GitHub Repo

Command and Control Detections

Name Data Source Technique Type Analytic Story Date
Windows Potential Cloudflared Network Connection Sysmon EventID 3 T1572 Hunting Reverse Network Proxy 2026-05-13
Windows Level RMM PowerShell Script Installer Powershell Script Block Logging 4104 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Windows Remote Access Software RMS Registry Sysmon EventID 13 T1219 TTP Azorult 2026-05-13
Windows Kerberos Coercion via DNS Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 4662 T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host 2026-05-13
Windows DNS Query Request To TinyUrl Sysmon EventID 22 T1105 Anomaly Malicious Inno Setup Loader 2026-05-13
Windows Proxy Via Netsh CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1090.001 Anomaly Volt Typhoon 2026-05-13
Windows RMM Tool Execution Sysmon EventID 1 T1219 Anomaly NetSupport RMM Tool Abuse, Suspicious User Agents, Remote Monitoring and Management Software 2026-05-13
Curl Execution with Percent Encoded URL CrowdStrike ProcessRollup2, Sysmon for Linux EventID 1, Sysmon EventID 1, Windows Event Log Security 4688 T1027 T1105 Anomaly Living Off The Land, Ingress Tool Transfer, Compromised Windows Host 2026-05-13
Windows DLL Module Loaded in Temp Dir Sysmon EventID 7 T1105 Hunting SolarWinds WHD RCE Post Exploitation, Lokibot, Interlock Rat 2026-05-13
Windows TOR Client Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1090.003 Anomaly Windows Post-Exploitation, Command And Control, Data Protection, Compromised Windows Host, Data Exfiltration 2026-05-13
Cisco NVM - Outbound Connection to Suspicious Port Cisco Network Visibility Module Flow Data T1571 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Detect Remote Access Software Usage Registry Sysmon EventID 13 T1219 Anomaly Scattered Spider, CISA AA24-241A, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Gozi Malware 2026-05-13
BITSAdmin Download File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 T1197 TTP Living Off The Land, Scattered Spider, Hellcat Ransomware, Ingress Tool Transfer, APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, DarkSide Ransomware, Flax Typhoon, BITS Jobs, Gozi Malware 2026-05-13
Windows SSH Proxy Command CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.001 T1105 T1572 Anomaly Living Off The Land, Hellcat Ransomware, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day 2026-05-13
Windows Devtunnels Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1090 Anomaly Reverse Network Proxy 2026-05-13
LOLBAS With Network Traffic Sysmon EventID 3 T1105 T1218 T1567 TTP Living Off The Land, Hellcat Ransomware, Malicious Inno Setup Loader, APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, NetSupport RMM Tool Abuse, Fake CAPTCHA Campaigns, Water Gamayun 2026-05-13
Windows Cabinet File Extraction Via Expand CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Potential Cloudflared Tunnel Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1572 Anomaly Reverse Network Proxy 2026-05-13
Windows Level RMM Watchdog Task Created Windows Event Log Security 4698 T1053 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Windows Mail Protocol In Non-Common Process Path Sysmon EventID 3 T1071.003 Anomaly AgentTesla 2026-05-13
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script Powershell Script Block Logging 4104 T1071.001 T1078 T1212 T1482 TTP Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2026-05-13
Windows Process Execution From RDP Share CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.001 T1059 T1105 Anomaly Hidden Cobra Malware 2026-05-13
Linux Ingress Tool Transfer Hunting Sysmon for Linux EventID 1 T1105 Hunting Axios Supply Chain Post Compromise, Ingress Tool Transfer, Linux Living Off The Land, NPM Supply Chain Compromise, XorDDos 2026-05-13
Windows Curl Upload to Remote Destination CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data T1105 TTP Axios Supply Chain Post Compromise, Ingress Tool Transfer, Compromised Windows Host, PromptLock, NPM Supply Chain Compromise, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287 2026-05-13
Cisco NVM - Suspicious File Download via Headless Browser Cisco Network Visibility Module Flow Data T1059 T1105 TTP BlankGrabber Stealer, Cisco Network Visibility Module Analytics 2026-05-13
File Download or Read to Pipe Execution CrowdStrike ProcessRollup2, Sysmon for Linux EventID 1, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP Ingress Tool Transfer, Linux Living Off The Land, Compromised Windows Host, Log4Shell CVE-2021-44228, NPM Supply Chain Compromise 2026-05-13
Windows Outlook Macro Security Modified Sysmon EventID 13 T1008 T1137 TTP Windows Registry Abuse, NotDoor Malware 2026-05-13
Windows Ldifde Directory Object Behavior CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1069.002 T1105 TTP Volt Typhoon 2026-05-13
Potential Telegram API Request Via CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1041 T1102.002 Anomaly Hellcat Ransomware, BlankGrabber Stealer, XMRig, 0bj3ctivity Stealer, Water Gamayun 2026-05-13
WinRAR Spawning Shell Application CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP WinRAR Spoofing Attack CVE-2023-38831, Compromised Windows Host 2026-05-13
PowerShell WebRequest Using Memory Stream Powershell Script Block Logging 4104 T1027.011 T1059.001 T1105 TTP PHP-CGI RCE Attack on Japanese Organizations, MoonPeak, Medusa Ransomware, Malicious PowerShell 2026-05-13
Download Files Using Telegram Sysmon EventID 15 T1105 TTP Phemedrone Stealer, XMRig, Crypto Stealer, Snake Keylogger, 0bj3ctivity Stealer, Water Gamayun 2026-05-13
Log4Shell CVE-2021-44228 Exploitation T1059 T1105 T1133 T1190 Correlation CISA AA22-320A, Log4Shell CVE-2021-44228 2026-05-13
Windows File Download Via CertUtil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data T1105 TTP Living Off The Land, Forest Blizzard, Ingress Tool Transfer, Compromised Windows Host, CISA AA22-277A, DarkSide Ransomware, Flax Typhoon, ProxyNotShell, Cisco Network Visibility Module Analytics 2026-05-13
Windows Curl Download to Suspicious Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data T1105 TTP Forest Blizzard, Ingress Tool Transfer, Cisco Network Visibility Module Analytics, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer, Compromised Windows Host, GhostRedirector IIS Module and Rungan Backdoor, IcedID, Salt Typhoon, NPM Supply Chain Compromise, Black Basta Ransomware 2026-05-13
Detect Remote Access Software Usage File Sysmon EventID 11 T1219 Anomaly Scattered Spider, CISA AA24-241A, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Gozi Malware, GhostRedirector IIS Module and Rungan Backdoor, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Interlock Ransomware 2026-05-13
Linux Proxy Socks Curl Sysmon for Linux EventID 1 T1090 T1095 TTP Ingress Tool Transfer, Linux Living Off The Land 2026-05-13
Windows File Transfer Protocol In Non-Common Process Path Sysmon EventID 3 T1071.003 Anomaly Hellcat Ransomware, AgentTesla, Snake Keylogger 2026-05-13
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Sysmon EventID 18, Sysmon EventID 17 T1071 TTP Azorult 2026-05-13
Windows Devtunnels Image Loaded Sysmon EventID 7 T1090 Anomaly Reverse Network Proxy 2026-05-13
Detect Remote Access Software Usage Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1219 Anomaly Scattered Spider, CISA AA24-241A, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Seashell Blizzard, GhostRedirector IIS Module and Rungan Backdoor, Scattered Lapsus$ Hunters, Storm-0501 Ransomware, Cactus Ransomware, Gozi Malware, Interlock Ransomware 2026-05-13
Windows Ngrok Reverse Proxy Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1090 T1102 T1572 Anomaly Reverse Network Proxy, CISA AA24-241A, CISA AA22-320A 2026-05-13
Linux Ngrok Reverse Proxy Usage Sysmon for Linux EventID 1 T1090 T1102 T1572 Anomaly Reverse Network Proxy 2026-05-13
Windows App Layer Protocol Wermgr Connect To NamedPipe Sysmon EventID 18, Sysmon EventID 17 T1071 Anomaly Qakbot 2026-05-13
PowerShell Script Block With URL Chain Powershell Script Block Logging 4104 T1059.001 T1105 TTP Hellcat Ransomware, Malicious PowerShell 2026-05-13
Windows AI Platform DNS Query Sysmon EventID 22 T1071.004 Anomaly SesameOp, LAMEHUG, PromptFlux 2026-05-13
Windows Ingress Tool Transfer Using Explorer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 Anomaly DarkCrystal RAT 2026-05-13
Windows Proxy Via Registry Sysmon EventID 13 T1090.001 Anomaly Volt Typhoon 2026-05-13
Detect Remote Access Software Usage FileInfo Sysmon EventID 1 T1219 Anomaly Scattered Spider, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Gozi Malware, Interlock Ransomware 2026-05-13
Windows Suspicious QEMU Execution Sysmon EventID 1 T1001 T1036 T1204.002 T1564.006 TTP Linux Privilege Escalation, Linux Rootkit, Compromised Linux Host, Linux Living Off The Land, Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows SoftEther VPN Masquerading as Legitimate Binary Sysmon EventID 1 T1036 T1572 TTP Linux Persistence Techniques, Linux Privilege Escalation, Flax Typhoon 2026-05-13
Cisco Isovalent - Curl Execution With Insecure Flags Cisco Isovalent Process Exec T1105 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Detect Certify Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 T1649 TTP Ingress Tool Transfer, Windows Certificate Services, Compromised Windows Host 2026-05-13
Suspicious Curl Network Connection CrowdStrike ProcessRollup2, Sysmon for Linux EventID 1, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP Hellcat Ransomware, Ingress Tool Transfer, APT37 Rustonotto and FadeStealer, Linux Living Off The Land, GhostRedirector IIS Module and Rungan Backdoor, Silver Sparrow 2026-05-13
Windows File Download Via PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data T1059.001 T1105 Anomaly Phemedrone Stealer, SolarWinds WHD RCE Post Exploitation, Ingress Tool Transfer, NetSupport RMM Tool Abuse, SysAid On-Prem Software CVE-2023-47246 Vulnerability, StealC Stealer, XWorm, Data Destruction, IcedID, HAFNIUM Group, Winter Vivern, NPM Supply Chain Compromise, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, PHP-CGI RCE Attack on Japanese Organizations, APT37 Rustonotto and FadeStealer, Malicious PowerShell, Tuoni, GhostRedirector IIS Module and Rungan Backdoor, Cisco Network Visibility Module Analytics 2026-05-13
Windows PowGoop Beacon Decoding CrowdStrike ProcessRollup2, Sysmon EventID 1 T1001 T1059.001 TTP Compromised Windows Host 2026-05-13
Windows App Layer Protocol Qakbot NamedPipe Sysmon EventID 18, Sysmon EventID 17 T1071 Anomaly Qakbot 2026-05-13
Windows SQL Spawning CertUtil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 TTP Flax Typhoon, Storm-2460 CLFS Zero Day Exploitation, SQL Server Abuse 2026-05-13
Windows Short Lived DNS Record Windows Event Log Security 5136, Windows Event Log Security 5137 T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host 2026-05-13
Linux Ingress Tool Transfer with Curl Sysmon for Linux EventID 1 T1105 Anomaly NPM Supply Chain Compromise, Linux Living Off The Land, XorDDos, Ingress Tool Transfer 2026-05-13
Windows Protocol Tunneling with Plink CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.004 T1572 TTP CISA AA22-257A 2026-05-13
Windows Visual Basic Commandline Compiler DNSQuery Sysmon EventID 22 T1071.004 TTP Lokibot 2026-05-13
Living Off The Land Detection T1059 T1105 T1133 T1190 Correlation Living Off The Land, Hellcat Ransomware 2026-05-13
Linux Curl Upload File Cisco Isovalent Process Exec, Sysmon for Linux EventID 1 T1105 TTP Data Exfiltration, NPM Supply Chain Compromise, Ingress Tool Transfer, Linux Living Off The Land 2026-05-13
Windows Remote Access Software BRC4 Loaded Dll Sysmon EventID 7 T1003 T1219 Anomaly Brute Ratel C4 2026-05-13
Cisco NVM - Webserver Download From File Sharing Website Cisco Network Visibility Module Flow Data T1105 T1190 TTP GhostRedirector IIS Module and Rungan Backdoor, Cisco Network Visibility Module Analytics 2026-05-13
Windows Credential Target Information Structure in Commandline Sysmon EventID 1 T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host 2026-05-13
Juniper Networks Remote Code Execution Exploit Detection Suricata T1059 T1105 T1190 TTP Juniper JunOS Remote Code Execution 2026-05-13
HTTP Duplicated Header Suricata T1071.001 T1190 Anomaly HTTP Request Smuggling 2026-05-13
Detect Remote Access Software Usage URL Palo Alto Network Threat T1219 Anomaly CISA AA24-241A, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Interlock Ransomware 2026-05-13
HTTP Request to Reserved Name on IIS Server Suricata T1071.001 T1190 TTP HTTP Request Smuggling 2026-05-13
HTTP Rapid POST with Mixed Status Codes Nginx Access T1071.001 T1190 T1595 Anomaly HTTP Request Smuggling 2026-05-13
HTTP Scripting Tool User Agent Nginx Access T1071.001 Anomaly HTTP Request Smuggling, Suspicious User Agents 2026-05-13
HTTP Possible Request Smuggling Suricata T1071.001 TTP HTTP Request Smuggling 2026-05-13
Ollama Abnormal Network Connectivity Ollama Server T1571 Anomaly Suspicious Ollama Activities 2026-05-13
Microsoft Intune Device Health Scripts Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Microsoft Intune Mobile Apps Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Okta Non-Standard VPN Usage Okta T1078 T1090 T1572 TTP Remote Employment Fraud, Suspicious Okta Activity 2026-05-13
Windows Multi hop Proxy TOR Website Query Sysmon EventID 22 T1071.003 Anomaly AgentTesla, Interlock Ransomware 2026-05-13
HTTP RMM User Agent Suricata T1071.001 T1219 Anomaly Suspicious User Agents, Remote Monitoring and Management Software 2026-05-13
HTTP Malware User Agent Suricata T1071.001 TTP Lokibot, Lumma Stealer, Suspicious User Agents, RedLine Stealer, Crypto Stealer, Meduza Stealer 2026-05-13
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
HTTP C2 Framework User Agent Suricata T1071.001 TTP Spearphishing Attachments, BishopFox Sliver Adversary Emulation Framework, Brute Ratel C4, Meterpreter, Suspicious User Agents, Cobalt Strike, Malicious PowerShell, Tuoni 2026-05-13
Detect Remote Access Software Usage DNS Sysmon EventID 22 T1219 Anomaly Scattered Spider, CISA AA24-241A, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Interlock Ransomware 2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Large ICMP Traffic Palo Alto Network Traffic, Cisco Secure Access Firewall T1095 TTP China-Nexus Threat Activity, Command And Control, Cisco Secure Access Analytics, Backdoor Pingpong 2026-05-13
HTTP PUA User Agent Suricata T1071.001 Anomaly BlackSuit Ransomware, Local Privilege Escalation With KrbRelayUp, Cactus Ransomware, Suspicious User Agents 2026-05-13
Cisco Secure Firewall - Intrusion Events by Threat Activity Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
TOR Traffic Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event T1090.003 TTP Cisco Secure Firewall Threat Defense Analytics, Ransomware, NOBELIUM Group, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Interlock Ransomware 2026-05-13
Zeek x509 Certificate with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
SSL Certificates with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Cisco Secure Firewall - Remote Access Software Usage Traffic Cisco Secure Firewall Threat Defense Connection Event T1219 Anomaly Scattered Spider, Cisco Secure Firewall Threat Defense Analytics, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Interlock Ransomware 2026-05-13
Cisco Secure Firewall - Malware File Downloaded Cisco Secure Firewall Threat Defense File Event T1105 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows DNS Query Request by Telegram Bot API Sysmon EventID 22 T1071.004 T1102.002 Anomaly 0bj3ctivity Stealer, Crypto Stealer, BlankGrabber Stealer, VIP Keylogger 2026-05-13
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1573.002 T1587.002 T1588.004 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Remote Access Software Usage Traffic Palo Alto Network Traffic T1219 Anomaly Scattered Spider, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Interlock Ransomware 2026-05-13
Cisco Secure Firewall - Lumma Stealer Download Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - High EVE Threat Confidence Cisco Secure Firewall Threat Defense Connection Event T1041 T1071.001 T1105 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads Cisco Secure Firewall Threat Defense File Event T1027 T1105 Anomaly Hellcat Ransomware, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event T1053.003 T1059 T1071.001 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Abused Web Services Sysmon EventID 22 T1102 Anomaly Malicious Inno Setup Loader, NjRAT, BlankGrabber Stealer, CISA AA24-241A 2026-05-13
Ngrok Reverse Proxy on Network Sysmon EventID 22 T1090 T1102 T1572 Anomaly Reverse Network Proxy, CISA AA24-241A, CISA AA22-320A 2026-05-13
Cisco Secure Firewall - File Download Over Uncommon Port Cisco Secure Firewall Threat Defense File Event T1105 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Outbound SMB Traffic Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event T1071.002 TTP Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics, NOBELIUM Group, Hidden Cobra Malware, DHS Report TA18-074A 2026-05-13
DNS Kerberos Coercion Sysmon EventID 22, Suricata T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host 2026-05-13
Cisco Secure Firewall - Connection to File Sharing Domain Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1090.002 T1105 T1567.002 T1588.002 Anomaly Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Excessive DNS Failures T1071.004 Anomaly Command And Control, Suspicious DNS Traffic 2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1071 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13