMM Tool Abuse 2026-05-13
Windows Disable Shutdown Button Through Registry Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse 2026-05-13
Linux System Reboot Via System Request Key Sysmon for Linux EventID 1 T1529 TTP AwfulShred, Data Destruction 2026-05-13
Windows Rundll32 WebDav With Network Connection Sysmon EventID 1, Sysmon EventID 3 T1048.003 TTP CVE-2023-23397 Outlook Elevation of Privilege 2026-05-13
MacOS Gatekeeper Bypass Osquery Results T1553.001 Anomaly MacOS Persistence Techniques, MacOS Privilege Escalation, MacOS Post-Exploitation 2026-05-13
Linux Auditd Possible Access To Sudoers File Linux Auditd Path, Linux Auditd Cwd T1548.003 Anomaly Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Detect Renamed RClone Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1020 Hunting Black Basta Ransomware, DarkSide Ransomware, Ransomware, Cactus Ransomware 2026-05-13
Windows Steal Authentication Certificates CS Backup Windows Event Log Security 4876 T1649 Anomaly Windows Certificate Services 2026-05-13
Windows Executable Masquerading as Benign File Types Sysmon EventID 29 T1036.008 Anomaly NetSupport RMM Tool Abuse 2026-05-13
Crowdstrike Privilege Escalation For Non-Admin User T1110 Anomaly Compromised Windows Host 2026-05-13
Windows Suspicious Driver Loaded Path Sysmon EventID 6 T1543.003 TTP XMRig, Interlock Ransomware, AgentTesla, CISA AA22-320A, Snake Keylogger, APT37 Rustonotto and FadeStealer, BlackByte Ransomware 2026-05-13
Windows Schtasks Create Run As System Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, Scheduled Tasks, Qakbot, Windows Persistence Techniques, Castle RAT 2026-05-13
Linux Auditd Data Transfer Size Limits Via Split Syscall Linux Auditd Syscall T1030 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Disabling Windows Local Security Authority Defences via Registry Sysmon EventID 13 T1556 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Cisco Isovalent - Nsenter Usage in Kubernetes Pod Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Windows Renamed Powershell Execution Sysmon EventID 1 T1036.003 TTP Axios Supply Chain Post Compromise, Hellcat Ransomware, XWorm 2026-05-13
PowerShell Invoke CIMMethod CIMSession Powershell Script Block Logging 4104 T1047 Anomaly Malicious PowerShell, Active Directory Lateral Movement, Scattered Lapsus$ Hunters 2026-05-13
Windows Modify Registry Suppress Win Defender Notif Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2026-05-13
Suspicious Reg exe Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1112 Anomaly DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics 2026-05-13
Wermgr Process Create Executable File Sysmon EventID 11 T1027 TTP Trickbot 2026-05-13
Windows Wmic Memory Chip Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1082 Anomaly LAMEHUG 2026-05-13
Windows Process With NetExec Command Line Parameters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1550.003 T1558.003 T1558.004 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2026-05-13
Windows Screen Capture Via Powershell Powershell Script Block Logging 4104 T1113 TTP Water Gamayun, BlankGrabber Stealer, APT37 Rustonotto and FadeStealer, Winter Vivern 2026-05-13
Remote WMI Command Attempt Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1047 TTP CISA AA23-347A, IcedID, Living Off The Land, Volt Typhoon, Suspicious WMI Use, Graceful Wipe Out Attack 2026-05-13
Windows Group Policy Object Created Windows Event Log Security 5137, Windows Event Log Security 5136 T1078.002 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows PowerShell IIS Components WebGlobalModule Usage Powershell Script Block Logging 4104 T1505.004 Anomaly IIS Components, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows AD Short Lived Server Object Windows Event Log Security 5137, Windows Event Log Security 5141 T1207 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Admon Group Policy Object Created Windows Active Directory Admon T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Detection of tools built by NirSoft Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1072 Anomaly Emotet Malware DHS Report TA18-201A 2026-05-13
Sunburst Correlation DLL and Network Event Sysmon EventID 7, Sysmon EventID 22 T1203 TTP NOBELIUM Group 2026-05-13
Windows Modify Registry ProxyEnable Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2026-05-13
Windows Multiple Account Passwords Changed Windows Event Log Security 4724 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
MacOS Keychains Dumped Osquery Results T1555.001 TTP MacOS Privilege Escalation 2026-05-13
Windows File and Directory Enable ReadOnly Permissions Windows Event Log Security 4688, Sysmon EventID 1 T1222.001 TTP NetSupport RMM Tool Abuse, Crypto Stealer 2026-05-13
Excessive Usage Of Cacls App Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1222 Anomaly XMRig, Prestige Ransomware, Azorult, Defense Evasion or Unauthorized Access Via SDDL Tampering, Crypto Stealer, Windows Post-Exploitation 2026-05-13
Credential Dumping via Copy Command from Shadow Copy Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.003 TTP Credential Dumping, Compromised Windows Host 2026-05-13
Interactive Session on Remote Endpoint with PowerShell Powershell Script Block Logging 4104 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Windows MSHTA Writing to World Writable Path Sysmon EventID 11 T1218.005 TTP Suspicious MSHTA Activity, XWorm, APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Windows Defender ASR Rule Disabled Windows Event Log Defender 5007 T1112 TTP Windows Attack Surface Reduction 2026-05-13
Rundll32 Control RunDLL World Writable Directory Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 TTP Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Suspicious Rundll32 Activity, Living Off The Land 2026-05-13
Windows AD Privileged Group Modification Windows Event Log Security 4728 T1098 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Cisco NVM - Suspicious Download From File Sharing Website Cisco Network Visibility Module Flow Data T1197 Anomaly BlankGrabber Stealer, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer 2026-05-13
Linux Auditd Osquery Service Stop Linux Auditd Service Stop T1489 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Privilege Escalation System Process Without System Parent Sysmon EventID 1 T1068 T1134 T1548 TTP BlackSuit Ransomware, Windows Privilege Escalation 2026-05-13
Windows EventLog Recon Activity Using Log Query Utilities Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1654 Anomaly BlankGrabber Stealer, Windows Discovery Techniques 2026-05-13
Detect Renamed PSExec Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1569.002 Hunting Salt Typhoon, SamSam Ransomware, CISA AA22-320A, Medusa Ransomware, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, DarkGate Malware, DarkSide Ransomware, VanHelsing Ransomware, Active Directory Lateral Movement, Cactus Ransomware, China-Nexus Threat Activity, BlackByte Ransomware 2026-05-13
WinRM Spawning a Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1190 TTP Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, CISA AA23-347A, Unusual Processes 2026-05-13
Windows Archive Collected Data via Rar Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1560.001 Anomaly China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Rapid Authentication On Multiple Hosts Windows Event Log Security 4624 T1003.002 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
SAM Database File Access Attempt Windows Event Log Security 4663 T1003.002 Hunting Credential Dumping, Rhysida Ransomware, Graceful Wipe Out Attack 2026-05-13
Windows Service Create RemComSvc Windows Event Log System 7045 T1543.003 Anomaly Active Directory Discovery 2026-05-13
Windows KrbRelayUp Service Creation Windows Event Log System 7045 T1543.003 TTP Local Privilege Escalation With KrbRelayUp, Compromised Windows Host 2026-05-13
Windows Process Injection In Non-Service SearchIndexer Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Qakbot 2026-05-13
Windows SQL Server xp_cmdshell Config Change Windows Event Log Application 15457 T1505.001 TTP Seashell Blizzard, SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
GetAdComputer with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1018 Hunting Active Directory Discovery, Medusa Ransomware 2026-05-13
Windows MSIExec Spawn Discovery Command Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.007 Anomaly Windows System Binary Proxy Execution MSIExec, Water Gamayun, StealC Stealer, Medusa Ransomware 2026-05-13
Windows Impair Defense Configure App Install Control Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry DisableRemoteDesktopAntiAlias Sysmon EventID 13 T1112 TTP DarkGate Malware 2026-05-13
Remcos client registry install entry Sysmon EventID 13, Sysmon EventID 12 T1112 TTP Windows Registry Abuse, Remcos 2026-05-13
Resize ShadowStorage volume Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1490 TTP Clop Ransomware, Medusa Ransomware, VanHelsing Ransomware, Compromised Windows Host, BlackByte Ransomware 2026-05-13
Windows File and Directory Permissions Remove Inheritance Windows Event Log Security 4688, Sysmon EventID 1 T1222.001 Anomaly Crypto Stealer 2026-05-13
Windows Wmic Network Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1082 Anomaly LAMEHUG 2026-05-13
Windows DNS Gather Network Info Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1590.002 Anomaly Sandworm Tools, Volt Typhoon 2026-05-13
Linux Auditd Clipboard Data Copy Linux Auditd Execve T1115 Anomaly Compromised Linux Host, Linux Living Off The Land 2026-05-13
Windows App Layer Protocol Wermgr Connect To NamedPipe Sysmon EventID 17, Sysmon EventID 18 T1071 Anomaly Qakbot 2026-05-13
Permission Modification using Takeown App Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1222 Anomaly Sandworm Tools, Ransomware, Scattered Lapsus$ Hunters, Crypto Stealer 2026-05-13
Linux Indicator Removal Clear Cache Sysmon for Linux EventID 1 T1070 TTP AwfulShred, Data Destruction 2026-05-13
Get WMIObject Group Discovery with Script Block Logging Powershell Script Block Logging 4104 T1069.001 Hunting Active Directory Discovery 2026-05-13
Windows Boot or Logon Autostart Execution In Startup Folder Sysmon EventID 11 T1547.001 Anomaly Chaos Ransomware, Quasar RAT, Interlock Ransomware, BlankGrabber Stealer, Phantom Stealer, Gozi Malware, RedLine Stealer, XWorm, PromptFlux, Crypto Stealer, APT37 Rustonotto and FadeStealer, NjRAT 2026-06-25
Linux Gem Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Office Product Spawned MSDT Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1566.001 TTP Spearphishing Attachments, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host 2026-05-13
Linux c89 Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows BitLockerToGo Process Execution Windows Event Log Security 4688, Sysmon EventID 1 T1218 Hunting Lumma Stealer 2026-05-13
PowerShell Script Block With URL Chain Powershell Script Block Logging 4104 T1059.001 T1105 TTP Malicious PowerShell, Hellcat Ransomware 2026-05-13
Linux Insert Kernel Module Using Insmod Utility Sysmon for Linux EventID 1 T1547.006 Anomaly Linux Privilege Escalation, XorDDos, Linux Rootkit, Linux Persistence Techniques 2026-05-13
Non Chrome Process Accessing Chrome Default Dir Windows Event Log Security 4663 T1555.003 Anomaly Quasar RAT, Lokibot, Snake Keylogger, Remcos, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, RedLine Stealer, DarkGate Malware, StealC Stealer, Warzone RAT, AgentTesla, VIP Keylogger, Phantom Stealer, 3CX Supply Chain Attack, Malicious Inno Setup Loader, Salt Typhoon, CISA AA23-347A, FIN7, China-Nexus Threat Activity, SnappyBee 2026-06-25
Windows Office Product Loaded MSHTML Module Sysmon EventID 7 T1566.001 Anomaly Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, MuddyWater, CVE-2023-36884 Office and Windows HTML RCE Vulnerability 2026-05-13
Windows Impair Defense Change Win Defender Health Check Intervals Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows IIS Components Get-WebGlobalModule Module Query Powershell Installed IIS Modules T1505.004 Hunting IIS Components, WS FTP Server Critical Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Suspicious wevtutil Usage Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685.005 TTP ShrinkLocker, CISA AA23-347A, Clop Ransomware, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Rhysida Ransomware, VoidLink Cloud-Native Linux Malware, Scattered Spider, Windows Log Manipulation, Storm-0501 Ransomware 2026-05-13
Windows Default Cobalt Strike PowerShell Beacon Powershell Script Block Logging 4104 T1059.001 T1204.002 TTP Cobalt Strike 2026-05-13
Windows Impair Defense Disable Win Defender Gen reports Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry Configure BitLocker Sysmon EventID 13 T1112 TTP ShrinkLocker 2026-05-13
Suspicious PlistBuddy Usage Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.001 TTP Silver Sparrow 2026-05-13
Windows Admin Permission Discovery Sysmon EventID 11 T1069.001 Anomaly NjRAT 2026-05-13
Windows Important Audit Policy Disabled Windows Event Log Security 4719 T1685 TTP Windows Audit Policy Tampering 2026-05-13
Windows PowerShell Get CIMInstance Remote Computer Powershell Script Block Logging 4104 T1059.001 Anomaly Active Directory Lateral Movement 2026-05-13
Windows Modify Registry on Smart Card Group Policy Sysmon EventID 13 T1112 Anomaly ShrinkLocker 2026-05-13
Linux Auditd Private Keys and Certificate Enumeration Linux Auditd Execve T1552.004 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Auditd Service Started Linux Auditd Proctitle T1569.002 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Modify Registry Disable Toast Notifications Sysmon EventID 13 T1112 Anomaly Azorult 2026-05-13
Detect WMI Event Subscription Persistence Sysmon EventID 20 T1546.003 TTP Suspicious WMI Use, Hellcat Ransomware 2026-05-13
Windows Computer Account With SPN Windows Event Log Security 4741 T1558 TTP Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks, Compromised Windows Host 2026-05-13
Windows Browser Process Launched with Unusual Flags Sysmon EventID 1 T1185 Anomaly Phantom Stealer, Castle RAT 2026-06-25
Suspicious mshta spawn Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.005 TTP APT37 Rustonotto and FadeStealer, Suspicious MSHTA Activity, Living Off The Land 2026-05-13
Windows AI Platform DNS Query Sysmon EventID 22 T1071.004 Anomaly LAMEHUG, SesameOp, PromptFlux 2026-05-13
Windows Process Injection Remote Thread Sysmon EventID 8 T1055.002 TTP Phantom Stealer, Water Gamayun, Earth Alux, Qakbot, Warzone RAT, Graceful Wipe Out Attack 2026-06-29
Linux Auditd Find Credentials From Password Managers Linux Auditd Execve T1555.005 TTP Linux Privilege Escalation, Scattered Lapsus$ Hunters, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux Magic SysRq Key Abuse Linux Auditd Path, Linux Auditd Cwd T1059.004 T1489 T1499 T1529 TTP Compromised Linux Host 2026-05-13
Windows Unusual Count Of Users Failed To Authenticate Using NTLM Windows Event Log Security 4776 T1110.003 Anomaly Volt Typhoon, Active Directory Password Spraying 2026-05-13
Disable Security Logs Using MiniNt Registry Sysmon EventID 13 T1112 TTP Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows Identify Protocol Handlers Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 Hunting Living Off The Land 2026-05-13
Windows SQL Server Extended Procedure DLL Loading Hunt Windows Event Log Application 8128 T1059.009 T1505.001 Hunting SQL Server Abuse 2026-05-13
Windows New Deny Permission Set On Service SD Via Sc.EXE Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1564 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows MSC EvilTwin Directory Path Manipulation Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.005 T1203 T1218 TTP Water Gamayun, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Windows Azure Storage Utility Execution Via CLI Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1567.002 Anomaly Data Exfiltration 2026-05-13
Windows InstallUtil in Non Standard Path Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.003 T1218.004 TTP WhisperGate, Data Destruction, Signed Binary Proxy Execution InstallUtil, Ransomware, Living Off The Land, Unusual Processes, Masquerading - Rename System Utilities 2026-05-13
Windows Steal Authentication Certificates - ESC1 Abuse Windows Event Log Security 4886, Windows Event Log Security 4887 T1649 TTP Windows Certificate Services 2026-05-13
Linux Gdrive Binary Activity Sysmon for Linux EventID 1 T1567 TTP China-Nexus Threat Activity 2026-05-13
Windows Detect Network Scanner Behavior Sysmon EventID 3 T1595.001 T1595.002 Anomaly Windows Discovery Techniques, Network Discovery 2026-05-13
Windows Execution of Microsoft MSC File In Suspicious Path Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.014 Anomaly XML Runner Loader 2026-05-13
Windows RDP Server Registry Deletion Sysmon EventID 13, Sysmon EventID 12 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Modify Registry Disable RDP Sysmon EventID 13 T1112 Anomaly ShrinkLocker, Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Post Exploitation Risk Behavior T1003 T1012 T1016 T1049 T1069 T1082 T1115 T1552 Correlation Windows Post-Exploitation 2026-05-13
Windows Unusual SysWOW64 Process Run System32 Executable Windows Event Log Security 4688, Sysmon EventID 1 T1036.009 Anomaly China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon 2026-05-13
Windows Modify Registry Auto Update Notif Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Revil Common Exec Parameter Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1204 TTP Ransomware, Revil Ransomware 2026-05-13
Windows RDP Cache File Deletion Sysmon EventID 26, Sysmon EventID 23 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Linux Iptables Firewall Modification Sysmon for Linux EventID 1 T1686 Anomaly China-Nexus Threat Activity, Sandworm Tools, Cyclops Blink, Backdoor Pingpong 2026-05-13
Windows Network Share Interaction Via Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1039 T1135 Hunting Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery 2026-05-13
Detect Regsvcs with No Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.009 TTP Living Off The Land, Suspicious Regsvcs Regasm Activity 2026-05-13
XSL Script Execution With WMIC Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1220 TTP Suspicious WMI Use, FIN7 2026-05-13
Windows Symlink Evaluation Change via Fsutil Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1222.001 Anomaly Windows Post-Exploitation 2026-05-13
GetLocalUser with PowerShell Script Block Powershell Script Block Logging 4104 T1059.001 T1087.001 Hunting Active Directory Discovery, Malicious PowerShell 2026-05-13
Windows Audit Policy Disabled via Legacy Auditpol Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Windows Ingress Tool Transfer Using Explorer Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1105 Anomaly DarkCrystal RAT 2026-05-13
Powershell Remove Windows Defender Directory Powershell Script Block Logging 4104 T1685 Anomaly WhisperGate, Data Destruction 2026-06-29
MacOS Account Created Osquery Results T1136 Anomaly MacOS Persistence Techniques 2026-05-13
ServicePrincipalNames Discovery with PowerShell Powershell Script Block Logging 4104 T1558.003 TTP Active Directory Kerberos Attacks, Malicious PowerShell, Active Directory Privilege Escalation, Active Directory Discovery, Hellcat Ransomware 2026-05-13
Windows Multiple Accounts Disabled Windows Event Log Security 4725 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Windows Proxy Via Registry Sysmon EventID 13 T1090.001 Anomaly Volt Typhoon 2026-05-13
Windows BitLocker Suspicious Command Usage Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1486 T1490 TTP ShrinkLocker 2026-05-13
Windows RDP Connection Successful Windows Event Log RemoteConnectionManager 1149 T1563.002 Hunting Interlock Ransomware, Windows RDP Artifacts and Defense Evasion, NetSupport RMM Tool Abuse, Active Directory Lateral Movement, BlackByte Ransomware 2026-05-13
Windows SymbolicLink-Testing-Tools Utility Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1222 T1564.004 TTP Windows Persistence Techniques, Windows Post-Exploitation, Windows Privilege Escalation 2026-05-13
Windows Impair Defenses Disable Win Defender Auto Logging Sysmon EventID 13 T1685 Anomaly Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows Root Domain linked policies Discovery Powershell Script Block Logging 4104 T1087.002 Anomaly Active Directory Discovery, Data Destruction, Industroyer2 2026-05-13
Windows Impair Defense Disable Web Evaluation Sysmon EventID 13 T1685 TTP Salat Stealer, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-06-08
Detect Remote Access Software Usage FileInfo Sysmon EventID 1 T1219 Anomaly Command And Control, Interlock Ransomware, Ransomware, Gozi Malware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat 2026-05-13
Windows Universal Data Link File Creation Sysmon EventID 11 T1204.002 T1566.001 Anomaly Spearphishing Attachments 2026-05-13
Windows Indirect Command Execution Via Series Of Forfiles Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1202 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows Defender ASR Block Events Windows Event Log Defender 1126, Windows Event Log Defender 1133, Windows Event Log Defender 1129, Windows Event Log Defender 1121, Windows Event Log Defender 1131 T1059 T1566.001 T1566.002 Anomaly Windows Attack Surface Reduction 2026-05-13
Allow Inbound Traffic In Firewall Rule Powershell Script Block Logging 4104 T1021.001 TTP NetSupport RMM Tool Abuse, Prohibited Traffic Allowed or Protocol Mismatch 2026-05-13
Kerberos TGT Request Using RC4 Encryption Windows Event Log Security 4768 T1550 TTP Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters 2026-05-13
Windows Privilege Escalation Suspicious Process Elevation Sysmon EventID 1 T1068 T1134 T1548 TTP BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation 2026-05-13
Windows Command Obfuscation with Environment Variable Substrings Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1027.010 Anomaly Malicious PowerShell 2026-05-13
Linux Data Destruction Command Sysmon for Linux EventID 1 T1485 TTP AwfulShred, Data Destruction 2026-05-13
Kerberoasting spn request with RC4 encryption Windows Event Log Security 4769 T1558.003 TTP Active Directory Kerberos Attacks, Data Destruction, Hermetic Wiper, Windows Privilege Escalation, Compromised Windows Host 2026-05-13
Windows Alternate DataStream - Base64 Content Sysmon EventID 15 T1564.004 TTP APT37 Rustonotto and FadeStealer, Windows Defense Evasion Tactics 2026-05-13
Windows Service Stop Win Updates Windows Event Log System 7040 T1489 Anomaly RedLine Stealer, CISA AA23-347A 2026-05-13
MacOS Data Chunking Osquery Results T1030 Anomaly MacOS Post-Exploitation 2026-05-13
Windows Create Local Account Windows Event Log Security 4720 T1136.001 Anomaly Scattered Lapsus$ Hunters, Active Directory Password Spraying, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Create Remote Thread into LSASS Sysmon EventID 8 T1003.001 TTP Credential Dumping, BlackSuit Ransomware, Lokibot 2026-06-29
Windows WBAdmin File Recovery From Backup Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1490 T1565.001 Anomaly Credential Dumping 2026-05-13
FodHelper UAC Bypass Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1112 T1548.002 TTP BlankGrabber Stealer, IcedID, Compromised Windows Host, ValleyRAT, Windows Defense Evasion Tactics 2026-05-13
Windows PowerShell Disable HTTP Logging Powershell Script Block Logging 4104 T1505.004 T1685.001 TTP IIS Components, Windows Defense Evasion Tactics 2026-05-13
Windows ClipBoard Data via Get-ClipBoard Powershell Script Block Logging 4104 T1115 Anomaly Prestige Ransomware, BlankGrabber Stealer, Windows Post-Exploitation 2026-06-29
Windows Spearphishing Attachment Onenote Spawn Mshta Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1566.001 TTP Spearphishing Attachments, Compromised Windows Host, APT37 Rustonotto and FadeStealer, AsyncRAT 2026-05-13
WinEvent Scheduled Task Created Within Public Path Windows Event Log Security 4698 T1053.005 TTP Quasar RAT, Ransomware, Scheduled Tasks, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, XWorm, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, Winter Vivern, Castle RAT, Medusa Ransomware, Malicious Inno Setup Loader, Active Directory Lateral Movement, Salt Typhoon, CISA AA23-347A, IcedID, Industroyer2, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT 2026-05-13
Remote Desktop Process Running On System Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.001 Hunting Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, Hidden Cobra Malware 2026-05-13
MacOS Kextload Usage Osquery Results T1543 TTP MacOS Persistence Techniques, MacOS Privilege Escalation 2026-05-13
Windows MpCmdRun RemoveDefinitions Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Anomaly BlankGrabber Stealer 2026-05-13
Windows Scheduled Task Service Spawned Shell CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 T1059 TTP Windows Persistence Techniques 2026-05-13
Windows Modify Registry Disable Windows Security Center Notif Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2026-05-13
Windows Computer Account Requesting Kerberos Ticket Windows Event Log Security 4768 T1558 TTP Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks 2026-05-13
Rundll32 LockWorkStation Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 Anomaly Ransomware 2026-05-13
Anomalous usage of 7zip Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1560.001 Anomaly Cobalt Strike, BlackByte Ransomware, BlackSuit Ransomware, NOBELIUM Group, Graceful Wipe Out Attack 2026-05-13
Get-ForestTrust with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1482 TTP Active Directory Discovery 2026-05-13
Windows Processes Killed By Industroyer2 Malware Sysmon EventID 5 T1489 Anomaly Data Destruction, Industroyer2 2026-05-13
Unusual Number of Computer Service Tickets Requested Windows Event Log Security 4769 T1078 Hunting Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Windows Suspicious C2 Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 TTP Cobalt Strike, BlackByte Ransomware, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, Storm-0501 Ransomware, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
GetAdComputer with PowerShell Script Block Powershell Script Block Logging 4104 T1018 Hunting Active Directory Discovery, Gozi Malware, Medusa Ransomware, CISA AA22-320A 2026-05-13
Hunting 3CXDesktopApp Software Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1195.002 Hunting 3CX Supply Chain Attack 2026-05-13
Windows Disable or Stop Browser Process Sysmon EventID 1 T1685 TTP BlankGrabber Stealer, Phantom Stealer, Braodo Stealer, Scattered Lapsus$ Hunters, Salat Stealer, Hellcat Ransomware, Castle RAT 2026-06-25
Windows Suspicious QEMU Execution Sysmon EventID 1 T1001 T1036 T1204.002 T1564.006 TTP Linux Post-Exploitation, Linux Privilege Escalation, Compromised Linux Host, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Rootkit 2026-05-13
Process Writing DynamicWrapperX Sysmon EventID 11 T1059 T1559.001 Hunting Remcos 2026-05-13
Cisco Isovalent - Kprobe Spike Cisco Isovalent Process Kprobe T1068 Hunting Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows Admin Password Changed by Non-Admin Windows Event Log Security 4723 T1068 T1543.003 TTP BlueHammer, Windows Privilege Escalation 2026-04-27
Windows Certutil Root Certificate Addition Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1587.003 TTP Secret Blizzard 2026-05-13
Short Lived Windows Accounts Windows Event Log System 4726, Windows Event Log System 4720 T1078.003 T1136.001 TTP Active Directory Lateral Movement, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows MSI Rollback Script Deleted By Non-Msiexec Process Sysmon EventID 23 T1068 T1218.007 TTP Windows Privilege Escalation 2026-05-13
Remote Process Instantiation via DCOM and PowerShell Script Block Powershell Script Block Logging 4104 T1021.003 TTP Active Directory Lateral Movement 2026-05-13
Add DefaultUser And Password In Registry Sysmon EventID 13, Sysmon EventID 12 T1552.002 Anomaly BlackMatter Ransomware 2026-05-13
Scheduled Task Initiation on Remote Endpoint Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP Medusa Ransomware, Scheduled Tasks, Living Off The Land, Seashell Blizzard, Active Directory Lateral Movement 2026-05-13
Windows NirSoft AdvancedRun Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1588.002 TTP WhisperGate, Ransomware, Data Destruction, Unusual Processes 2026-05-13
Exchange PowerShell Module Usage Powershell Script Block Logging 4104 T1059.001 TTP CISA AA22-277A, ProxyShell, CISA AA22-264A, ProxyNotShell, Scattered Spider, BlackByte Ransomware 2026-05-13
Windows CAB File on Disk Sysmon EventID 11 T1566.001 Anomaly DarkGate Malware, APT37 Rustonotto and FadeStealer 2026-05-13
Windows PaperCut NG Spawn Shell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 T1133 T1190 TTP PaperCut MF NG Vulnerability, Compromised Windows Host 2026-05-13
Windows Private Keys Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1552.004 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows Phishing PDF File Executes URL Link Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1566.001 Anomaly Spearphishing Attachments, MuddyWater, Snake Keylogger 2026-05-13
Windows Hijack Execution Flow Version Dll Side Load Sysmon EventID 7 T1574.001 Anomaly Brute Ratel C4, Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation, XWorm 2026-05-13
PowerShell PInvoke Process Injection API Chain Powershell Script Block Logging 4104 T1055.001 T1055.003 T1055.004 T1055.012 T1055.013 T1059.001 T1620 TTP Phantom Stealer, VIP Keylogger 2026-06-25
Loading Of Dynwrapx Module Sysmon EventID 7 T1055.001 TTP Remcos, AsyncRAT 2026-05-13
Windows WMI Process Call Create Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1047 Hunting CISA AA23-347A, IcedID, Qakbot, Volt Typhoon, Cactus Ransomware, Suspicious WMI Use 2026-05-13
Windows ConHost with Headless Argument Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1564.003 T1564.006 TTP Spearphishing Attachments, Compromised Windows Host 2026-05-13
Shim Database Installation With Suspicious Parameters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1546.011 TTP Windows Persistence Techniques, Compromised Windows Host 2026-05-13
Windows Alternate DataStream - Executable Content Sysmon EventID 15 T1564.004 TTP Windows Defense Evasion Tactics 2026-05-13
PowerShell Environment Variable Execution Powershell Script Block Logging 4104 T1059.001 Anomaly VIP Keylogger 2026-06-29
Windows Modify Registry No Auto Reboot With Logon User Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Windows Unusual FileZilla XML Config Access Windows Event Log Security 4663 T1552.001 Anomaly Quasar RAT, Phantom Stealer 2026-06-25
Rundll32 Process Creating Exe Dll Files Sysmon EventID 11 T1218.011 TTP IcedID, Gh0st RAT, Living Off The Land 2026-05-13
Overwriting Accessibility Binaries Sysmon EventID 11 T1546.008 TTP Flax Typhoon, Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Suspicious PlistBuddy Usage via OSquery Osquery Results T1543.001 TTP Silver Sparrow 2026-05-13
Windows Create Local Administrator Account Via Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1136.001 Anomaly CISA AA24-241A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, DHS Report TA18-074A, Azorult, DarkGate Malware, Scattered Lapsus$ Hunters, CISA AA22-257A 2026-05-13
Schedule Task with HTTP Command Arguments Windows Event Log Security 4698 T1053 TTP Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Hellcat Ransomware, Winter Vivern 2026-05-13
Windows Raw Access To Master Boot Record Drive Sysmon EventID 9 T1561.002 TTP WhisperGate, Data Destruction, BlackByte Ransomware, Disk Wiper, Void Manticore, Hermetic Wiper, CISA AA22-264A, Caddy Wiper, Graceful Wipe Out Attack, PathWiper, NjRAT 2026-05-13
Ryuk Wake on LAN Command Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.003 TTP Ryuk Ransomware, Hellcat Ransomware, Compromised Windows Host 2026-05-13
Windows IIS Components New Module Added Windows IIS 29 T1505.004 TTP IIS Components, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows Masquerading Msdtc Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036 TTP Compromised Windows Host, PlugX 2026-05-13
Windows Access Token Manipulation Winlogon Duplicate Token Handle Sysmon EventID 10 T1134.001 Hunting Brute Ratel C4 2026-05-13
Windows Modify Registry Auto Minor Updates Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
Windows MOF Event Triggered Execution via WMI Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1546.003 TTP Compromised Windows Host, Living Off The Land 2026-05-13
Windows RMM Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 Anomaly Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat 2026-05-13
High Frequency Copy Of Files In Network Share Windows Event Log Security 5145 T1537 Anomaly Hellcat Ransomware, Information Sabotage, Insider Threat 2026-05-13
Windows SoftEther VPN Masquerading as Legitimate Binary Sysmon EventID 1 T1036 T1572 TTP Flax Typhoon, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
MacOS List Firewall Rules Osquery Results T1016 Anomaly Network Discovery 2026-05-13
Detect AzureHound File Modifications Sysmon EventID 11 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Windows Discovery Techniques 2026-05-13
Windows Process Commandline Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1057 Hunting CISA AA23-347A 2026-05-13
Bcdedit Command Back To Normal Mode Boot Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1490 TTP Black Basta Ransomware, BlackMatter Ransomware 2026-05-13
GetWmiObject Ds Computer with PowerShell Script Block Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2026-05-13
Windows Modify Registry Default Icon Setting Sysmon EventID 13 T1112 Anomaly LockBit Ransomware 2026-05-13
Windows Snake Malware Registry Modification wav OpenWithProgIds Sysmon EventID 13 T1112 TTP Snake Malware 2026-05-13
Disabling CMD Application Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics 2026-05-13
Windows TinyCC Shellcode Execution Windows Event Log Security 4688, Sysmon EventID 1 T1027 T1036 T1059.003 TTP Lotus Blossom Chrysalis Backdoor 2026-05-13
Suspicious Computer Account Name Change Windows Event Log Security 4781 T1078.002 TTP sAMAccountName Spoofing and Domain Controller Impersonation, Scattered Lapsus$ Hunters, Compromised Windows Host, Active Directory Privilege Escalation 2026-05-13
Windows InstallUtil Credential Theft Sysmon EventID 7 T1218.004 TTP Signed Binary Proxy Execution InstallUtil 2026-05-13
Windows AD Abnormal Object Access Activity Windows Event Log Security 4662 T1087.002 Anomaly Active Directory Discovery, BlackSuit Ransomware 2026-05-13
Linux Clipboard Data Copy Sysmon for Linux EventID 1 T1115 Anomaly Linux Living Off The Land 2026-05-13
Cisco Isovalent - Late Process Execution Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Executables Or Script Creation In Suspicious Path Sysmon EventID 11 T1036 Anomaly Quasar RAT, AcidPour, Swift Slicer, Qakbot, Lokibot, SesameOp, Snake Keylogger, Remcos, SystemBC, Brute Ratel C4, WinDealer RAT, BlackByte Ransomware, Graceful Wipe Out Attack, NjRAT, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, LockBit Ransomware, Handala Wiper, AsyncRAT, Void Manticore, Earth Alux, Rhysida Ransomware, RedLine Stealer, DarkGate Malware, DarkCrystal RAT, Derusbi, DynoWiper, Meduza Stealer, Warzone RAT, Castle RAT, WhisperGate, XMRig, AgentTesla, Trickbot, GhostRedirector IIS Module and Rungan Backdoor, VIP Keylogger, Phantom Stealer, Hermetic Wiper, Azorult, Cactus Ransomware, Interlock Rat, Chaos Ransomware, Salt Typhoon, PromptLock, MoonPeak, CISA AA23-347A, IcedID, Amadey, Volt Typhoon, Double Zero Destructor, Crypto Stealer, PlugX, Industroyer2, China-Nexus Threat Activity, XML Runner Loader, NailaoLocker Ransomware, SnappyBee, ValleyRAT 2026-06-25
Schedule Task with Rundll32 Command Trigger Windows Event Log Security 4698 T1053 TTP Trickbot, IcedID, Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Castle RAT 2026-05-13
Windows AD Dangerous Deny ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows USBSTOR Registry Key Modification Sysmon EventID 13, Sysmon EventID 12 T1025 T1091 T1200 Anomaly Data Protection, APT37 Rustonotto and FadeStealer 2026-05-13
Crowdstrike User Weak Password Policy T1110 Anomaly Compromised Windows Host 2026-05-13
Cisco Isovalent - Curl Execution With Insecure Flags Cisco Isovalent Process Exec T1105 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Powershell COM Hijacking InprocServer32 Modification Powershell Script Block Logging 4104 T1059.001 T1546.015 TTP Malicious PowerShell 2026-05-13
Linux APT Privilege Escalation Cisco Isovalent Process Exec, Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Modify Show Compress Color And Info Tip Registry Sysmon EventID 13 T1112 TTP Data Destruction, Hermetic Wiper, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Suspicious Ticket Granting Ticket Request Windows Event Log Security 4768, Windows Event Log Security 4781 T1078.002 Hunting sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2026-05-13
MS Scripting Process Loading WMI Module Sysmon EventID 7 T1059.007 Anomaly FIN7 2026-05-13
Monitor Registry Keys for Print Monitors Sysmon EventID 13 T1547.010 TTP Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Persistence Techniques 2026-05-13
Windows System Network Connections Discovery Netsh Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1049 Anomaly BlankGrabber Stealer, VIP Keylogger, Phantom Stealer, Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation 2026-06-25
Detect RClone Command-Line Usage Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1020 TTP Black Basta Ransomware, Cisco Network Visibility Module Analytics, Ransomware, DarkSide Ransomware, Cactus Ransomware, Hellcat Ransomware, Storm-0501 Ransomware 2026-05-13
Get DomainPolicy with Powershell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1201 TTP Active Directory Discovery 2026-05-13
Suspicious Linux Discovery Commands Sysmon for Linux EventID 1 T1059.004 TTP Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows Disable Notification Center Sysmon EventID 13 T1112 Anomaly Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows Phishing Outlook Drop Dll In FORM Dir Sysmon EventID 1, Sysmon EventID 11 T1566 TTP Outlook RCE CVE-2024-21378 2026-05-13
Windows Impair Defenses Disable Auto Logger Session Sysmon EventID 13 T1685 Anomaly Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Batch File Write to System32 Sysmon EventID 11 T1204.002 TTP SamSam Ransomware, Compromised Windows Host 2026-05-13
Detect Use of cmd exe to Launch Script Interpreters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.003 Anomaly Emotet Malware DHS Report TA18-201A, Azorult, Suspicious Command-Line Executions 2026-05-13
Windows Deleted Registry By A Non Critical Process File Path Sysmon EventID 1, Sysmon EventID 12 T1112 Anomaly Data Destruction, Double Zero Destructor 2026-05-13
Linux Auditd Dd File Overwrite Linux Auditd Proctitle T1485 TTP Data Destruction, Compromised Linux Host, Industroyer2 2026-05-13
CSC Net On The Fly Compilation Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1027.004 Hunting Windows Defense Evasion Tactics 2026-05-13
Process Kill Base On File Path Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 TTP XMRig 2026-05-13
Windows AD Domain Controller Audit Policy Disabled Windows Event Log Security 4719 T1685 TTP Windows Audit Policy Tampering 2026-05-13
Get WMIObject Group Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.001 Hunting Active Directory Discovery 2026-05-13
Windows DotNet Binary in Non Standard Path Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.003 T1218.004 TTP WhisperGate, Data Destruction, Signed Binary Proxy Execution InstallUtil, Ransomware, Unusual Processes, Masquerading - Rename System Utilities 2026-05-13
Windows BitDefender Submission Wizard DLL Sideloading Sysmon EventID 7 T1574 TTP Lotus Blossom Chrysalis Backdoor 2026-05-13
Windows Credentials from Password Stores Chrome LocalState Access Windows Event Log Security 4663 T1012 Anomaly Quasar RAT, Lokibot, Braodo Stealer, Snake Keylogger, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, Earth Alux, RedLine Stealer, DarkGate Malware, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Warzone RAT, Phantom Stealer, VIP Keylogger, PXA Stealer, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, Amadey, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee 2026-06-25
Detect Certify Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1105 T1649 TTP Ingress Tool Transfer, Windows Certificate Services, Compromised Windows Host 2026-05-13
Windows ESX Admins Group Creation via PowerShell Powershell Script Block Logging 4104 T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2026-05-13
Disable Windows Behavior Monitoring Sysmon EventID 13 T1685 TTP Black Basta Ransomware, BlankGrabber Stealer, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, Ransomware, RedLine Stealer, Storm-0501 Ransomware, Azorult, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters, Cactus Ransomware, Salat Stealer, Revil Ransomware, Windows Defense Evasion Tactics 2026-06-08
Windows Hide Notification Features Through Registry Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Credentials from Password Stores Chrome Login Data Access Windows Event Log Security 4663 T1012 Anomaly Quasar RAT, Lokibot, Braodo Stealer, Snake Keylogger, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, Earth Alux, RedLine Stealer, DarkGate Malware, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Warzone RAT, Phantom Stealer, VIP Keylogger, PXA Stealer, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, Amadey, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee 2026-07-08
Suspicious Curl Network Connection Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1 T1105 TTP GhostRedirector IIS Module and Rungan Backdoor, Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow, Hellcat Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Metasploit Confluence Plugin Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1190 T1505.003 T1608 TTP Confluence Data Center and Confluence Server Vulnerabilities 2026-05-13
Windows File Download Via PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1059.001 T1105 Anomaly SolarWinds WHD RCE Post Exploitation, NPM Supply Chain Compromise, HAFNIUM Group, Phemedrone Stealer, Data Destruction, XWorm, NetSupport RMM Tool Abuse, StealC Stealer, Winter Vivern, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Cisco Network Visibility Module Analytics, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Ingress Tool Transfer, Hermetic Wiper, SysAid On-Prem Software CVE-2023-47246 Vulnerability, IcedID, Tuoni, APT37 Rustonotto and FadeStealer 2026-05-13
Windows PuTTY Suite Utility Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.004 Anomaly Command And Control, Active Directory Lateral Movement 2026-05-13
Windows User Deletion Via Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1531 Anomaly XMRig, Graceful Wipe Out Attack, DarkGate Malware 2026-05-13
Windows Service Execution RemCom Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1569.002 TTP Active Directory Discovery 2026-05-13
Windows Application Whitelisting Bypass Attempt via Rundll32 Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 TTP Compromised Windows Host, Suspicious Rundll32 Activity, Living Off The Land 2026-05-13
Windows Excessive Disabled Services Event Windows Event Log System 7040 T1685 TTP Compromised Windows Host, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows LOLBAS Executed Outside Expected Path Windows Event Log Security 4688, Sysmon EventID 1 T1036.005 T1218.011 Anomaly Masquerading - Rename System Utilities, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Windows Cloud Files Filter Loaded by Uncommon Process Sysmon EventID 7 T1543.003 Anomaly RedSun, BlueHammer 2026-05-18
Windows Powershell Logoff User via Quser Powershell Script Block Logging 4104 T1059.001 T1531 Anomaly Crypto Stealer 2026-06-29
CMD Carry Out String Command Parameter Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.003 Hunting Quasar RAT, Qakbot, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, Data Destruction, AsyncRAT, Rhysida Ransomware, RedLine Stealer, DarkGate Malware, DarkCrystal RAT, StealC Stealer, Warzone RAT, Winter Vivern, WhisperGate, Gh0st RAT, Hermetic Wiper, Azorult, ProxyNotShell, Malicious Inno Setup Loader, Interlock Rat, Chaos Ransomware, CISA AA23-347A, IcedID, Crypto Stealer, PlugX, 0bj3ctivity Stealer 2026-05-13
Linux High Frequency Of File Deletion In Etc Folder Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly Data Destruction, AcidRain 2026-05-13
Windows Powershell History File Deletion Powershell Script Block Logging 4104 T1059.003 T1070.003 Anomaly Medusa Ransomware 2026-05-13
Remote Process Instantiation via WinRM and PowerShell Script Block Powershell Script Block Logging 4104 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Linux At Allow Config File Creation Sysmon for Linux EventID 11 T1053.003 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Attacker Tools On Endpoint Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1003 T1036.005 T1595 TTP XMRig, SamSam Ransomware, PHP-CGI RCE Attack on Japanese Organizations, Cisco Network Visibility Module Analytics, Unusual Processes, CISA AA22-264A, Compromised Windows Host, Scattered Spider 2026-07-01
Domain Account Discovery with Dsquery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1087.002 Anomaly Active Directory Discovery, LAMEHUG 2026-05-13
Windows Software Discovery Via PowerShell Powershell Script Block Logging 4104 T1012 T1059.001 T1518 Anomaly Windows Discovery Techniques 2026-05-13
Windows Office Product Dropped Uncommon File Sysmon EventID 1, Sysmon EventID 11 T1566.001 Anomaly AgentTesla, FIN7, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, PlugX, Warzone RAT 2026-05-13
Windows Account Discovery for None Disable User Account Powershell Script Block Logging 4104 T1087.001 Hunting CISA AA23-347A 2026-05-13
Icacls Deny Command Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1222 Anomaly XMRig, Sandworm Tools, Defense Evasion or Unauthorized Access Via SDDL Tampering, Azorult, Compromised Windows Host, Crypto Stealer 2026-05-13
Msmpeng Application DLL Side Loading Sysmon EventID 11 T1574.001 TTP Ransomware, Revil Ransomware 2026-05-13
Windows Privilege Escalation User Process Spawn System Process Sysmon EventID 1 T1068 T1134 T1548 TTP BlackSuit Ransomware, Compromised Windows Host, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation 2026-05-13
Windows MsiExec HideWindow Rundll32 Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.007 TTP Water Gamayun, Qakbot 2026-05-13
Windows Raw Access To Disk Volume Partition Sysmon EventID 9 T1561.002 Anomaly Data Destruction, BlackByte Ransomware, Disk Wiper, Void Manticore, Hermetic Wiper, CISA AA22-264A, Caddy Wiper, Graceful Wipe Out Attack, PathWiper, NjRAT 2026-05-13
Windows Credentials from Password Stores Chrome Copied in TEMP Dir Sysmon EventID 11 T1555.003 TTP Braodo Stealer, Phantom Stealer, BlankGrabber Stealer, Scattered Lapsus$ Hunters 2026-06-25
Windows AD DSRM Password Reset Windows Event Log Security 4794 T1098 TTP Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters 2026-05-13
Windows AppX Deployment Unsigned Package Installation Windows Event Log AppXDeployment-Server 855 T1204.002 T1553.005 TTP MSIX Package Abuse 2026-05-13
GetDomainComputer with PowerShell Script Block Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2026-05-13
Windows AD GPO New CSE Addition Windows Event Log Security 5136 T1222.001 T1484.001 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
IcedID Exfiltrated Archived File Creation Sysmon EventID 11 T1560.001 Hunting IcedID, APT37 Rustonotto and FadeStealer 2026-05-13
Remote Process Instantiation via WMI and PowerShell Script Block Powershell Script Block Logging 4104 T1047 TTP Active Directory Lateral Movement 2026-05-13
Windows WMI Reconnaissance Class Query Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1047 Anomaly BlankGrabber Stealer 2026-05-13
MS Scripting Process Loading Ldap Module Sysmon EventID 7 T1059.007 Anomaly FIN7 2026-05-13
Windows PowGoop Beacon Decoding CrowdStrike ProcessRollup2, Sysmon EventID 1 T1001 T1059.001 TTP Compromised Windows Host 2026-05-13
Detect Excessive Account Lockouts From Endpoint T1078.002 Anomaly Active Directory Password Spraying 2026-05-13
Linux GDB Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Audit Policy Security Descriptor Tampering via Auditpol Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Suspicious IcedID Rundll32 Cmdline Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.011 TTP IcedID, Living Off The Land 2026-05-13
Windows Parent PID Spoofing with Explorer Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1134.004 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Windows PowerShell MSIX Package Installation Powershell Script Block Logging 4104 T1059.001 T1547.001 TTP Malicious PowerShell, MSIX Package Abuse 2026-05-13
Linux Hardware Addition SwapOff Sysmon for Linux EventID 1 T1200 Anomaly AwfulShred, Data Destruction, Scattered Lapsus$ Hunters 2026-05-13
Windows Debugger Tool Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036 Hunting DarkGate Malware, PlugX 2026-05-13
First Time Seen Child Process of Zoom Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 Anomaly Suspicious Zoom Child Processes 2026-05-13
Scheduled Task Deleted Or Created via CMD Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 Anomaly Quasar RAT, SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Living Off The Land, Lokibot, Prestige Ransomware, NOBELIUM Group, Remcos, CISA AA22-257A, Phemedrone Stealer, NjRAT, AsyncRAT, Rhysida Ransomware, RedLine Stealer, XWorm, DarkCrystal RAT, Windows Persistence Techniques, NetSupport RMM Tool Abuse, Winter Vivern, ShrinkLocker, AgentTesla, CISA AA24-241A, Trickbot, Medusa Ransomware, DHS Report TA18-074A, Azorult, Scattered Spider, Salt Typhoon, MoonPeak, CISA AA23-347A, Amadey, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT 2026-05-13
Windows AppLocker Block Events T1218 Anomaly Windows AppLocker 2026-05-13
Windows Raccine Scheduled Task Deletion Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 TTP Ransomware, Compromised Windows Host 2026-05-13
Windows App Layer Protocol Qakbot NamedPipe Sysmon EventID 17, Sysmon EventID 18 T1071 Anomaly Qakbot 2026-05-13
Windows File Collection Via Copy Utilities Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1119 Anomaly LAMEHUG 2026-05-13
Windows Access Token Manipulation SeDebugPrivilege Windows Event Log Security 4703 T1134.002 Anomaly Lokibot, Salat Stealer, Brute Ratel C4, WinDealer RAT, AsyncRAT, DarkGate Malware, Derusbi, Scattered Lapsus$ Hunters, Meduza Stealer, Gh0st RAT, GhostRedirector IIS Module and Rungan Backdoor, PathWiper, Salt Typhoon, CISA AA23-347A, Tuoni, PlugX, China-Nexus Threat Activity, SnappyBee, ValleyRAT 2026-06-08
Registry Keys for Creating SHIM Databases Sysmon EventID 13 T1546.011 TTP Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Persistence Techniques 2026-05-13
Unusual Number of Remote Endpoint Authentication Events Windows Event Log Security 4624 T1078 Hunting Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Prevent Automatic Repair Mode using Bcdedit Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1490 TTP Chaos Ransomware, Ransomware, Void Manticore 2026-05-13
Windows Unsigned DLL Side-Loading Sysmon EventID 7 T1574.001 Anomaly Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Earth Alux, Derusbi, China-Nexus Threat Activity, Warzone RAT, NjRAT 2026-05-13
Windows SQL Spawning CertUtil Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1105 TTP Flax Typhoon, SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Windows Short Lived DNS Record Windows Event Log Security 5137, Windows Event Log Security 5136 T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic 2026-05-13
Windows Disable Windows Group Policy Features Through Registry Sysmon EventID 13 T1112 Anomaly Ransomware, CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Server Software Component GACUtil Install to GAC Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1505.004 TTP IIS Components 2026-05-13
Script Execution via WMI Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1047 TTP Suspicious WMI Use, Scattered Spider 2026-05-13
Windows Suspect Process With Authentication Traffic Sysmon EventID 3 T1087.002 T1204.002 Anomaly Active Directory Discovery 2026-05-13
Disable Defender MpEngine Registry Sysmon EventID 13 T1685 TTP IcedID, Windows Registry Abuse 2026-05-13
DLLHost with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 T1055 TTP Cobalt Strike, BlackByte Ransomware, Storm-2460 CLFS Zero Day Exploitation, Earth Alux, Cactus Ransomware, Graceful Wipe Out Attack 2026-05-13
Linux Auditd Add User Account Type Linux Auditd Add User T1136.001 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Non-System Process Querying Definition Update Sysmon EventID 22 T1068 T1071.001 Anomaly RedSun, BlueHammer, Windows Privilege Escalation 2026-04-27
Windows WMI Impersonate Token Sysmon EventID 10 T1047 Anomaly Water Gamayun, Qakbot 2026-05-13
Windows Set Account Password Policy To Unlimited Via Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1489 Anomaly Crypto Stealer, Ransomware, XMRig, BlackByte Ransomware 2026-05-13
Randomly Generated Windows Service Name Windows Event Log System 7045 T1543.003 Hunting BlackSuit Ransomware, Active Directory Lateral Movement 2026-05-13
Windows Firewall Rule Added Windows Event Log Security 4946 T1686 Anomaly ShrinkLocker, NetSupport RMM Tool Abuse, Medusa Ransomware, Salat Stealer 2026-06-08
Disabling NoRun Windows App Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Default Group Policy Object Modified Windows Event Log Security 5136 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
WinEvent Windows Task Scheduler Event Action Started Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200 T1053.005 Hunting SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, DarkCrystal RAT, Windows Persistence Techniques, Winter Vivern, BlackSuit Ransomware, CISA AA24-241A, Malicious Inno Setup Loader, IcedID, Amadey, Industroyer2, PlugX, ValleyRAT 2026-05-13
Malicious PowerShell Process With Obfuscation Techniques Sysmon EventID 1 T1059.001 TTP Malicious PowerShell, Data Destruction, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Hellcat Ransomware 2026-05-13
Windows Masquerading Explorer As Child Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1574.001 TTP Water Gamayun, Compromised Windows Host, Qakbot 2026-05-13
Linux High Frequency Of File Deletion In Boot Folder Sysmon for Linux EventID 11 T1070.004 T1485 TTP AcidPour, Data Destruction, Industroyer2 2026-05-13
Windows System Discovery Using Qwinsta Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1033 Hunting Qakbot 2026-05-13
UAC Bypass With Colorui COM Object Sysmon EventID 7 T1218.003 TTP Ransomware, LockBit Ransomware 2026-05-13
Linux Sqlite3 Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Wmic NonInteractive App Uninstallation Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Hunting IcedID, Azorult 2026-05-13
MSI Module Loaded by Non-System Binary Sysmon EventID 7 T1574.001 Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Linux Ingress Tool Transfer with Curl Sysmon for Linux EventID 1 T1105 Anomaly XorDDos, Ingress Tool Transfer, Linux Living Off The Land, NPM Supply Chain Compromise 2026-05-13
Windows WinDBG Spawning AutoIt3 Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059 TTP DarkGate Malware, Compromised Windows Host 2026-05-13
GPUpdate with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, Compromised Windows Host, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Get ADUser with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1087.002 Hunting Active Directory Discovery, CISA AA23-347A 2026-05-13
Headless Browser Usage Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497 T1564.003 Anomaly Phantom Stealer, Browser Hijacking, Forest Blizzard 2026-06-25
Detect Regasm with no Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.009 TTP Void Manticore, Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity 2026-05-13
Windows Modify Registry Disabling WER Settings Sysmon EventID 13 T1112 TTP Azorult, CISA AA23-347A 2026-05-13
Windows Protocol Tunneling with Plink Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.004 T1572 TTP CISA AA22-257A 2026-05-13
Spoolsv Suspicious Loaded Modules Sysmon EventID 7 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Windows Snake Malware Service Create Windows Event Log System 7045 T1547.006 T1569.002 TTP Snake Malware, Compromised Windows Host 2026-05-13
Windows Visual Basic Commandline Compiler DNSQuery Sysmon EventID 22 T1071.004 TTP Lokibot 2026-05-13
Windows MOVEit Transfer Writing ASPX Sysmon EventID 11 T1133 T1190 TTP MOVEit Transfer Critical Vulnerability, Hellcat Ransomware 2026-05-13
Network Discovery Using Route Windows App Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1016.001 Hunting CISA AA22-277A, Qakbot, Prestige Ransomware, Windows Post-Exploitation, Active Directory Discovery 2026-05-13
Cisco Isovalent - Pods Running Offensive Tools Cisco Isovalent Process Exec T1204.003 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
PowerShell Start or Stop Service Powershell Script Block Logging 4104 T1059.001 Anomaly Active Directory Lateral Movement, Scattered Lapsus$ Hunters 2026-05-13
Windows PowerShell Process With Malicious String Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 TTP Malicious PowerShell 2026-05-13
Windows Snake Malware Kernel Driver Comadmin Sysmon EventID 11 T1547.006 TTP Snake Malware 2026-05-13
Windows Modify Registry wuStatusServer Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
PowerShell Loading DotNET into Memory via Reflection Powershell Script Block Logging 4104 T1059.001 Anomaly Axios Supply Chain Post Compromise, Malicious PowerShell, Data Destruction, AgentTesla, VIP Keylogger, AsyncRAT, Hermetic Wiper, 0bj3ctivity Stealer, Hellcat Ransomware, Winter Vivern 2026-06-29
Detect SharpHound Command-Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Ransomware, BlackSuit Ransomware, Windows Discovery Techniques 2026-05-13
Windows Multiple Users Remotely Failed To Authenticate From Host Windows Event Log Security 4625 T1110.003 TTP Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows High File Deletion Frequency Sysmon EventID 26, Sysmon EventID 23 T1485 Anomaly WhisperGate, Black Basta Ransomware, Data Destruction, Interlock Ransomware, Handala Wiper, Void Manticore, Medusa Ransomware, Clop Ransomware, Sandworm Tools, Swift Slicer, APT37 Rustonotto and FadeStealer, DarkCrystal RAT, DynoWiper, ZOVWiper, NailaoLocker Ransomware 2026-05-13
Allow Operation with Consent Admin Sysmon EventID 13 T1548 TTP Azorult, Ransomware, MoonPeak, Windows Registry Abuse 2026-05-13
Windows PowerShell Script From WindowsApps Directory Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 T1204.002 TTP Malicious PowerShell, MSIX Package Abuse 2026-05-13
Windows Netspy Network Scanner Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1018 T1595 Anomaly Windows Discovery Techniques, Network Discovery 2026-05-13
Windows Theme File Creation in Unusual Location Sysmon EventID 11 T1021.002 T1187 T1557.001 Anomaly Spearphishing Attachments 2026-05-13
Windows Steal Authentication Certificates CertUtil Backup Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1649 Anomaly Storm-2460 CLFS Zero Day Exploitation, Windows Certificate Services 2026-05-13
Common Ransomware Extensions Sysmon EventID 11 T1485 TTP Black Basta Ransomware, SamSam Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Ransomware, Rhysida Ransomware, Termite Ransomware, Prestige Ransomware, Ryuk Ransomware, NailaoLocker Ransomware 2026-05-13
Shai-Hulud 2 Exfiltration Artifact Files Sysmon for Linux EventID 11, Sysmon EventID 11 T1074.001 T1195.002 T1552.001 TTP NPM Supply Chain Compromise 2026-05-13
Windows AppLocker Rare Application Launch Detection T1218 Hunting Windows AppLocker 2026-05-13
Windows PUA Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 Anomaly SamSam Ransomware, CISA AA22-320A, Medusa Ransomware, IcedID, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, Seashell Blizzard, DarkGate Malware, DarkSide Ransomware, VanHelsing Ransomware, Active Directory Lateral Movement, Volt Typhoon, Cactus Ransomware, BlackByte Ransomware 2026-05-13
Windows Mock Trusted Directory MSC File Creation Sysmon EventID 11 T1218.014 T1548.002 T1574 TTP Windows Persistence Techniques, Windows Privilege Escalation 2026-05-13
Windows Password Managers Discovery Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1555.005 Anomaly Prestige Ransomware, Scattered Spider, Scattered Lapsus$ Hunters, Windows Post-Exploitation 2026-05-13
Windows Chromium Process Loaded Extension via Command-Line Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1185 Anomaly Browser Hijacking 2026-05-13
Powershell Remote Services Add TrustedHost Powershell Script Block Logging 4104 T1021.006 TTP DarkGate Malware 2026-05-13
Remcos RAT File Creation in Remcos Folder Sysmon EventID 11 T1113 TTP Remcos 2026-05-13
Windows Unusual Count Of Users Failed To Auth Using Kerberos Windows Event Log Security 4771 T1110.003 Anomaly Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows Forest Discovery with GetForestDomain Powershell Script Block Logging 4104 T1087.002 TTP Active Directory Discovery 2026-05-13
Windows MMC Loaded Script Engine DLL Sysmon EventID 7 T1620 Anomaly XML Runner Loader 2026-05-13
Microsoft Defender ATP Alerts MS Defender ATP Alerts N/A TTP Critical Alerts 2026-05-13
Windows IIS Components Module Failed to Load Windows Event Log Application 2282 T1505.004 Anomaly IIS Components 2026-05-13
Clear Unallocated Sector Using Cipher App Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1070.004 TTP Ransomware, Scattered Spider, Compromised Windows Host 2026-05-13
Shai-Hulud Workflow File Creation or Modification Sysmon for Linux EventID 11, Sysmon EventID 11 T1195 T1554 T1574.006 TTP NPM Supply Chain Compromise 2026-05-13
Windows Impair Defense Change Win Defender Tracing Level Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Mimikatz Crypto Export File Extensions Sysmon EventID 11 T1649 Anomaly Sandworm Tools, Windows Certificate Services, CISA AA23-347A 2026-05-13
Samsam Test File Write Sysmon EventID 11 T1486 TTP SamSam Ransomware 2026-05-13
Windows Modify Registry Disable Win Defender Raw Write Notif Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2026-05-13
Windows Chromium Browser No Security Sandbox Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497 TTP Phantom Stealer, Malicious Inno Setup Loader 2026-06-25
Windows Steal Authentication Certificates Certificate Request Windows Event Log Security 4886 T1649 Anomaly Windows Certificate Services 2026-05-13
Linux Possible Access To Credential Files Sysmon for Linux EventID 1 T1003.008 Anomaly Linux Privilege Escalation, Salt Typhoon, XorDDos, China-Nexus Threat Activity, Linux Persistence Techniques 2026-05-13
Linux Auditd Stop Services Linux Auditd Service Stop T1489 Hunting AwfulShred, Data Destruction, Compromised Linux Host, Industroyer2 2026-05-13
Windows System Remote Discovery With Query Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1033 Hunting Active Directory Discovery, Medusa Ransomware 2026-05-13
Creation of Shadow Copy with wmic and powershell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.003 TTP Credential Dumping, Volt Typhoon, Compromised Windows Host, Living Off The Land 2026-05-13
Windows Known GraphicalProton Loaded Modules Sysmon EventID 7 T1574.001 Anomaly Water Gamayun, Hellcat Ransomware, CISA AA23-347A 2026-05-13
Headless Browser Mockbin or Mocky Request Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1564.003 TTP GhostRedirector IIS Module and Rungan Backdoor, Forest Blizzard 2026-05-13
Linux At Application Execution Sysmon for Linux EventID 1 T1053.002 Anomaly Linux Privilege Escalation, Cisco Isovalent Suspicious Activity, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
SLUI RunAs Elevated Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1548.002 TTP DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Living Off The Land Detection T1059 T1105 T1133 T1190 Correlation Hellcat Ransomware, Living Off The Land 2026-05-13
Windows Disable or Modify Tools Via Taskkill Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Anomaly Phantom Stealer, BlankGrabber Stealer, PXA Stealer, Crypto Stealer, NjRAT 2026-06-25
Windows MSTSC RDP Commandline Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.001 Anomaly Windows RDP Artifacts and Defense Evasion, Medusa Ransomware 2026-05-13
Windows SQL Server Critical Procedures Enabled Windows Event Log Application 15457 T1505.001 TTP SQL Server Abuse 2026-05-13
Windows Common Abused Cmd Shell Risk Behavior T1016 T1033 T1049 T1059 T1222 T1529 Correlation FIN7, CISA AA23-347A, Sandworm Tools, Microsoft WSUS CVE-2025-59287, Qakbot, Azorult, DarkCrystal RAT, Volt Typhoon, Netsh Abuse, Windows Post-Exploitation, Disabling Security Tools, Windows Defense Evasion Tactics 2026-05-13
Windows PowerView Unconstrained Delegation Discovery Powershell Script Block Logging 4104 T1018 TTP Active Directory Kerberos Attacks, Rhysida Ransomware, CISA AA23-347A 2026-05-13
Suspicious MSBuild Spawn Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1127.001 TTP Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild, Living Off The Land 2026-05-13
Windows Modify Registry DontShowUI Sysmon EventID 13 T1112 TTP DarkGate Malware 2026-05-13
Regsvr32 Silent and Install Param Dll Loading Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.010 Anomaly Data Destruction, AsyncRAT, Living Off The Land, Hermetic Wiper, Remcos, Suspicious Regsvr32 Activity 2026-06-09
Windows Vulnerable Driver Installed Windows Event Log System 7045 T1543.003 TTP Void Manticore, Windows Drivers 2026-05-13
Windows File Association Modification via Ftype Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.003 Anomaly Windows File Extension and Association Abuse 2026-05-13
Scheduled Task Creation on Remote Endpoint using At Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.002 TTP 0bj3ctivity Stealer, Living Off The Land, Scheduled Tasks, Active Directory Lateral Movement 2026-05-13
Windows Bypass UAC via Pkgmgr Tool Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1548.002 Anomaly Warzone RAT 2026-05-13
GetWmiObject Ds Computer with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1018 Anomaly Active Directory Discovery 2026-05-13
Esentutl SAM Copy Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.002 Hunting Credential Dumping, Living Off The Land 2026-05-13
Windows ISO LNK File Creation Sysmon EventID 11 T1204.001 T1566.001 Hunting AgentTesla, IcedID, Amadey, Gozi Malware, Qakbot, Azorult, Remcos, Spearphishing Attachments, Brute Ratel C4, Warzone RAT, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Remote Service Rdpwinst Tool Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.001 TTP Azorult, Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Scattered Lapsus$ Hunters 2026-05-13
Remote Process Instantiation via WMI Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1047 TTP Salt Typhoon, Void Manticore, CISA AA23-347A, Ransomware, China-Nexus Threat Activity, Suspicious WMI Use, Active Directory Lateral Movement 2026-05-13
Windows Account Access Removal via Logoff Exec Sysmon EventID 1 T1059.001 T1531 Anomaly Crypto Stealer 2026-05-13
Windows Archived Collected Data In TEMP Folder Sysmon EventID 11 T1560 Anomaly Braodo Stealer, APT37 Rustonotto and FadeStealer 2026-05-13
Windows InstallUtil Remote Network Connection Sysmon EventID 1, Cisco Network Visibility Module Flow Data, Sysmon EventID 3 T1218.004 Anomaly Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Living Off The Land, Cisco Network Visibility Module Analytics 2026-05-13
Windows Audit Policy Auditing Option Modified - Registry Sysmon EventID 13 T1547.014 Anomaly Windows Audit Policy Tampering 2026-05-13
Windows Multiple Users Failed To Authenticate Using Kerberos Windows Event Log Security 4771 T1110.003 TTP Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows PowerShell Module File Created Sysmon EventID 11 T1059.001 T1129 T1574 Anomaly Malicious PowerShell, Windows Persistence Techniques 2026-05-13
Linux Kworker Process In Writable Process Path Sysmon for Linux EventID 1 T1036.004 Hunting Sandworm Tools, Cyclops Blink 2026-05-13
Dump LSASS via comsvcs DLL Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.001 TTP Data Destruction, Hellcat Ransomware, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Flax Typhoon, CISA AA22-264A, Volt Typhoon, Compromised Windows Host, Credential Dumping, Industroyer2, Scattered Lapsus$ Hunters, Suspicious Rundll32 Activity, CISA AA22-257A 2026-05-13
ETW Registry Disabled Sysmon EventID 13 T1127 T1685 TTP Data Destruction, CISA AA23-347A, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Linux Malformed Auth Entry Linux Secure T1068 Anomaly Linux Privilege Escalation 2026-05-06
Windows Process Accessing Windows Recall Directory Windows Event Log Security 4663 T1059 T1119 Anomaly Windows Post-Exploitation 2026-05-13
Disable Windows SmartScreen Protection Sysmon EventID 13 T1685 TTP Salat Stealer, Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-06-08
File with Samsam Extension Sysmon EventID 11 N/A TTP SamSam Ransomware, Hellcat Ransomware 2026-05-13
Windows Outlook Macro Created by Suspicious Process Sysmon EventID 11 T1059.005 T1137 TTP NotDoor Malware 2026-05-13
Detect Excessive User Account Lockouts T1078.003 Anomaly Active Directory Password Spraying, Scattered Lapsus$ Hunters 2026-05-13
Windows Modify Registry NoChangingWallPaper Sysmon EventID 13 T1112 TTP Rhysida Ransomware 2026-05-13
SilentCleanup UAC Bypass Sysmon EventID 13 T1548.002 TTP Windows Registry Abuse, MoonPeak, Windows Defense Evasion Tactics 2026-05-13
Windows Unusual File Creation in Confluence Directory Sysmon EventID 11 T1190 T1608.001 T1608.002 Anomaly Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2026-05-13
Windows Computer Account Changed to Domain Controller Windows Event Log Security 4742 T1136.002 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows Modify Registry Delete Firewall Rules Sysmon EventID 12 T1112 TTP ShrinkLocker, NetSupport RMM Tool Abuse, CISA AA24-241A 2026-05-13
Linux Curl Upload File Cisco Isovalent Process Exec, Sysmon for Linux EventID 1 T1105 TTP Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land, NPM Supply Chain Compromise 2026-05-13
Change To Safe Mode With Network Config Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1490 TTP Black Basta Ransomware, BlackMatter Ransomware 2026-05-13
Windows Unusual NTLM Authentication Users By Source NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004 T1110.003 Anomaly Active Directory Password Spraying 2026-05-13
Detect MSHTA Url in Command Line Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data T1218.005 TTP Suspicious MSHTA Activity, Cisco Network Visibility Module Analytics, Living Off The Land, XWorm, Compromised Windows Host, NetSupport RMM Tool Abuse, Lumma Stealer, APT37 Rustonotto and FadeStealer 2026-05-13
Executable File Written in Administrative SMB Share Windows Event Log Security 5145 T1021.002 TTP Data Destruction, BlackSuit Ransomware, Trickbot, IcedID, Hermetic Wiper, Prestige Ransomware, Graceful Wipe Out Attack, VanHelsing Ransomware, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement 2026-05-13
Linux Auditd Nopasswd Entry In Sudoers File Linux Auditd Proctitle T1548.003 Anomaly Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Product Key Registry Query Windows Event Log Security 4663 T1012 Anomaly BlankGrabber Stealer 2026-05-13
Linux Setuid Using Setcap Utility Sysmon for Linux EventID 1 T1548.001 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
High Process Termination Frequency Sysmon EventID 5 T1486 Anomaly Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Rhysida Ransomware, Termite Ransomware, NailaoLocker Ransomware, Snake Keylogger, Crypto Stealer, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Windows DiskCryptor Usage Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1486 Hunting Ransomware 2026-05-13
GetWmiObject DS User with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1087.002 Anomaly Active Directory Discovery 2026-05-13
Windows Service Create with Tscon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.003 T1563.002 TTP Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
GetDomainGroup with PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.002 TTP Active Directory Discovery 2026-05-13
Detect Certipy File Modifications Sysmon EventID 11 T1560 T1649 TTP Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services 2026-05-13
Suspicious Image Creation In Appdata Folder Sysmon EventID 1, Sysmon EventID 11 T1113 TTP Remcos, APT37 Rustonotto and FadeStealer 2026-05-13
Remote Process Instantiation via WinRM and PowerShell Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.006 TTP Active Directory Lateral Movement 2026-05-13
Registry Keys Used For Privilege Escalation Sysmon EventID 13 T1546.012 TTP Data Destruction, Cloud Federated Credential Abuse, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Suspicious Windows Registry Activities 2026-05-13
Windows Service Creation Using Registry Entry Sysmon EventID 13 T1574.011 Anomaly Gh0st RAT, Salt Typhoon, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques, Derusbi, Crypto Stealer, PlugX, China-Nexus Threat Activity, Brute Ratel C4, Active Directory Lateral Movement, SnappyBee 2026-05-13
Windows ESX Admins Group Creation via Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2026-05-13
Windows DISM Remove Defender Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 TTP Compromised Windows Host, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Fsutil Zeroing File Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1070 TTP Ransomware, LockBit Ransomware 2026-05-13
Powershell Fileless Script Contains Base64 Encoded Content Powershell Script Block Logging 4104 T1027 T1059.001 TTP Salat Stealer, NjRAT, MuddyWater, Axios Supply Chain Post Compromise, Data Destruction, AsyncRAT, XWorm, NetSupport RMM Tool Abuse, Hellcat Ransomware, Winter Vivern, Malicious PowerShell, Phantom Stealer, VIP Keylogger, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, IcedID, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer 2026-06-25
Windows AppLocker Privilege Escalation via Unauthorized Bypass T1218 TTP Windows AppLocker 2026-05-13
MacOS Log Removal Osquery Results T1070 TTP MacOS Post-Exploitation 2026-05-13
GetWmiObject User Account with PowerShell Script Block Powershell Script Block Logging 4104 T1059.001 T1087.001 Hunting Active Directory Discovery, Malicious PowerShell, Winter Vivern 2026-05-13
Windows Impair Defense Add Xml Applocker Rules Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Hunting Azorult 2026-05-13
Windows User Discovery Via Net Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1087.001 Hunting Active Directory Discovery, Sandworm Tools, Medusa Ransomware 2026-05-13
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials Windows Event Log Security 4648 T1110.003 Anomaly Volt Typhoon, Active Directory Password Spraying, Insider Threat 2026-05-13
Windows Default Rdp File Deletion Sysmon EventID 26, Sysmon EventID 23 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows AD AdminSDHolder ACL Modified Windows Event Log Security 5136 T1546 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Microsoft Defender Incident Alerts MS365 Defender Incident Alerts N/A TTP Critical Alerts 2026-05-13
Powershell Creating Thread Mutex Powershell Script Block Logging 4104 T1027.005 T1059.001 TTP Water Gamayun, Malicious PowerShell 2026-05-13
Windows Autostart Execution LSASS Driver Registry Modification Sysmon EventID 13 T1547.008 TTP Windows Registry Abuse 2026-05-13
Spoolsv Spawning Rundll32 Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1547.012 TTP Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527 2026-05-13
Windows Service Stop By Deletion Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1489 Hunting Azorult, Crypto Stealer, Graceful Wipe Out Attack 2026-05-13
Windows Handle Duplication in Known UAC-Bypass Binaries Sysmon EventID 10 T1134.001 Anomaly Castle RAT 2026-05-13
Linux Kernel Module Enumeration Sysmon for Linux EventID 1 T1014 T1082 Anomaly XorDDos, Linux Rootkit 2026-05-13
Detect AzureHound Command-Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Compromised Windows Host, Windows Discovery Techniques 2026-05-13
PowerShell Domain Enumeration Powershell Script Block Logging 4104 T1059.001 Anomaly Malicious PowerShell, Data Destruction, Interlock Ransomware, CISA AA23-347A, Microsoft WSUS CVE-2025-59287, Hermetic Wiper 2026-06-28
Windows DLL Search Order Hijacking Hunt with Sysmon Sysmon EventID 7 T1574.001 Hunting Malicious Inno Setup Loader, Qakbot, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Sqlite Module In Temp Folder Sysmon EventID 11 T1005 TTP IcedID, Lokibot 2026-05-13
Windows Rdp AutomaticDestinations Deletion Sysmon EventID 26, Sysmon EventID 23 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Multiple Users Failed To Authenticate From Host Using NTLM Windows Event Log Security 4776 T1110.003 TTP Volt Typhoon, Active Directory Password Spraying 2026-05-13
Windows Chromium Browser with Custom User Data Directory Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497 Anomaly Lokibot, Phantom Stealer, Malicious Inno Setup Loader, StealC Stealer 2026-06-25
Windows NirSoft Utilities Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1588.002 Hunting WhisperGate, Data Destruction 2026-05-13
Linux Auditd Hidden Files And Directories Creation Linux Auditd Execve T1083 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows AppLocker Execution from Uncommon Locations T1218 Hunting Windows AppLocker 2026-05-13
Windows Potential Web Shell Creation For VMware Workspace ONE Sysmon EventID 11 T1505.003 Anomaly VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, VMware Aria Operations vRealize CVE-2023-20887, VMware Server Side Injection and Privilege Escalation 2026-05-13
Detect SharpHound Usage Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Ransomware, Windows Discovery Techniques 2026-05-13
Linux Auditd Auditd Daemon Start Linux Auditd Daemon Start T1685.004 Anomaly Compromised Linux Host 2026-05-13
SchCache Change By App Connect And Create ADSI Object Sysmon EventID 11 T1087.002 Anomaly BlackMatter Ransomware 2026-05-13
Windows Explorer LNK Exploit Process Launch With Padding Windows Event Log Security 4688, Sysmon EventID 1 T1059.001 T1204.002 TTP ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day 2026-05-13
Linux Unix Shell Enable All SysRq Functions Sysmon for Linux EventID 1 T1059.004 Anomaly AwfulShred, Data Destruction 2026-05-13
Windows Steal Authentication Certificates Certificate Issued Windows Event Log Security 4887 T1649 Anomaly Windows Certificate Services 2026-05-13
Windows Service Created with Suspicious Service Path Windows Event Log System 7045 T1569.002 TTP Gh0st RAT, Salt Typhoon, Snake Malware, CISA AA23-347A, Clop Ransomware, Qakbot, Flax Typhoon, APT37 Rustonotto and FadeStealer, Derusbi, Crypto Stealer, PlugX, China-Nexus Threat Activity, Brute Ratel C4, Active Directory Lateral Movement 2026-05-13
Cisco NVM - Rclone Execution With Network Activity Cisco Network Visibility Module Flow Data T1567.002 Anomaly Cisco Network Visibility Module Analytics, Scattered Lapsus$ Hunters 2026-05-13
Unknown Process Using The Kerberos Protocol Sysmon EventID 1, Sysmon EventID 3 T1550 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2026-05-13
Windows Defender ASR Rules Stacking Windows Event Log Defender 1134, Windows Event Log Defender 1126, Windows Event Log Defender 1122, Windows Event Log Defender 1133, Windows Event Log Defender 1131, Windows Event Log Defender 1129, Windows Event Log Defender 5007, Windows Event Log Defender 1121, Windows Event Log Defender 1125 T1059 T1566.001 T1566.002 Hunting Windows Attack Surface Reduction 2026-05-13
Wmiprvse LOLBAS Execution Process Spawn Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1047 TTP Active Directory Lateral Movement 2026-05-13
Credential Dumping via Symlink to Shadow Copy Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1003.003 TTP Credential Dumping, Compromised Windows Host 2026-05-13
Windows Modify System Firewall with Notable Process Path Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1686 TTP Compromised Windows Host, Medusa Ransomware, NjRAT 2026-05-13
Crowdstrike Medium Identity Risk Severity T1110 TTP Compromised Windows Host 2026-05-13
Windows WinPEAS PowerShell Script Execution Powershell Script Block Logging 4104 T1007 T1016 T1033 T1082 T1590 T1592.002 T1592.004 T1615 TTP Windows Post-Exploitation 2026-05-13
Windows Remote Access Software BRC4 Loaded Dll Sysmon EventID 7 T1003 T1219 Anomaly Brute Ratel C4 2026-05-13
Local Account Discovery With Wmic Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1087.001 Hunting Active Directory Discovery, Scattered Lapsus$ Hunters 2026-05-13
Windows WMIC Shadowcopy Delete Sysmon EventID 1 T1490 Anomaly Suspicious WMI Use, Volt Typhoon, Cactus Ransomware 2026-05-13
Windows ScManager Security Descriptor Tampering Via Sc.EXE Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1569.002 TTP Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows Impair Defenses Disable AV AutoStart via Registry Sysmon EventID 13 T1112 TTP Scattered Lapsus$ Hunters, ValleyRAT 2026-05-13
Ryuk Test Files Detected Sysmon EventID 11 T1486 TTP Ryuk Ransomware 2026-05-13
Windows Set Network Profile Category to Private via Registry Sysmon EventID 13 T1112 Anomaly Secret Blizzard 2026-05-13
Windows Credential Access From Browser Password Store Windows Event Log Security 4663 T1012 Anomaly Quasar RAT, Braodo Stealer, Snake Keylogger, Salat Stealer, BlankGrabber Stealer, Earth Alux, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Phantom Stealer, VIP Keylogger, PXA Stealer, Scattered Spider, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee 2026-06-25
Local LLM Framework DNS Query Sysmon EventID 22 T1590 Hunting Suspicious Local LLM Frameworks 2026-05-13
Windows Driver Load Non-Standard Path Windows Event Log System 7045 T1014 T1068 TTP BlackSuit Ransomware, AgentTesla, CISA AA22-320A, Windows Drivers, BlackByte Ransomware 2026-05-13
Cisco NVM - Webserver Download From File Sharing Website Cisco Network Visibility Module Flow Data T1105 T1190 TTP Cisco Network Visibility Module Analytics, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Linux c99 Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux SSH Authorized Keys Modification Sysmon for Linux EventID 1 T1098.004 Anomaly Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware 2026-05-13
PetitPotam Network Share Access Request Windows Event Log Security 5145 T1187 TTP PetitPotam NTLM Relay on Active Directory Certificate Services 2026-05-13
Windows Modify Registry LongPathsEnabled Sysmon EventID 13 T1112 Anomaly BlackByte Ransomware 2026-05-13
Cisco Isovalent - Potential Escape to Host Cisco Isovalent Process Exec T1611 Anomaly Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware 2026-05-13
Verclsid CLSID Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.012 Hunting Unusual Processes 2026-05-13
Disable AMSI Through Registry Sysmon EventID 13 T1685 TTP Ransomware, CISA AA23-347A, Windows Registry Abuse 2026-05-13
Linux Medusa Rootkit Sysmon for Linux EventID 11 T1014 T1589.001 TTP China-Nexus Threat Activity, Medusa Rootkit, Hellcat Ransomware, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows CrowdStrike Agent Registry Key Removal Sysmon EventID 12 T1685 Anomaly Security Solution Tampering, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry ValleyRAT C2 Config Sysmon EventID 13 T1112 TTP ValleyRAT 2026-05-13
Windows Cloud Files Filter Log Created by Non-System Process Sysmon EventID 11 T1068 TTP RedSun, Windows Privilege Escalation 2026-05-01
Windows SOAPHound Binary Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1069.001 T1069.002 T1087.001 T1087.002 T1482 TTP Compromised Windows Host, Windows Discovery Techniques 2026-05-13
Windows Credential Target Information Structure in Commandline Sysmon EventID 1 T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic 2026-05-13
Linux Stop Services Sysmon for Linux EventID 1 T1489 TTP AwfulShred, Data Destruction, Industroyer2 2026-05-13
Windows EDRSilencer Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685 Anomaly Security Solution Tampering 2026-06-13
Wsmprovhost LOLBAS Execution Process Spawn Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.006 TTP CISA AA24-241A, Hellcat Ransomware, Active Directory Lateral Movement 2026-05-13
Linux Possible Ssh Key File Creation Sysmon for Linux EventID 11 T1098.004 Anomaly Linux Privilege Escalation, Hellcat Ransomware, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Audit Policy Disabled via Auditpol Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Suspicious SQLite3 LSQuarantine Behavior Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1074 TTP Silver Sparrow 2026-05-13
Nishang PowershellTCPOneLine Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 TTP HAFNIUM Group, Cleo File Transfer Software 2026-05-13
Windows Multiple Users Failed To Authenticate From Process Windows Event Log Security 4625 T1110.003 TTP Volt Typhoon, Active Directory Password Spraying, Insider Threat 2026-05-13
Windows RDP File Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.001 T1598.002 TTP Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion, Interlock Ransomware 2026-05-13
Windows DisableAntiSpyware Registry Sysmon EventID 13 T1685 TTP SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Windows Registry Abuse, RedLine Stealer, CISA AA22-264A, Azorult, Ryuk Ransomware, Windows Defense Evasion Tactics 2026-05-13
Linux MySQL Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows PowerShell Script TabExpansion Direct Call Powershell Script Block Logging 4104 T1059.001 T1129 Anomaly Malicious PowerShell 2026-05-13
PowerShell - Connect To Internet With Hidden Window Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 Hunting Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228 2026-06-04
Windows Process Injection With Public Source Path Sysmon EventID 8 T1055.002 Hunting Brute Ratel C4, Earth Alux, Phantom Stealer 2026-06-29
Regsvr32 with Known Silent Switch Cmdline Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1218.010 Anomaly AsyncRAT, IcedID, Qakbot, Living Off The Land, Remcos, Suspicious Regsvr32 Activity 2026-06-09
Windows Process Injection Of Wermgr to Known Browser Sysmon EventID 8 T1055.001 TTP Qakbot 2026-06-29
Rundll32 CreateRemoteThread In Browser Sysmon EventID 8 T1055 TTP IcedID, Living Off The Land 2026-06-29