Collection Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
| --- | --- | --- | --- | --- | --- |
| Windows Screen Capture in TEMP folder | Sysmon EventID 11 | T1113 | TTP | StealC Stealer, Hellcat Ransomware, APT37 Rustonotto and FadeStealer, Braodo Stealer, Crypto Stealer, VIP Keylogger | 2026-05-13 |
| Windows Kerberos Coercion via DNS | Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 4662 | T1071.004, T1187, T1557.001 | TTP | Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host | 2026-05-13 |
| Mailsniper Invoke functions | Powershell Script Block Logging 4104 | T1114.001 | TTP | Data Exfiltration | 2026-05-13 |
| Windows Chrome Auto-Update Disabled via Registry | Sysmon EventID 13 | T1185 | Anomaly | Browser Hijacking | 2026-05-13 |
| Windows Chrome Enable Extension Loading via Command-Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1185 | Anomaly | Browser Hijacking | 2026-05-13 |
| Detect Renamed WinRAR | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001 | Hunting | China-Nexus Threat Activity, Salt Typhoon, CISA AA22-277A, Collection and Staging | 2026-05-13 |
| 7zip CommandLine To SMB Share Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001 | Hunting | Ransomware | 2026-05-13 |
| Windows Chrome Extension Allowed Registry Modification | Sysmon EventID 13 | T1185 | Anomaly | Browser Hijacking | 2026-05-13 |
| Windows Input Capture Using Credential UI Dll | Sysmon EventID 7 | T1056.002 | Hunting | APT37 Rustonotto and FadeStealer, Brute Ratel C4 | 2026-05-13 |
| Windows Process Executed From Removable Media | Sysmon EventID 13, Sysmon EventID 1 | T1025, T1091, T1200 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-05-13 |
| Suspicious WAV file in Appdata Folder | Sysmon EventID 1, Windows Event Log Security 4688, Sysmon EventID 11 | T1113 | TTP | Remcos | 2026-05-13 |
| Detect Renamed 7-Zip | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001 | Hunting | Malicious Inno Setup Loader, Collection and Staging | 2026-05-13 |
| Windows Archive Collected Data via Powershell | Powershell Script Block Logging 4104 | T1560 | Anomaly | CISA AA23-347A, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows WPDBusEnum Registry Key Modification | Sysmon EventID 13, Sysmon EventID 12 | T1025, T1091, T1200 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-05-13 |
| Windows Screen Capture Via Powershell | Powershell Script Block Logging 4104 | T1113 | TTP | Winter Vivern, BlankGrabber Stealer, Water Gamayun, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows Archive Collected Data via Rar | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001 | Anomaly | China-Nexus Threat Activity, DarkGate Malware, APT37 Rustonotto and FadeStealer, Salt Typhoon | 2026-05-13 |
| Linux Auditd Clipboard Data Copy | Linux Auditd Execve | T1115 | Anomaly | Linux Living Off The Land, Compromised Linux Host | 2026-05-13 |
| Windows Browser Process Launched with Unusual Flags | Sysmon EventID 1 | T1185 | Anomaly | Castle RAT | 2026-05-13 |
| Windows Post Exploitation Risk Behavior | | T1003, T1012, T1016, T1049, T1069, T1082, T1115, T1552 | Correlation | Windows Post-Exploitation | 2026-05-13 |
| Windows Network Share Interaction Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1039, T1135 | Hunting | Network Discovery, Active Directory Privilege Escalation, Active Directory Discovery | 2026-05-13 |
| Windows ClipBoard Data via Get-ClipBoard | Powershell Script Block Logging 4104 | T1115 | Anomaly | Windows Post-Exploitation, Prestige Ransomware, BlankGrabber Stealer | 2026-05-13 |
| Anomalous usage of 7zip | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001 | Anomaly | BlackByte Ransomware, NOBELIUM Group, Graceful Wipe Out Attack, Cobalt Strike, BlackSuit Ransomware | 2026-05-13 |
| Linux Clipboard Data Copy | Sysmon for Linux EventID 1 | T1115 | Anomaly | Linux Living Off The Land | 2026-05-13 |
| Windows USBSTOR Registry Key Modification | Sysmon EventID 13, Sysmon EventID 12 | T1025, T1091, T1200 | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2026-05-13 |
| IcedID Exfiltrated Archived File Creation | Sysmon EventID 11 | T1560.001 | Hunting | IcedID, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows File Collection Via Copy Utilities | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1119 | Anomaly | LAMEHUG | 2026-05-13 |
| Windows Short Lived DNS Record | Windows Event Log Security 5136, Windows Event Log Security 5137 | T1071.004, T1187, T1557.001 | TTP | Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host | 2026-05-13 |
| Windows Theme File Creation in Unusual Location | Sysmon EventID 11 | T1021.002, T1187, T1557.001 | Anomaly | Spearphishing Attachments | 2026-05-13 |
| Shai-Hulud 2 Exfiltration Artifact Files | Sysmon for Linux EventID 11, Sysmon EventID 11 | T1074.001, T1195.002, T1552.001 | TTP | NPM Supply Chain Compromise | 2026-05-13 |
| Windows Chromium Process Loaded Extension via Command-Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1185 | Anomaly | Browser Hijacking | 2026-05-13 |
| Remcos RAT File Creation in Remcos Folder | Sysmon EventID 11 | T1113 | TTP | Remcos | 2026-05-13 |
| Windows Archived Collected Data In TEMP Folder | Sysmon EventID 11 | T1560 | Anomaly | APT37 Rustonotto and FadeStealer, Braodo Stealer | 2026-05-13 |
| Windows Process Accessing Windows Recall Directory | Windows Event Log Security 4663 | T1059, T1119 | Anomaly | Windows Post-Exploitation | 2026-05-13 |
| Detect Certipy File Modifications | Sysmon EventID 11 | T1560, T1649 | TTP | Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services | 2026-05-13 |
| Suspicious Image Creation In Appdata Folder | Sysmon EventID 1, Sysmon EventID 11 | T1113 | TTP | APT37 Rustonotto and FadeStealer, Remcos | 2026-05-13 |
| Sqlite Module In Temp Folder | Sysmon EventID 11 | T1005 | TTP | IcedID, Lokibot | 2026-05-13 |
| Windows Credential Target Information Structure in Commandline | Sysmon EventID 1 | T1071.004, T1187, T1557.001 | TTP | Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host | 2026-05-13 |
| Suspicious SQLite3 LSQuarantine Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1074 | TTP | Silver Sparrow | 2026-05-13 |
| Cisco ASA - Device File Copy to Remote Location | Cisco ASA Logs | T1005, T1041, T1048.003 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor | 2026-05-13 |
| ESXi Sensitive Files Accessed | VMWare ESXi Syslog | T1003.008, T1005 | TTP | China-Nexus Threat Activity, Black Basta Ransomware, ESXi Post Compromise | 2026-05-13 |
| Zoom Rare Input Devices | | T1123 | Hunting | Remote Employment Fraud | 2026-05-13 |
| Email servers sending high volume traffic to hosts | | T1114.002 | Anomaly | HAFNIUM Group, Collection and Staging | 2026-05-13 |
| Zoom Rare Audio Devices | | T1123 | Hunting | Remote Employment Fraud | 2026-05-13 |
| Cisco ASA - Packet Capture Activity | Cisco ASA Logs | T1040, T1557 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor | 2026-05-13 |
| Email files written outside of the Outlook directory | Sysmon EventID 11 | T1114.001 | TTP | Collection and Staging | 2026-05-13 |
| ESXi VM Exported via Remote Tool | VMWare ESXi Syslog | T1005 | TTP | Black Basta Ransomware, ESXi Post Compromise | 2026-05-13 |
| Cisco ASA - Device File Copy Activity | Cisco ASA Logs | T1005, T1530 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor | 2026-05-13 |
| Zoom Rare Video Devices | | T1123 | Hunting | Remote Employment Fraud | 2026-05-13 |
| O365 Email Transport Rule Changed | Office 365 Universal Audit Log | T1114.003, T1564.008 | Anomaly | Office 365 Account Takeover, Data Exfiltration | 2026-05-13 |
| O365 SharePoint Suspicious Search Behavior | Office 365 Universal Audit Log | T1213.002, T1552 | Anomaly | Office 365 Account Takeover, Compromised User Account, CISA AA22-320A, Office 365 Collection Techniques | 2026-05-13 |
| O365 Mailbox Email Forwarding Enabled | | T1114.003 | TTP | Office 365 Collection Techniques | 2026-05-13 |
| AWS Concurrent Sessions From Different Ips | AWS CloudTrail DescribeEventAggregates | T1185 | TTP | Scattered Lapsus$ Hunters, Compromised User Account, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| O365 PST export alert | O365 | T1114 | TTP | Office 365 Collection Techniques, Data Exfiltration | 2026-05-13 |
| O365 New Forwarding Mailflow Rule Created | | T1114 | TTP | Office 365 Collection Techniques | 2026-05-13 |
| Azure AD Concurrent Sessions From Different Ips | Azure Active Directory | T1185 | TTP | Azure Active Directory Account Takeover, Compromised User Account, Scattered Lapsus$ Hunters | 2026-05-13 |
| AWS Exfiltration via Anomalous GetObject API Activity | AWS CloudTrail GetObject | T1119 | Anomaly | Data Exfiltration | 2026-05-13 |
| O365 Multiple Mailboxes Accessed via API | O365 MailItemsAccessed | T1114.002 | TTP | Office 365 Collection Techniques, NOBELIUM Group | 2026-05-13 |
| Detect New Open S3 buckets | AWS CloudTrail | T1530 | TTP | Suspicious AWS S3 Activities | 2026-05-13 |
| ASL AWS Concurrent Sessions From Different Ips | ASL AWS CloudTrail | T1185 | Anomaly | Scattered Lapsus$ Hunters, Compromised User Account, AWS Identity and Access Management Account Takeover | 2026-05-13 |
| Detect S3 access from a new IP | | T1530 | Anomaly | Suspicious AWS S3 Activities | 2026-05-13 |
| O365 Email Suspicious Search Behavior | Office 365 Universal Audit Log | T1114.002, T1552 | Anomaly | Office 365 Account Takeover, Compromised User Account, CISA AA22-320A, Office 365 Collection Techniques | 2026-05-13 |
| O365 OAuth App Mailbox Access via Graph API | O365 MailItemsAccessed | T1114.002 | TTP | Office 365 Collection Techniques, NOBELIUM Group | 2026-05-13 |
| AWS Exfiltration via Batch Service | AWS CloudTrail JobCreated | T1119 | TTP | Data Exfiltration | 2026-05-13 |
| O365 Email Password and Payroll Compromise Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | TTP | Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13 |
| O365 Mailbox Read Access Granted to Application | O365 Update application. | T1098.003, T1114.002 | TTP | Office 365 Persistence Mechanisms | 2026-05-13 |
| O365 Exfiltration via File Sync Download | Office 365 Universal Audit Log | T1530, T1567 | Anomaly | Office 365 Account Takeover, Data Exfiltration | 2026-05-13 |
| O365 Email Receive and Hard Delete Takeover Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13 |
| O365 Exfiltration via File Access | Office 365 Universal Audit Log | T1530, T1567 | Anomaly | Office 365 Account Takeover, Data Exfiltration | 2026-05-13 |
| O365 Email Suspicious Behavior Alert | Office 365 Universal Audit Log | T1114.003 | TTP | Office 365 Collection Techniques, Office 365 Account Takeover, Suspicious Emails | 2026-05-13 |
| O365 Compliance Content Search Started | | T1114.002 | TTP | Office 365 Collection Techniques | 2026-05-13 |
| O365 Email New Inbox Rule Created | Office 365 Universal Audit Log | T1114.003, T1564.008 | Anomaly | Office 365 Collection Techniques | 2026-05-13 |
| Detect New Open S3 Buckets over AWS CLI | AWS CloudTrail | T1530 | TTP | Suspicious AWS S3 Activities | 2026-05-13 |
| O365 New Email Forwarding Rule Enabled | | T1114.003 | TTP | Office 365 Collection Techniques | 2026-05-13 |
| O365 New Email Forwarding Rule Created | | T1114.003 | TTP | Office 365 Collection Techniques | 2026-05-13 |
| O365 Email Send and Hard Delete Exfiltration Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13 |
| AWS Exfiltration via DataSync Task | AWS CloudTrail CreateTask | T1119 | TTP | Hellcat Ransomware, Data Exfiltration, Suspicious AWS S3 Activities | 2026-05-13 |
| Detect New Open GCP Storage Buckets | | T1530 | TTP | Suspicious GCP Storage Activities | 2026-05-13 |
| O365 OAuth App Mailbox Access via EWS | O365 MailItemsAccessed | T1114.002 | TTP | Office 365 Collection Techniques, NOBELIUM Group | 2026-05-13 |
| Detect Spike in S3 Bucket deletion | AWS CloudTrail | T1530 | Anomaly | Suspicious AWS S3 Activities | 2026-05-13 |
| O365 Email Access By Security Administrator | Office 365 Universal Audit Log | T1114.002, T1567 | TTP | Office 365 Account Takeover, Data Exfiltration, Azure Active Directory Account Takeover | 2026-05-13 |
| O365 Concurrent Sessions From Different Ips | O365 UserLoggedIn | T1185 | TTP | Office 365 Account Takeover, Scattered Lapsus$ Hunters | 2026-05-13 |
| O365 Mailbox Inbox Folder Shared with All Users | O365 ModifyFolderPermissions | T1114.002 | TTP | Office 365 Persistence Mechanisms | 2026-05-13 |
| O365 Exfiltration via File Download | Office 365 Universal Audit Log | T1530, T1567 | Anomaly | Office 365 Account Takeover, Data Exfiltration | 2026-05-13 |
| Detect GCP Storage access from a new IP | | T1530 | Anomaly | Suspicious GCP Storage Activities | 2026-05-13 |
| O365 Email Send and Hard Delete Suspicious Behavior | Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13 |
| O365 Compliance Content Search Exported | | T1114.002 | TTP | Office 365 Collection Techniques | 2026-05-13 |
| Detect ARP Poisoning | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Cisco TFTP Server Configuration for Data Exfiltration | Cisco IOS Logs | T1005, T1567 | TTP | Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13 |
| Detect Rogue DHCP Server | Cisco IOS Logs | T1200, T1498, T1557 | TTP | Router and Infrastructure Security, Scattered Lapsus$ Hunters | 2026-05-13 |
| Detect Port Security Violation | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13 |
| DNS Kerberos Coercion | Sysmon EventID 22, Suricata | T1071.004, T1187, T1557.001 | TTP | Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host | 2026-05-13 |
| Detect IPv6 Network Infrastructure Threats | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security, Scattered Lapsus$ Hunters | 2026-05-13 |
| Hosts receiving high volume of network traffic from email server | | T1114.002 | Anomaly | Collection and Staging | 2026-05-13 |