|
Windows AD add Self to Group
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation, Medusa Ransomware
|
2026-06-01
|
|
Windows PowerShell Add Module to Global Assembly Cache
|
Powershell Script Block Logging 4104
|
T1505.004
|
TTP
|
IIS Components
|
2026-05-13
|
|
Windows Group Discovery Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
T1069.002
|
Hunting
|
SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, IcedID, Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, Prestige Ransomware, Azorult, Cleo File Transfer Software, Volt Typhoon, Windows Post-Exploitation, Active Directory Discovery, Graceful Wipe Out Attack, Windows Discovery Techniques
|
2026-05-13
|
|
CMLUA Or CMSTPLUA UAC Bypass
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
DarkSide Ransomware, Ransomware, LockBit Ransomware, ValleyRAT
|
2026-05-13
|
|
Windows PowerShell Invoke-Sqlcmd Execution
|
Powershell Script Block Logging 4104
|
T1059.001
T1059.003
|
Hunting
|
SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Potato Privilege Escalation Tool Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1068
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Windows InstallUtil URL in Command Line
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1218.004
|
TTP
|
Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Living Off The Land, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows New Service Security Descriptor Set Via Sc.EXE
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1564
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows Excel Spawning Microsoft Project Application
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
|
Anomaly
|
PathWiper
|
2026-05-13
|
|
Deleting Shadow Copies
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1490
|
TTP
|
Chaos Ransomware, SamSam Ransomware, Black Basta Ransomware, Void Manticore, LockBit Ransomware, Clop Ransomware, Medusa Ransomware, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Rhysida Ransomware, Termite Ransomware, Prestige Ransomware, CISA AA22-264A, DarkGate Malware, VanHelsing Ransomware, Compromised Windows Host, Cactus Ransomware, Windows Log Manipulation
|
2026-05-13
|
|
Windows Rasautou DLL Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055.001
T1218
|
TTP
|
Hellcat Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Credentials from Password Stores Deletion
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1555
|
TTP
|
DarkGate Malware, NetSupport RMM Tool Abuse, Compromised Windows Host
|
2026-05-13
|
|
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
USN Journal Deletion
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1070
|
TTP
|
Ransomware, Windows Log Manipulation
|
2026-05-13
|
|
Mshta spawning Rundll32 OR Regsvr32 Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.005
|
TTP
|
IcedID, APT37 Rustonotto and FadeStealer, Living Off The Land, Trickbot
|
2026-05-13
|
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
T1037.001
|
TTP
|
Data Destruction, VIP Keylogger, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Execution of File with Multiple Extensions
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
|
TTP
|
Masquerading - Rename System Utilities, AsyncRAT, Windows File Extension and Association Abuse, DarkGate Malware
|
2026-05-13
|
|
MSBuild Suspicious Spawned By Script Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1127.001
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-05-13
|
|
Windows Anomalous Registry Value Length in Environment Key
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
PowerShell 4104 Hunting
|
Powershell Script Block Logging 4104
|
T1059.001
|
Hunting
|
Braodo Stealer, Cleo File Transfer Software, Flax Typhoon, SystemBC, Salat Stealer, MuddyWater, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, Water Gamayun, Rhysida Ransomware, XWorm, DarkGate Malware, Hellcat Ransomware, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Phantom Stealer, CISA AA24-241A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Cactus Ransomware, Scattered Spider, Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, Lumma Stealer, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer
|
2026-06-25
|
|
Windows Password Policy Discovery with Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Potential Cloudflared Network Connection
|
Sysmon EventID 3
|
T1572
|
Hunting
|
Reverse Network Proxy
|
2026-05-13
|
|
Windows WMI Process And Service List
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Reg exe Manipulating Windows Services Registry Keys
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.011
|
TTP
|
Windows Persistence Techniques, Windows Service Abuse, Living Off The Land
|
2026-05-13
|
|
Windows Gather Victim Identity SAM Info
|
Sysmon EventID 7
|
T1589.001
|
Hunting
|
Brute Ratel C4
|
2026-05-13
|
|
Windows Local Administrator Credential Stuffing
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.004
|
TTP
|
Scattered Lapsus$ Hunters, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Suspicious Copy on System32
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
|
Anomaly
|
AsyncRAT, IcedID, Sandworm Tools, Water Gamayun, Qakbot, Unusual Processes, Volt Typhoon, Compromised Windows Host
|
2026-05-13
|
|
Spike in File Writes
|
Sysmon EventID 11
|
N/A
|
Anomaly
|
SamSam Ransomware, Ryuk Ransomware, Ransomware, Rhysida Ransomware
|
2026-05-13
|
|
Windows PowerShell WMI Win32 ScheduledJob
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Detect RTLO In Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.002
|
TTP
|
Spearphishing Attachments
|
2026-05-13
|
|
Detect RTLO In File Name
|
Sysmon EventID 11
|
T1036.002
|
TTP
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Administrative Shares Accessed On Multiple Hosts
|
Windows Event Log Security 5140, Windows Event Log Security 5145
|
T1135
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Impair Defense Disable Controlled Folder Access
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, BlankGrabber Stealer, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows MSIExec DLLRegisterServer
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec, Water Gamayun
|
2026-05-13
|
|
Windows ESX Admins Group Creation Security Event
|
Windows Event Log Security 4727, Windows Event Log Security 4737, Windows Event Log Security 4730
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows TeamCity Payload Execution from Temp Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
T1190
T1505.003
|
TTP
|
JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Windows Screen Capture in TEMP folder
|
Sysmon EventID 11
|
T1113
|
TTP
|
VIP Keylogger, Braodo Stealer, Crypto Stealer, StealC Stealer, Hellcat Ransomware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Rundll32 with Non-Standard File Extension
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
Anomaly
|
Gh0st RAT, Suspicious Rundll32 Activity, Living Off The Land
|
2026-05-13
|
|
Windows AD Privileged Object Access Activity
|
Windows Event Log Security 4662
|
T1087.002
|
TTP
|
Active Directory Discovery, BlackSuit Ransomware
|
2026-05-13
|
|
Windows Defender ASR or Threat Configuration Tamper
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
PowerShell Invoke WmiExec Usage
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Suspicious WMI Use, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Level RMM PowerShell Script Installer
|
Powershell Script Block Logging 4104
|
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Detect Empire with PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
ICACLS Grant Command
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1222
|
Anomaly
|
XMRig, Ransomware, Defense Evasion or Unauthorized Access Via SDDL Tampering, NetSupport RMM Tool Abuse, Crypto Stealer
|
2026-05-13
|
|
Windows Crowdstrike RTR Script Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
Anomaly
|
Cobalt Strike, Malicious PowerShell, Suspicious MSHTA Activity, Living Off The Land
|
2026-05-13
|
|
Powershell Load Module in Meterpreter
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
MetaSploit
|
2026-05-13
|
|
Windows Chromium Process Launched with Logging Disabled
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Disable Windows App Hotkeys
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
XMRig, Windows Registry Abuse
|
2026-05-13
|
|
GetWmiObject Ds Group with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Explorer.exe Spawning PowerShell or Cmd
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1059.001
T1204.002
|
Hunting
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Suspicious Rundll32 StartW
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
TTP
|
Cobalt Strike, Hellcat Ransomware, Trickbot, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, BlackByte Ransomware
|
2026-05-13
|
|
Windows Binary Execution from an Archive
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows PowerView Kerberos Service Ticket Request
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware
|
2026-05-13
|
|
Clop Ransomware Known Service Name
|
Windows Event Log System 7045
|
T1543
|
TTP
|
Compromised Windows Host, Clop Ransomware
|
2026-05-13
|
|
System User Discovery With Whoami
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
PHP-CGI RCE Attack on Japanese Organizations, CISA AA23-347A, Rhysida Ransomware, Qakbot, Lotus Blossom Chrysalis Backdoor, Active Directory Discovery, LAMEHUG, Winter Vivern
|
2026-05-13
|
|
Windows Odbcconf Load Response File
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.008
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Signature Retirement
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Audit Policy Auditing Option Disabled via Auditpol
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows AD Suspicious Attribute Modification
|
Windows Event Log Security 5136
|
T1222.001
T1550
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Spoolsv Writing a DLL - Sysmon
|
Sysmon EventID 11
|
T1547.012
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Execute Javascript With Jscript COM CLSID
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.005
|
TTP
|
Ransomware
|
2026-05-13
|
|
Windows Impair Defense Define Win Defender Threat Action
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows IOBit Unlocker Extension DLL Registration via Regsvr32
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.010
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Modify Registry Do Not Connect To Win Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows DnsAdmins New Member Added
|
Windows Event Log Security 4732
|
T1098
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Drivers Loaded by Signature
|
Sysmon EventID 6
|
T1014
T1068
|
Hunting
|
Windows Drivers, AgentTesla, BlackByte Ransomware, CISA AA22-320A
|
2026-05-13
|
|
Disabling SystemRestore In Registry
|
Sysmon EventID 13
|
T1490
|
TTP
|
Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Proxy Execution of .NET Utilities via Scripts
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Windows Remote Access Software RMS Registry
|
Sysmon EventID 13
|
T1219
|
TTP
|
Azorult
|
2026-05-13
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
T1135
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Suspicious msbuild path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
T1127.001
|
TTP
|
Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware
|
2026-05-13
|
|
Windows ConsoleHost History File Deletion
|
Sysmon EventID 26, Sysmon EventID 23
|
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Remote Process Instantiation via WMI and PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Kerberos Coercion via DNS
|
Windows Event Log Security 4662, Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1071.004
T1187
T1557.001
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic
|
2026-05-13
|
|
Detect Regsvr32 Application Control Bypass
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.010
|
TTP
|
Cobalt Strike, BlackByte Ransomware, PHP-CGI RCE Attack on Japanese Organizations, Living Off The Land, Compromised Windows Host, Graceful Wipe Out Attack, Suspicious Regsvr32 Activity
|
2026-05-13
|
|
Windows Entra User Management Via Azure CLI
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1078.004
T1098
T1136
|
Anomaly
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows DNS Query Request To TinyUrl
|
Sysmon EventID 22
|
T1105
|
Anomaly
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Wscript Or Cscript Suspicious Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
T1134.004
T1543
|
Anomaly
|
WhisperGate, MuddyWater, Data Destruction, ShrinkLocker, Axios Supply Chain Post Compromise, FIN7, VIP Keylogger, XWorm, Unusual Processes, Remcos, 0bj3ctivity Stealer, NjRAT
|
2026-05-13
|
|
Windows Outlook Dialogs Disabled from Unusual Process
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Common Ransomware Notes
|
Sysmon EventID 11
|
T1485
|
Hunting
|
Chaos Ransomware, SamSam Ransomware, Black Basta Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Ransomware, Rhysida Ransomware, Termite Ransomware, Storm-0501 Ransomware, Ryuk Ransomware, Hellcat Ransomware, NailaoLocker Ransomware
|
2026-05-13
|
|
Windows Hosts File Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Gh0st RAT, BlankGrabber Stealer
|
2026-05-13
|
|
Powershell Processing Stream Of Data
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
MuddyWater, Malicious PowerShell, Data Destruction, MoonPeak, Medusa Ransomware, AsyncRAT, IcedID, PXA Stealer, Hermetic Wiper, XWorm, Braodo Stealer, Salat Stealer, Hellcat Ransomware
|
2026-06-29
|
|
Windows Exfiltration Over C2 Via Invoke RestMethod
|
Powershell Script Block Logging 4104
|
T1041
|
TTP
|
Water Gamayun, Microsoft WSUS CVE-2025-59287, Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Winter Vivern
|
2026-05-13
|
|
Print Spooler Adding A Printer Driver
|
Windows Event Log Printservice 316
|
T1547.012
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Rundll32 Control RunDLL Hunt
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
Hunting
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity, Living Off The Land
|
2026-05-13
|
|
Windows Process Injection into Commonly Abused Processes
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
BishopFox Sliver Adversary Emulation Framework, Earth Alux, SAP NetWeaver Exploitation, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Recon Using WMI Class
|
Powershell Script Block Logging 4104
|
T1059.001
T1592
|
Anomaly
|
Quasar RAT, Axios Supply Chain Post Compromise, Malicious PowerShell, Data Destruction, MoonPeak, LockBit Ransomware, AsyncRAT, BlankGrabber Stealer, VIP Keylogger, Qakbot, Hermetic Wiper, Industroyer2, Scattered Spider, Malicious Inno Setup Loader
|
2026-05-13
|
|
Domain Controller Discovery with Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Domain Account Discovery Via Get-NetComputer
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
CISA AA23-347A
|
2026-05-13
|
|
Windows Remote Assistance Spawning Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
|
TTP
|
Compromised Windows Host, Unusual Processes
|
2026-05-13
|
|
Windows AD SID History Attribute Modified
|
Windows Event Log Security 5136
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Wmic Group Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2026-05-13
|
|
Windows Steal or Forge Kerberos Tickets Klist
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1558
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows SIP WinVerifyTrust Failed Trust Validation
|
Windows Event Log CAPI2 81
|
T1553.003
|
Anomaly
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
Windows Modify Registry WuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Powershell Using memory As Backing Store
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Data Destruction, MoonPeak, Malicious PowerShell, Medusa Ransomware, IcedID, Hermetic Wiper, Salat Stealer
|
2026-06-08
|
|
Windows RDP Bitmap Cache File Creation
|
Sysmon EventID 11
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Chromium process Launched with Disable Popup Blocking
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows WSUS Spawning Shell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1190
T1505.003
|
TTP
|
Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Windows Service Created with Suspicious Service Name
|
Windows Event Log System 7045
|
T1569.002
|
Anomaly
|
Gh0st RAT, Snake Malware, CISA AA23-347A, Clop Ransomware, Qakbot, Flax Typhoon, Tuoni, PlugX, Brute Ratel C4, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Credentials from Web Browsers Saved in TEMP Folder
|
Sysmon EventID 11
|
T1555.003
|
TTP
|
Braodo Stealer, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Process With NamedPipe CommandLine
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Malicious Powershell Executed As A Service
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Rhysida Ransomware, Compromised Windows Host, Malicious PowerShell
|
2026-05-13
|
|
CMD Echo Pipe - Escalation
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
T1543.003
|
TTP
|
Cobalt Strike, BlackByte Ransomware, Compromised Windows Host, Graceful Wipe Out Attack
|
2026-05-13
|
|
User Discovery With Env Vars PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows BitLockerToGo with Network Activity
|
Sysmon EventID 22
|
T1218
|
Hunting
|
Lumma Stealer, Hellcat Ransomware
|
2026-05-13
|
|
Disable Defender BlockAtFirstSeen Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, IcedID, Windows Registry Abuse, Azorult
|
2026-05-13
|
|
Windows Proxy Via Netsh
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1090.001
|
Anomaly
|
Volt Typhoon
|
2026-05-13
|
|
Windows SqlWriter SQLDumper DLL Sideload
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Windows GrimResource - MMC Process Accessing APDS DLL
|
Windows Event Log Security 4663
|
T1059.007
T1218.014
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
MacOS - Re-opened Applications
|
Sysmon EventID 1
|
N/A
|
TTP
|
ColdRoot MacOS RAT
|
2026-05-13
|
|
Suspicious Scheduled Task from Public Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
Anomaly
|
Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Living Off The Land, Lokibot, XWorm, DarkCrystal RAT, Ryuk Ransomware, Windows Persistence Techniques, NetSupport RMM Tool Abuse, CISA AA24-241A, Medusa Ransomware, Azorult, Scattered Spider, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, CISA AA23-347A, Crypto Stealer, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Ransomware, Hermetic Wiper, Malicious PowerShell, Data Destruction
|
2026-05-13
|
|
Unload Sysmon Filter Driver
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
TTP
|
Disabling Security Tools, CISA AA23-347A
|
2026-05-13
|
|
WSReset UAC Bypass
|
Sysmon EventID 13, Sysmon EventID 12
|
T1548.002
|
TTP
|
Windows Registry Abuse, MoonPeak, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows RMM Tool Execution
|
Sysmon EventID 1
|
T1219
|
Anomaly
|
Suspicious User Agents, NetSupport RMM Tool Abuse, Remote Monitoring and Management Software
|
2026-05-13
|
|
Elevated Group Discovery with PowerView
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Auto Admin Logon Registry Entry
|
Sysmon EventID 13
|
T1552.002
|
TTP
|
BlackMatter Ransomware, Windows Registry Abuse
|
2026-05-13
|
|
DSQuery Domain Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1482
|
TTP
|
Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery
|
2026-05-13
|
|
Windows Remote Management Execute Shell
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1021.006
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows Service Stop Attempt
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1489
|
Hunting
|
Prestige Ransomware, Scattered Lapsus$ Hunters, Graceful Wipe Out Attack, Gh0st RAT
|
2026-05-13
|
|
System User Discovery With Query
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Active Directory Discovery, Medusa Ransomware
|
2026-05-13
|
|
Spoolsv Suspicious Process Access
|
Sysmon EventID 10
|
T1068
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
Ransomware, ProxyShell, BlackByte Ransomware
|
2026-05-13
|
|
Windows Command and Scripting Interpreter Path Traversal Exec
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Detect Rundll32 Inline HTA Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.005
|
TTP
|
APT37 Rustonotto and FadeStealer, NOBELIUM Group, Suspicious MSHTA Activity, Living Off The Land
|
2026-05-13
|
|
Mailsniper Invoke functions
|
Powershell Script Block Logging 4104
|
T1114.001
|
TTP
|
Data Exfiltration
|
2026-05-13
|
|
Windows Modify Registry DisAllow Windows App
|
Sysmon EventID 13
|
T1112
|
TTP
|
Azorult
|
2026-05-13
|
|
Windows Net System Service Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1007
|
Hunting
|
Gh0st RAT, LAMEHUG
|
2026-05-13
|
|
SecretDumps Offline NTDS Dumping Tool
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.003
|
TTP
|
Rhysida Ransomware, Storm-0501 Ransomware, Credential Dumping, Compromised Windows Host, Graceful Wipe Out Attack
|
2026-05-13
|
|
Impacket Lateral Movement Commandline Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover
|
2026-05-13
|
|
GetWmiObject DS User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Unusual Intelliform Storage Registry Access
|
Windows Event Log Security 4663
|
T1552.001
|
Anomaly
|
Quasar RAT, Lokibot
|
2026-05-13
|
|
Windows Excessive Service Stop Attempt
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1489
|
TTP
|
XMRig, Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows Sensitive Group Discovery With Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
Anomaly
|
BlackSuit Ransomware, IcedID, Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, Volt Typhoon, Active Directory Discovery
|
2026-05-13
|
|
Windows Office Product Spawned Child Process For Download
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1566.001
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, PlugX, Spearphishing Attachments, APT37 Rustonotto and FadeStealer, NjRAT
|
2026-05-13
|
|
Powershell Enable SMB1Protocol Feature
|
Powershell Script Block Logging 4104
|
T1027.005
|
TTP
|
Ransomware, Hermetic Wiper, Malicious PowerShell, Data Destruction
|
2026-05-13
|
|
Windows Suspicious Child Process of TieringEngineService.exe
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1068
|
TTP
|
RedSun, Windows Privilege Escalation
|
2026-05-01
|
|
GetLocalUser with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Suspicious microsoft workflow compiler usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1127
|
TTP
|
Trusted Developer Utilities Proxy Execution, Living Off The Land
|
2026-05-13
|
|
Windows DLL Module Loaded in Temp Dir
|
Sysmon EventID 7
|
T1105
|
Hunting
|
Lokibot, SolarWinds WHD RCE Post Exploitation, Interlock Rat
|
2026-05-13
|
|
Windows Modify Registry EnableLinkedConnections
|
Sysmon EventID 13
|
T1112
|
TTP
|
BlackByte Ransomware
|
2026-05-13
|
|
Windows MSIX Package Interaction
|
Windows Event Log AppXPackaging 171
|
T1204.002
|
Hunting
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
T1547
T1574.001
|
Anomaly
|
Salt Typhoon, Earth Alux, XWorm, Derusbi, China-Nexus Threat Activity, APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Kerberos Pre-Authentication Flag Disabled with PowerShell
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows Impair Defense Override SmartScreen Prompt
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Overide Win Defender Phishing Filter
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Child Processes of Spoolsv exe
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1068
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2026-05-13
|
|
Windows System Script Proxy Execution Syncappvpublishingserver
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1216
T1218
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Disabled Kerberos Pre-Authentication Discovery With PowerView
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Interlock Ransomware
|
2026-05-13
|
|
Windows Obfuscated Files or Information via RAR SFX
|
Sysmon EventID 11
|
T1027.013
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Crypto Stealer, GhostRedirector IIS Module and Rungan Backdoor, Salat Stealer
|
2026-06-08
|
|
Remote Process Instantiation via WinRM and Winrs
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Trickbot Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1055
|
TTP
|
Hellcat Ransomware, Trickbot
|
2026-05-13
|
|
Windows New Custom Security Descriptor Set On EventLog Channel
|
Sysmon EventID 13
|
T1685.001
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware
|
2026-05-13
|
|
Windows System Network Config Discovery Display DNS
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1016
|
Anomaly
|
Prestige Ransomware, Water Gamayun, Windows Post-Exploitation, Medusa Ransomware
|
2026-05-13
|
|
Windows File and Directory Permissions Enable Inheritance
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1222.001
|
Hunting
|
NetSupport RMM Tool Abuse, Crypto Stealer
|
2026-05-13
|
|
Windows Process Execution From ProgramData
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.005
|
Hunting
|
Salt Typhoon, Axios Supply Chain Post Compromise, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor, XWorm, StealC Stealer, Salat Stealer, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer, SnappyBee
|
2026-06-08
|
|
Windows Impair Defense Delete Win Defender Context Menu
|
Sysmon EventID 13
|
T1685
|
Hunting
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Default RDP File Creation By Non MSTSC Process
|
Sysmon EventID 1, Sysmon EventID 11
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows AD Short Lived Domain Account ServicePrincipalName
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Detect New Local Admin account
|
Windows Event Log Security 4732, Windows Event Log Security 4720
|
T1136.001
|
TTP
|
CISA AA24-241A, HAFNIUM Group, DHS Report TA18-074A, Scattered Lapsus$ Hunters, CISA AA22-257A
|
2026-05-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Odbcconf Load DLL
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.008
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Advanced IP or Port Scanner Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1046
T1135
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Security Account Manager Stopped
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1489
|
TTP
|
Ryuk Ransomware, Compromised Windows Host, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Impair Defenses Disable HVCI
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, BlackLotus Campaign, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Scheduled Task with Highest Privileges
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Quasar RAT, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, AsyncRAT, Scheduled Tasks, RedLine Stealer, XWorm, Compromised Windows Host, NetSupport RMM Tool Abuse, Castle RAT
|
2026-05-13
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
T1112
T1566
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Detect Regasm Spawning a Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.009
|
TTP
|
Void Manticore, Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity, Snake Keylogger, DarkGate Malware, Compromised Windows Host
|
2026-05-13
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4699, Windows Event Log Security 4698
|
T1053.005
|
TTP
|
CISA AA23-347A, Scheduled Tasks, Compromised Windows Host, CISA AA22-257A, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows AD Cross Domain SID History Addition
|
Windows Event Log Security 4742, Windows Event Log Security 4738
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Disabling Firewall with Netsh
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Anomaly
|
BlackByte Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows TOR Client Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1090.003
|
Anomaly
|
Data Exfiltration, Command And Control, Data Protection, Compromised Windows Host, Windows Post-Exploitation
|
2026-05-13
|
|
GetNetTcpconnection with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Audit Policy Cleared via Auditpol
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Compatibility Telemetry Suspicious Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Enable RDP In Other Port Number
|
Sysmon EventID 13
|
T1021
|
TTP
|
Interlock Ransomware, Windows Registry Abuse, Prohibited Traffic Allowed or Protocol Mismatch, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows AutoIt3 Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
TTP
|
DarkGate Malware, Void Manticore, Handala Wiper, Crypto Stealer
|
2026-05-13
|
|
Windows Diskshadow Proxy Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows PowerShell FakeCAPTCHA Clipboard Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1059.001
T1059.003
T1204.001
|
TTP
|
Interlock Ransomware, Cisco Network Visibility Module Analytics, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters, Fake CAPTCHA Campaigns
|
2026-05-13
|
|
Windows Office Product Spawned Rundll32 With No DLL
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1566.001
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Prestige Ransomware, Compromised Windows Host, Crypto Stealer, Spearphishing Attachments, Graceful Wipe Out Attack
|
2026-05-13
|
|
Domain Group Discovery With Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Admon Default Group Policy Object Modified
|
Windows Active Directory Admon
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Schtasks scheduling job on remote system
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Quasar RAT, Scheduled Tasks, Living Off The Land, RedLine Stealer, Prestige Ransomware, NOBELIUM Group, Compromised Windows Host, Active Directory Lateral Movement, Phemedrone Stealer
|
2026-05-13
|
|
Windows PowerShell Export Certificate
|
Powershell Script Block Logging 4104
|
T1552.004
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows MSIExec Spawn WinDBG
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.007
|
TTP
|
DarkGate Malware, Compromised Windows Host
|
2026-05-13
|
|
Windows Modify Registry Disable WinDefender Notifications
|
Sysmon EventID 13
|
T1112
|
TTP
|
SolarWinds WHD RCE Post Exploitation, RedLine Stealer, CISA AA23-347A
|
2026-05-13
|
|
Windows Suspicious VMWare Tools Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
TTP
|
China-Nexus Threat Activity, ESXi Post Compromise
|
2026-05-13
|
|
Windows AppX Deployment Full Trust Package Installation
|
Windows Event Log AppXDeployment-Server 400
|
T1204.002
T1553.005
|
Hunting
|
MSIX Package Abuse
|
2026-05-13
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
T1133
T1190
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Windows Powershell RemoteSigned File
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
Anomaly
|
Amadey
|
2026-05-13
|
|
Detect Rare Executables
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204
|
Anomaly
|
Salt Typhoon, Rhysida Ransomware, Unusual Processes, Crypto Stealer, China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
SLUI Spawning a Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1548.002
|
TTP
|
DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Delete Win Defender Profile Registry
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows AD Object Owner Updated
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Services Escalate Exe
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1548
|
TTP
|
Cobalt Strike, CISA AA23-347A, Graceful Wipe Out Attack, Compromised Windows Host, BlackByte Ransomware
|
2026-05-13
|
|
Creation of Shadow Copy
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.003
|
TTP
|
Credential Dumping, Volt Typhoon, Compromised Windows Host
|
2026-05-13
|
|
Windows Office Product Spawned Control
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1566.001
|
TTP
|
Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host
|
2026-05-13
|
|
Windows Wmic CPU Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows OneDrive Share Mounted via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1567.002
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
Windows Registry Entries Exported Via Reg
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1012
|
Hunting
|
CISA AA23-347A, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Detect Remote Access Software Usage Registry
|
Sysmon EventID 13
|
T1219
|
Anomaly
|
Command And Control, CISA AA24-241A, Ransomware, Gozi Malware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat
|
2026-05-13
|
|
Windows Non Discord App Access Discord LevelDB
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Phantom Stealer, BlankGrabber Stealer, PXA Stealer, Snake Keylogger, StealC Stealer
|
2026-06-25
|
|
Windows AppCertDLL Modification Via Command Line
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1546.009
|
Anomaly
|
Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Kerberos Service Ticket Request Using RC4 Encryption
|
Windows Event Log Security 4769
|
T1558.001
|
TTP
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation
|
2026-05-13
|
|
Print Spooler Failed to Load a Plug-in
|
Windows Event Log Printservice 4909, Windows Event Log Printservice 808
|
T1547.012
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows Chrome Auto-Update Disabled via Registry
|
Sysmon EventID 13
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Disable Defender Enhanced Notification
|
Sysmon EventID 13
|
T1685
|
TTP
|
IcedID, Azorult, Windows Registry Abuse, CISA AA23-347A
|
2026-05-13
|
|
GetWmiObject User Account with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.001
|
Hunting
|
Active Directory Discovery, Water Gamayun, Winter Vivern
|
2026-05-13
|
|
PowerShell Get LocalGroup Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Multiple NTLM Null Domain Authentications
|
NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004
|
T1110.003
|
TTP
|
Active Directory Password Spraying
|
2026-05-13
|
|
GetCurrent User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Modify ACL permission To Files Or Folder
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1222
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, XMRig, Crypto Stealer
|
2026-05-13
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
T1053.005
T1059.001
|
Anomaly
|
Scheduled Tasks, Scattered Spider
|
2026-05-13
|
|
Windows Global Object Access Audit List Cleared Via Auditpol
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Dump LSASS via procdump
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.001
|
TTP
|
HAFNIUM Group, Storm-2460 CLFS Zero Day Exploitation, Seashell Blizzard, Credential Dumping, Compromised Windows Host, CISA AA22-257A
|
2026-05-13
|
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 13, Sysmon EventID 14
|
T1112
|
Anomaly
|
ShrinkLocker, NetSupport RMM Tool Abuse, CISA AA24-241A
|
2026-05-13
|
|
BITSAdmin Download File
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1105
T1197
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ingress Tool Transfer, Living Off The Land, Flax Typhoon, DarkSide Ransomware, BITS Jobs, Scattered Spider, Hellcat Ransomware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Account Discovery With NetUser PreauthNotRequire
|
Powershell Script Block Logging 4104
|
T1087
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Windows SSH Proxy Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1105
T1572
|
Anomaly
|
Living Off The Land, Hellcat Ransomware, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Windows Modify Registry DisableSecuritySettings
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware, CISA AA23-347A
|
2026-05-13
|
|
Windows System File on Disk
|
Sysmon EventID 11
|
T1068
|
Hunting
|
CISA AA22-264A, Windows Drivers, Crypto Stealer
|
2026-05-13
|
|
Detect SharpHound File Modifications
|
Sysmon EventID 11
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Ransomware, BlackSuit Ransomware, Windows Discovery Techniques
|
2026-05-13
|
|
Disable Show Hidden Files
|
Sysmon EventID 13
|
T1112
T1564.001
T1685
|
Anomaly
|
Azorult, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Rundll32 Apply User Settings Changes
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
Anomaly
|
Rhysida Ransomware
|
2026-05-13
|
|
Possible Browser Pass View Parameter
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1555.003
|
Hunting
|
Remcos
|
2026-05-13
|
|
Network Traffic to Active Directory Web Services Protocol
|
Sysmon EventID 3
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
Hunting
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows AD Domain Root ACL Deletion
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Vulnerable Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
Hunting
|
Void Manticore, Windows Drivers, BlackByte Ransomware
|
2026-05-13
|
|
Modification Of Wallpaper
|
Sysmon EventID 13
|
T1491
|
TTP
|
Black Basta Ransomware, LockBit Ransomware, Windows Registry Abuse, Ransomware, Rhysida Ransomware, ZOVWiper, BlackMatter Ransomware, Brute Ratel C4, Revil Ransomware
|
2026-05-13
|
|
Windows SpeechRuntime COM Hijacking DLL Load
|
Sysmon EventID 7
|
T1021.003
|
TTP
|
Scattered Lapsus$ Hunters, Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows System Time Discovery W32tm Delay
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1124
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
Domain Controller Discovery with Nltest
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
TTP
|
BlackSuit Ransomware, CISA AA23-347A, Medusa Ransomware, Rhysida Ransomware, NetSupport RMM Tool Abuse, Active Directory Discovery
|
2026-05-13
|
|
Windows HTTP Network Communication From MSIExec
|
Sysmon EventID 1, Cisco Network Visibility Module Flow Data, Sysmon EventID 3
|
T1218.007
|
Anomaly
|
Cisco Network Visibility Module Analytics, SolarWinds WHD RCE Post Exploitation, GhostRedirector IIS Module and Rungan Backdoor, Water Gamayun, Windows System Binary Proxy Execution MSIExec, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Filtering Platform Policy Added to Block EDR Process
|
Sysmon EventID 13
|
T1685
|
TTP
|
Disabling Security Tools, Security Solution Tampering
|
2026-05-13
|
|
Windows Office Product Loading VBE7 DLL
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
MuddyWater, AgentTesla, Trickbot, IcedID, Qakbot, Azorult, DarkCrystal RAT, Remcos, PlugX, Spearphishing Attachments, NjRAT
|
2026-05-13
|
|
Windows Suspicious Burst of Password Changes
|
Windows Event Log Security 4723, Windows Event Log Security 4724
|
T1068
|
TTP
|
BlueHammer, Windows Privilege Escalation
|
2026-04-29
|
|
Windows PsTools Recon Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
T1046
T1082
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Data Destruction Recursive Exec Files Deletion
|
Sysmon EventID 26, Sysmon EventID 23
|
T1485
|
TTP
|
Data Destruction, Void Manticore, Handala Wiper, Disk Wiper, Swift Slicer
|
2026-05-13
|
|
Windows Service Creation on Remote Endpoint
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.003
|
TTP
|
Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, Active Directory Lateral Movement, SnappyBee
|
2026-05-13
|
|
Windows PowerView SPN Discovery
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Interlock Ransomware, Rhysida Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Windows AD Domain Controller Promotion
|
Windows Event Log Security 4742
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Sdclt UAC Bypass
|
Sysmon EventID 13, Sysmon EventID 12
|
T1548.002
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Devtunnels Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1090
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Windows RunMRU Command Execution
|
Sysmon EventID 13
|
T1202
|
Anomaly
|
Lumma Stealer, Fake CAPTCHA Campaigns
|
2026-05-13
|
|
Windows Office Product Loading Taskschd DLL
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
GetCurrent User with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Powershell Get LocalGroup Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Svchost LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Terminating Lsass Process
|
Sysmon EventID 10
|
T1685
|
Anomaly
|
Data Destruction, Double Zero Destructor, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender App Guard
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows COM Hijacking InprocServer32 Modification
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1546.015
|
TTP
|
Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Report Infection
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows SQL Server Startup Procedure
|
Windows Event Log Application 17135
|
T1505.001
|
Anomaly
|
SQL Server Abuse, Hellcat Ransomware
|
2026-05-13
|
|
Windows Chrome Enable Extension Loading via Command-Line
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
LOLBAS With Network Traffic
|
Sysmon EventID 3
|
T1105
T1218
T1567
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Water Gamayun, Living Off The Land, APT37 Rustonotto and FadeStealer, Fake CAPTCHA Campaigns, NetSupport RMM Tool Abuse, Hellcat Ransomware, Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows Account Discovery for Sam Account Name
|
Powershell Script Block Logging 4104
|
T1087
|
Anomaly
|
CISA AA23-347A
|
2026-05-13
|
|
Windows Impair Defense Disable Realtime Signature Delivery
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Hiding Files And Directories With Attrib exe
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1222.001
|
TTP
|
VIP Keylogger, Azorult, Windows Persistence Techniques, Compromised Windows Host, Crypto Stealer, Malicious Inno Setup Loader, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Command and Scripting Interpreter Hunting Path Traversal
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
Hunting
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Hide User Account From Sign-In Screen
|
Sysmon EventID 13
|
T1685
|
TTP
|
Azorult, XMRig, Windows Registry Abuse, Warzone RAT
|
2026-05-13
|
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Audit Policy Restored via Auditpol
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Information Discovery Fsutil
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows User Disabled Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1531
|
Anomaly
|
XMRig
|
2026-05-13
|
|
Windows Modify Registry ValleyRat PWN Reg Entry
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Detect mshta inline hta execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.005
|
TTP
|
Suspicious MSHTA Activity, BlankGrabber Stealer, Gozi Malware, Living Off The Land, XWorm, Compromised Windows Host, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Unusual Count Of Users Remotely Failed To Auth From Host
|
Windows Event Log Security 4625
|
T1110.003
|
Anomaly
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Suspicious React or Next.js Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1059.003
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Windows Query Registry Browser List Application
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
China-Nexus Threat Activity, Salt Typhoon, RedLine Stealer, SnappyBee
|
2026-05-13
|
|
Excessive number of service control start as disabled
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Detect Exchange Web Shell
|
Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, ProxyShell, Seashell Blizzard, Compromised Windows Host, ProxyNotShell, CISA AA22-257A, BlackByte Ransomware
|
2026-05-13
|
|
Windows Mimikatz Binary Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003
|
TTP
|
CISA AA23-347A, CISA AA22-320A, Sandworm Tools, Flax Typhoon, Credential Dumping, Volt Typhoon, Compromised Windows Host, Scattered Spider
|
2026-05-13
|
|
Enumerate Users Local Group Using Telegram
|
Windows Event Log Security 4798
|
T1087
|
TTP
|
XMRig, Water Gamayun, Compromised Windows Host
|
2026-05-13
|
|
Windows Audit Policy Excluded Category via Auditpol
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Driver Inventory
|
|
T1068
|
Hunting
|
Windows Drivers
|
2026-05-13
|
|
Suspicious Process Executed From Container File
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.008
T1204.002
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Amadey, Water Gamayun, Unusual Processes, Snake Keylogger, Remcos, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Clop Common Exec Parameter
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204
|
TTP
|
Compromised Windows Host, Clop Ransomware
|
2026-05-13
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Salt Typhoon, Medusa Ransomware, Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, SystemBC, China-Nexus Threat Activity, 0bj3ctivity Stealer, CISA AA22-257A, Winter Vivern, Castle RAT
|
2026-05-13
|
|
PowerShell Start-BitsTransfer
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1197
|
TTP
|
BITS Jobs, Gozi Malware
|
2026-05-13
|
|
AdsiSearcher Account Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Data Destruction, CISA AA23-347A, Scattered Lapsus$ Hunters, Industroyer2, Active Directory Discovery
|
2026-05-13
|
|
Excessive Usage of NSLOOKUP App
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1048
|
Anomaly
|
Data Exfiltration, Command And Control, Dynamic DNS, Suspicious DNS Traffic
|
2026-05-13
|
|
Windows Scheduled Task Created Via XML
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
Anomaly
|
MoonPeak, CISA AA23-347A, Scheduled Tasks, Lokibot, Malicious Inno Setup Loader, Winter Vivern
|
2026-05-13
|
|
Windows Cabinet File Extraction Via Expand
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1105
|
TTP
|
NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Suspicious Child Process Spawned From WebServer
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1505.003
|
Anomaly
|
Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, WS FTP Server Critical Vulnerabilities, ProxyShell, Microsoft WSUS CVE-2025-59287, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, CISA AA22-264A, Compromised Windows Host, Microsoft SharePoint Vulnerabilities, ProxyNotShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, CISA AA22-257A, BlackByte Ransomware
|
2026-05-13
|
|
Windows NirSoft Tool Bundle File Created
|
Sysmon EventID 11
|
T1588.002
|
Anomaly
|
WhisperGate, Data Destruction, Unusual Processes
|
2026-05-13
|
|
Non Firefox Process Access Firefox Profile Dir
|
Windows Event Log Security 4663
|
T1555.003
|
Anomaly
|
Quasar RAT, Lokibot, Snake Keylogger, Remcos, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, RedLine Stealer, DarkGate Malware, StealC Stealer, Warzone RAT, AgentTesla, VIP Keylogger, Phantom Stealer, Azorult, 3CX Supply Chain Attack, Malicious Inno Setup Loader, Salt Typhoon, CISA AA23-347A, FIN7, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee
|
2026-06-25
|
|
Windows Potential Cloudflared Tunnel Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1572
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Network Share Discovery Via Dir Command
|
Windows Event Log Security 5140
|
T1135
|
Hunting
|
IcedID
|
2026-05-13
|
|
Set Default PowerShell Execution Policy To Unrestricted or Bypass
|
Sysmon EventID 13
|
T1059.001
|
TTP
|
Malicious PowerShell, Data Destruction, SolarWinds WHD RCE Post Exploitation, HAFNIUM Group, Hermetic Wiper, DarkGate Malware, Credential Dumping, SystemBC
|
2026-05-13
|
|
Notepad with no Command Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Detect Password Spray Attack Behavior On User
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Compromised User Account, Crypto Stealer
|
2026-05-13
|
|
Single Letter Process On Endpoint
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
|
TTP
|
DHS Report TA18-074A, Compromised Windows Host
|
2026-05-13
|
|
Windows Steal Authentication Certificates Export Certificate
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Sdelete Application Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1070.004
T1485
|
TTP
|
Masquerading - Rename System Utilities, Void Manticore, Scattered Spider
|
2026-05-13
|
|
Windows Downdate Registry Activity
|
Sysmon EventID 13, Sysmon EventID 12, Sysmon EventID 14
|
T1112
T1689
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
|
Powershell Script Block Logging 4104
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Interlock Ransomware, BlackSuit Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Windows Disable Change Password Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
Anomaly
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows AD Self DACL Assignment
|
Windows Event Log Security 5136
|
T1098
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Powershell Disable Security Monitoring
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
TTP
|
BlankGrabber Stealer, CISA AA24-241A, Ransomware, Salat Stealer, Revil Ransomware
|
2026-06-08
|
|
Add or Set Windows Defender Exclusion
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
TTP
|
WhisperGate, Data Destruction, AgentTesla, CISA AA22-320A, XWorm, Remcos, Compromised Windows Host, Crypto Stealer, NetSupport RMM Tool Abuse, Salat Stealer, Windows Defense Evasion Tactics, ValleyRAT
|
2026-06-08
|
|
NLTest Domain Trust Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1482
|
TTP
|
Medusa Ransomware, IcedID, Qakbot, Rhysida Ransomware, Storm-0501 Ransomware, Cleo File Transfer Software, Ryuk Ransomware, Active Directory Discovery, Domain Trust Discovery
|
2026-05-13
|
|
Windows Executable in Loaded Modules
|
Sysmon EventID 7
|
T1129
|
TTP
|
Lokibot, NjRAT
|
2026-05-13
|
|
Windows Level RMM Watchdog Task Created
|
Windows Event Log Security 4698
|
T1053
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Windows Excessive Usage Of Net App
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1531
|
Anomaly
|
XMRig, Ransomware, Rhysida Ransomware, Prestige Ransomware, Azorult, Windows Post-Exploitation, Graceful Wipe Out Attack
|
2026-05-13
|
|
ConnectWise ScreenConnect Path Traversal Windows SACL
|
Windows Event Log Security 4663
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities, Compromised Windows Host, Seashell Blizzard
|
2026-05-13
|
|
Windows Odbcconf Hunting
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.008
|
Hunting
|
Living Off The Land
|
2026-05-13
|
|
Windows Mail Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
T1071.003
|
Anomaly
|
AgentTesla
|
2026-05-13
|
|
Network Connection Discovery With Arp
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1049
|
Hunting
|
Interlock Ransomware, IcedID, Qakbot, Prestige Ransomware, Volt Typhoon, Windows Post-Exploitation, Active Directory Discovery
|
2026-05-13
|
|
Windows Computer Account Created by Computer Account
|
Windows Event Log Security 4741
|
T1558
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Firewall Allowed Program Enable
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1686
|
Anomaly
|
Medusa Ransomware, Azorult, NjRAT, PlugX, Salat Stealer, BlackByte Ransomware, Windows Defense Evasion Tactics
|
2026-06-08
|
|
Elevated Group Discovery With Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Cobalt Strike PowerShell Loader
|
Powershell Script Block Logging 4104
|
T1059.001
T1608
|
TTP
|
Cobalt Strike
|
2026-05-13
|
|
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
TTP
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows System User Discovery Via Quser
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Crypto Stealer
|
2026-05-13
|
|
Windows File Without Extension In Critical Folder
|
Sysmon EventID 11
|
T1485
|
TTP
|
Data Destruction, Hermetic Wiper
|
2026-05-13
|
|
Windows Command Shell DCRat ForkBomb Payload
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
TTP
|
DarkCrystal RAT, Compromised Windows Host
|
2026-05-13
|
|
Creation of lsass Dump with Taskmgr
|
Sysmon EventID 11
|
T1003.001
|
TTP
|
Seashell Blizzard, Credential Dumping, Scattered Lapsus$ Hunters, Cactus Ransomware, CISA AA22-257A
|
2026-05-13
|
|
NET Profiler UAC bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Excessive Attempt To Disable Services
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1489
|
Anomaly
|
Azorult, XMRig
|
2026-05-13
|
|
Disable UAC Remote Restriction
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Suspicious Windows Registry Activities, Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Shell Process from CrushFTP
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1059.003
T1190
T1505
|
TTP
|
CrushFTP Vulnerabilities
|
2026-05-13
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
T1053
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Windows Default Group Policy Object Modified with GPME
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Detect Renamed WinRAR
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1560.001
|
Hunting
|
China-Nexus Threat Activity, Salt Typhoon, Collection and Staging, CISA AA22-277A
|
2026-05-13
|
|
Windows AD Dangerous User ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Get ADUserResultantPasswordPolicy with Powershell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1201
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Powershell Defender Threat Actions Set to Allow
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
TTP
|
Salat Stealer
|
2026-05-12
|
|
Windows Impair Defense Disable Win Defender Scan On Update
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Excessive File Deletion In WinDefender Folder
|
Sysmon EventID 26, Sysmon EventID 23
|
T1485
|
TTP
|
WhisperGate, Data Destruction, BlackByte Ransomware
|
2026-05-13
|
|
WMIC XSL Execution via URL
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1220
|
TTP
|
Suspicious WMI Use, Compromised Windows Host, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows AD DSRM Account Changes
|
Sysmon EventID 13
|
T1098
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Access LSASS Memory for Dump Creation
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
CISA AA23-347A, Lokibot, Credential Dumping, Scattered Lapsus$ Hunters, Cactus Ransomware
|
2026-05-13
|
|
Detect Outlook exe writing a zip file
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566.001
|
Anomaly
|
Amadey, PXA Stealer, Remcos, Meduza Stealer, Spearphishing Attachments, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1505.004
T1685.001
|
Anomaly
|
IIS Components, Compromised Windows Host, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows RDPClient Connection Sequence Events
|
Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
|
T1133
|
Anomaly
|
Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Water Gamayun, ValleyRAT
|
2026-05-13
|
|
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
TTP
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Modify Registry Regedit Silent Reg Import
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome Extension Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
MoonPeak, BlankGrabber Stealer, CISA AA23-347A, Phantom Stealer, Amadey, RedLine Stealer, Braodo Stealer, DarkGate Malware, StealC Stealer, Meduza Stealer, 0bj3ctivity Stealer, Malicious Inno Setup Loader, Phemedrone Stealer
|
2026-06-25
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 13
|
T1112
|
TTP
|
NjRAT
|
2026-05-13
|
|
7zip CommandLine To SMB Share Path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1560.001
|
Hunting
|
Ransomware
|
2026-05-13
|
|
Windows Process Execution From RDP Share
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
T1059
T1105
|
Anomaly
|
Hidden Cobra Malware
|
2026-05-13
|
|
Ping Sleep Batch Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
Anomaly
|
Quasar RAT, WhisperGate, Data Destruction, Void Manticore, Gh0st RAT, Meduza Stealer, Warzone RAT, BlackByte Ransomware
|
2026-05-13
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 11
|
T1574.001
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Malicious PowerShell Process - Encoded Command
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1027
|
Hunting
|
WhisperGate, Data Destruction, Malicious PowerShell, SolarWinds WHD RCE Post Exploitation, CISA AA22-320A, GhostRedirector IIS Module and Rungan Backdoor, Sandworm Tools, Microsoft WSUS CVE-2025-59287, Qakbot, Hermetic Wiper, DarkCrystal RAT, Volt Typhoon, NOBELIUM Group, Crypto Stealer, Microsoft SharePoint Vulnerabilities, Lumma Stealer, Scattered Spider
|
2026-05-13
|
|
Recursive Delete of Directory In Batch CMD
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1070.004
|
TTP
|
Ransomware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
T1546.012
|
Hunting
|
Windows Persistence Techniques
|
2026-05-13
|
|
Excessive Usage Of Taskkill
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Anomaly
|
XMRig, AgentTesla, CISA AA22-277A, BlankGrabber Stealer, CISA AA22-264A, Azorult, Crypto Stealer, NjRAT
|
2026-05-13
|
|
Windows Credentials in Registry Reg Query
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1552.002
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows AD Domain Replication ACL Addition
|
Windows Event Log Security 5136
|
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Command
|
Windows Event Log Security 4698, Windows Event Log Security 4702, Windows Event Log Security 4700
|
T1053.005
|
TTP
|
Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Seashell Blizzard, Ryuk Ransomware, Windows Persistence Techniques, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
T1218.014
T1548.002
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Firewall Rule Deletion
|
Windows Event Log Security 4948
|
T1686
|
Anomaly
|
ShrinkLocker, NetSupport RMM Tool Abuse, Medusa Ransomware
|
2026-05-13
|
|
Windows Kerberos Local Successful Logon
|
Windows Event Log Security 4624
|
T1558
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks, Compromised Windows Host, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
T1091
|
TTP
|
Chaos Ransomware, Salt Typhoon, Derusbi, PlugX, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer, NjRAT
|
2026-05-13
|
|
Process Creating LNK file in Suspicious Location
|
Sysmon EventID 11
|
T1566.002
|
Anomaly
|
BlankGrabber Stealer, IcedID, Amadey, Gozi Malware, Qakbot, Spearphishing Attachments, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Unblock File Via Sfc
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Windows Vulnerable 3CX Software
|
Sysmon EventID 1
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Disable Defender Submit Samples Consent Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
BlankGrabber Stealer, CISA AA23-347A, IcedID, Windows Registry Abuse, Azorult, Salat Stealer
|
2026-06-08
|
|
Rubeus Kerberos Ticket Exports Through Winlogon Access
|
Sysmon EventID 10
|
T1550.003
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Scattered Lapsus$ Hunters, ZOVWiper
|
2026-05-13
|
|
Web Servers Executing Suspicious Processes
|
Sysmon EventID 1
|
T1082
|
TTP
|
Apache Struts Vulnerability
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1126, Windows Event Log Defender 1122, Windows Event Log Defender 1132, Windows Event Log Defender 1134, Windows Event Log Defender 1125
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Advanced Installer MSIX with AI_STUBS Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
T1218
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows Service Create SliverC2
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
BishopFox Sliver Adversary Emulation Framework, Hellcat Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows Event For Service Disabled
|
Windows Event Log System 7040
|
T1685
|
Hunting
|
RedLine Stealer, Windows Defense Evasion Tactics
|
2026-05-13
|
|
System Info Gathering Using Dxdiag Application
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1592
|
Hunting
|
Remcos
|
2026-05-13
|
|
Drop IcedID License dat
|
Sysmon EventID 11
|
T1204.002
|
Hunting
|
IcedID
|
2026-05-13
|
|
Eventvwr UAC Bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
IcedID, Windows Registry Abuse, Living Off The Land, Windows Defense Evasion Tactics, ValleyRAT
|
2026-05-13
|
|
Windows Suspicious File in EFI Volume
|
Sysmon EventID 11
|
T1490
T1542.001
|
TTP
|
Sandworm Tools, Windows BootKits, BlackLotus Campaign
|
2026-05-13
|
|
Windows SIP Provider Inventory
|
|
T1553.003
|
Hunting
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
Windows Registry Payload Injection
|
Sysmon EventID 13
|
T1027.011
|
TTP
|
Unusual Processes
|
2026-05-13
|
|
Windows NetSupport RMM DLL Loaded By Uncommon Process
|
Sysmon EventID 7
|
T1036
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Process Writing File to World Writable Path
|
Sysmon EventID 11
|
T1218.005
|
Hunting
|
PathWiper, PHP-CGI RCE Attack on Japanese Organizations, APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Windows Impair Defense Disable PUA Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Suspicious Defender Engine or Signature Files Created
|
Sysmon EventID 11
|
T1068
|
Anomaly
|
BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Earth Alux, Qakbot
|
2026-05-13
|
|
Windows AD GPO Deleted
|
Windows Event Log Security 5136
|
T1484.001
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Default Rdp File Unhidden
|
Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Wermgr Process Spawned CMD Or Powershell Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
TTP
|
Qakbot, Trickbot
|
2026-05-13
|
|
Windows Suspicious Process File Path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.005
T1543
|
TTP
|
Quasar RAT, Swift Slicer, Qakbot, Lokibot, SesameOp, Prestige Ransomware, Remcos, SystemBC, Brute Ratel C4, BlackByte Ransomware, Phemedrone Stealer, Graceful Wipe Out Attack, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, LockBit Ransomware, Handala Wiper, AsyncRAT, Void Manticore, Water Gamayun, Earth Alux, Rhysida Ransomware, RedLine Stealer, XWorm, DarkGate Malware, DarkCrystal RAT, StealC Stealer, Meduza Stealer, Warzone RAT, Castle RAT, WhisperGate, XMRig, AgentTesla, Trickbot, GhostRedirector IIS Module and Rungan Backdoor, VIP Keylogger, Phantom Stealer, Hermetic Wiper, Azorult, Malicious Inno Setup Loader, Interlock Rat, Chaos Ransomware, Salt Typhoon, PromptLock, MoonPeak, CISA AA23-347A, IcedID, Amadey, RoguePlanet, Volt Typhoon, Double Zero Destructor, PlugX, Industroyer2, China-Nexus Threat Activity, NailaoLocker Ransomware, SnappyBee, ValleyRAT
|
2026-06-25
|
|
Windows Curl Upload to Remote Destination
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1105
|
TTP
|
PromptLock, Axios Supply Chain Post Compromise, Cisco Network Visibility Module Analytics, NPM Supply Chain Compromise, Microsoft WSUS CVE-2025-59287, Ingress Tool Transfer, Compromised Windows Host
|
2026-05-13
|
|
Windows Shell or Script Execution From IIS Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1190
T1505.004
|
Anomaly
|
ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Print Processor Registry Autostart
|
Sysmon EventID 13
|
T1547.012
|
TTP
|
Data Destruction, Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Disable Internet Explorer Addons
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1176.001
|
Anomaly
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Disable ETW Through Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Ransomware, CISA AA23-347A, Windows Registry Abuse
|
2026-05-13
|
|
Windows Modify Registry No Auto Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer, CISA AA23-347A
|
2026-05-13
|
|
Windows XLL File Creation Outside of Typical Location
|
Sysmon EventID 11
|
T1059
T1129
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Network Connection Discovery With Netstat
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1049
|
Hunting
|
CISA AA23-347A, CISA AA22-277A, Medusa Ransomware, Qakbot, Prestige Ransomware, Volt Typhoon, Windows Post-Exploitation, PlugX, Active Directory Discovery
|
2026-05-13
|
|
Windows Office Product Dropped Cab or Inf File
|
Windows Event Log Security 4688, Sysmon EventID 1, Sysmon EventID 11
|
T1566.001
|
TTP
|
Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Detect Password Spray Attack Behavior From Source
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Detect Regsvcs Spawning a Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.009
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2026-05-13
|
|
Winhlp32 Spawning a Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
|
TTP
|
Compromised Windows Host, Remcos
|
2026-05-13
|
|
Get DomainPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Cobalt Strike, Graceful Wipe Out Attack, Compromised Windows Host, Cactus Ransomware, Hellcat Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows Local LLM Framework Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
T1112
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Chrome Extension Allowed Registry Modification
|
Sysmon EventID 13
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows Developer-Signed MSIX Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
Anomaly
|
MSIX Package Abuse
|
2026-05-13
|
|
Get-DomainTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Get-AdComputer Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Kerberos Attacks, Medusa Ransomware
|
2026-05-13
|
|
Windows SnappyBee Create Test Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
China-Nexus Threat Activity, Salt Typhoon, SnappyBee
|
2026-05-13
|
|
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
|
Windows Event Log Security 4738
|
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2026-05-13
|
|
Windows LSA Secrets NoLMhash Registry
|
Sysmon EventID 13
|
T1003.004
|
TTP
|
Scattered Lapsus$ Hunters, CISA AA23-347A
|
2026-05-13
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
T1078.002
|
TTP
|
sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Get ADUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Windows FFmpeg Audio and Video Device Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1125
|
Anomaly
|
Salat Stealer
|
2026-05-20
|
|
Suspicious Regsvr32 Register Suspicious Path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.010
|
TTP
|
Salt Typhoon, IcedID, Qakbot, Living Off The Land, Derusbi, China-Nexus Threat Activity, Suspicious Regsvr32 Activity
|
2026-05-13
|
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
T1112
|
Hunting
|
Hellcat Ransomware, Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Windows Credentials from Password Stores Query
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1555
|
Anomaly
|
Prestige Ransomware, DarkGate Malware, NetSupport RMM Tool Abuse, Windows Post-Exploitation
|
2026-05-13
|
|
Windows AD Dangerous Group ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows UAC Bypass Suspicious Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1548.002
|
TTP
|
Living Off The Land, Castle RAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Detect Path Interception By Creation Of program exe
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.009
|
TTP
|
Windows Persistence Techniques, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Execute Arbitrary Commands with MSDT
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host
|
2026-05-13
|
|
Windows Process Execution in Temp Dir
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.005
T1543
|
Anomaly
|
Gh0st RAT, PromptLock, Axios Supply Chain Post Compromise, AgentTesla, Trickbot, Ransomware, Qakbot, Lokibot, XWorm, SesameOp, RoguePlanet, Ryuk Ransomware, Remcos, Salat Stealer, PathWiper, NjRAT
|
2026-06-08
|
|
Detect Credential Dumping through LSASS access
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
BlackSuit Ransomware, CISA AA23-347A, Lokibot, Credential Dumping, Scattered Lapsus$ Hunters, Detect Zerologon Attack
|
2026-05-13
|
|
Windows RDP Server Registry Entry Created
|
Sysmon EventID 13
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Remote Create Service
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.003
|
Anomaly
|
CISA AA23-347A, BlackSuit Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Guest Account Enabled Via Net.EXE
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1078.001
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
Anomaly
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows LAPS Password Gathering Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1003
T1552
|
Anomaly
|
Credential Dumping, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
Brute Ratel C4, PathWiper
|
2026-05-13
|
|
Windows Defender Exclusion Registry Entry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Qakbot, XWorm, Azorult, Remcos, NetSupport RMM Tool Abuse, Salat Stealer, Warzone RAT, Windows Defense Evasion Tactics, ValleyRAT
|
2026-06-08
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
T1069
T1078.002
|
TTP
|
Active Directory Discovery, Rhysida Ransomware, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows RDP Client Launched with Admin Session
|
Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Findstr GPP Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1552.006
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4742, Windows Event Log Security 4738
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Compromised Windows Host
|
2026-05-13
|
|
Recon AVProduct Through Pwh or WMI
|
Powershell Script Block Logging 4104
|
T1592
|
TTP
|
Quasar RAT, Malicious PowerShell, Data Destruction, MoonPeak, Ransomware, Qakbot, Hermetic Wiper, XWorm, Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Privileged Group Modification
|
Windows Event Log Security 4749, Windows Event Log Security 4744, Windows Event Log Security 4783, Windows Event Log Security 4756, Windows Event Log Security 4790, Windows Event Log Security 4754, Windows Event Log Security 4759, Windows Event Log Security 4727, Windows Event Log Security 4731
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Process Execution via WMI
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows System User Privilege Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Windows SubInAcl Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1222.001
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows File Share Discovery With Powerview
|
Powershell Script Block Logging 4104
|
T1135
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Change File Association Command To Notepad
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1546.001
|
TTP
|
Prestige Ransomware, Compromised Windows Host
|
2026-05-13
|
|
PetitPotam Suspicious Kerberos TGT Request
|
Windows Event Log Security 4768
|
T1003
|
TTP
|
PetitPotam NTLM Relay on Active Directory Certificate Services, Active Directory Kerberos Attacks
|
2026-07-04
|
|
Windows MSExchange Management Mailbox Cmdlet Usage
|
|
T1059.001
|
Anomaly
|
ProxyNotShell, ProxyShell, BlackByte Ransomware, Scattered Spider
|
2026-05-13
|
|
Windows Linked Policies In ADSI Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
Active Directory Discovery, Data Destruction, Industroyer2
|
2026-05-13
|
|
Windows Event Log Cleared
|
Windows Event Log System 104, Windows Event Log Security 1102
|
T1685.005
|
TTP
|
ShrinkLocker, Clop Ransomware, Ransomware, CISA AA22-264A, Compromised Windows Host, Salat Stealer, Windows Log Manipulation
|
2026-06-08
|
|
Windows Impair Defense Disable Win Defender Compute File Hashes
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Quick Scan Interval
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Rubeus Command Line Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1550.003
T1558.003
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, ZOVWiper
|
2026-05-13
|
|
Windows Suspicious Defender Update Activity in INetCache
|
Sysmon EventID 11, Sysmon EventID 23
|
T1068
T1105
|
Anomaly
|
Windows Persistence Techniques, BlueHammer
|
2026-04-27
|
|
Disabling Defender Services
|
Sysmon EventID 13
|
T1685
|
TTP
|
IcedID, Windows Registry Abuse, RedLine Stealer
|
2026-05-13
|
|
Windows Time Based Evasion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
TTP
|
BlankGrabber Stealer, NjRAT
|
2026-05-13
|
|
Windows System Binary Proxy Execution Compiled HTML File Decompile
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.001
|
TTP
|
APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity, Living Off The Land
|
2026-05-13
|
|
Windows PowerSploit GPP Discovery
|
Powershell Script Block Logging 4104
|
T1552.006
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Service Deletion In Registry
|
Sysmon EventID 13
|
T1489
|
Anomaly
|
Brute Ratel C4, Crypto Stealer, PlugX
|
2026-05-13
|
|
Windows Input Capture Using Credential UI Dll
|
Sysmon EventID 7
|
T1056.002
|
Hunting
|
Brute Ratel C4, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Wmic Systeminfo Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
LAMEHUG, BlankGrabber Stealer, Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Windows Chromium Process with Disabled Extensions
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows System Discovery Using ldap Nslookup
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows Modify Registry ProxyServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows IIS Components Add New Module
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1505.004
|
Anomaly
|
IIS Components, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Unusually Long Command Line
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
N/A
|
Anomaly
|
Suspicious Command-Line Executions, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Unusual Processes
|
2026-05-13
|
|
Windows .Key File Creation in Root Directory
|
Sysmon EventID 11
|
T1486
|
Anomaly
|
Ransomware
|
2026-05-13
|
|
Create or delete windows shares using net exe
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1070.005
|
TTP
|
CISA AA22-277A, Hidden Cobra Malware, Prestige Ransomware, DarkGate Malware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12
|
T1053.005
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Persistence Techniques, Scheduled Tasks
|
2026-05-13
|
|
Excessive number of taskhost processes
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
Anomaly
|
Meterpreter
|
2026-05-13
|
|
Conti Common Exec parameter
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204
|
TTP
|
Ransomware, Hellcat Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows Bluetooth Service Installed From Uncommon Location
|
Windows Event Log System 7045
|
T1036
T1543.003
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Get-DomainTrust with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Disable Registry Tool
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Outlook LoadMacroProviderOnBoot Persistence
|
Sysmon EventID 13
|
T1112
T1137
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Network Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, BlankGrabber Stealer, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Detect Copy of ShadowCopy with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003.002
|
TTP
|
Credential Dumping, VanHelsing Ransomware
|
2026-05-13
|
|
Process Deleting Its Process File Path
|
Sysmon EventID 1
|
T1070
|
TTP
|
WhisperGate, Data Destruction, Remcos, Clop Ransomware
|
2026-05-13
|
|
Schtasks used for forcing a reboot
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Ransomware, Windows Persistence Techniques, Scheduled Tasks
|
2026-05-13
|
|
Windows Exfiltration Over C2 Via Powershell UploadString
|
Powershell Script Block Logging 4104
|
T1041
|
TTP
|
APT37 Rustonotto and FadeStealer, Winter Vivern
|
2026-05-13
|
|
Windows PowerShell Script Block With Malicious String
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Windows Outlook Macro Security Modified
|
Sysmon EventID 13
|
T1008
T1137
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Windows Routing and Remote Access Service Registry Key Change
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Gh0st RAT
|
2026-05-13
|
|
Windows Compatibility Telemetry Tampering Through Registry
|
Sysmon EventID 13
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Steal Authentication Certificates Export PfxCertificate
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Remote Services Allow Rdp In Firewall
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Azorult, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Rundll32 Create Remote Thread To A Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
IcedID, Living Off The Land
|
2026-06-29
|
|
Windows Find Domain Organizational Units with GetDomainOU
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4768, Windows Event Log Security 4887
|
T1550
T1649
|
TTP
|
Windows Certificate Services, Compromised Windows Host
|
2026-05-13
|
|
Windows Anonymous Pipe Activity
|
Sysmon EventID 17, Sysmon EventID 18
|
T1559
|
Hunting
|
Castle RAT, Salt Typhoon, SnappyBee, China-Nexus Threat Activity, Interlock Rat
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Users By Destination
|
NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Windows Find Interesting ACL with FindInterestingDomainAcl
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Cached Domain Credentials Reg Query
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.005
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Exchange PowerShell Abuse via SSRF
|
|
T1133
T1190
|
TTP
|
Seashell Blizzard, ProxyNotShell, ProxyShell, BlackByte Ransomware
|
2026-05-13
|
|
Windows Unusual Count Of Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
T1110.003
|
Anomaly
|
Volt Typhoon, Active Directory Password Spraying, Insider Threat
|
2026-05-13
|
|
Detect Prohibited Applications Spawning cmd exe
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
Hunting
|
Suspicious Command-Line Executions, NOBELIUM Group, Suspicious MSHTA Activity, Suspicious Zoom Child Processes
|
2026-05-13
|
|
Windows Ldifde Directory Object Behavior
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
T1105
|
TTP
|
Volt Typhoon
|
2026-05-13
|
|
Remote Process Instantiation via DCOM and PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Process Executed From Removable Media
|
Sysmon EventID 13, Sysmon EventID 1
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Phishing Recent ISO Exec Registry
|
Sysmon EventID 13
|
T1566.001
|
Hunting
|
AgentTesla, IcedID, Gozi Malware, Qakbot, Azorult, Remcos, Brute Ratel C4, Warzone RAT
|
2026-05-13
|
|
Disabling FolderOptions Windows Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Rundll32 Load DLL in Temp Dir
|
Sysmon EventID 1
|
T1218.011
|
Anomaly
|
Interlock Rat
|
2026-05-13
|
|
Remote System Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Network Connection From Program In Suspect Location
|
Sysmon EventID 3
|
T1011
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
Anomaly
|
Azorult
|
2026-06-29
|
|
Detect mshta renamed
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.005
|
Hunting
|
APT37 Rustonotto and FadeStealer, Suspicious MSHTA Activity, Living Off The Land
|
2026-05-13
|
|
Windows Service Create Kernel Mode Driver
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1068
T1543.003
|
TTP
|
Windows Drivers, CISA AA22-320A
|
2026-05-13
|
|
Windows Remote Image Load
|
Sysmon EventID 7
|
T1059
T1068
T1129
T1203
|
Anomaly
|
Ransomware, LockBit Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows SQL Server Configuration Option Hunt
|
Windows Event Log Application 15457
|
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows Uncommon Remote Thread Creation In Browser Process
|
Sysmon EventID 8
|
T1055.001
|
Anomaly
|
IcedID, Qakbot, Living Off The Land
|
2026-06-29
|
|
Remote System Discovery with Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows WinSCP Configuration Security Access
|
Windows Event Log Security 4663
|
T1552.001
|
Anomaly
|
Phantom Stealer
|
2026-06-24
|
|
Windows Suspicious Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
TTP
|
Cobalt Strike, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, APT37 Rustonotto and FadeStealer, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Remote System Discovery with Dsquery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2026-05-13
|
|
Mmc LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
T1218.014
|
TTP
|
Water Gamayun, Living Off The Land, XML Runner Loader, Active Directory Lateral Movement
|
2026-05-13
|
|
Potential Telegram API Request Via CommandLine
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1041
T1102.002
|
Anomaly
|
XMRig, BlankGrabber Stealer, Water Gamayun, 0bj3ctivity Stealer, Hellcat Ransomware
|
2026-05-13
|
|
Wbemprox COM Object Execution
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
Ransomware, LockBit Ransomware, Revil Ransomware
|
2026-05-13
|
|
Windows Indirect Command Execution Via pcalua
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1202
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Detect Computer Changed with Anonymous Account
|
Windows Event Log Security 4742
|
T1210
|
Hunting
|
Detect Zerologon Attack
|
2026-05-13
|
|
Windows SharePoint Spinstall0 Webshell File Creation
|
Sysmon EventID 11
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Disable Schedule Task
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Anomaly
|
IcedID, Living Off The Land
|
2026-05-13
|
|
GetWmiObject Ds Group with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
RunDLL Loading DLL By Ordinal
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
TTP
|
IcedID, Suspicious Rundll32 Activity, Living Off The Land, Unusual Processes
|
2026-05-13
|
|
Windows Credential Dumping LSASS Memory Createdump
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.001
|
TTP
|
Credential Dumping, Compromised Windows Host, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Powershell Cryptography Namespace
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Phantom Stealer, XWorm, VIP Keylogger, AsyncRAT
|
2026-06-25
|
|
Suspicious WAV file in Appdata Folder
|
Windows Event Log Security 4688, Sysmon EventID 1, Sysmon EventID 11
|
T1113
|
TTP
|
Remcos
|
2026-05-13
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
T1053.005
|
Hunting
|
0bj3ctivity Stealer, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement
|
2026-05-13
|
|
WinRAR Spawning Shell Application
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1105
|
TTP
|
WinRAR Spoofing Attack CVE-2023-38831, Compromised Windows Host
|
2026-05-13
|
|
Windows Query Registry UnInstall Program List
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
RedLine Stealer, StealC Stealer, Meduza Stealer
|
2026-05-13
|
|
Suspicious writes to windows Recycle Bin
|
Sysmon EventID 1, Sysmon EventID 11
|
T1036
|
TTP
|
Collection and Staging, PlugX
|
2026-05-13
|
|
Delete ShadowCopy With PowerShell
|
Powershell Script Block Logging 4104
|
T1490
|
TTP
|
Ransomware, DarkSide Ransomware, DarkGate Malware, VanHelsing Ransomware, Cactus Ransomware, Revil Ransomware
|
2026-05-13
|
|
Windows Modify Registry Qakbot Binary Data Registry
|
Sysmon EventID 13, Sysmon EventID 1
|
T1112
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows VSSVC Process Accessing Defender Engine
|
Sysmon EventID 10
|
T1068
|
TTP
|
RedSun, Windows Privilege Escalation
|
2026-05-01
|
|
Windows Get-Variable.EXE Execution from WindowsApps Folder
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.008
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
T1027.011
T1059.001
T1105
|
TTP
|
PHP-CGI RCE Attack on Japanese Organizations, Malicious PowerShell, MoonPeak, Medusa Ransomware
|
2026-05-13
|
|
Windows Scheduled Task Created in a Group Policy Object
|
Windows Event Log Security 5145
|
T1053.005
T1484.001
|
TTP
|
Scheduled Tasks, Windows Persistence Techniques, Living Off The Land
|
2026-05-13
|
|
Windows Mshta Execution In Registry
|
Sysmon EventID 13
|
T1218.005
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Apache Benchmark Binary
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
Anomaly
|
MetaSploit
|
2026-05-13
|
|
Windows Registry Entries Restored Via Reg
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1012
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows WinRAR Launched Outside Default Installation Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
Windows AdFind Exe
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
TTP
|
BlackSuit Ransomware, IcedID, Domain Trust Discovery, NOBELIUM Group, Graceful Wipe Out Attack
|
2026-05-13
|
|
Ntdsutil Export NTDS
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.003
|
TTP
|
HAFNIUM Group, Rhysida Ransomware, Living Off The Land, Prestige Ransomware, Credential Dumping, Volt Typhoon, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Download Files Using Telegram
|
Sysmon EventID 15
|
T1105
|
TTP
|
XMRig, Water Gamayun, Snake Keylogger, Crypto Stealer, 0bj3ctivity Stealer, Phemedrone Stealer
|
2026-05-13
|
|
LLM Model File Creation
|
Sysmon EventID 11
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Get Local Admin with FindLocalAdminAccess
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Process Injection into Notepad
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
BishopFox Sliver Adversary Emulation Framework, Earth Alux, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Disabling ControlPanel
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry AuthenticationLevelOverride
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows Network Connection Discovery Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1049
|
Hunting
|
Azorult, Active Directory Discovery, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows Files and Dirs Access Rights Modification Via Icacls
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1222.001
|
Anomaly
|
Amadey, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
T1055
T1059.001
|
TTP
|
Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Schtasks Run Task On Demand
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053
|
Anomaly
|
XMRig, Data Destruction, Medusa Ransomware, Scheduled Tasks, Qakbot, Industroyer2, CISA AA22-257A
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Salt Typhoon, SolarWinds WHD RCE Post Exploitation, NailaoLocker Ransomware, XWorm, Lokibot, DarkGate Malware, Derusbi, PlugX, China-Nexus Threat Activity, Malicious Inno Setup Loader, SnappyBee
|
2026-05-13
|
|
Shim Database File Creation
|
Sysmon EventID 11
|
T1546.011
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Security And Backup Services Stop
|
Windows Event Log System 7036
|
T1490
|
TTP
|
LockBit Ransomware, Ransomware, Termite Ransomware, Compromised Windows Host, Scattered Lapsus$ Hunters, BlackMatter Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
Windows Mark Of The Web Bypass
|
Sysmon EventID 23
|
T1553.005
|
TTP
|
Quasar RAT, Warzone RAT
|
2026-05-13
|
|
Windows Potential AppDomainManager Hijack Artifacts Creation
|
Sysmon EventID 11
|
T1574.014
|
Anomaly
|
SesameOp
|
2026-05-13
|
|
Domain Group Discovery With Dsquery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2026-05-13
|
|
Windows Alternate DataStream - Process Execution
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1564.004
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-06-04
|
|
GetDomainController with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Service Initiation on Remote Endpoint
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.003
|
TTP
|
CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Domain Account Discovery with Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.002
|
TTP
|
Active Directory Discovery, Interlock Ransomware
|
2026-05-13
|
|
Windows Unsecured Outlook Credentials Access In Registry
|
Windows Event Log Security 4663
|
T1552
|
Anomaly
|
Phantom Stealer, VIP Keylogger, Lokibot, Snake Keylogger, StealC Stealer, Meduza Stealer, 0bj3ctivity Stealer
|
2026-06-25
|
|
Suspicious Rundll32 no Command Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
TTP
|
Cobalt Strike, BlackByte Ransomware, Hellcat Ransomware, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows RDP Login Session Was Established
|
Windows Event Log Security 4624
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect Regsvcs with Network Connection
|
Sysmon EventID 3
|
T1218.009
|
TTP
|
Hellcat Ransomware, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2026-05-13
|
|
Allow Inbound Traffic By Firewall Rule Registry
|
Sysmon EventID 13
|
T1021.001
|
TTP
|
Medusa Ransomware, Windows Registry Abuse, Azorult, Prohibited Traffic Allowed or Protocol Mismatch, PlugX, NjRAT
|
2026-05-13
|
|
Windows Disable Memory Crash Dump
|
Sysmon EventID 13
|
T1485
|
TTP
|
Ransomware, Data Destruction, Hermetic Wiper, Windows Registry Abuse
|
2026-05-13
|
|
Time Provider Persistence Registry
|
Sysmon EventID 13
|
T1547.003
|
TTP
|
Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Domain Group Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Svchost.exe Parent Process Anomaly
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1036.009
|
Anomaly
|
China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
User Discovery With Env Vars PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows DLL Side-Loading Process Child Of Calc
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.001
|
Anomaly
|
Earth Alux, Qakbot
|
2026-05-13
|
|
Windows Regsvr32 Renamed Binary
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.010
|
TTP
|
Compromised Windows Host, Qakbot
|
2026-05-13
|
|
PowerShell Enable PowerShell Remoting
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 13
|
T1003
T1112
|
TTP
|
Credential Dumping, CISA AA22-320A, Windows Registry Abuse
|
2026-05-13
|
|
Detect Renamed 7-Zip
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1560.001
|
Hunting
|
Collection and Staging, Malicious Inno Setup Loader
|
2026-05-13
|
|
Jscript Execution Using Cscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.007
|
TTP
|
Remcos, FIN7
|
2026-05-13
|
|
Windows Gdrive Binary Activity
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1567
|
TTP
|
China-Nexus Threat Activity
|
2026-05-13
|
|
GetDomainComputer with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows System Reboot CommandLine
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1529
|
Hunting
|
Quasar RAT, MuddyWater, MoonPeak, XWorm, DarkGate Malware, DarkCrystal RAT, Scattered Lapsus$ Hunters, NjRAT
|
2026-05-13
|
|
Spoolsv Writing a DLL
|
Windows Event Log Security 4688, Sysmon EventID 1, Sysmon EventID 11
|
T1547.012
|
TTP
|
Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows Enable PowerShell Web Access
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell, CISA AA24-241A
|
2026-05-13
|
|
WMI Recon Running Process Or Services
|
Powershell Script Block Logging 4104
|
T1592
|
Anomaly
|
Malicious PowerShell, Data Destruction, Hermetic Wiper
|
2026-05-13
|
|
Suspicious Rundll32 PluginInit
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
TTP
|
IcedID
|
2026-05-13
|
|
Windows Registry Dotnet ETW Disabled Via ENV Variable
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Deny Security Software With Applocker
|
Sysmon EventID 13
|
T1685
|
TTP
|
Azorult, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Sensitive Registry Hive Dump Via CommandLine
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.002
|
TTP
|
Data Destruction, CISA AA23-347A, Windows Registry Abuse, Seashell Blizzard, DarkSide Ransomware, Credential Dumping, Volt Typhoon, Compromised Windows Host, Industroyer2, CISA AA22-257A
|
2026-05-13
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
T1053.005
|
Anomaly
|
Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows List ENV Variables Via SET Command From Uncommon Parent
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2026-05-13
|
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
T1542.003
|
Hunting
|
BlackLotus Campaign
|
2026-05-13
|
|
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
TTP
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Special Privileged Logon On Multiple Hosts
|
Windows Event Log Security 4672
|
T1021.002
T1087
T1135
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows File Download Via CertUtil
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1105
|
TTP
|
Cisco Network Visibility Module Analytics, CISA AA22-277A, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, Flax Typhoon, DarkSide Ransomware, Compromised Windows Host, ProxyNotShell
|
2026-05-13
|
|
Windows SQLCMD Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
Hunting
|
SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Time Based Evasion via Choice Exec
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
Anomaly
|
Snake Keylogger, 0bj3ctivity Stealer, VIP Keylogger
|
2026-05-13
|
|
WBAdmin Delete System Backups
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1490
|
TTP
|
Chaos Ransomware, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Prestige Ransomware, Ryuk Ransomware, Storm-0501 Ransomware
|
2026-05-13
|
|
CertUtil With Decode Argument
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1140
|
TTP
|
Deobfuscate-Decode Files or Information, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Windows AD Hidden OU Creation
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
Quasar RAT, Emotet Malware DHS Report TA18-201A, Ransomware, Qakbot, Lokibot, Braodo Stealer, Snake Keylogger, Remcos, SystemBC, Salat Stealer, WinDealer RAT, BlackByte Ransomware, NjRAT, MuddyWater, Axios Supply Chain Post Compromise, Interlock Ransomware, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, AsyncRAT, RedLine Stealer, XWorm, Suspicious Windows Registry Activities, DarkGate Malware, DarkCrystal RAT, Windows Persistence Techniques, Derusbi, NetSupport RMM Tool Abuse, Warzone RAT, Castle RAT, Gh0st RAT, BlackSuit Ransomware, Suspicious MSHTA Activity, Phantom Stealer, DHS Report TA18-074A, Sneaky Active Directory Persistence Tricks, Azorult, Cactus Ransomware, Chaos Ransomware, Salt Typhoon, MoonPeak, CISA AA23-347A, IcedID, Amadey, Windows Registry Abuse, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, SnappyBee, ValleyRAT
|
2026-06-25
|
|
Windows New Default File Association Value Set
|
Sysmon EventID 13
|
T1546.001
|
Hunting
|
Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Prestige Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Windows PowerShell Export PfxCertificate
|
Powershell Script Block Logging 4104
|
T1552.004
T1649
|
Anomaly
|
Water Gamayun, Windows Certificate Services, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect HTML Help URL in Command Line
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1218.001
|
TTP
|
Cisco Network Visibility Module Analytics, Suspicious Compiled HTML Activity, Living Off The Land, Compromised Windows Host, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Name
|
Windows Event Log Security 4698, Windows Event Log Security 4702, Windows Event Log Security 4700
|
T1053.005
|
TTP
|
Scheduled Tasks, Ransomware, Ryuk Ransomware, Windows Persistence Techniques, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, Castle RAT
|
2026-05-13
|
|
Suspicious GPUpdate no Command Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
|
TTP
|
Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows AD Privileged Account SID History Addition
|
Windows Event Log Security 4742, Windows Event Log Security 4738
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows SpeechRuntime Suspicious Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Uninstall App Using MsiExec
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.007
|
TTP
|
Ransomware
|
2026-05-13
|
|
Windows Curl Download to Suspicious Path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1105
|
TTP
|
Black Basta Ransomware, Salt Typhoon, Cisco Network Visibility Module Analytics, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, IcedID, NPM Supply Chain Compromise, Ingress Tool Transfer, Compromised Windows Host, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Throttle Rate
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
ServicePrincipalNames Discovery with SetSPN
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1558.003
|
TTP
|
Active Directory Discovery, Compromised Windows Host, Active Directory Privilege Escalation, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows Impair Defense Disable Defender Protocol Recognition
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
XMRIG Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
XMRig, Crypto Stealer, CISA AA22-320A
|
2026-05-13
|
|
Windows Wmic DiskDrive Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows AD Replication Request Initiated by User Account
|
Windows Event Log Security 4662, Windows Event Log Security 4624
|
T1003.006
|
TTP
|
Credential Dumping, Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Outlook WebView Registry Modification
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Impair Defense Disable Defender Firewall And Network
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Privilege Escalation Attempt Via MSI Rollback
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1068
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Windows Archive Collected Data via Powershell
|
Powershell Script Block Logging 4104
|
T1560
|
Anomaly
|
CISA AA23-347A, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows PowerView Constrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Unusual Number of Kerberos Service Tickets Requested
|
Windows Event Log Security 4769
|
T1558.003
|
Anomaly
|
Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows Cmdline Tool Execution From Non-Shell Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.007
|
Anomaly
|
Gh0st RAT, BlankGrabber Stealer, CISA AA23-347A, CISA AA22-277A, Medusa Ransomware, FIN7, Water Gamayun, Gozi Malware, SolarWinds WHD RCE Post Exploitation, Qakbot, Rhysida Ransomware, DarkGate Malware, Tuoni, Volt Typhoon
|
2026-05-13
|
|
Windows Office Product Spawned Uncommon Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1566.001
|
TTP
|
MuddyWater, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, AgentTesla, FIN7, Trickbot, IcedID, Qakbot, CVE-2023-21716 Word RTF Heap Corruption, Azorult, DarkCrystal RAT, Compromised Windows Host, Remcos, PlugX, Spearphishing Attachments, Warzone RAT, APT37 Rustonotto and FadeStealer, NjRAT
|
2026-05-13
|
|
Windows Domain Admin Impersonation Indicator
|
Windows Event Log Security 4627
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Gozi Malware, Compromised Windows Host, Active Directory Privilege Escalation
|
2026-05-13
|
|
Disabling Remote User Account Control
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
AgentTesla, Windows Registry Abuse, Suspicious Windows Registry Activities, Azorult, Remcos, Windows Defense Evasion Tactics
|
2026-05-13
|
|
System Information Discovery Detection
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
TTP
|
Interlock Ransomware, BlackSuit Ransomware, BlankGrabber Stealer, SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, Gozi Malware, Lotus Blossom Chrysalis Backdoor, Cleo File Transfer Software, NetSupport RMM Tool Abuse, LAMEHUG, Windows Discovery Techniques
|
2026-05-13
|
|
GetDomainGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows PowerShell Invoke-RestMethod IP Information Collection
|
Powershell Script Block Logging 4104
|
T1016
T1059.001
T1082
|
Anomaly
|
Water Gamayun
|
2026-05-13
|
|
Windows EFI Bootloader File Modification
|
Sysmon EventID 11
|
T1542.003
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Windows Identify PowerShell Web Access IIS Pool
|
Windows Event Log Security 4648
|
T1190
|
Hunting
|
CISA AA24-241A
|
2026-05-13
|
|
Mimikatz PassTheTicket CommandLine Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1550.003
|
TTP
|
Active Directory Kerberos Attacks, CISA AA23-347A, CISA AA22-320A, Sandworm Tools, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Unloading AMSI via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
TTP
|
Malicious PowerShell, Data Destruction, Hermetic Wiper
|
2026-05-13
|
|
ConnectWise ScreenConnect Path Traversal
|
Sysmon EventID 11
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard
|
2026-05-13
|
|
Windows Chromium Browser Launched with Small Window Size
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
TTP
|
Browser Hijacking
|
2026-05-13
|
|
Windows Steal Authentication Certificates CryptoAPI
|
Windows Event Log CAPI2 70
|
T1649
|
Anomaly
|
Windows Certificate Services, Hellcat Ransomware
|
2026-05-13
|
|
Windows DISM Install PowerShell Web Access
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1548.002
|
TTP
|
CISA AA24-241A
|
2026-05-13
|
|
Rundll32 Shimcache Flush
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1112
|
TTP
|
Compromised Windows Host, Living Off The Land, Unusual Processes
|
2026-05-13
|
|
First Time Seen Running Windows Service
|
Windows Event Log System 7036
|
T1569.002
|
Anomaly
|
NOBELIUM Group, Windows Service Abuse, Orangeworm Attack Group
|
2026-05-13
|
|
Kerberos User Enumeration
|
Windows Event Log Security 4768
|
T1589.002
|
Anomaly
|
Active Directory Kerberos Attacks
|
2026-05-13
|
|
Windows BootLoader Inventory
|
|
T1542.001
|
Hunting
|
Windows BootKits, BlackLotus Campaign
|
2026-05-13
|
|
Excessive Usage Of SC Service Utility
|
Sysmon EventID 1
|
T1569.002
|
Anomaly
|
Azorult, Ransomware, Crypto Stealer
|
2026-05-13
|
|
Rundll32 with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1218.011
|
TTP
|
Cobalt Strike, BlackByte Ransomware, BlackSuit Ransomware, PrintNightmare CVE-2021-34527, Compromised Windows Host, Cactus Ransomware, Suspicious Rundll32 Activity, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Related Service Stopped
|
Windows Event Log System 7036
|
T1490
|
Anomaly
|
Hellcat Ransomware, Scattered Lapsus$ Hunters, Security Solution Tampering
|
2026-05-13
|
|
Windows AppX Deployment Package Installation Success
|
Windows Event Log AppXDeployment-Server 854
|
T1204.002
|
Anomaly
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows New EventLog ChannelAccess Registry Value Set
|
Sysmon EventID 13
|
T1685.001
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware
|
2026-05-13
|
|
Windows LOLBAS Executed As Renamed File
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
T1218.011
|
TTP
|
Masquerading - Rename System Utilities, Water Gamayun, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Export Certificate
|
Windows Event Log CertificateServicesClient 1007
|
T1552.004
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Snake Malware File Modification Crmlog
|
Sysmon EventID 11
|
T1027
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Windows Modify Registry UpdateServiceUrlAlternate
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows WPDBusEnum Registry Key Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Unusual Process Load Mozilla NSS-Mozglue Module
|
Sysmon EventID 7
|
T1218.003
|
Anomaly
|
Quasar RAT, Phantom Stealer, VIP Keylogger, Lokibot, StealC Stealer, 0bj3ctivity Stealer
|
2026-06-25
|
|
DNS Exfiltration Using Nslookup App
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1048
|
TTP
|
Data Exfiltration, Command And Control, Compromised Windows Host, Dynamic DNS, Suspicious DNS Traffic
|
2026-05-13
|
|
Windows System Shutdown CommandLine
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1529
|
Anomaly
|
Quasar RAT, MuddyWater, MoonPeak, Sandworm Tools, XWorm, DarkGate Malware, DarkCrystal RAT, Scattered Lapsus$ Hunters, ZOVWiper, NjRAT
|
2026-05-13
|
|
Windows Attempt To Stop Security Service
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
TTP
|
WhisperGate, Data Destruction, Trickbot, Azorult, Disabling Security Tools, Graceful Wipe Out Attack
|
2026-05-13
|
|
Detect HTML Help Using InfoTech Storage Handlers
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.001
|
TTP
|
APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity, Living Off The Land
|
2026-05-13
|
|
Excessive distinct processes from Windows Temp
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
Anomaly
|
Meterpreter
|
2026-05-13
|
|
Ransomware Notes bulk creation
|
Sysmon EventID 11
|
T1486
|
Anomaly
|
Chaos Ransomware, Black Basta Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Rhysida Ransomware, Termite Ransomware, DarkSide Ransomware, Cactus Ransomware, BlackMatter Ransomware, Hellcat Ransomware, NailaoLocker Ransomware
|
2026-05-13
|
|
Windows AD DCShadow Privileges ACL Addition
|
Windows Event Log Security 5136
|
T1207
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD GPO Disabled
|
Windows Event Log Security 5136
|
T1484.001
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
T1110.003
|
TTP
|
Volt Typhoon, Active Directory Password Spraying, Insider Threat
|
2026-05-13
|
|
Services LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.003
|
TTP
|
CISA AA23-347A, Qakbot, Living Off The Land, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows AD Replication Request Initiated from Unsanctioned Location
|
Windows Event Log Security 4662, Windows Event Log Security 4624
|
T1003.006
|
TTP
|
Credential Dumping, Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows AD Short Lived Domain Controller SPN Attribute
|
Windows Event Log Security 4624, Windows Event Log Security 5136
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Defacement Modify Transcodedwallpaper File
|
Sysmon EventID 1, Sysmon EventID 11
|
T1491
|
Anomaly
|
Brute Ratel C4
|
2026-05-13
|
|
Windows Njrat Fileless Storage via Registry
|
Sysmon EventID 13
|
T1027.011
|
TTP
|
NjRAT
|
2026-05-13
|
|
Windows Modify Registry Risk Behavior
|
|
T1112
|
Correlation
|
Windows Registry Abuse
|
2026-05-13
|
|
Get DomainUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Data Destruction, Hellcat Ransomware, Scheduled Tasks, Compromised Windows Host, Industroyer2, Cactus Ransomware, Active Directory Discovery, CISA AA22-257A, Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows Binary Proxy Execution Mavinject DLL Injection
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.013
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows System LogOff Commandline
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1529
|
Anomaly
|
DarkCrystal RAT, Scattered Lapsus$ Hunters, XWorm, NjRAT
|
2026-05-13
|
|
Windows InstallUtil Uninstall Option
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.004
|
TTP
|
Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
T1542
T1688
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Detect Certify With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
T1649
|
TTP
|
Malicious PowerShell, Windows Certificate Services
|
2026-05-13
|
|
Windows Non-System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
Credential Dumping, Lokibot, Scattered Lapsus$ Hunters, CISA AA23-347A
|
2026-05-13
|
|
Detect PsExec With accepteula Flag
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
|
TTP
|
SamSam Ransomware, BlackByte Ransomware, Medusa Ransomware, CISA AA22-320A, IcedID, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, Storm-0501 Ransomware, Seashell Blizzard, DarkSide Ransomware, DarkGate Malware, Volt Typhoon, VanHelsing Ransomware, Cactus Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows TeamCity Plugin Installed
|
Sysmon EventID 11
|
T1059
T1190
T1505.003
|
Anomaly
|
JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Windows Indirect Command Execution Via forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1202
|
TTP
|
Windows Post-Exploitation, Living Off The Land
|
2026-05-13
|
|
Windows MSIExec Unregister DLLRegisterServer
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2026-05-13
|
|
Windows Hunting System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
|
Hunting
|
Credential Dumping, Lokibot, Scattered Lapsus$ Hunters, CISA AA23-347A
|
2026-05-13
|
|
Revil Registry Entry
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
|
TTP
|
Ransomware, Revil Ransomware, Windows Registry Abuse
|
2026-05-13
|
|
Suspicious DLLHost no Command Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
|
TTP
|
Cobalt Strike, Graceful Wipe Out Attack, BlackByte Ransomware, Cactus Ransomware
|
2026-05-13
|
|
GetAdGroup with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Detect Remote Access Software Usage File
|
Sysmon EventID 11
|
T1219
|
Anomaly
|
Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat
|
2026-05-13
|
|
Windows Eventlog Cleared Via Wevtutil
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685.005
|
Anomaly
|
ShrinkLocker, CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, Windows Log Manipulation
|
2026-05-13
|
|
Windows User Execution Malicious URL Shortcut File
|
Sysmon EventID 11
|
T1204.002
|
Anomaly
|
Chaos Ransomware, Quasar RAT, XWorm, Snake Keylogger, APT37 Rustonotto and FadeStealer, NjRAT
|
2026-05-13
|
|
Powershell Windows Defender Exclusion Commands
|
Powershell Script Block Logging 4104
|
T1685
|
Anomaly
|
WhisperGate, Data Destruction, AgentTesla, BlankGrabber Stealer, CISA AA22-320A, Remcos, NetSupport RMM Tool Abuse, Salat Stealer, Warzone RAT, Windows Defense Evasion Tactics
|
2026-06-29
|
|
Windows Modify Registry Utilize ProgIDs
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ValleyRAT
|
2026-05-13
|
|
Windows Sqlservr Spawning Shell
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows Mustang Panda USB Tool Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1020
T1204.002
T1574.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Event Logging Service Has Shutdown
|
Windows Event Log Security 1100
|
T1685.005
|
Hunting
|
Ransomware, Windows Log Manipulation, Scattered Lapsus$ Hunters, Clop Ransomware
|
2026-05-13
|
|
Windows File Transfer Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
T1071.003
|
Anomaly
|
Snake Keylogger, Hellcat Ransomware, Phantom Stealer, AgentTesla
|
2026-06-25
|
|
GetNetTcpconnection with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Suspicious microsoft workflow compiler rename
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
T1127
|
Hunting
|
Cobalt Strike, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution, BlackByte Ransomware
|
2026-05-13
|
|
Windows Credentials from Password Stores Creation
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1555
|
TTP
|
DarkGate Malware, NetSupport RMM Tool Abuse, Compromised Windows Host
|
2026-05-13
|
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
T1055
|
TTP
|
IcedID, Warzone RAT, Qakbot
|
2026-06-29
|
|
Allow Network Discovery In Firewall
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1686.001
|
TTP
|
BlackByte Ransomware, Medusa Ransomware, Ransomware, Hellcat Ransomware, Revil Ransomware, NjRAT
|
2026-05-13
|
|
Windows Remote Services Allow Remote Assistance
|
Sysmon EventID 13
|
T1021.001
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Destinations By Source
|
NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Disabling Task Manager
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows NorthStar C2 Agent Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
T1547.001
T1608
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Potential System Network Configuration Discovery Activity
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1016
|
Anomaly
|
Unusual Processes
|
2026-05-13
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.001
|
TTP
|
Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
|
Anomaly
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows FFmpeg DirectShow Video Capture
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1125
|
Anomaly
|
Salat Stealer
|
2026-05-20
|
|
Windows MSIExec Remote Download
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1218.007
|
Anomaly
|
Cisco Network Visibility Module Analytics, SolarWinds WHD RCE Post Exploitation, Water Gamayun, Windows System Binary Proxy Execution MSIExec, StealC Stealer
|
2026-05-13
|
|
Windows ComputerDefaults Spawning a Process
|
Sysmon EventID 1
|
T1548.002
|
TTP
|
BlankGrabber Stealer, Castle RAT
|
2026-05-13
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 13
|
T1546.002
|
TTP
|
Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Remote Host Computer Management Access
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1021.006
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Check Elevated CMD using whoami
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
TTP
|
FIN7
|
2026-05-13
|
|
Windows Remote Services Rdp Enable
|
Sysmon EventID 13
|
T1021.001
|
TTP
|
Azorult, Windows RDP Artifacts and Defense Evasion, BlackSuit Ransomware, Medusa Ransomware
|
2026-05-13
|
|
Windows Security Support Provider Reg Query
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1547.005
|
Anomaly
|
Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 13
|
T1542
T1547.001
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Detect Regasm with Network Connection
|
Sysmon EventID 3
|
T1218.009
|
TTP
|
Void Manticore, Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity, Hellcat Ransomware
|
2026-05-13
|
|
System Processes Run From Unexpected Locations
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
|
Anomaly
|
Ransomware, Qakbot, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability, Masquerading - Rename System Utilities, Suspicious Command-Line Executions, DarkGate Malware
|
2026-05-13
|
|
Vbscript Execution Using Wscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.005
|
TTP
|
Remcos, FIN7, AsyncRAT
|
2026-05-13
|
|
Windows Firewall Rule Modification
|
Windows Event Log Security 4947
|
T1686
|
Anomaly
|
ShrinkLocker, NetSupport RMM Tool Abuse, Medusa Ransomware
|
2026-05-13
|
|
Windows Registry SIP Provider Modification
|
Sysmon EventID 13
|
T1553.003
|
TTP
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1071
|
TTP
|
Azorult
|
2026-05-13
|
|
Get DomainUser with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.002
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Windows Modify Registry MaxConnectionPerServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Warzone RAT
|
2026-05-13
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Trickbot
|
2026-07-01
|
|
Windows Registry Certificate Added
|
Sysmon EventID 13
|
T1553.004
|
Anomaly
|
Windows Registry Abuse, Windows Drivers
|
2026-05-13
|
|
Windows MsMpEng Writing to System32
|
Sysmon EventID 15, Sysmon EventID 11
|
T1068
T1543.003
|
TTP
|
RedSun, Windows Drivers, BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Get ADUserResultantPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
T1218.010
|
TTP
|
Remcos, Suspicious Regsvr32 Activity
|
2026-05-13
|
|
Windows Indicator Removal Via Rmdir
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1070
|
Anomaly
|
DarkGate Malware, APT37 Rustonotto and FadeStealer, ZOVWiper
|
2026-05-13
|
|
Disable Logs Using WevtUtil
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685.005
|
TTP
|
Ransomware, Rhysida Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Windows Credentials Access via VaultCli Module
|
Sysmon EventID 7
|
T1555.004
|
Anomaly
|
Hellcat Ransomware, Meduza Stealer
|
2026-05-13
|
|
Windows Rundll32 Execution With Log.DLL
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Windows AD Domain Root ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Executables Or Script Creation In Temp Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
AcidPour, Swift Slicer, Qakbot, Lokibot, SesameOp, Snake Keylogger, Remcos, Salat Stealer, Brute Ratel C4, WinDealer RAT, BlackByte Ransomware, Graceful Wipe Out Attack, NjRAT, Axios Supply Chain Post Compromise, Data Destruction, Void Manticore, LockBit Ransomware, Handala Wiper, AsyncRAT, Rhysida Ransomware, RedLine Stealer, PromptFlux, DarkGate Malware, DarkCrystal RAT, Derusbi, Meduza Stealer, Warzone RAT, WhisperGate, XMRig, AgentTesla, Trickbot, VIP Keylogger, Phantom Stealer, Hermetic Wiper, Azorult, Interlock Rat, Chaos Ransomware, Salt Typhoon, PromptLock, MoonPeak, CISA AA23-347A, Amadey, IcedID, RoguePlanet, Volt Typhoon, Double Zero Destructor, Crypto Stealer, PlugX, Industroyer2, China-Nexus Threat Activity, XML Runner Loader, APT37 Rustonotto and FadeStealer, SnappyBee, ValleyRAT
|
2026-06-25
|
|
Windows Devtunnels Image Loaded
|
Sysmon EventID 7
|
T1090
|
Anomaly
|
Reverse Network Proxy
|
2026-05-13
|
|
Windows Modify Registry USeWuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows Delete or Modify System Firewall
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1686
|
Hunting
|
ShrinkLocker, NjRAT
|
2026-05-13
|
|
Detect Remote Access Software Usage Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1219
|
Anomaly
|
Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Ransomware, Gozi Malware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Storm-0501 Ransomware, Insider Threat
|
2026-05-13
|
|
Windows Ngrok Reverse Proxy Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1090
T1102
T1572
|
Anomaly
|
CISA AA24-241A, Reverse Network Proxy, CISA AA22-320A
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Destinations By User
|
NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Windows Process Injection Wermgr Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
|
Anomaly
|
Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
Malicious PowerShell, Data Destruction, CISA AA24-241A, Scheduled Tasks, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Possible Credential Dumping
|
Sysmon EventID 10
|
T1003.001
|
TTP
|
CISA AA23-347A, CISA AA22-264A, DarkSide Ransomware, Credential Dumping, Scattered Lapsus$ Hunters, Detect Zerologon Attack, CISA AA22-257A
|
2026-05-13
|
|
Suspicious SearchProtocolHost no Command Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
|
TTP
|
Cobalt Strike, BlackByte Ransomware, Cactus Ransomware, Hellcat Ransomware, Graceful Wipe Out Attack
|
2026-05-13
|
|
Active Setup Registry Autostart
|
Sysmon EventID 13
|
T1547.014
|
TTP
|
Data Destruction, Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation
|
2026-05-13
|
|
BCDEdit Failure Recovery Modification
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1490
|
TTP
|
Void Manticore, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Ryuk Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
Ransomware, Windows Drivers, Windows Registry Abuse
|
2026-05-13
|
|
Runas Execution in CommandLine
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1134.001
|
Hunting
|
Quasar RAT, Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2026-05-13
|
|
Allow File And Printing Sharing In Firewall
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1686.001
|
TTP
|
Ransomware, Hellcat Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Suspicious MSBuild Rename
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
T1127.001
|
Hunting
|
Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware
|
2026-05-13
|
|
Windows PowerShell Process Implementing Manual Base64 Decoder
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1027.010
T1059.001
|
Anomaly
|
Deobfuscate-Decode Files or Information, Compromised Windows Host
|
2026-05-13
|
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003
T1059.001
|
TTP
|
Malicious PowerShell, Data Destruction, CISA AA23-347A, CISA AA22-320A, Sandworm Tools, Hermetic Wiper, CISA AA22-264A, Scattered Spider, Hellcat Ransomware
|
2026-05-13
|
|
Windows UAC Bypass Suspicious Escalation Behavior
|
Sysmon EventID 1
|
T1548.002
|
TTP
|
Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Suspicious mshta child process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.005
|
TTP
|
MuddyWater, Lumma Stealer, Suspicious MSHTA Activity, Living Off The Land
|
2026-05-13
|
|
BITS Job Persistence
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1197
|
TTP
|
BITS Jobs, Living Off The Land
|
2026-05-13
|
|
Disable Defender Spynet Reporting
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA23-347A, IcedID, Windows Registry Abuse, Qakbot, Azorult
|
2026-05-13
|
|
Disable Defender AntiVirus Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Black Basta Ransomware, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, IcedID, Windows Registry Abuse, Cactus Ransomware, Salat Stealer
|
2026-06-08
|
|
Windows Wermgr Alternate Data Stream in Temp Dir
|
Sysmon EventID 15
|
T1564.004
|
Anomaly
|
RoguePlanet
|
2026-06-11
|
|
Detect HTML Help Renamed
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.001
|
Hunting
|
APT37 Rustonotto and FadeStealer, Suspicious Compiled HTML Activity, Living Off The Land
|
2026-05-13
|
|
Windows Modify Registry Tamper Protection
|
Sysmon EventID 13
|
T1112
|
TTP
|
RedLine Stealer, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Certutil exe certificate extraction
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1649
|
TTP
|
Cloud Federated Credential Abuse, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Windows Certificate Services
|
2026-05-13
|
|
Malicious PowerShell Process - Execution Policy Bypass
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
Anomaly
|
MuddyWater, Salt Typhoon, BlankGrabber Stealer, AsyncRAT, HAFNIUM Group, DHS Report TA18-074A, XWorm, DarkCrystal RAT, Volt Typhoon, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
T1546.003
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows Gather Victim Host Information Camera
|
Powershell Script Block Logging 4104
|
T1592.001
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
GetAdGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Control Loading from World Writable Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.002
|
TTP
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
GetDomainController with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Rundll32 WebDAV Request
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1048.003
|
Hunting
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2026-05-13
|
|
Suspicious Rundll32 dllregisterserver
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
TTP
|
IcedID, Suspicious Rundll32 Activity, Living Off The Land
|
2026-05-13
|
|
Windows RunMRU Registry Key or Value Deleted
|
Sysmon EventID 12
|
T1112
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Disable Shutdown Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2026-05-13
|
|
Windows Rundll32 WebDav With Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
T1048.003
|
TTP
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2026-05-13
|
|
Detect Renamed RClone
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1020
|
Hunting
|
Black Basta Ransomware, DarkSide Ransomware, Ransomware, Cactus Ransomware
|
2026-05-13
|
|
Windows Steal Authentication Certificates CS Backup
|
Windows Event Log Security 4876
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Executable Masquerading as Benign File Types
|
Sysmon EventID 29
|
T1036.008
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
XMRig, Interlock Ransomware, AgentTesla, CISA AA22-320A, Snake Keylogger, APT37 Rustonotto and FadeStealer, BlackByte Ransomware
|
2026-05-13
|
|
Windows Schtasks Create Run As System
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, Scheduled Tasks, Qakbot, Windows Persistence Techniques, Castle RAT
|
2026-05-13
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 13
|
T1556
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Renamed Powershell Execution
|
Sysmon EventID 1
|
T1036.003
|
TTP
|
Axios Supply Chain Post Compromise, Hellcat Ransomware, XWorm
|
2026-05-13
|
|
PowerShell Invoke CIMMethod CIMSession
|
Powershell Script Block Logging 4104
|
T1047
|
Anomaly
|
Malicious PowerShell, Active Directory Lateral Movement, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Modify Registry Suppress Win Defender Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Suspicious Reg exe Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1112
|
Anomaly
|
DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Wermgr Process Create Executable File
|
Sysmon EventID 11
|
T1027
|
TTP
|
Trickbot
|
2026-05-13
|
|
Windows Wmic Memory Chip Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows Process With NetExec Command Line Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1550.003
T1558.003
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Screen Capture Via Powershell
|
Powershell Script Block Logging 4104
|
T1113
|
TTP
|
Water Gamayun, BlankGrabber Stealer, APT37 Rustonotto and FadeStealer, Winter Vivern
|
2026-05-13
|
|
Remote WMI Command Attempt
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
CISA AA23-347A, IcedID, Living Off The Land, Volt Typhoon, Suspicious WMI Use, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1078.002
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows PowerShell IIS Components WebGlobalModule Usage
|
Powershell Script Block Logging 4104
|
T1505.004
|
Anomaly
|
IIS Components, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows AD Short Lived Server Object
|
Windows Event Log Security 5137, Windows Event Log Security 5141
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Admon Group Policy Object Created
|
Windows Active Directory Admon
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Detection of tools built by NirSoft
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1072
|
Anomaly
|
Emotet Malware DHS Report TA18-201A
|
2026-05-13
|
|
Sunburst Correlation DLL and Network Event
|
Sysmon EventID 7, Sysmon EventID 22
|
T1203
|
TTP
|
NOBELIUM Group
|
2026-05-13
|
|
Windows Modify Registry ProxyEnable
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows File and Directory Enable ReadOnly Permissions
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1222.001
|
TTP
|
NetSupport RMM Tool Abuse, Crypto Stealer
|
2026-05-13
|
|
Excessive Usage Of Cacls App
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1222
|
Anomaly
|
XMRig, Prestige Ransomware, Azorult, Defense Evasion or Unauthorized Access Via SDDL Tampering, Crypto Stealer, Windows Post-Exploitation
|
2026-05-13
|
|
Credential Dumping via Copy Command from Shadow Copy
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Interactive Session on Remote Endpoint with PowerShell
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows MSHTA Writing to World Writable Path
|
Sysmon EventID 11
|
T1218.005
|
TTP
|
Suspicious MSHTA Activity, XWorm, APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
T1112
|
TTP
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Rundll32 Control RunDLL World Writable Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
TTP
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Suspicious Rundll32 Activity, Living Off The Land
|
2026-05-13
|
|
Windows AD Privileged Group Modification
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Privilege Escalation System Process Without System Parent
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2026-05-13
|
|
Windows EventLog Recon Activity Using Log Query Utilities
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1654
|
Anomaly
|
BlankGrabber Stealer, Windows Discovery Techniques
|
2026-05-13
|
|
Detect Renamed PSExec
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1569.002
|
Hunting
|
Salt Typhoon, SamSam Ransomware, CISA AA22-320A, Medusa Ransomware, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, DarkGate Malware, DarkSide Ransomware, VanHelsing Ransomware, Active Directory Lateral Movement, Cactus Ransomware, China-Nexus Threat Activity, BlackByte Ransomware
|
2026-05-13
|
|
WinRM Spawning a Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1190
|
TTP
|
Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, CISA AA23-347A, Unusual Processes
|
2026-05-13
|
|
Windows Archive Collected Data via Rar
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1560.001
|
Anomaly
|
China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Rapid Authentication On Multiple Hosts
|
Windows Event Log Security 4624
|
T1003.002
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
SAM Database File Access Attempt
|
Windows Event Log Security 4663
|
T1003.002
|
Hunting
|
Credential Dumping, Rhysida Ransomware, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
T1543.003
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Compromised Windows Host
|
2026-05-13
|
|
Windows Process Injection In Non-Service SearchIndexer
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows SQL Server xp_cmdshell Config Change
|
Windows Event Log Application 15457
|
T1505.001
|
TTP
|
Seashell Blizzard, SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
GetAdComputer with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
Hunting
|
Active Directory Discovery, Medusa Ransomware
|
2026-05-13
|
|
Windows MSIExec Spawn Discovery Command
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.007
|
Anomaly
|
Windows System Binary Proxy Execution MSIExec, Water Gamayun, StealC Stealer, Medusa Ransomware
|
2026-05-13
|
|
Windows Impair Defense Configure App Install Control
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry DisableRemoteDesktopAntiAlias
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Remcos client registry install entry
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
|
TTP
|
Windows Registry Abuse, Remcos
|
2026-05-13
|
|
Resize ShadowStorage volume
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1490
|
TTP
|
Clop Ransomware, Medusa Ransomware, VanHelsing Ransomware, Compromised Windows Host, BlackByte Ransomware
|
2026-05-13
|
|
Windows File and Directory Permissions Remove Inheritance
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1222.001
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows Wmic Network Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows DNS Gather Network Info
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1590.002
|
Anomaly
|
Sandworm Tools, Volt Typhoon
|
2026-05-13
|
|
Windows App Layer Protocol Wermgr Connect To NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1071
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Permission Modification using Takeown App
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1222
|
Anomaly
|
Sandworm Tools, Ransomware, Scattered Lapsus$ Hunters, Crypto Stealer
|
2026-05-13
|
|
Get WMIObject Group Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
T1547.001
|
Anomaly
|
Chaos Ransomware, Quasar RAT, Interlock Ransomware, BlankGrabber Stealer, Phantom Stealer, Gozi Malware, RedLine Stealer, XWorm, PromptFlux, Crypto Stealer, APT37 Rustonotto and FadeStealer, NjRAT
|
2026-06-25
|
|
Windows Office Product Spawned MSDT
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1566.001
|
TTP
|
Spearphishing Attachments, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host
|
2026-05-13
|
|
Windows BitLockerToGo Process Execution
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1218
|
Hunting
|
Lumma Stealer
|
2026-05-13
|
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
T1059.001
T1105
|
TTP
|
Malicious PowerShell, Hellcat Ransomware
|
2026-05-13
|
|
Non Chrome Process Accessing Chrome Default Dir
|
Windows Event Log Security 4663
|
T1555.003
|
Anomaly
|
Quasar RAT, Lokibot, Snake Keylogger, Remcos, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, RedLine Stealer, DarkGate Malware, StealC Stealer, Warzone RAT, AgentTesla, VIP Keylogger, Phantom Stealer, 3CX Supply Chain Attack, Malicious Inno Setup Loader, Salt Typhoon, CISA AA23-347A, FIN7, China-Nexus Threat Activity, SnappyBee
|
2026-06-25
|
|
Windows Office Product Loaded MSHTML Module
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, MuddyWater, CVE-2023-36884 Office and Windows HTML RCE Vulnerability
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Health Check Intervals
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows IIS Components Get-WebGlobalModule Module Query
|
Powershell Installed IIS Modules
|
T1505.004
|
Hunting
|
IIS Components, WS FTP Server Critical Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Suspicious wevtutil Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685.005
|
TTP
|
ShrinkLocker, CISA AA23-347A, Clop Ransomware, Ransomware, Storm-2460 CLFS Zero Day Exploitation, Rhysida Ransomware, VoidLink Cloud-Native Linux Malware, Scattered Spider, Windows Log Manipulation, Storm-0501 Ransomware
|
2026-05-13
|
|
Windows Default Cobalt Strike PowerShell Beacon
|
Powershell Script Block Logging 4104
|
T1059.001
T1204.002
|
TTP
|
Cobalt Strike
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Gen reports
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry Configure BitLocker
|
Sysmon EventID 13
|
T1112
|
TTP
|
ShrinkLocker
|
2026-05-13
|
|
Suspicious PlistBuddy Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Windows Admin Permission Discovery
|
Sysmon EventID 11
|
T1069.001
|
Anomaly
|
NjRAT
|
2026-05-13
|
|
Windows Important Audit Policy Disabled
|
Windows Event Log Security 4719
|
T1685
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows PowerShell Get CIMInstance Remote Computer
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Modify Registry on Smart Card Group Policy
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ShrinkLocker
|
2026-05-13
|
|
Windows Modify Registry Disable Toast Notifications
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
T1546.003
|
TTP
|
Suspicious WMI Use, Hellcat Ransomware
|
2026-05-13
|
|
Windows Computer Account With SPN
|
Windows Event Log Security 4741
|
T1558
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks, Compromised Windows Host
|
2026-05-13
|
|
Windows Browser Process Launched with Unusual Flags
|
Sysmon EventID 1
|
T1185
|
Anomaly
|
Phantom Stealer, Castle RAT
|
2026-06-25
|
|
Suspicious mshta spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.005
|
TTP
|
APT37 Rustonotto and FadeStealer, Suspicious MSHTA Activity, Living Off The Land
|
2026-05-13
|
|
Windows AI Platform DNS Query
|
Sysmon EventID 22
|
T1071.004
|
Anomaly
|
LAMEHUG, SesameOp, PromptFlux
|
2026-05-13
|
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
T1055.002
|
TTP
|
Phantom Stealer, Water Gamayun, Earth Alux, Qakbot, Warzone RAT, Graceful Wipe Out Attack
|
2026-06-29
|
|
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
Anomaly
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Identify Protocol Handlers
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
Hunting
|
Living Off The Land
|
2026-05-13
|
|
Windows SQL Server Extended Procedure DLL Loading Hunt
|
Windows Event Log Application 8128
|
T1059.009
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows New Deny Permission Set On Service SD Via Sc.EXE
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1564
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows MSC EvilTwin Directory Path Manipulation
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.005
T1203
T1218
|
TTP
|
Water Gamayun, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Azure Storage Utility Execution Via CLI
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1567.002
|
Anomaly
|
Data Exfiltration
|
2026-05-13
|
|
Windows InstallUtil in Non Standard Path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
T1218.004
|
TTP
|
WhisperGate, Data Destruction, Signed Binary Proxy Execution InstallUtil, Ransomware, Living Off The Land, Unusual Processes, Masquerading - Rename System Utilities
|
2026-05-13
|
|
Windows Steal Authentication Certificates - ESC1 Abuse
|
Windows Event Log Security 4886, Windows Event Log Security 4887
|
T1649
|
TTP
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Detect Network Scanner Behavior
|
Sysmon EventID 3
|
T1595.001
T1595.002
|
Anomaly
|
Windows Discovery Techniques, Network Discovery
|
2026-05-13
|
|
Windows Execution of Microsoft MSC File In Suspicious Path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.014
|
Anomaly
|
XML Runner Loader
|
2026-05-13
|
|
Windows RDP Server Registry Deletion
|
Sysmon EventID 13, Sysmon EventID 12
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ShrinkLocker, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Post Exploitation Risk Behavior
|
|
T1003
T1012
T1016
T1049
T1069
T1082
T1115
T1552
|
Correlation
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Unusual SysWOW64 Process Run System32 Executable
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1036.009
|
Anomaly
|
China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon
|
2026-05-13
|
|
Windows Modify Registry Auto Update Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Revil Common Exec Parameter
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204
|
TTP
|
Ransomware, Revil Ransomware
|
2026-05-13
|
|
Windows RDP Cache File Deletion
|
Sysmon EventID 26, Sysmon EventID 23
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Network Share Interaction Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1039
T1135
|
Hunting
|
Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery
|
2026-05-13
|
|
Detect Regsvcs with No Command Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.009
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2026-05-13
|
|
XSL Script Execution With WMIC
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1220
|
TTP
|
Suspicious WMI Use, FIN7
|
2026-05-13
|
|
Windows Symlink Evaluation Change via Fsutil
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1222.001
|
Anomaly
|
Windows Post-Exploitation
|
2026-05-13
|
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Active Directory Discovery, Malicious PowerShell
|
2026-05-13
|
|
Windows Audit Policy Disabled via Legacy Auditpol
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Ingress Tool Transfer Using Explorer
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1105
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
Powershell Remove Windows Defender Directory
|
Powershell Script Block Logging 4104
|
T1685
|
Anomaly
|
WhisperGate, Data Destruction
|
2026-06-29
|
|
ServicePrincipalNames Discovery with PowerShell
|
Powershell Script Block Logging 4104
|
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Malicious PowerShell, Active Directory Privilege Escalation, Active Directory Discovery, Hellcat Ransomware
|
2026-05-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Proxy Via Registry
|
Sysmon EventID 13
|
T1090.001
|
Anomaly
|
Volt Typhoon
|
2026-05-13
|
|
Windows BitLocker Suspicious Command Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1486
T1490
|
TTP
|
ShrinkLocker
|
2026-05-13
|
|
Windows RDP Connection Successful
|
Windows Event Log RemoteConnectionManager 1149
|
T1563.002
|
Hunting
|
Interlock Ransomware, Windows RDP Artifacts and Defense Evasion, NetSupport RMM Tool Abuse, Active Directory Lateral Movement, BlackByte Ransomware
|
2026-05-13
|
|
Windows SymbolicLink-Testing-Tools Utility Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1222
T1564.004
|
TTP
|
Windows Persistence Techniques, Windows Post-Exploitation, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Impair Defenses Disable Win Defender Auto Logging
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Root Domain linked policies Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
Active Directory Discovery, Data Destruction, Industroyer2
|
2026-05-13
|
|
Windows Impair Defense Disable Web Evaluation
|
Sysmon EventID 13
|
T1685
|
TTP
|
Salat Stealer, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-06-08
|
|
Detect Remote Access Software Usage FileInfo
|
Sysmon EventID 1
|
T1219
|
Anomaly
|
Command And Control, Interlock Ransomware, Ransomware, Gozi Malware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat
|
2026-05-13
|
|
Windows Universal Data Link File Creation
|
Sysmon EventID 11
|
T1204.002
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Indirect Command Execution Via Series Of Forfiles
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1202
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1126, Windows Event Log Defender 1133, Windows Event Log Defender 1129, Windows Event Log Defender 1121, Windows Event Log Defender 1131
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Allow Inbound Traffic In Firewall Rule
|
Powershell Script Block Logging 4104
|
T1021.001
|
TTP
|
NetSupport RMM Tool Abuse, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Kerberos TGT Request Using RC4 Encryption
|
Windows Event Log Security 4768
|
T1550
|
TTP
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Privilege Escalation Suspicious Process Elevation
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Command Obfuscation with Environment Variable Substrings
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1027.010
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
Kerberoasting spn request with RC4 encryption
|
Windows Event Log Security 4769
|
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Data Destruction, Hermetic Wiper, Windows Privilege Escalation, Compromised Windows Host
|
2026-05-13
|
|
Windows Alternate DataStream - Base64 Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
APT37 Rustonotto and FadeStealer, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Service Stop Win Updates
|
Windows Event Log System 7040
|
T1489
|
Anomaly
|
RedLine Stealer, CISA AA23-347A
|
2026-05-13
|
|
Windows Create Local Account
|
Windows Event Log Security 4720
|
T1136.001
|
Anomaly
|
Scattered Lapsus$ Hunters, Active Directory Password Spraying, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Create Remote Thread into LSASS
|
Sysmon EventID 8
|
T1003.001
|
TTP
|
Credential Dumping, BlackSuit Ransomware, Lokibot
|
2026-06-29
|
|
Windows WBAdmin File Recovery From Backup
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1490
T1565.001
|
Anomaly
|
Credential Dumping
|
2026-05-13
|
|
FodHelper UAC Bypass
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1112
T1548.002
|
TTP
|
BlankGrabber Stealer, IcedID, Compromised Windows Host, ValleyRAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
T1505.004
T1685.001
|
TTP
|
IIS Components, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows ClipBoard Data via Get-ClipBoard
|
Powershell Script Block Logging 4104
|
T1115
|
Anomaly
|
Prestige Ransomware, BlankGrabber Stealer, Windows Post-Exploitation
|
2026-06-29
|
|
Windows Spearphishing Attachment Onenote Spawn Mshta
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1566.001
|
TTP
|
Spearphishing Attachments, Compromised Windows Host, APT37 Rustonotto and FadeStealer, AsyncRAT
|
2026-05-13
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Quasar RAT, Ransomware, Scheduled Tasks, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, XWorm, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, Winter Vivern, Castle RAT, Medusa Ransomware, Malicious Inno Setup Loader, Active Directory Lateral Movement, Salt Typhoon, CISA AA23-347A, IcedID, Industroyer2, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT
|
2026-05-13
|
|
Remote Desktop Process Running On System
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
|
Hunting
|
Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, Hidden Cobra Malware
|
2026-05-13
|
|
Windows MpCmdRun RemoveDefinitions Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry Disable Windows Security Center Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Windows Computer Account Requesting Kerberos Ticket
|
Windows Event Log Security 4768
|
T1558
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Rundll32 LockWorkStation
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
Anomaly
|
Ransomware
|
2026-05-13
|
|
Anomalous usage of 7zip
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1560.001
|
Anomaly
|
Cobalt Strike, BlackByte Ransomware, BlackSuit Ransomware, NOBELIUM Group, Graceful Wipe Out Attack
|
2026-05-13
|
|
Get-ForestTrust with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Processes Killed By Industroyer2 Malware
|
Sysmon EventID 5
|
T1489
|
Anomaly
|
Data Destruction, Industroyer2
|
2026-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Suspicious C2 Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
TTP
|
Cobalt Strike, BlackByte Ransomware, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, Storm-0501 Ransomware, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
GetAdComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
Hunting
|
Active Directory Discovery, Gozi Malware, Medusa Ransomware, CISA AA22-320A
|
2026-05-13
|
|
Hunting 3CXDesktopApp Software
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1195.002
|
Hunting
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Windows Disable or Stop Browser Process
|
Sysmon EventID 1
|
T1685
|
TTP
|
BlankGrabber Stealer, Phantom Stealer, Braodo Stealer, Scattered Lapsus$ Hunters, Salat Stealer, Hellcat Ransomware, Castle RAT
|
2026-06-25
|
|
Windows Suspicious QEMU Execution
|
Sysmon EventID 1
|
T1001
T1036
T1204.002
T1564.006
|
TTP
|
Linux Post-Exploitation, Linux Privilege Escalation, Compromised Linux Host, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Rootkit
|
2026-05-13
|
|
Process Writing DynamicWrapperX
|
Sysmon EventID 11
|
T1059
T1559.001
|
Hunting
|
Remcos
|
2026-05-13
|
|
Windows Admin Password Changed by Non-Admin
|
Windows Event Log Security 4723
|
T1068
T1543.003
|
TTP
|
BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Windows Certutil Root Certificate Addition
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1587.003
|
TTP
|
Secret Blizzard
|
2026-05-13
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4726, Windows Event Log System 4720
|
T1078.003
T1136.001
|
TTP
|
Active Directory Lateral Movement, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows MSI Rollback Script Deleted By Non-Msiexec Process
|
Sysmon EventID 23
|
T1068
T1218.007
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Remote Process Instantiation via DCOM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1021.003
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Add DefaultUser And Password In Registry
|
Sysmon EventID 13, Sysmon EventID 12
|
T1552.002
|
Anomaly
|
BlackMatter Ransomware
|
2026-05-13
|
|
Scheduled Task Initiation on Remote Endpoint
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Medusa Ransomware, Scheduled Tasks, Living Off The Land, Seashell Blizzard, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows NirSoft AdvancedRun
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1588.002
|
TTP
|
WhisperGate, Ransomware, Data Destruction, Unusual Processes
|
2026-05-13
|
|
Exchange PowerShell Module Usage
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
CISA AA22-277A, ProxyShell, CISA AA22-264A, ProxyNotShell, Scattered Spider, BlackByte Ransomware
|
2026-05-13
|
|
Windows CAB File on Disk
|
Sysmon EventID 11
|
T1566.001
|
Anomaly
|
DarkGate Malware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows PaperCut NG Spawn Shell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
T1133
T1190
|
TTP
|
PaperCut MF NG Vulnerability, Compromised Windows Host
|
2026-05-13
|
|
Windows Private Keys Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1552.004
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Phishing PDF File Executes URL Link
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1566.001
|
Anomaly
|
Spearphishing Attachments, MuddyWater, Snake Keylogger
|
2026-05-13
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Brute Ratel C4, Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation, XWorm
|
2026-05-13
|
|
PowerShell PInvoke Process Injection API Chain
|
Powershell Script Block Logging 4104
|
T1055.001
T1055.003
T1055.004
T1055.012
T1055.013
T1059.001
T1620
|
TTP
|
Phantom Stealer, VIP Keylogger
|
2026-06-25
|
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
T1055.001
|
TTP
|
Remcos, AsyncRAT
|
2026-05-13
|
|
Windows WMI Process Call Create
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
Hunting
|
CISA AA23-347A, IcedID, Qakbot, Volt Typhoon, Cactus Ransomware, Suspicious WMI Use
|
2026-05-13
|
|
Windows ConHost with Headless Argument
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1564.003
T1564.006
|
TTP
|
Spearphishing Attachments, Compromised Windows Host
|
2026-05-13
|
|
Shim Database Installation With Suspicious Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1546.011
|
TTP
|
Windows Persistence Techniques, Compromised Windows Host
|
2026-05-13
|
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
PowerShell Environment Variable Execution
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
VIP Keylogger
|
2026-06-29
|
|
Windows Modify Registry No Auto Reboot With Logon User
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows Unusual FileZilla XML Config Access
|
Windows Event Log Security 4663
|
T1552.001
|
Anomaly
|
Quasar RAT, Phantom Stealer
|
2026-06-25
|
|
Rundll32 Process Creating Exe Dll Files
|
Sysmon EventID 11
|
T1218.011
|
TTP
|
IcedID, Gh0st RAT, Living Off The Land
|
2026-05-13
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
T1546.008
|
TTP
|
Flax Typhoon, Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Create Local Administrator Account Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1136.001
|
Anomaly
|
CISA AA24-241A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, DHS Report TA18-074A, Azorult, DarkGate Malware, Scattered Lapsus$ Hunters, CISA AA22-257A
|
2026-05-13
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Hellcat Ransomware, Winter Vivern
|
2026-05-13
|
|
Windows Raw Access To Master Boot Record Drive
|
Sysmon EventID 9
|
T1561.002
|
TTP
|
WhisperGate, Data Destruction, BlackByte Ransomware, Disk Wiper, Void Manticore, Hermetic Wiper, CISA AA22-264A, Caddy Wiper, Graceful Wipe Out Attack, PathWiper, NjRAT
|
2026-05-13
|
|
Ryuk Wake on LAN Command
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
TTP
|
Ryuk Ransomware, Hellcat Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows IIS Components New Module Added
|
Windows IIS 29
|
T1505.004
|
TTP
|
IIS Components, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Masquerading Msdtc Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036
|
TTP
|
Compromised Windows Host, PlugX
|
2026-05-13
|
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
T1134.001
|
Hunting
|
Brute Ratel C4
|
2026-05-13
|
|
Windows Modify Registry Auto Minor Updates
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows MOF Event Triggered Execution via WMI
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1546.003
|
TTP
|
Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
Windows RMM Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat
|
2026-05-13
|
|
High Frequency Copy Of Files In Network Share
|
Windows Event Log Security 5145
|
T1537
|
Anomaly
|
Hellcat Ransomware, Information Sabotage, Insider Threat
|
2026-05-13
|
|
Windows SoftEther VPN Masquerading as Legitimate Binary
|
Sysmon EventID 1
|
T1036
T1572
|
TTP
|
Flax Typhoon, Linux Privilege Escalation, Linux Persistence Techniques
|
2026-05-13
|
|
Detect AzureHound File Modifications
|
Sysmon EventID 11
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows Process Commandline Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1057
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Bcdedit Command Back To Normal Mode Boot
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1490
|
TTP
|
Black Basta Ransomware, BlackMatter Ransomware
|
2026-05-13
|
|
GetWmiObject Ds Computer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
LockBit Ransomware
|
2026-05-13
|
|
Windows Snake Malware Registry Modification wav OpenWithProgIds
|
Sysmon EventID 13
|
T1112
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Disabling CMD Application
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows TinyCC Shellcode Execution
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1027
T1036
T1059.003
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
T1078.002
|
TTP
|
sAMAccountName Spoofing and Domain Controller Impersonation, Scattered Lapsus$ Hunters, Compromised Windows Host, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows InstallUtil Credential Theft
|
Sysmon EventID 7
|
T1218.004
|
TTP
|
Signed Binary Proxy Execution InstallUtil
|
2026-05-13
|
|
Windows AD Abnormal Object Access Activity
|
Windows Event Log Security 4662
|
T1087.002
|
Anomaly
|
Active Directory Discovery, BlackSuit Ransomware
|
2026-05-13
|
|
Executables Or Script Creation In Suspicious Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
Quasar RAT, AcidPour, Swift Slicer, Qakbot, Lokibot, SesameOp, Snake Keylogger, Remcos, SystemBC, Brute Ratel C4, WinDealer RAT, BlackByte Ransomware, Graceful Wipe Out Attack, NjRAT, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, LockBit Ransomware, Handala Wiper, AsyncRAT, Void Manticore, Earth Alux, Rhysida Ransomware, RedLine Stealer, DarkGate Malware, DarkCrystal RAT, Derusbi, DynoWiper, Meduza Stealer, Warzone RAT, Castle RAT, WhisperGate, XMRig, AgentTesla, Trickbot, GhostRedirector IIS Module and Rungan Backdoor, VIP Keylogger, Phantom Stealer, Hermetic Wiper, Azorult, Cactus Ransomware, Interlock Rat, Chaos Ransomware, Salt Typhoon, PromptLock, MoonPeak, CISA AA23-347A, IcedID, Amadey, Volt Typhoon, Double Zero Destructor, Crypto Stealer, PlugX, Industroyer2, China-Nexus Threat Activity, XML Runner Loader, NailaoLocker Ransomware, SnappyBee, ValleyRAT
|
2026-06-25
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Trickbot, IcedID, Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Castle RAT
|
2026-05-13
|
|
Windows AD Dangerous Deny ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows USBSTOR Registry Key Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Windows Modify Show Compress Color And Info Tip Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
T1078.002
|
Hunting
|
sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2026-05-13
|
|
MS Scripting Process Loading WMI Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 13
|
T1547.010
|
TTP
|
Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Persistence Techniques
|
2026-05-13
|
|
Windows System Network Connections Discovery Netsh
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1049
|
Anomaly
|
BlankGrabber Stealer, VIP Keylogger, Phantom Stealer, Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation
|
2026-06-25
|
|
Detect RClone Command-Line Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1020
|
TTP
|
Black Basta Ransomware, Cisco Network Visibility Module Analytics, Ransomware, DarkSide Ransomware, Cactus Ransomware, Hellcat Ransomware, Storm-0501 Ransomware
|
2026-05-13
|
|
Get DomainPolicy with Powershell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Disable Notification Center
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Phishing Outlook Drop Dll In FORM Dir
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566
|
TTP
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Windows Impair Defenses Disable Auto Logger Session
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Batch File Write to System32
|
Sysmon EventID 11
|
T1204.002
|
TTP
|
SamSam Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Detect Use of cmd exe to Launch Script Interpreters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
Anomaly
|
Emotet Malware DHS Report TA18-201A, Azorult, Suspicious Command-Line Executions
|
2026-05-13
|
|
Windows Deleted Registry By A Non Critical Process File Path
|
Sysmon EventID 1, Sysmon EventID 12
|
T1112
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2026-05-13
|
|
CSC Net On The Fly Compilation
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1027.004
|
Hunting
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Process Kill Base On File Path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
TTP
|
XMRig
|
2026-05-13
|
|
Windows AD Domain Controller Audit Policy Disabled
|
Windows Event Log Security 4719
|
T1685
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Get WMIObject Group Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows DotNet Binary in Non Standard Path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
T1218.004
|
TTP
|
WhisperGate, Data Destruction, Signed Binary Proxy Execution InstallUtil, Ransomware, Unusual Processes, Masquerading - Rename System Utilities
|
2026-05-13
|
|
Windows BitDefender Submission Wizard DLL Sideloading
|
Sysmon EventID 7
|
T1574
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome LocalState Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Quasar RAT, Lokibot, Braodo Stealer, Snake Keylogger, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, Earth Alux, RedLine Stealer, DarkGate Malware, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Warzone RAT, Phantom Stealer, VIP Keylogger, PXA Stealer, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, Amadey, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee
|
2026-06-25
|
|
Detect Certify Command Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1105
T1649
|
TTP
|
Ingress Tool Transfer, Windows Certificate Services, Compromised Windows Host
|
2026-05-13
|
|
Windows ESX Admins Group Creation via PowerShell
|
Powershell Script Block Logging 4104
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Disable Windows Behavior Monitoring
|
Sysmon EventID 13
|
T1685
|
TTP
|
Black Basta Ransomware, BlankGrabber Stealer, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, Ransomware, RedLine Stealer, Storm-0501 Ransomware, Azorult, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters, Cactus Ransomware, Salat Stealer, Revil Ransomware, Windows Defense Evasion Tactics
|
2026-06-08
|
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome Login Data Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Quasar RAT, Lokibot, Braodo Stealer, Snake Keylogger, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, Earth Alux, RedLine Stealer, DarkGate Malware, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Warzone RAT, Phantom Stealer, VIP Keylogger, PXA Stealer, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, Amadey, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee
|
2026-07-08
|
|
Windows Metasploit Confluence Plugin Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1190
T1505.003
T1608
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Windows File Download Via PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1059.001
T1105
|
Anomaly
|
SolarWinds WHD RCE Post Exploitation, NPM Supply Chain Compromise, HAFNIUM Group, Phemedrone Stealer, Data Destruction, XWorm, NetSupport RMM Tool Abuse, StealC Stealer, Winter Vivern, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Cisco Network Visibility Module Analytics, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Ingress Tool Transfer, Hermetic Wiper, SysAid On-Prem Software CVE-2023-47246 Vulnerability, IcedID, Tuoni, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows PuTTY Suite Utility Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.004
|
Anomaly
|
Command And Control, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows User Deletion Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1531
|
Anomaly
|
XMRig, Graceful Wipe Out Attack, DarkGate Malware
|
2026-05-13
|
|
Windows Service Execution RemCom
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1569.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Application Whitelisting Bypass Attempt via Rundll32
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
TTP
|
Compromised Windows Host, Suspicious Rundll32 Activity, Living Off The Land
|
2026-05-13
|
|
Windows Excessive Disabled Services Event
|
Windows Event Log System 7040
|
T1685
|
TTP
|
Compromised Windows Host, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows LOLBAS Executed Outside Expected Path
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1036.005
T1218.011
|
Anomaly
|
Masquerading - Rename System Utilities, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Cloud Files Filter Loaded by Uncommon Process
|
Sysmon EventID 7
|
T1543.003
|
Anomaly
|
RedSun, BlueHammer
|
2026-05-18
|
|
Windows Powershell Logoff User via Quser
|
Powershell Script Block Logging 4104
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-06-29
|
|
CMD Carry Out String Command Parameter
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
Hunting
|
Quasar RAT, Qakbot, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, Data Destruction, AsyncRAT, Rhysida Ransomware, RedLine Stealer, DarkGate Malware, DarkCrystal RAT, StealC Stealer, Warzone RAT, Winter Vivern, WhisperGate, Gh0st RAT, Hermetic Wiper, Azorult, ProxyNotShell, Malicious Inno Setup Loader, Interlock Rat, Chaos Ransomware, CISA AA23-347A, IcedID, Crypto Stealer, PlugX, 0bj3ctivity Stealer
|
2026-05-13
|
|
Windows Powershell History File Deletion
|
Powershell Script Block Logging 4104
|
T1059.003
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Remote Process Instantiation via WinRM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Attacker Tools On Endpoint
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1003
T1036.005
T1595
|
TTP
|
XMRig, SamSam Ransomware, PHP-CGI RCE Attack on Japanese Organizations, Cisco Network Visibility Module Analytics, Unusual Processes, CISA AA22-264A, Compromised Windows Host, Scattered Spider
|
2026-07-01
|
|
Domain Account Discovery with Dsquery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.002
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2026-05-13
|
|
Windows Software Discovery Via PowerShell
|
Powershell Script Block Logging 4104
|
T1012
T1059.001
T1518
|
Anomaly
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows Office Product Dropped Uncommon File
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566.001
|
Anomaly
|
AgentTesla, FIN7, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, PlugX, Warzone RAT
|
2026-05-13
|
|
Windows Account Discovery for None Disable User Account
|
Powershell Script Block Logging 4104
|
T1087.001
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Icacls Deny Command
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1222
|
Anomaly
|
XMRig, Sandworm Tools, Defense Evasion or Unauthorized Access Via SDDL Tampering, Azorult, Compromised Windows Host, Crypto Stealer
|
2026-05-13
|
|
Msmpeng Application DLL Side Loading
|
Sysmon EventID 11
|
T1574.001
|
TTP
|
Ransomware, Revil Ransomware
|
2026-05-13
|
|
Windows Privilege Escalation User Process Spawn System Process
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
BlackSuit Ransomware, Compromised Windows Host, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation
|
2026-05-13
|
|
Windows MsiExec HideWindow Rundll32 Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.007
|
TTP
|
Water Gamayun, Qakbot
|
2026-05-13
|
|
Windows Raw Access To Disk Volume Partition
|
Sysmon EventID 9
|
T1561.002
|
Anomaly
|
Data Destruction, BlackByte Ransomware, Disk Wiper, Void Manticore, Hermetic Wiper, CISA AA22-264A, Caddy Wiper, Graceful Wipe Out Attack, PathWiper, NjRAT
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome Copied in TEMP Dir
|
Sysmon EventID 11
|
T1555.003
|
TTP
|
Braodo Stealer, Phantom Stealer, BlankGrabber Stealer, Scattered Lapsus$ Hunters
|
2026-06-25
|
|
Windows AD DSRM Password Reset
|
Windows Event Log Security 4794
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows AppX Deployment Unsigned Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
GetDomainComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows AD GPO New CSE Addition
|
Windows Event Log Security 5136
|
T1222.001
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
IcedID Exfiltrated Archived File Creation
|
Sysmon EventID 11
|
T1560.001
|
Hunting
|
IcedID, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Remote Process Instantiation via WMI and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows WMI Reconnaissance Class Query
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
MS Scripting Process Loading Ldap Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Windows PowGoop Beacon Decoding
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1001
T1059.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Audit Policy Security Descriptor Tampering via Auditpol
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Suspicious IcedID Rundll32 Cmdline
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.011
|
TTP
|
IcedID, Living Off The Land
|
2026-05-13
|
|
Windows Parent PID Spoofing with Explorer
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1134.004
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows PowerShell MSIX Package Installation
|
Powershell Script Block Logging 4104
|
T1059.001
T1547.001
|
TTP
|
Malicious PowerShell, MSIX Package Abuse
|
2026-05-13
|
|
Windows Debugger Tool Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036
|
Hunting
|
DarkGate Malware, PlugX
|
2026-05-13
|
|
First Time Seen Child Process of Zoom
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1068
|
Anomaly
|
Suspicious Zoom Child Processes
|
2026-05-13
|
|
Scheduled Task Deleted Or Created via CMD
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
Anomaly
|
Quasar RAT, SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Living Off The Land, Lokibot, Prestige Ransomware, NOBELIUM Group, Remcos, CISA AA22-257A, Phemedrone Stealer, NjRAT, AsyncRAT, Rhysida Ransomware, RedLine Stealer, XWorm, DarkCrystal RAT, Windows Persistence Techniques, NetSupport RMM Tool Abuse, Winter Vivern, ShrinkLocker, AgentTesla, CISA AA24-241A, Trickbot, Medusa Ransomware, DHS Report TA18-074A, Azorult, Scattered Spider, Salt Typhoon, MoonPeak, CISA AA23-347A, Amadey, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT
|
2026-05-13
|
|
Windows AppLocker Block Events
|
|
T1218
|
Anomaly
|
Windows AppLocker
|
2026-05-13
|
|
Windows Raccine Scheduled Task Deletion
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
TTP
|
Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows App Layer Protocol Qakbot NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1071
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows File Collection Via Copy Utilities
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1119
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
T1134.002
|
Anomaly
|
Lokibot, Salat Stealer, Brute Ratel C4, WinDealer RAT, AsyncRAT, DarkGate Malware, Derusbi, Scattered Lapsus$ Hunters, Meduza Stealer, Gh0st RAT, GhostRedirector IIS Module and Rungan Backdoor, PathWiper, Salt Typhoon, CISA AA23-347A, Tuoni, PlugX, China-Nexus Threat Activity, SnappyBee, ValleyRAT
|
2026-06-08
|
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 13
|
T1546.011
|
TTP
|
Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Persistence Techniques
|
2026-05-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
T1078
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Prevent Automatic Repair Mode using Bcdedit
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1490
|
TTP
|
Chaos Ransomware, Ransomware, Void Manticore
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Earth Alux, Derusbi, China-Nexus Threat Activity, Warzone RAT, NjRAT
|
2026-05-13
|
|
Windows SQL Spawning CertUtil
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1105
|
TTP
|
Flax Typhoon, SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows Short Lived DNS Record
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1071.004
T1187
T1557.001
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic
|
2026-05-13
|
|
Windows Disable Windows Group Policy Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Server Software Component GACUtil Install to GAC
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1505.004
|
TTP
|
IIS Components
|
2026-05-13
|
|
Script Execution via WMI
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
Suspicious WMI Use, Scattered Spider
|
2026-05-13
|
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
T1087.002
T1204.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Disable Defender MpEngine Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
IcedID, Windows Registry Abuse
|
2026-05-13
|
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Cobalt Strike, BlackByte Ransomware, Storm-2460 CLFS Zero Day Exploitation, Earth Alux, Cactus Ransomware, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Non-System Process Querying Definition Update
|
Sysmon EventID 22
|
T1068
T1071.001
|
Anomaly
|
RedSun, BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Windows WMI Impersonate Token
|
Sysmon EventID 10
|
T1047
|
Anomaly
|
Water Gamayun, Qakbot
|
2026-05-13
|
|
Windows Set Account Password Policy To Unlimited Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1489
|
Anomaly
|
Crypto Stealer, Ransomware, XMRig, BlackByte Ransomware
|
2026-05-13
|
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
T1543.003
|
Hunting
|
BlackSuit Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Firewall Rule Added
|
Windows Event Log Security 4946
|
T1686
|
Anomaly
|
ShrinkLocker, NetSupport RMM Tool Abuse, Medusa Ransomware, Salat Stealer
|
2026-06-08
|
|
Disabling NoRun Windows App
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200
|
T1053.005
|
Hunting
|
SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, DarkCrystal RAT, Windows Persistence Techniques, Winter Vivern, BlackSuit Ransomware, CISA AA24-241A, Malicious Inno Setup Loader, IcedID, Amadey, Industroyer2, PlugX, ValleyRAT
|
2026-05-13
|
|
Malicious PowerShell Process With Obfuscation Techniques
|
Sysmon EventID 1
|
T1059.001
|
TTP
|
Malicious PowerShell, Data Destruction, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Hellcat Ransomware
|
2026-05-13
|
|
Windows Masquerading Explorer As Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.001
|
TTP
|
Water Gamayun, Compromised Windows Host, Qakbot
|
2026-05-13
|
|
Windows System Discovery Using Qwinsta
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Qakbot
|
2026-05-13
|
|
UAC Bypass With Colorui COM Object
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
Ransomware, LockBit Ransomware
|
2026-05-13
|
|
Wmic NonInteractive App Uninstallation
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Hunting
|
IcedID, Azorult
|
2026-05-13
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2026-05-13
|
|
Windows WinDBG Spawning AutoIt3
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
TTP
|
DarkGate Malware, Compromised Windows Host
|
2026-05-13
|
|
GPUpdate with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Cobalt Strike, Graceful Wipe Out Attack, Compromised Windows Host, Hellcat Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Get ADUser with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.002
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Headless Browser Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
T1564.003
|
Anomaly
|
Phantom Stealer, Browser Hijacking, Forest Blizzard
|
2026-06-25
|
|
Detect Regasm with no Command Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.009
|
TTP
|
Void Manticore, Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2026-05-13
|
|
Windows Modify Registry Disabling WER Settings
|
Sysmon EventID 13
|
T1112
|
TTP
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Windows Protocol Tunneling with Plink
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.004
T1572
|
TTP
|
CISA AA22-257A
|
2026-05-13
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
T1547.012
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
T1547.006
T1569.002
|
TTP
|
Snake Malware, Compromised Windows Host
|
2026-05-13
|
|
Windows Visual Basic Commandline Compiler DNSQuery
|
Sysmon EventID 22
|
T1071.004
|
TTP
|
Lokibot
|
2026-05-13
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
T1133
T1190
|
TTP
|
MOVEit Transfer Critical Vulnerability, Hellcat Ransomware
|
2026-05-13
|
|
Network Discovery Using Route Windows App
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1016.001
|
Hunting
|
CISA AA22-277A, Qakbot, Prestige Ransomware, Windows Post-Exploitation, Active Directory Discovery
|
2026-05-13
|
|
PowerShell Start or Stop Service
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Active Directory Lateral Movement, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows PowerShell Process With Malicious String
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
T1547.006
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Windows Modify Registry wuStatusServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
PowerShell Loading DotNET into Memory via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Axios Supply Chain Post Compromise, Malicious PowerShell, Data Destruction, AgentTesla, VIP Keylogger, AsyncRAT, Hermetic Wiper, 0bj3ctivity Stealer, Hellcat Ransomware, Winter Vivern
|
2026-06-29
|
|
Detect SharpHound Command-Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Ransomware, BlackSuit Ransomware, Windows Discovery Techniques
|
2026-05-13
|
|
Windows Multiple Users Remotely Failed To Authenticate From Host
|
Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows High File Deletion Frequency
|
Sysmon EventID 26, Sysmon EventID 23
|
T1485
|
Anomaly
|
WhisperGate, Black Basta Ransomware, Data Destruction, Interlock Ransomware, Handala Wiper, Void Manticore, Medusa Ransomware, Clop Ransomware, Sandworm Tools, Swift Slicer, APT37 Rustonotto and FadeStealer, DarkCrystal RAT, DynoWiper, ZOVWiper, NailaoLocker Ransomware
|
2026-05-13
|
|
Allow Operation with Consent Admin
|
Sysmon EventID 13
|
T1548
|
TTP
|
Azorult, Ransomware, MoonPeak, Windows Registry Abuse
|
2026-05-13
|
|
Windows PowerShell Script From WindowsApps Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1204.002
|
TTP
|
Malicious PowerShell, MSIX Package Abuse
|
2026-05-13
|
|
Windows Netspy Network Scanner Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
T1595
|
Anomaly
|
Windows Discovery Techniques, Network Discovery
|
2026-05-13
|
|
Windows Theme File Creation in Unusual Location
|
Sysmon EventID 11
|
T1021.002
T1187
T1557.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Steal Authentication Certificates CertUtil Backup
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1649
|
Anomaly
|
Storm-2460 CLFS Zero Day Exploitation, Windows Certificate Services
|
2026-05-13
|
|
Common Ransomware Extensions
|
Sysmon EventID 11
|
T1485
|
TTP
|
Black Basta Ransomware, SamSam Ransomware, Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Ransomware, Rhysida Ransomware, Termite Ransomware, Prestige Ransomware, Ryuk Ransomware, NailaoLocker Ransomware
|
2026-05-13
|
|
Windows AppLocker Rare Application Launch Detection
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2026-05-13
|
|
Windows PUA Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
SamSam Ransomware, CISA AA22-320A, Medusa Ransomware, IcedID, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, Seashell Blizzard, DarkGate Malware, DarkSide Ransomware, VanHelsing Ransomware, Active Directory Lateral Movement, Volt Typhoon, Cactus Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows Mock Trusted Directory MSC File Creation
|
Sysmon EventID 11
|
T1218.014
T1548.002
T1574
|
TTP
|
Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Password Managers Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1555.005
|
Anomaly
|
Prestige Ransomware, Scattered Spider, Scattered Lapsus$ Hunters, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Chromium Process Loaded Extension via Command-Line
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1185
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Powershell Remote Services Add TrustedHost
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Remcos RAT File Creation in Remcos Folder
|
Sysmon EventID 11
|
T1113
|
TTP
|
Remcos
|
2026-05-13
|
|
Windows Unusual Count Of Users Failed To Auth Using Kerberos
|
Windows Event Log Security 4771
|
T1110.003
|
Anomaly
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Forest Discovery with GetForestDomain
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows MMC Loaded Script Engine DLL
|
Sysmon EventID 7
|
T1620
|
Anomaly
|
XML Runner Loader
|
2026-05-13
|
|
Windows IIS Components Module Failed to Load
|
Windows Event Log Application 2282
|
T1505.004
|
Anomaly
|
IIS Components
|
2026-05-13
|
|
Clear Unallocated Sector Using Cipher App
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1070.004
|
TTP
|
Ransomware, Scattered Spider, Compromised Windows Host
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Tracing Level
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Mimikatz Crypto Export File Extensions
|
Sysmon EventID 11
|
T1649
|
Anomaly
|
Sandworm Tools, Windows Certificate Services, CISA AA23-347A
|
2026-05-13
|
|
Samsam Test File Write
|
Sysmon EventID 11
|
T1486
|
TTP
|
SamSam Ransomware
|
2026-05-13
|
|
Windows Modify Registry Disable Win Defender Raw Write Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Windows Chromium Browser No Security Sandbox Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
TTP
|
Phantom Stealer, Malicious Inno Setup Loader
|
2026-06-25
|
|
Windows Steal Authentication Certificates Certificate Request
|
Windows Event Log Security 4886
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows System Remote Discovery With Query
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Active Directory Discovery, Medusa Ransomware
|
2026-05-13
|
|
Creation of Shadow Copy with wmic and powershell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.003
|
TTP
|
Credential Dumping, Volt Typhoon, Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Water Gamayun, Hellcat Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Headless Browser Mockbin or Mocky Request
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1564.003
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Forest Blizzard
|
2026-05-13
|
|
SLUI RunAs Elevated
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1548.002
|
TTP
|
DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Disable or Modify Tools Via Taskkill
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Anomaly
|
Phantom Stealer, BlankGrabber Stealer, PXA Stealer, Crypto Stealer, NjRAT
|
2026-06-25
|
|
Windows MSTSC RDP Commandline
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Medusa Ransomware
|
2026-05-13
|
|
Windows SQL Server Critical Procedures Enabled
|
Windows Event Log Application 15457
|
T1505.001
|
TTP
|
SQL Server Abuse
|
2026-05-13
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
T1016
T1033
T1049
T1059
T1222
T1529
|
Correlation
|
FIN7, CISA AA23-347A, Sandworm Tools, Microsoft WSUS CVE-2025-59287, Qakbot, Azorult, DarkCrystal RAT, Volt Typhoon, Netsh Abuse, Windows Post-Exploitation, Disabling Security Tools, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows PowerView Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Suspicious MSBuild Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1127.001
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild, Living Off The Land
|
2026-05-13
|
|
Windows Modify Registry DontShowUI
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Regsvr32 Silent and Install Param Dll Loading
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.010
|
Anomaly
|
Data Destruction, AsyncRAT, Living Off The Land, Hermetic Wiper, Remcos, Suspicious Regsvr32 Activity
|
2026-06-09
|
|
Windows Vulnerable Driver Installed
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Void Manticore, Windows Drivers
|
2026-05-13
|
|
Windows File Association Modification via Ftype
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
Anomaly
|
Windows File Extension and Association Abuse
|
2026-05-13
|
|
Scheduled Task Creation on Remote Endpoint using At
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.002
|
TTP
|
0bj3ctivity Stealer, Living Off The Land, Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Bypass UAC via Pkgmgr Tool
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1548.002
|
Anomaly
|
Warzone RAT
|
2026-05-13
|
|
GetWmiObject Ds Computer with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Esentutl SAM Copy
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.002
|
Hunting
|
Credential Dumping, Living Off The Land
|
2026-05-13
|
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
T1204.001
T1566.001
|
Hunting
|
AgentTesla, IcedID, Amadey, Gozi Malware, Qakbot, Azorult, Remcos, Spearphishing Attachments, Brute Ratel C4, Warzone RAT, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Remote Service Rdpwinst Tool Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
|
TTP
|
Azorult, Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Remote Process Instantiation via WMI
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
Salt Typhoon, Void Manticore, CISA AA23-347A, Ransomware, China-Nexus Threat Activity, Suspicious WMI Use, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Account Access Removal via Logoff Exec
|
Sysmon EventID 1
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows Archived Collected Data In TEMP Folder
|
Sysmon EventID 11
|
T1560
|
Anomaly
|
Braodo Stealer, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows InstallUtil Remote Network Connection
|
Sysmon EventID 1, Cisco Network Visibility Module Flow Data, Sysmon EventID 3
|
T1218.004
|
Anomaly
|
Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Living Off The Land, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Audit Policy Auditing Option Modified - Registry
|
Sysmon EventID 13
|
T1547.014
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate Using Kerberos
|
Windows Event Log Security 4771
|
T1110.003
|
TTP
|
Active Directory Kerberos Attacks, Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows PowerShell Module File Created
|
Sysmon EventID 11
|
T1059.001
T1129
T1574
|
Anomaly
|
Malicious PowerShell, Windows Persistence Techniques
|
2026-05-13
|
|
Dump LSASS via comsvcs DLL
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.001
|
TTP
|
Data Destruction, Hellcat Ransomware, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Flax Typhoon, CISA AA22-264A, Volt Typhoon, Compromised Windows Host, Credential Dumping, Industroyer2, Scattered Lapsus$ Hunters, Suspicious Rundll32 Activity, CISA AA22-257A
|
2026-05-13
|
|
ETW Registry Disabled
|
Sysmon EventID 13
|
T1127
T1685
|
TTP
|
Data Destruction, CISA AA23-347A, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Process Accessing Windows Recall Directory
|
Windows Event Log Security 4663
|
T1059
T1119
|
Anomaly
|
Windows Post-Exploitation
|
2026-05-13
|
|
Disable Windows SmartScreen Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
Salat Stealer, Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-06-08
|
|
File with Samsam Extension
|
Sysmon EventID 11
|
N/A
|
TTP
|
SamSam Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
Windows Outlook Macro Created by Suspicious Process
|
Sysmon EventID 11
|
T1059.005
T1137
|
TTP
|
NotDoor Malware
|
2026-05-13
|
|
Windows Modify Registry NoChangingWallPaper
|
Sysmon EventID 13
|
T1112
|
TTP
|
Rhysida Ransomware
|
2026-05-13
|
|
SilentCleanup UAC Bypass
|
Sysmon EventID 13
|
T1548.002
|
TTP
|
Windows Registry Abuse, MoonPeak, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Unusual File Creation in Confluence Directory
|
Sysmon EventID 11
|
T1190
T1608.001
T1608.002
|
Anomaly
|
Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Windows Computer Account Changed to Domain Controller
|
Windows Event Log Security 4742
|
T1136.002
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
T1112
|
TTP
|
ShrinkLocker, NetSupport RMM Tool Abuse, CISA AA24-241A
|
2026-05-13
|
|
Change To Safe Mode With Network Config
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1490
|
TTP
|
Black Basta Ransomware, BlackMatter Ransomware
|
2026-05-13
|
|
Windows Unusual NTLM Authentication Users By Source
|
NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004
|
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Detect MSHTA Url in Command Line
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1218.005
|
TTP
|
Suspicious MSHTA Activity, Cisco Network Visibility Module Analytics, Living Off The Land, XWorm, Compromised Windows Host, NetSupport RMM Tool Abuse, Lumma Stealer, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Executable File Written in Administrative SMB Share
|
Windows Event Log Security 5145
|
T1021.002
|
TTP
|
Data Destruction, BlackSuit Ransomware, Trickbot, IcedID, Hermetic Wiper, Prestige Ransomware, Graceful Wipe Out Attack, VanHelsing Ransomware, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Product Key Registry Query
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
High Process Termination Frequency
|
Sysmon EventID 5
|
T1486
|
Anomaly
|
Interlock Ransomware, LockBit Ransomware, Medusa Ransomware, Clop Ransomware, Rhysida Ransomware, Termite Ransomware, NailaoLocker Ransomware, Snake Keylogger, Crypto Stealer, Hellcat Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows DiskCryptor Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1486
|
Hunting
|
Ransomware
|
2026-05-13
|
|
GetWmiObject DS User with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Service Create with Tscon
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.003
T1563.002
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
GetDomainGroup with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Detect Certipy File Modifications
|
Sysmon EventID 11
|
T1560
T1649
|
TTP
|
Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services
|
2026-05-13
|
|
Suspicious Image Creation In Appdata Folder
|
Sysmon EventID 1, Sysmon EventID 11
|
T1113
|
TTP
|
Remcos, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Remote Process Instantiation via WinRM and PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Registry Keys Used For Privilege Escalation
|
Sysmon EventID 13
|
T1546.012
|
TTP
|
Data Destruction, Cloud Federated Credential Abuse, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 13
|
T1574.011
|
Anomaly
|
Gh0st RAT, Salt Typhoon, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques, Derusbi, Crypto Stealer, PlugX, China-Nexus Threat Activity, Brute Ratel C4, Active Directory Lateral Movement, SnappyBee
|
2026-05-13
|
|
Windows ESX Admins Group Creation via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows DISM Remove Defender
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
TTP
|
Compromised Windows Host, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Fsutil Zeroing File
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1070
|
TTP
|
Ransomware, LockBit Ransomware
|
2026-05-13
|
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
T1027
T1059.001
|
TTP
|
Salat Stealer, NjRAT, MuddyWater, Axios Supply Chain Post Compromise, Data Destruction, AsyncRAT, XWorm, NetSupport RMM Tool Abuse, Hellcat Ransomware, Winter Vivern, Malicious PowerShell, Phantom Stealer, VIP Keylogger, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, IcedID, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer
|
2026-06-25
|
|
Windows AppLocker Privilege Escalation via Unauthorized Bypass
|
|
T1218
|
TTP
|
Windows AppLocker
|
2026-05-13
|
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Active Directory Discovery, Malicious PowerShell, Winter Vivern
|
2026-05-13
|
|
Windows Impair Defense Add Xml Applocker Rules
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Hunting
|
Azorult
|
2026-05-13
|
|
Windows User Discovery Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.001
|
Hunting
|
Active Directory Discovery, Sandworm Tools, Medusa Ransomware
|
2026-05-13
|
|
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
T1110.003
|
Anomaly
|
Volt Typhoon, Active Directory Password Spraying, Insider Threat
|
2026-05-13
|
|
Windows Default Rdp File Deletion
|
Sysmon EventID 26, Sysmon EventID 23
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows AD AdminSDHolder ACL Modified
|
Windows Event Log Security 5136
|
T1546
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
T1027.005
T1059.001
|
TTP
|
Water Gamayun, Malicious PowerShell
|
2026-05-13
|
|
Windows Autostart Execution LSASS Driver Registry Modification
|
Sysmon EventID 13
|
T1547.008
|
TTP
|
Windows Registry Abuse
|
2026-05-13
|
|
Spoolsv Spawning Rundll32
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1547.012
|
TTP
|
Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows Service Stop By Deletion
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1489
|
Hunting
|
Azorult, Crypto Stealer, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Handle Duplication in Known UAC-Bypass Binaries
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
Castle RAT
|
2026-05-13
|
|
Detect AzureHound Command-Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Compromised Windows Host, Windows Discovery Techniques
|
2026-05-13
|
|
PowerShell Domain Enumeration
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Malicious PowerShell, Data Destruction, Interlock Ransomware, CISA AA23-347A, Microsoft WSUS CVE-2025-59287, Hermetic Wiper
|
2026-06-28
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Malicious Inno Setup Loader, Qakbot, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Sqlite Module In Temp Folder
|
Sysmon EventID 11
|
T1005
|
TTP
|
IcedID, Lokibot
|
2026-05-13
|
|
Windows Rdp AutomaticDestinations Deletion
|
Sysmon EventID 26, Sysmon EventID 23
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate From Host Using NTLM
|
Windows Event Log Security 4776
|
T1110.003
|
TTP
|
Volt Typhoon, Active Directory Password Spraying
|
2026-05-13
|
|
Windows Chromium Browser with Custom User Data Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
Anomaly
|
Lokibot, Phantom Stealer, Malicious Inno Setup Loader, StealC Stealer
|
2026-06-25
|
|
Windows NirSoft Utilities
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1588.002
|
Hunting
|
WhisperGate, Data Destruction
|
2026-05-13
|
|
Windows AppLocker Execution from Uncommon Locations
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2026-05-13
|
|
Windows Potential Web Shell Creation For VMware Workspace ONE
|
Sysmon EventID 11
|
T1505.003
|
Anomaly
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, VMware Aria Operations vRealize CVE-2023-20887, VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
Detect SharpHound Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Ransomware, Windows Discovery Techniques
|
2026-05-13
|
|
SchCache Change By App Connect And Create ADSI Object
|
Sysmon EventID 11
|
T1087.002
|
Anomaly
|
BlackMatter Ransomware
|
2026-05-13
|
|
Windows Explorer LNK Exploit Process Launch With Padding
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1059.001
T1204.002
|
TTP
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Windows Steal Authentication Certificates Certificate Issued
|
Windows Event Log Security 4887
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2026-05-13
|
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Gh0st RAT, Salt Typhoon, Snake Malware, CISA AA23-347A, Clop Ransomware, Qakbot, Flax Typhoon, APT37 Rustonotto and FadeStealer, Derusbi, Crypto Stealer, PlugX, China-Nexus Threat Activity, Brute Ratel C4, Active Directory Lateral Movement
|
2026-05-13
|
|
Unknown Process Using The Kerberos Protocol
|
Sysmon EventID 1, Sysmon EventID 3
|
T1550
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2026-05-13
|
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1134, Windows Event Log Defender 1126, Windows Event Log Defender 1122, Windows Event Log Defender 1133, Windows Event Log Defender 1131, Windows Event Log Defender 1129, Windows Event Log Defender 5007, Windows Event Log Defender 1121, Windows Event Log Defender 1125
|
T1059
T1566.001
T1566.002
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Wmiprvse LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Credential Dumping via Symlink to Shadow Copy
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1003.003
|
TTP
|
Credential Dumping, Compromised Windows Host
|
2026-05-13
|
|
Windows Modify System Firewall with Notable Process Path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1686
|
TTP
|
Compromised Windows Host, Medusa Ransomware, NjRAT
|
2026-05-13
|
|
Windows WinPEAS PowerShell Script Execution
|
Powershell Script Block Logging 4104
|
T1007
T1016
T1033
T1082
T1590
T1592.002
T1592.004
T1615
|
TTP
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Remote Access Software BRC4 Loaded Dll
|
Sysmon EventID 7
|
T1003
T1219
|
Anomaly
|
Brute Ratel C4
|
2026-05-13
|
|
Local Account Discovery With Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.001
|
Hunting
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows WMIC Shadowcopy Delete
|
Sysmon EventID 1
|
T1490
|
Anomaly
|
Suspicious WMI Use, Volt Typhoon, Cactus Ransomware
|
2026-05-13
|
|
Windows ScManager Security Descriptor Tampering Via Sc.EXE
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1569.002
|
TTP
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows Impair Defenses Disable AV AutoStart via Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Scattered Lapsus$ Hunters, ValleyRAT
|
2026-05-13
|
|
Ryuk Test Files Detected
|
Sysmon EventID 11
|
T1486
|
TTP
|
Ryuk Ransomware
|
2026-05-13
|
|
Windows Set Network Profile Category to Private via Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Secret Blizzard
|
2026-05-13
|
|
Windows Credential Access From Browser Password Store
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Quasar RAT, Braodo Stealer, Snake Keylogger, Salat Stealer, BlankGrabber Stealer, Earth Alux, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Phantom Stealer, VIP Keylogger, PXA Stealer, Scattered Spider, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee
|
2026-06-25
|
|
Local LLM Framework DNS Query
|
Sysmon EventID 22
|
T1590
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
T1014
T1068
|
TTP
|
BlackSuit Ransomware, AgentTesla, CISA AA22-320A, Windows Drivers, BlackByte Ransomware
|
2026-05-13
|
|
PetitPotam Network Share Access Request
|
Windows Event Log Security 5145
|
T1187
|
TTP
|
PetitPotam NTLM Relay on Active Directory Certificate Services
|
2026-05-13
|
|
Windows Modify Registry LongPathsEnabled
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
BlackByte Ransomware
|
2026-05-13
|
|
Verclsid CLSID Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.012
|
Hunting
|
Unusual Processes
|
2026-05-13
|
|
Disable AMSI Through Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Ransomware, CISA AA23-347A, Windows Registry Abuse
|
2026-05-13
|
|
Windows CrowdStrike Agent Registry Key Removal
|
Sysmon EventID 12
|
T1685
|
Anomaly
|
Security Solution Tampering, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry ValleyRAT C2 Config
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Windows Cloud Files Filter Log Created by Non-System Process
|
Sysmon EventID 11
|
T1068
|
TTP
|
RedSun, Windows Privilege Escalation
|
2026-05-01
|
|
Windows SOAPHound Binary Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Compromised Windows Host, Windows Discovery Techniques
|
2026-05-13
|
|
Windows Credential Target Information Structure in Commandline
|
Sysmon EventID 1
|
T1071.004
T1187
T1557.001
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic
|
2026-05-13
|
|
Windows EDRSilencer Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-06-13
|
|
Wsmprovhost LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.006
|
TTP
|
CISA AA24-241A, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Audit Policy Disabled via Auditpol
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Suspicious SQLite3 LSQuarantine Behavior
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1074
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Nishang PowershellTCPOneLine
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
TTP
|
HAFNIUM Group, Cleo File Transfer Software
|
2026-05-13
|
|
Windows Multiple Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Volt Typhoon, Active Directory Password Spraying, Insider Threat
|
2026-05-13
|
|
Windows RDP File Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
T1598.002
|
TTP
|
Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion, Interlock Ransomware
|
2026-05-13
|
|
Windows DisableAntiSpyware Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Windows Registry Abuse, RedLine Stealer, CISA AA22-264A, Azorult, Ryuk Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows PowerShell Script TabExpansion Direct Call
|
Powershell Script Block Logging 4104
|
T1059.001
T1129
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
PowerShell - Connect To Internet With Hidden Window
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
Hunting
|
Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228
|
2026-06-04
|
|
Windows Process Injection With Public Source Path
|
Sysmon EventID 8
|
T1055.002
|
Hunting
|
Brute Ratel C4, Earth Alux, Phantom Stealer
|
2026-06-29
|
|
Windows IIS Server PSWA Console Access
|
Windows IIS
|
T1190
|
Hunting
|
CISA AA24-241A
|
2026-05-13
|
|
Windows Exchange Autodiscover SSRF Abuse
|
Windows IIS
|
T1133
T1190
|
TTP
|
Seashell Blizzard, ProxyNotShell, ProxyShell, BlackByte Ransomware
|
2026-05-13
|
|
Windows SharePoint Spinstall0 GET Request
|
Suricata
|
T1190
T1505.003
T1552
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Windows SharePoint ToolPane Endpoint Exploitation Attempt
|
Suricata
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Detect Password Spray Attempts
|
Windows Event Log Security 4625
|
T1110.003
|
TTP
|
Compromised User Account, Active Directory Password Spraying
|
2026-05-13
|
|
No Windows Updates in a time frame
|
|
N/A
|
Hunting
|
Monitor for Updates
|
2026-05-13
|
|
Splunk RCE Through Arbitrary File Write to Windows System Root
|
Splunk
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2026-06-23
|
|
Detect HTML Help Spawn Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.001
|
TTP
|
AgentTesla, Suspicious Compiled HTML Activity, Living Off The Land, Compromised Windows Host, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Email files written outside of the Outlook directory
|
Sysmon EventID 11
|
T1114.001
|
TTP
|
Collection and Staging
|
2026-05-13
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
3CX Supply Chain Attack Network Indicators
|
Sysmon EventID 22
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Windows Multi hop Proxy TOR Website Query
|
Sysmon EventID 22
|
T1071.003
|
Anomaly
|
Interlock Ransomware, AgentTesla
|
2026-05-13
|
|
Windows Remote Desktop Network Bruteforce Attempt
|
Sysmon EventID 3, Cisco Secure Access Firewall
|
T1110.001
|
Anomaly
|
Compromised User Account, SamSam Ransomware, Cisco Secure Access Analytics, Ryuk Ransomware, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
DNS Query Length With High Standard Deviation
|
Sysmon EventID 22
|
T1048.003
|
Anomaly
|
Command And Control, Suspicious DNS Traffic, Hidden Cobra Malware
|
2026-05-13
|
|
Wermgr Process Connecting To IP Check Web Services
|
Sysmon EventID 22
|
T1590.005
|
TTP
|
Trickbot
|
2026-05-13
|
|
Detect Remote Access Software Usage DNS
|
Sysmon EventID 22
|
T1219
|
Anomaly
|
Command And Control, Interlock Ransomware, CISA AA24-241A, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Insider Threat
|
2026-05-13
|
|
Detect DNS Query to Decommissioned S3 Bucket
|
Sysmon EventID 22
|
T1485
|
Anomaly
|
Data Destruction, AWS S3 Bucket Security Monitoring
|
2026-05-13
|
|
Windows DNS Query Request by Telegram Bot API
|
Sysmon EventID 22
|
T1071.004
T1102.002
|
Anomaly
|
Phantom Stealer, VIP Keylogger, BlankGrabber Stealer, Crypto Stealer, 0bj3ctivity Stealer
|
2026-06-25
|
|
Suspicious Process With Discord DNS Query
|
Sysmon EventID 22
|
T1059.005
|
Anomaly
|
WhisperGate, Data Destruction, BlankGrabber Stealer, Phantom Stealer, PXA Stealer, Cactus Ransomware
|
2026-06-25
|
|
Rundll32 DNSQuery
|
Sysmon EventID 22
|
T1218.011
|
TTP
|
IcedID, Living Off The Land
|
2026-05-13
|
|
Windows Gather Victim Network Info Through Ip Check Web Services
|
Sysmon EventID 22
|
T1590.005
|
Anomaly
|
Quasar RAT, Castle RAT, Void Manticore, Handala Wiper, BlankGrabber Stealer, VIP Keylogger, Water Gamayun, PXA Stealer, Snake Keylogger, Azorult, DarkCrystal RAT, Meduza Stealer, 0bj3ctivity Stealer, Phemedrone Stealer
|
2026-05-13
|
|
Suspicious Process DNS Query Known Abuse Web Services
|
Sysmon EventID 22
|
T1059.005
|
TTP
|
WhisperGate, Data Destruction, BlankGrabber Stealer, Cactus Ransomware, PXA Stealer, RedLine Stealer, Snake Keylogger, Braodo Stealer, Remcos, Meduza Stealer, Malicious Inno Setup Loader, Phemedrone Stealer
|
2026-05-13
|
|
Windows AD Replication Service Traffic
|
|
T1003.006
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD Rogue Domain Controller Network Activity
|
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Abused Web Services
|
Sysmon EventID 22
|
T1102
|
Anomaly
|
BlankGrabber Stealer, Malicious Inno Setup Loader, CISA AA24-241A, NjRAT
|
2026-05-13
|
|
Ngrok Reverse Proxy on Network
|
Sysmon EventID 22
|
T1090
T1102
T1572
|
Anomaly
|
CISA AA24-241A, Reverse Network Proxy, CISA AA22-320A
|
2026-05-13
|
|
Detect Windows DNS SIGRed via Zeek
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-05-13
|
|
Detect hosts connecting to dynamic domain providers
|
Sysmon EventID 22
|
T1189
|
TTP
|
Command And Control, DNS Hijacking, Data Protection, Prohibited Traffic Allowed or Protocol Mismatch, Dynamic DNS, Suspicious DNS Traffic
|
2026-05-13
|
|
DNS Kerberos Coercion
|
Suricata, Sysmon EventID 22
|
T1071.004
T1187
T1557.001
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic
|
2026-05-13
|
|
Windows Spearphishing Attachment Connect To None MS Office Domain
|
Sysmon EventID 22
|
T1566.001
|
Hunting
|
Spearphishing Attachments, MuddyWater, AsyncRAT
|
2026-05-13
|
|
Detect Windows DNS SIGRed via Splunk Stream
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-05-13
|
|
Regsvr32 with Known Silent Switch Cmdline
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1218.010
|
Anomaly
|
AsyncRAT, IcedID, Qakbot, Living Off The Land, Remcos, Suspicious Regsvr32 Activity
|
2026-06-09
|
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
T1055.001
|
TTP
|
Qakbot
|
2026-06-29
|
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
T1055
|
TTP
|
IcedID, Living Off The Land
|
2026-06-29
|