Command and Control Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Windows Potential Cloudflared Network Connection | Sysmon EventID 3 | T1572 | Hunting | Reverse Network Proxy | 2026-05-13 |
| Windows Level RMM PowerShell Script Installer | Powershell Script Block Logging 4104 | T1219 | Anomaly | Remote Monitoring and Management Software | 2026-05-13 |
| Windows Remote Access Software RMS Registry | Sysmon EventID 13 | T1219 | TTP | Azorult | 2026-05-13 |
| Windows Kerberos Coercion via DNS | Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 4662 | T1071.004, T1187, T1557.001 | TTP | Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic | 2026-05-13 |
| Windows DNS Query Request To TinyUrl | Sysmon EventID 22 | T1105 | Anomaly | Malicious Inno Setup Loader | 2026-05-13 |
| Windows Proxy Via Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1090.001 | Anomaly | Volt Typhoon | 2026-05-13 |
| Windows RMM Tool Execution | Sysmon EventID 1 | T1219 | Anomaly | NetSupport RMM Tool Abuse, Suspicious User Agents, Remote Monitoring and Management Software | 2026-05-13 |
| Curl Execution with Percent Encoded URL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 | T1027, T1105 | Anomaly | Living Off The Land, Compromised Windows Host, Ingress Tool Transfer | 2026-05-13 |
| Windows DLL Module Loaded in Temp Dir | Sysmon EventID 7 | T1105 | Hunting | Interlock Rat, Lokibot, SolarWinds WHD RCE Post Exploitation | 2026-05-13 |
| Windows TOR Client Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1090.003 | Anomaly | Compromised Windows Host, Windows Post-Exploitation, Command And Control, Data Protection, Data Exfiltration | 2026-05-13 |
| Cisco NVM - Outbound Connection to Suspicious Port | Cisco Network Visibility Module Flow Data | T1571 | Anomaly | Cisco Network Visibility Module Analytics | 2026-05-13 |
| Detect Remote Access Software Usage Registry | Sysmon EventID 13 | T1219 | Anomaly | Command And Control, Ransomware, Remote Monitoring and Management Software, Cactus Ransomware, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, Insider Threat, Scattered Lapsus$ Hunters | 2026-05-13 |
| BITSAdmin Download File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105, T1197 | TTP | DarkSide Ransomware, Living Off The Land, APT37 Rustonotto and FadeStealer, Scattered Spider, Ingress Tool Transfer, Flax Typhoon, Gozi Malware, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, BITS Jobs | 2026-05-13 |
| Windows SSH Proxy Command | CrowdStrike ProcessRollup2, Sysmon EventID 1 | T1059.001, T1105, T1572 | Anomaly | Living Off The Land, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day, Hellcat Ransomware | 2026-05-13 |
| Windows Devtunnels Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1090 | Anomaly | Reverse Network Proxy | 2026-05-13 |
| LOLBAS With Network Traffic | Sysmon EventID 3 | T1105, T1218, T1567 | TTP | Malicious Inno Setup Loader, Living Off The Land, APT37 Rustonotto and FadeStealer, Fake CAPTCHA Campaigns, Water Gamayun, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, NetSupport RMM Tool Abuse | 2026-05-13 |
| Windows Cabinet File Extraction Via Expand | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105 | TTP | NetSupport RMM Tool Abuse, APT37 Rustonotto and FadeStealer | 2026-05-13 |
| Windows Potential Cloudflared Tunnel Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1572 | Anomaly | Reverse Network Proxy | 2026-05-13 |
| Windows Level RMM Watchdog Task Created | Windows Event Log Security 4698 | T1053, T1219 | Anomaly | Remote Monitoring and Management Software | 2026-05-13 |
| Windows Mail Protocol In Non-Common Process Path | Sysmon EventID 3 | T1071.003 | Anomaly | AgentTesla | 2026-05-13 |
| Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script | Powershell Script Block Logging 4104 | T1071.001, T1078, T1212, T1482 | TTP | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Windows Process Execution From RDP Share | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.001, T1059, T1105 | Anomaly | Hidden Cobra Malware | 2026-05-13 |
| Linux Ingress Tool Transfer Hunting | Sysmon for Linux EventID 1 | T1105 | Hunting | NPM Supply Chain Compromise, Ingress Tool Transfer, XorDDos, Linux Living Off The Land, Axios Supply Chain Post Compromise | 2026-05-13 |
| Windows Curl Upload to Remote Destination | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data | T1105 | TTP | Compromised Windows Host, PromptLock, NPM Supply Chain Compromise, Ingress Tool Transfer, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, Axios Supply Chain Post Compromise | 2026-05-13 |
| Cisco NVM - Suspicious File Download via Headless Browser | Cisco Network Visibility Module Flow Data | T1059, T1105 | TTP | Cisco Network Visibility Module Analytics, BlankGrabber Stealer | 2026-05-13 |
| File Download or Read to Pipe Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 | T1105 | TTP | Compromised Windows Host, NPM Supply Chain Compromise, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 | 2026-05-13 |
| Windows Suspicious Defender Update Activity in INetCache | Sysmon EventID 23, Sysmon EventID 11 | T1068, T1105 | Anomaly | BlueHammer, Windows Persistence Techniques | 2026-04-27 |
| Windows Outlook Macro Security Modified | Sysmon EventID 13 | T1008, T1137 | TTP | Windows Registry Abuse, NotDoor Malware | 2026-05-13 |
| Windows Ldifde Directory Object Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069.002, T1105 | TTP | Volt Typhoon | 2026-05-13 |
| Potential Telegram API Request Via CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1041, T1102.002 | Anomaly | XMRig, Water Gamayun, 0bj3ctivity Stealer, BlankGrabber Stealer, Hellcat Ransomware | 2026-05-13 |
| WinRAR Spawning Shell Application | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105 | TTP | Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831 | 2026-05-13 |
| PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | T1027.011, T1059.001, T1105 | TTP | MoonPeak, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Medusa Ransomware | 2026-05-13 |
| Download Files Using Telegram | Sysmon EventID 15 | T1105 | TTP | Crypto Stealer, XMRig, Water Gamayun, 0bj3ctivity Stealer, Snake Keylogger, Phemedrone Stealer | 2026-05-13 |
| Log4Shell CVE-2021-44228 Exploitation | | T1059, T1105, T1133, T1190 | Correlation | Log4Shell CVE-2021-44228, CISA AA22-320A | 2026-05-13 |
| Windows File Download Via CertUtil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data | T1105 | TTP | DarkSide Ransomware, Living Off The Land, Compromised Windows Host, Ingress Tool Transfer, Forest Blizzard, Flax Typhoon, Cisco Network Visibility Module Analytics, CISA AA22-277A, ProxyNotShell | 2026-05-13 |
| Windows Curl Download to Suspicious Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data | T1105 | TTP | APT37 Rustonotto and FadeStealer, Compromised Windows Host, Black Basta Ransomware, Ingress Tool Transfer, NPM Supply Chain Compromise, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, Salt Typhoon, Cisco Network Visibility Module Analytics, IcedID, China-Nexus Threat Activity | 2026-05-13 |
| Detect Remote Access Software Usage File | Sysmon EventID 11 | T1219 | Anomaly | Command And Control, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters | 2026-05-13 |
| Linux Proxy Socks Curl | Sysmon for Linux EventID 1 | T1090, T1095 | TTP | Linux Living Off The Land, Ingress Tool Transfer | 2026-06-04 |
| Windows File Transfer Protocol In Non-Common Process Path | Sysmon EventID 3 | T1071.003 | Anomaly | AgentTesla, Snake Keylogger, Hellcat Ransomware | 2026-05-13 |
| Windows Application Layer Protocol RMS Radmin Tool Namedpipe | Sysmon EventID 17, Sysmon EventID 18 | T1071 | TTP | Azorult | 2026-05-13 |
| Windows Devtunnels Image Loaded | Sysmon EventID 7 | T1090 | Anomaly | Reverse Network Proxy | 2026-05-13 |
| Detect Remote Access Software Usage Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1219 | Anomaly | Command And Control, Ransomware, Remote Monitoring and Management Software, Cactus Ransomware, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, Interlock Ransomware, Insider Threat, GhostRedirector IIS Module and Rungan Backdoor, Storm-0501 Ransomware, Scattered Lapsus$ Hunters | 2026-05-13 |
| Windows Ngrok Reverse Proxy Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1090, T1102, T1572 | Anomaly | CISA AA22-320A, Reverse Network Proxy, CISA AA24-241A | 2026-05-13 |
| Linux Ngrok Reverse Proxy Usage | Sysmon for Linux EventID 1 | T1090, T1102, T1572 | Anomaly | Reverse Network Proxy | 2026-05-13 |
| Windows App Layer Protocol Wermgr Connect To NamedPipe | Sysmon EventID 17, Sysmon EventID 18 | T1071 | Anomaly | Qakbot | 2026-05-13 |
| PowerShell Script Block With URL Chain | Powershell Script Block Logging 4104 | T1059.001, T1105 | TTP | Hellcat Ransomware, Malicious PowerShell | 2026-05-13 |
| Windows AI Platform DNS Query | Sysmon EventID 22 | T1071.004 | Anomaly | LAMEHUG, PromptFlux, SesameOp | 2026-05-13 |
| Windows Ingress Tool Transfer Using Explorer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105 | Anomaly | DarkCrystal RAT | 2026-05-13 |
| Windows Proxy Via Registry | Sysmon EventID 13 | T1090.001 | Anomaly | Volt Typhoon | 2026-05-13 |
| Detect Remote Access Software Usage FileInfo | Sysmon EventID 1 | T1219 | Anomaly | Command And Control, Ransomware, Remote Monitoring and Management Software, Cactus Ransomware, Scattered Spider, Gozi Malware, Seashell Blizzard, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters | 2026-05-13 |
| Windows Suspicious QEMU Execution | Sysmon EventID 1 | T1001, T1036, T1204.002, T1564.006 | TTP | Linux Rootkit, Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Windows SoftEther VPN Masquerading as Legitimate Binary | Sysmon EventID 1 | T1036, T1572 | TTP | Linux Persistence Techniques, Flax Typhoon, Linux Privilege Escalation | 2026-05-13 |
| Cisco Isovalent - Curl Execution With Insecure Flags | Cisco Isovalent Process Exec | T1105 | Anomaly | Cisco Isovalent Suspicious Activity | 2026-05-13 |
| Detect Certify Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105, T1649 | TTP | Windows Certificate Services, Compromised Windows Host, Ingress Tool Transfer | 2026-05-13 |
| Suspicious Curl Network Connection | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 | T1105 | TTP | APT37 Rustonotto and FadeStealer, Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware | 2026-05-13 |
| Windows File Download Via PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data | T1059.001, T1105 | Anomaly | GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, NetSupport RMM Tool Abuse, IcedID, Ingress Tool Transfer, Winter Vivern, HAFNIUM Group, StealC Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, NPM Supply Chain Compromise, XWorm, Malicious PowerShell, APT37 Rustonotto and FadeStealer, PHP-CGI RCE Attack on Japanese Organizations, SolarWinds WHD RCE Post Exploitation, Data Destruction, Phemedrone Stealer, Tuoni | 2026-05-13 |
| Windows PowGoop Beacon Decoding | CrowdStrike ProcessRollup2, Sysmon EventID 1 | T1001, T1059.001 | TTP | Compromised Windows Host | 2026-05-13 |
| Windows App Layer Protocol Qakbot NamedPipe | Sysmon EventID 17, Sysmon EventID 18 | T1071 | Anomaly | Qakbot | 2026-05-13 |
| Windows SQL Spawning CertUtil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105 | TTP | Flax Typhoon, SQL Server Abuse, Storm-2460 CLFS Zero Day Exploitation | 2026-05-13 |
| Windows Short Lived DNS Record | Windows Event Log Security 5137, Windows Event Log Security 5136 | T1071.004, T1187, T1557.001 | TTP | Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic | 2026-05-13 |
| Windows Non-System Process Querying Definition Update | Sysmon EventID 22 | T1068, T1071.001 | Anomaly | BlueHammer, Windows Privilege Escalation, RedSun | 2026-04-27 |
| Linux Ingress Tool Transfer with Curl | Sysmon for Linux EventID 1 | T1105 | Anomaly | XorDDos, NPM Supply Chain Compromise, Linux Living Off The Land, Ingress Tool Transfer | 2026-05-13 |
| Windows Protocol Tunneling with Plink | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021.004, T1572 | TTP | CISA AA22-257A | 2026-05-13 |
| Windows Visual Basic Commandline Compiler DNSQuery | Sysmon EventID 22 | T1071.004 | TTP | Lokibot | 2026-05-13 |
| Living Off The Land Detection | | T1059, T1105, T1133, T1190 | Correlation | Living Off The Land, Hellcat Ransomware | 2026-05-13 |
| Linux Curl Upload File | Sysmon for Linux EventID 1, Cisco Isovalent Process Exec | T1105 | TTP | Data Exfiltration, NPM Supply Chain Compromise, Linux Living Off The Land, Ingress Tool Transfer | 2026-05-13 |
| Windows Remote Access Software BRC4 Loaded Dll | Sysmon EventID 7 | T1003, T1219 | Anomaly | Brute Ratel C4 | 2026-05-13 |
| Cisco NVM - Webserver Download From File Sharing Website | Cisco Network Visibility Module Flow Data | T1105, T1190 | TTP | GhostRedirector IIS Module and Rungan Backdoor, Cisco Network Visibility Module Analytics | 2026-05-13 |
| Windows Credential Target Information Structure in Commandline | Sysmon EventID 1 | T1071.004, T1187, T1557.001 | TTP | Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic | 2026-05-13 |
| Juniper Networks Remote Code Execution Exploit Detection | Suricata | T1059, T1105, T1190 | TTP | Juniper JunOS Remote Code Execution | 2026-05-13 |
| HTTP Duplicated Header | Suricata | T1071.001, T1190 | Anomaly | HTTP Request Smuggling | 2026-05-13 |
| Detect Remote Access Software Usage URL | Palo Alto Network Threat | T1219 | Anomaly | Command And Control, Ransomware, Remote Monitoring and Management Software, CISA AA24-241A, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters | 2026-05-13 |
| HTTP Request to Reserved Name on IIS Server | Suricata | T1071.001, T1190 | TTP | HTTP Request Smuggling | 2026-05-13 |
| HTTP Rapid POST with Mixed Status Codes | Nginx Access | T1071.001, T1190, T1595 | Anomaly | HTTP Request Smuggling | 2026-05-13 |
| HTTP Scripting Tool User Agent | Nginx Access | T1071.001 | Anomaly | Suspicious User Agents, HTTP Request Smuggling | 2026-06-15 |
| HTTP Possible Request Smuggling | Suricata | T1071.001 | TTP | HTTP Request Smuggling | 2026-05-13 |
| Cisco IOS XE Tunnel Interface Configuration | Cisco IOS Logs | T1090, T1572 | Anomaly | Salt Typhoon | 2026-05-20 |
| Ollama Abnormal Network Connectivity | Ollama Server | T1571 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Microsoft Intune Device Health Scripts | Azure Monitor Activity | T1021.007, T1072, T1105, T1202 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | T1021.007, T1072, T1105, T1202 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Okta Non-Standard VPN Usage | Okta | T1078, T1090, T1572 | TTP | Remote Employment Fraud, Suspicious Okta Activity | 2026-05-13 |
| Windows Multi hop Proxy TOR Website Query | Sysmon EventID 22 | T1071.003 | Anomaly | Interlock Ransomware, AgentTesla | 2026-05-13 |
| HTTP RMM User Agent | Suricata | T1071.001, T1219 | Anomaly | Suspicious User Agents, Remote Monitoring and Management Software | 2026-05-13 |
| HTTP Malware User Agent | Suricata | T1071.001 | TTP | Lokibot, Crypto Stealer, Meduza Stealer, Suspicious User Agents, Lumma Stealer, RedLine Stealer | 2026-05-13 |
| Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt | Cisco Secure Firewall Threat Defense Intrusion Event | T1041, T1573.002 | Anomaly | Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| HTTP C2 Framework User Agent | Suricata | T1071.001 | TTP | Malicious PowerShell, Brute Ratel C4, Cobalt Strike, Spearphishing Attachments, BishopFox Sliver Adversary Emulation Framework, Suspicious User Agents, Tuoni, Meterpreter | 2026-05-13 |
| Detect Remote Access Software Usage DNS | Sysmon EventID 22 | T1219 | Anomaly | Command And Control, Ransomware, Remote Monitoring and Management Software, Scattered Spider, CISA AA24-241A, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters | 2026-05-13 |
| Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts | Cisco Secure Firewall Threat Defense Intrusion Event | T1027, T1105 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Detect Large ICMP Traffic | Palo Alto Network Traffic, Cisco Secure Access Firewall | T1095 | TTP | China-Nexus Threat Activity, Cisco Secure Access Analytics, Command And Control, Backdoor Pingpong | 2026-05-13 |
| HTTP PUA User Agent | Suricata | T1071.001 | Anomaly | Suspicious User Agents, Local Privilege Escalation With KrbRelayUp, BlackSuit Ransomware, Cactus Ransomware | 2026-05-13 |
| Cisco Secure Firewall - Intrusion Events by Threat Activity | Cisco Secure Firewall Threat Defense Intrusion Event | T1041, T1573.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor | 2026-05-13 |
| Cisco Secure Firewall - Communication Over Suspicious Ports | Cisco Secure Firewall Threat Defense Connection Event | T1021, T1055, T1059.001, T1105, T1219, T1571 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| TOR Traffic | Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event | T1090.003 | TTP | Command And Control, Ransomware, Cisco Secure Firewall Threat Defense Analytics, Interlock Ransomware, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch | 2026-05-13 |
| Zeek x509 Certificate with Punycode | | T1573 | Hunting | OpenSSL CVE-2022-3602 | 2026-05-13 |
| SSL Certificates with Punycode | | T1573 | Hunting | OpenSSL CVE-2022-3602 | 2026-05-13 |
| Cisco Secure Firewall - Remote Access Software Usage Traffic | Cisco Secure Firewall Threat Defense Connection Event | T1219 | Anomaly | Command And Control, Ransomware, Remote Monitoring and Management Software, Scattered Spider, Cisco Secure Firewall Threat Defense Analytics, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters | 2026-05-13 |
| Cisco Secure Firewall - Malware File Downloaded | Cisco Secure Firewall Threat Defense File Event | T1105, T1203 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Windows DNS Query Request by Telegram Bot API | Sysmon EventID 22 | T1071.004, T1102.002 | Anomaly | Crypto Stealer, 0bj3ctivity Stealer, VIP Keylogger, BlankGrabber Stealer | 2026-05-13 |
| Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint | Cisco Secure Firewall Threat Defense Connection Event | T1071.001, T1573.002, T1587.002, T1588.004 | TTP | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Detect Remote Access Software Usage Traffic | Palo Alto Network Traffic | T1219 | Anomaly | Command And Control, Scattered Spider, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters | 2026-05-13 |
| Cisco Secure Firewall - Lumma Stealer Download Attempt | Cisco Secure Firewall Threat Defense Intrusion Event | T1041, T1573.002 | Anomaly | Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - High Priority Intrusion Classification | Cisco Secure Firewall Threat Defense Intrusion Event | T1003, T1071, T1078, T1190, T1203 | TTP | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - High EVE Threat Confidence | Cisco Secure Firewall Threat Defense Connection Event | T1041, T1071.001, T1105, T1573.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Repeated Malware Downloads | Cisco Secure Firewall Threat Defense File Event | T1027, T1105 | Anomaly | Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware | 2026-05-13 |
| Cisco Secure Firewall - Wget or Curl Download | Cisco Secure Firewall Threat Defense Connection Event | T1053.003, T1059, T1071.001, T1105 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Windows Abused Web Services | Sysmon EventID 22 | T1102 | Anomaly | Malicious Inno Setup Loader, NjRAT, BlankGrabber Stealer, CISA AA24-241A | 2026-05-13 |
| Ngrok Reverse Proxy on Network | Sysmon EventID 22 | T1090, T1102, T1572 | Anomaly | CISA AA22-320A, Reverse Network Proxy, CISA AA24-241A | 2026-05-13 |
| Cisco Secure Firewall - File Download Over Uncommon Port | Cisco Secure Firewall Threat Defense File Event | T1105, T1571 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Detect Outbound SMB Traffic | Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event | T1071.002 | TTP | DHS Report TA18-074A, Cisco Secure Access Analytics, Cisco Secure Firewall Threat Defense Analytics, Hidden Cobra Malware, NOBELIUM Group | 2026-05-13 |
| DNS Kerberos Coercion | Suricata, Sysmon EventID 22 | T1071.004, T1187, T1557.001 | TTP | Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic | 2026-05-13 |
| Cisco Secure Firewall - Connection to File Sharing Domain | Cisco Secure Firewall Threat Defense Connection Event | T1071.001, T1090.002, T1105, T1567.002, T1588.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters | 2026-05-13 |
| Excessive DNS Failures | | T1071.004 | Anomaly | Command And Control, Suspicious DNS Traffic | 2026-05-13 |
| Cisco Secure Firewall - High Volume of Intrusion Events Per Host | Cisco Secure Firewall Threat Defense Intrusion Event | T1059, T1071, T1595.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco SA - Access to Anonymizer Services | Cisco Secure Access DNS | T1090.003 | Anomaly | Cisco Secure Access Analytics | 2026-06-09 |