| Detection | Data Source | ATT&CK Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Splunk Sensitive Information Disclosure in DEBUG Logging Channels | Splunk | T1552 | Hunting | Splunk Vulnerabilities | 2026-05-14 |
| Steal or Forge Authentication Certificates Behavior Identified | | T1649 | Correlation | Windows Certificate Services | 2026-05-13 |
| Windows Credentials from Password Stores Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1555 | TTP | DarkGate Malware, NetSupport RMM Tool Abuse, Compromised Windows Host | 2026-05-13 |
| Linux Auditd Find Credentials From Password Stores | Linux Auditd Execve | T1555.005 | TTP | Linux Persistence Techniques, Linux Privilege Escalation, Hellcat Ransomware, Compromised Linux Host, Linux Living Off The Land, Scattered Lapsus$ Hunters | 2026-05-13 |
| Windows Local Administrator Credential Stuffing | Windows Event Log Security 4625, Windows Event Log Security 4624 | T1110.004 | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters | 2026-05-13 |
| Crowdstrike Medium Severity Alert | | T1110 | Anomaly | Compromised Windows Host | 2026-05-13 |
| Windows PowerView Kerberos Service Ticket Request | Powershell Script Block Logging 4104 | T1558.003 | TTP | Rhysida Ransomware, Active Directory Kerberos Attacks | 2026-05-13 |
| Windows Kerberos Coercion via DNS | Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 4662 | T1071.004, T1187, T1557.001 | TTP | Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host | 2026-05-13 |
| Windows Steal or Forge Kerberos Tickets Klist | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1558 | Hunting | Windows Post-Exploitation, Prestige Ransomware | 2026-05-13 |
| Windows Credentials from Web Browsers Saved in TEMP Folder | Sysmon EventID 11 | T1555.003 | TTP | Scattered Lapsus$ Hunters, Braodo Stealer | 2026-05-13 |
| Linux Auditd Possible Access To Credential Files | Linux Auditd Proctitle | T1003.008 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Axios Supply Chain Post Compromise, Compromised Linux Host, China-Nexus Threat Activity, Salt Typhoon | 2026-05-13 |
| Auto Admin Logon Registry Entry | Sysmon EventID 13 | T1552.002 | TTP | Windows Registry Abuse, BlackMatter Ransomware | 2026-05-13 |
| SecretDumps Offline NTDS Dumping Tool | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.003 | TTP | Rhysida Ransomware, Credential Dumping, Graceful Wipe Out Attack, Compromised Windows Host, Storm-0501 Ransomware | 2026-05-13 |
| Windows Unusual Intelliform Storage Registry Access | Windows Event Log Security 4663 | T1552.001 | Anomaly | Quasar RAT, Lokibot | 2026-05-13 |
| Kerberos Pre-Authentication Flag Disabled with PowerShell | Powershell Script Block Logging 4104 | T1558.004 | TTP | Active Directory Kerberos Attacks | 2026-05-13 |
| Disabled Kerberos Pre-Authentication Discovery With PowerView | Powershell Script Block Logging 4104 | T1558.004 | TTP | Active Directory Kerberos Attacks, Interlock Ransomware | 2026-05-13 |
| Windows PowerShell Export Certificate | Powershell Script Block Logging 4104 | T1552.004, T1649 | Anomaly | Windows Certificate Services | 2026-05-13 |
| Potential password in username | Linux Secure | T1078.003, T1552.001 | Hunting | Credential Dumping, Insider Threat | 2026-05-13 |
| Creation of Shadow Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.003 | TTP | Credential Dumping, Volt Typhoon, Compromised Windows Host | 2026-05-13 |
| Kerberos Service Ticket Request Using RC4 Encryption | Windows Event Log Security 4769 | T1558.001 | TTP | Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Active Directory Kerberos Attacks | 2026-05-13 |
| Windows Multiple NTLM Null Domain Authentications | NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004 | T1110.003 | TTP | Active Directory Password Spraying | 2026-05-13 |
| Dump LSASS via procdump | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.001 | TTP | Credential Dumping, Seashell Blizzard, Compromised Windows Host, CISA AA22-257A, HAFNIUM Group, Storm-2460 CLFS Zero Day Exploitation | 2026-05-13 |
| Possible Browser Pass View Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1555.003 | Hunting | Remcos | 2026-05-13 |
| Windows PowerView SPN Discovery | Powershell Script Block Logging 4104 | T1558.003 | TTP | CISA AA23-347A, Rhysida Ransomware, Active Directory Kerberos Attacks, Interlock Ransomware | 2026-05-13 |
| Windows Unusual Count Of Users Remotely Failed To Auth From Host | Windows Event Log Security 4625 | T1110.003 | Anomaly | Volt Typhoon, Active Directory Password Spraying | 2026-05-13 |
| Windows Mimikatz Binary Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003 | TTP | Scattered Spider, Sandworm Tools, Credential Dumping, CISA AA22-320A, Compromised Windows Host, Flax Typhoon, Volt Typhoon, CISA AA23-347A | 2026-05-13 |
| Cisco Isovalent - Access To Cloud Metadata Service | Cisco Isovalent Process Connect | T1552.005 | Anomaly | VoidLink Cloud-Native Linux Malware, Cisco Isovalent Suspicious Activity | 2026-05-13 |
| Non Firefox Process Access Firefox Profile Dir | Windows Event Log Security 4663 | T1555.003 | Anomaly | Phemedrone Stealer, Warzone RAT, Quasar RAT, Lokibot, VIP Keylogger, 3CX Supply Chain Attack, SnappyBee, StealC Stealer, Salt Typhoon, AgentTesla, 0bj3ctivity Stealer, RedLine Stealer, Snake Keylogger, CISA AA23-347A, NjRAT, FIN7, China-Nexus Threat Activity, Malicious Inno Setup Loader, BlankGrabber Stealer, Azorult, DarkGate Malware, Remcos | 2026-05-13 |
| Detect Password Spray Attack Behavior On User | Windows Event Log Security 4625, Windows Event Log Security 4624 | T1110.003 | TTP | Crypto Stealer, Compromised User Account | 2026-05-13 |
| Windows Steal Authentication Certificates Export Certificate | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1649 | Anomaly | Windows Certificate Services | 2026-05-13 |
| Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | Powershell Script Block Logging 4104 | T1558.004 | TTP | CISA AA23-347A, Active Directory Kerberos Attacks, Interlock Ransomware, BlackSuit Ransomware | 2026-05-13 |
| Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM | Windows Event Log Security 4776 | T1110.003 | Anomaly | Volt Typhoon, Active Directory Password Spraying | 2026-05-13 |
| Windows Computer Account Created by Computer Account | Windows Event Log Security 4741 | T1558 | TTP | Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks | 2026-05-13 |
| Windows Multiple Invalid Users Fail To Authenticate Using Kerberos | Windows Event Log Security 4768 | T1110.003 | TTP | Volt Typhoon, Active Directory Kerberos Attacks, Active Directory Password Spraying | 2026-05-13 |
| Creation of lsass Dump with Taskmgr | Sysmon EventID 11 | T1003.001 | TTP | Credential Dumping, Seashell Blizzard, CISA AA22-257A, Scattered Lapsus$ Hunters, Cactus Ransomware | 2026-05-13 |
| Access LSASS Memory for Dump Creation | Sysmon EventID 10 | T1003.001 | TTP | Lokibot, Credential Dumping, Scattered Lapsus$ Hunters, CISA AA23-347A, Cactus Ransomware | 2026-05-13 |
| Windows Multiple Invalid Users Failed To Authenticate Using NTLM | Windows Event Log Security 4776 | T1110.003 | TTP | Volt Typhoon, Active Directory Password Spraying | 2026-05-13 |
| Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script | Powershell Script Block Logging 4104 | T1071.001, T1078, T1212, T1482 | TTP | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Windows Credentials in Registry Reg Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1552.002 | Anomaly | Windows Post-Exploitation, Prestige Ransomware | 2026-05-13 |
| Linux Auditd Find Ssh Private Keys | Linux Auditd Execve | T1552.004 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Hellcat Ransomware, Compromised Linux Host, Linux Living Off The Land | 2026-05-13 |
| Windows Kerberos Local Successful Logon | Windows Event Log Security 4624 | T1558 | TTP | Local Privilege Escalation With KrbRelayUp, Scattered Lapsus$ Hunters, Active Directory Kerberos Attacks, Compromised Windows Host | 2026-05-13 |
| Detect Password Spray Attack Behavior From Source | Windows Event Log Security 4625, Windows Event Log Security 4624 | T1110.003 | TTP | Compromised User Account | 2026-05-13 |
| Crowdstrike Admin With Duplicate Password | | T1110 | TTP | Compromised Windows Host | 2026-05-13 |
| Kerberos Pre-Authentication Flag Disabled in UserAccountControl | Windows Event Log Security 4738 | T1558.004 | TTP | BlackSuit Ransomware, Active Directory Kerberos Attacks | 2026-05-13 |
| Windows LSA Secrets NoLMhash Registry | Sysmon EventID 13 | T1003.004 | TTP | CISA AA23-347A, Scattered Lapsus$ Hunters | 2026-05-13 |
| Windows Credentials from Password Stores Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1555 | Anomaly | Windows Post-Exploitation, NetSupport RMM Tool Abuse, Prestige Ransomware, DarkGate Malware | 2026-05-13 |
| Detect Credential Dumping through LSASS access | Sysmon EventID 10 | T1003.001 | TTP | Lokibot, Credential Dumping, BlackSuit Ransomware, Scattered Lapsus$ Hunters, Detect Zerologon Attack, CISA AA23-347A | 2026-05-13 |
| Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos | Windows Event Log Security 4768 | T1110.003 | Anomaly | Volt Typhoon, Active Directory Kerberos Attacks, Active Directory Password Spraying | 2026-05-13 |
| Windows LAPS Password Gathering Via PowerShell Script | Powershell Script Block Logging 4104 | T1003, T1552 | Anomaly | Credential Dumping, Active Directory Privilege Escalation | 2026-05-13 |
| Windows Findstr GPP Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1552.006 | TTP | Active Directory Privilege Escalation | 2026-05-13 |
| PetitPotam Suspicious Kerberos TGT Request | Windows Event Log Security 4768 | T1003 | TTP | Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services | 2026-05-13 |
| Rubeus Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1550.003, T1558.003, T1558.004 | TTP | Active Directory Privilege Escalation, Active Directory Kerberos Attacks, ZOVWiper, BlackSuit Ransomware, Scattered Lapsus$ Hunters, CISA AA23-347A | 2026-05-13 |
| Windows PowerSploit GPP Discovery | Powershell Script Block Logging 4104 | T1552.006 | TTP | Active Directory Privilege Escalation | 2026-05-13 |
| Windows Input Capture Using Credential UI Dll | Sysmon EventID 7 | T1056.002 | Hunting | APT37 Rustonotto and FadeStealer, Brute Ratel C4 | 2026-05-13 |
| Detect Copy of ShadowCopy with Script Block Logging | Powershell Script Block Logging 4104 | T1003.002 | TTP | Credential Dumping, VanHelsing Ransomware | 2026-05-13 |
| Crowdstrike Admin Weak Password Policy | | T1110 | TTP | Compromised Windows Host | 2026-05-13 |
| Windows Steal Authentication Certificates Export PfxCertificate | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1649 | Anomaly | Windows Certificate Services | 2026-05-13 |
| Windows Steal Authentication Certificates - ESC1 Authentication | Windows Event Log Security 4768, Windows Event Log Security 4887 | T1550, T1649 | TTP | Compromised Windows Host, Windows Certificate Services | 2026-05-13 |
| Windows Unusual NTLM Authentication Users By Destination | NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004 | T1110.003 | Anomaly | Active Directory Password Spraying | 2026-05-13 |
| Windows Cached Domain Credentials Reg Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.005 | Anomaly | Windows Post-Exploitation, Prestige Ransomware | 2026-05-13 |
| Windows Unusual Count Of Users Failed To Authenticate From Process | Windows Event Log Security 4625 | T1110.003 | Anomaly | Insider Threat, Volt Typhoon, Active Directory Password Spraying | 2026-05-13 |
| Windows Credential Dumping LSASS Memory Createdump | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.001 | TTP | Credential Dumping, Scattered Lapsus$ Hunters, Compromised Windows Host | 2026-05-13 |
| Ntdsutil Export NTDS | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.003 | TTP | Living Off The Land, Rhysida Ransomware, Credential Dumping, Prestige Ransomware, Volt Typhoon, HAFNIUM Group, NetSupport RMM Tool Abuse | 2026-05-13 |
| Windows Unsecured Outlook Credentials Access In Registry | Windows Event Log Security 4663 | T1552 | Anomaly | StealC Stealer, Lokibot, Meduza Stealer, Snake Keylogger, VIP Keylogger, 0bj3ctivity Stealer | 2026-05-13 |
| Enable WDigest UseLogonCredential Registry | Sysmon EventID 13 | T1003, T1112 | TTP | Credential Dumping, Windows Registry Abuse, CISA AA22-320A | 2026-05-13 |
| Windows Sensitive Registry Hive Dump Via CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.002 | TTP | Credential Dumping, Windows Registry Abuse, Data Destruction, Compromised Windows Host, CISA AA22-257A, Industroyer2, DarkSide Ransomware, Seashell Blizzard, Volt Typhoon, CISA AA23-347A | 2026-05-13 |
| Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos | Windows Event Log Security 4768 | T1110.003 | TTP | Volt Typhoon, Active Directory Kerberos Attacks, Active Directory Password Spraying | 2026-05-13 |
| Windows PowerShell Export PfxCertificate | Powershell Script Block Logging 4104 | T1552.004, T1649 | Anomaly | Scattered Lapsus$ Hunters, Water Gamayun, Windows Certificate Services | 2026-05-13 |
| Crowdstrike Multiple LOW Severity Alerts | | T1110 | Anomaly | Compromised Windows Host | 2026-05-13 |
| ServicePrincipalNames Discovery with SetSPN | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1558.003 | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Active Directory Discovery, Compromised Windows Host | 2026-05-13 |
| Windows AD Replication Request Initiated by User Account | Windows Event Log Security 4624, Windows Event Log Security 4662 | T1003.006 | TTP | Sneaky Active Directory Persistence Tricks, Credential Dumping, Compromised Windows Host | 2026-05-13 |
| Unusual Number of Kerberos Service Tickets Requested | Windows Event Log Security 4769 | T1558.003 | Anomaly | Active Directory Kerberos Attacks | 2026-05-13 |
| Windows Domain Admin Impersonation Indicator | Windows Event Log Security 4627 | T1558 | TTP | Gozi Malware, Active Directory Privilege Escalation, Active Directory Kerberos Attacks, Compromised Windows Host | 2026-05-13 |
| Windows Steal Authentication Certificates CryptoAPI | Windows Event Log CAPI2 70 | T1649 | Anomaly | Hellcat Ransomware, Windows Certificate Services | 2026-05-13 |
| Windows Export Certificate | Windows Event Log CertificateServicesClient 1007 | T1552.004, T1649 | Anomaly | Windows Certificate Services | 2026-05-13 |
| Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials | Windows Event Log Security 4648 | T1110.003 | TTP | Insider Threat, Volt Typhoon, Active Directory Password Spraying | 2026-05-13 |
| Windows AD Replication Request Initiated from Unsanctioned Location | Windows Event Log Security 4624, Windows Event Log Security 4662 | T1003.006 | TTP | Sneaky Active Directory Persistence Tricks, Credential Dumping, Compromised Windows Host | 2026-05-13 |
| Detect Certify With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | T1059.001, T1649 | TTP | Malicious PowerShell, Windows Certificate Services | 2026-05-13 |
| Windows Non-System Account Targeting Lsass | Sysmon EventID 10 | T1003.001 | TTP | CISA AA23-347A, Credential Dumping, Scattered Lapsus$ Hunters, Lokibot | 2026-05-13 |
| Crowdstrike High Identity Risk Severity | | T1110 | TTP | Compromised Windows Host | 2026-05-13 |
| Windows Hunting System Account Targeting Lsass | Sysmon EventID 10 | T1003.001 | Hunting | CISA AA23-347A, Credential Dumping, Scattered Lapsus$ Hunters, Lokibot | 2026-05-13 |
| Windows Credentials from Password Stores Creation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1555 | TTP | DarkGate Malware, NetSupport RMM Tool Abuse, Compromised Windows Host | 2026-05-13 |
| Windows Unusual NTLM Authentication Destinations By Source | NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004 | T1110.003 | Anomaly | Active Directory Password Spraying | 2026-05-13 |
| Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos | Windows Event Log Security 4768 | T1110.003 | Anomaly | Volt Typhoon, Active Directory Kerberos Attacks, Active Directory Password Spraying | 2026-05-13 |
| Crowdstrike User with Duplicate Password | | T1110 | Anomaly | Compromised Windows Host | 2026-05-13 |
| Windows Credentials Access via VaultCli Module | Sysmon EventID 7 | T1555.004 | Anomaly | Hellcat Ransomware, Meduza Stealer | 2026-05-13 |
| Windows Unusual NTLM Authentication Destinations By User | NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004 | T1110.003 | Anomaly | Active Directory Password Spraying | 2026-05-13 |
| Windows Possible Credential Dumping | Sysmon EventID 10 | T1003.001 | TTP | Credential Dumping, CISA AA22-264A, CISA AA22-257A, DarkSide Ransomware, Scattered Lapsus$ Hunters, Detect Zerologon Attack, CISA AA23-347A | 2026-05-13 |
| Detect Mimikatz With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | T1003, T1059.001 | TTP | Hellcat Ransomware, Scattered Spider, Sandworm Tools, Hermetic Wiper, CISA AA22-264A, CISA AA22-320A, Malicious PowerShell, Data Destruction, CISA AA23-347A | 2026-05-13 |
| Certutil exe certificate extraction | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1649 | TTP | Living Off The Land, Windows Certificate Services, Windows Persistence Techniques, Compromised Windows Host, Storm-2460 CLFS Zero Day Exploitation, Cloud Federated Credential Abuse | 2026-05-13 |
| Windows Steal Authentication Certificates CS Backup | Windows Event Log Security 4876 | T1649 | Anomaly | Windows Certificate Services | 2026-05-13 |
| Crowdstrike Privilege Escalation For Non-Admin User | | T1110 | Anomaly | Compromised Windows Host | 2026-05-13 |
| Disabling Windows Local Security Authority Defences via Registry | Sysmon EventID 13 | T1556 | TTP | Windows Registry Abuse, Windows Defense Evasion Tactics | 2026-05-13 |
| Windows Process With NetExec Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1550.003, T1558.003, T1558.004 | TTP | Active Directory Privilege Escalation, Active Directory Kerberos Attacks | 2026-05-13 |
| MacOS Keychains Dumped | Osquery Results | T1555.001 | TTP | MacOS Privilege Escalation | 2026-05-13 |
| Credential Dumping via Copy Command from Shadow Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.003 | TTP | Credential Dumping, Compromised Windows Host | 2026-05-13 |
| Windows Rapid Authentication On Multiple Hosts | Windows Event Log Security 4624 | T1003.002 | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2026-05-13 |
| SAM Database File Access Attempt | Windows Event Log Security 4663 | T1003.002 | Hunting | Rhysida Ransomware, Credential Dumping, Graceful Wipe Out Attack | 2026-05-13 |
| Non Chrome Process Accessing Chrome Default Dir | Windows Event Log Security 4663 | T1555.003 | Anomaly | Phemedrone Stealer, Warzone RAT, Quasar RAT, Lokibot, VIP Keylogger, 3CX Supply Chain Attack, SnappyBee, StealC Stealer, Salt Typhoon, AgentTesla, RedLine Stealer, Snake Keylogger, CISA AA23-347A, NjRAT, FIN7, China-Nexus Threat Activity, Malicious Inno Setup Loader, BlankGrabber Stealer, DarkGate Malware, Remcos | 2026-05-13 |
| Linux Auditd Private Keys and Certificate Enumeration | Linux Auditd Execve | T1552.004 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Compromised Linux Host | 2026-05-13 |
| Windows Computer Account With SPN | Windows Event Log Security 4741 | T1558 | TTP | Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks, Compromised Windows Host | 2026-05-13 |
| Linux Auditd Find Credentials From Password Managers | Linux Auditd Execve | T1555.005 | TTP | Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Scattered Lapsus$ Hunters | 2026-05-13 |
| Windows Unusual Count Of Users Failed To Authenticate Using NTLM | Windows Event Log Security 4776 | T1110.003 | Anomaly | Volt Typhoon, Active Directory Password Spraying | 2026-05-13 |
| Windows Steal Authentication Certificates - ESC1 Abuse | Windows Event Log Security 4886, Windows Event Log Security 4887 | T1649 | TTP | Windows Certificate Services | 2026-05-13 |
| Windows Post Exploitation Risk Behavior | | T1003, T1012, T1016, T1049, T1069, T1082, T1115, T1552 | Correlation | Windows Post-Exploitation | 2026-05-13 |
| ServicePrincipalNames Discovery with PowerShell | Powershell Script Block Logging 4104 | T1558.003 | TTP | Hellcat Ransomware, Active Directory Privilege Escalation, Active Directory Kerberos Attacks, Malicious PowerShell, Active Directory Discovery | 2026-05-13 |
| Kerberoasting spn request with RC4 encryption | Windows Event Log Security 4769 | T1558.003 | TTP | Active Directory Kerberos Attacks, Hermetic Wiper, Data Destruction, Compromised Windows Host, Windows Privilege Escalation | 2026-05-13 |
| Create Remote Thread into LSASS | Sysmon EventID 8 | T1003.001 | TTP | BlackSuit Ransomware, Credential Dumping, Lokibot | 2026-05-13 |
| Windows Computer Account Requesting Kerberos Ticket | Windows Event Log Security 4768 | T1558 | TTP | Local Privilege Escalation With KrbRelayUp, Active Directory Kerberos Attacks | 2026-05-13 |
| Add DefaultUser And Password In Registry | Sysmon EventID 13, Sysmon EventID 12 | T1552.002 | Anomaly | BlackMatter Ransomware | 2026-05-13 |
| Windows Private Keys Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1552.004 | Anomaly | Windows Post-Exploitation, Prestige Ransomware | 2026-05-13 |
| Windows Unusual FileZilla XML Config Access | Windows Event Log Security 4663 | T1552.001 | Anomaly | Quasar RAT | 2026-05-13 |
| Crowdstrike User Weak Password Policy | | T1110 | Anomaly | Compromised Windows Host | 2026-05-13 |
| Detect Certify Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105, T1649 | TTP | Ingress Tool Transfer, Windows Certificate Services, Compromised Windows Host | 2026-05-13 |
| Attacker Tools On Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data | T1003, T1036.005, T1595 | TTP | Scattered Spider, PHP-CGI RCE Attack on Japanese Organizations, XMRig, CISA AA22-264A, Compromised Windows Host, Unusual Processes, SamSam Ransomware, Cisco Network Visibility Module Analytics | 2026-05-13 |
| Windows Credentials from Password Stores Chrome Copied in TEMP Dir | Sysmon EventID 11 | T1555.003 | TTP | BlankGrabber Stealer, Scattered Lapsus$ Hunters, Braodo Stealer | 2026-05-13 |
| Windows Short Lived DNS Record | Windows Event Log Security 5136, Windows Event Log Security 5137 | T1071.004, T1187, T1557.001 | TTP | Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host | 2026-05-13 |
| Windows Multiple Users Remotely Failed To Authenticate From Host | Windows Event Log Security 4625 | T1110.003 | TTP | Volt Typhoon, Active Directory Password Spraying | 2026-05-13 |
| Windows Theme File Creation in Unusual Location | Sysmon EventID 11 | T1021.002, T1187, T1557.001 | Anomaly | Spearphishing Attachments | 2026-05-13 |
| Windows Steal Authentication Certificates CertUtil Backup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1649 | Anomaly | Storm-2460 CLFS Zero Day Exploitation, Windows Certificate Services | 2026-05-13 |
| Shai-Hulud 2 Exfiltration Artifact Files | Sysmon for Linux EventID 11, Sysmon EventID 11 | T1074.001, T1195.002, T1552.001 | TTP | NPM Supply Chain Compromise | 2026-05-13 |
| Windows Password Managers Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1555.005 | Anomaly | Windows Post-Exploitation, Scattered Spider, Prestige Ransomware, Scattered Lapsus$ Hunters | 2026-05-13 |
| Windows Unusual Count Of Users Failed To Auth Using Kerberos | Windows Event Log Security 4771 | T1110.003 | Anomaly | Volt Typhoon, Active Directory Kerberos Attacks, Active Directory Password Spraying | 2026-05-13 |
| Windows Mimikatz Crypto Export File Extensions | Sysmon EventID 11 | T1649 | Anomaly | CISA AA23-347A, Sandworm Tools, Windows Certificate Services | 2026-05-13 |
| Windows Steal Authentication Certificates Certificate Request | Windows Event Log Security 4886 | T1649 | Anomaly | Windows Certificate Services | 2026-05-13 |
| Linux Possible Access To Credential Files | Sysmon for Linux EventID 1 | T1003.008 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity, Salt Typhoon, XorDDos | 2026-05-13 |
| Creation of Shadow Copy with wmic and powershell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.003 | TTP | Living Off The Land, Credential Dumping, Volt Typhoon, Compromised Windows Host | 2026-05-13 |
| Esentutl SAM Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.002 | Hunting | Living Off The Land, Credential Dumping | 2026-05-13 |
| Windows Multiple Users Failed To Authenticate Using Kerberos | Windows Event Log Security 4771 | T1110.003 | TTP | Volt Typhoon, Active Directory Kerberos Attacks, Active Directory Password Spraying | 2026-05-13 |
| Dump LSASS via comsvcs DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.001 | TTP | Living Off The Land, Hellcat Ransomware, Credential Dumping, Prestige Ransomware, CISA AA22-264A, Data Destruction, Industroyer2, CISA AA22-257A, Compromised Windows Host, Scattered Lapsus$ Hunters, Volt Typhoon, HAFNIUM Group, Flax Typhoon, Suspicious Rundll32 Activity | 2026-05-13 |
| Windows Unusual NTLM Authentication Users By Source | NTLM Operational 8006, NTLM Operational 8005, NTLM Operational 8004 | T1110.003 | Anomaly | Active Directory Password Spraying | 2026-05-13 |
| Detect Certipy File Modifications | Sysmon EventID 11 | T1560, T1649 | TTP | Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services | 2026-05-13 |
| Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials | Windows Event Log Security 4648 | T1110.003 | Anomaly | Insider Threat, Volt Typhoon, Active Directory Password Spraying | 2026-05-13 |
| Windows Multiple Users Failed To Authenticate From Host Using NTLM | Windows Event Log Security 4776 | T1110.003 | TTP | Volt Typhoon, Active Directory Password Spraying | 2026-05-13 |
| Windows Steal Authentication Certificates Certificate Issued | Windows Event Log Security 4887 | T1649 | Anomaly | Windows Certificate Services | 2026-05-13 |
| Credential Dumping via Symlink to Shadow Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.003 | TTP | Credential Dumping, Compromised Windows Host | 2026-05-13 |
| Crowdstrike Medium Identity Risk Severity | | T1110 | TTP | Compromised Windows Host | 2026-05-13 |
| Windows Remote Access Software BRC4 Loaded Dll | Sysmon EventID 7 | T1003, T1219 | Anomaly | Brute Ratel C4 | 2026-05-13 |
| PetitPotam Network Share Access Request | Windows Event Log Security 5145 | T1187 | TTP | PetitPotam NTLM Relay on Active Directory Certificate Services | 2026-05-13 |
| Windows Credential Target Information Structure in Commandline | Sysmon EventID 1 | T1071.004, T1187, T1557.001 | TTP | Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host | 2026-05-13 |
| Windows Multiple Users Failed To Authenticate From Process | Windows Event Log Security 4625 | T1110.003 | TTP | Insider Threat, Volt Typhoon, Active Directory Password Spraying | 2026-05-13 |
| Windows SharePoint Spinstall0 GET Request | Suricata | T1190, T1505.003, T1552 | TTP | Microsoft SharePoint Vulnerabilities | 2026-05-13 |
| CrushFTP Max Simultaneous Users From IP | CrushFTP | T1110.001, T1110.004 | Anomaly | CrushFTP Vulnerabilities | 2026-05-13 |
| Okta Multiple Accounts Locked Out | Okta | T1110 | Anomaly | Okta Account Takeover | 2026-05-13 |
| PingID New MFA Method Registered For User | PingID | T1098.005, T1556.006, T1621 | TTP | Compromised User Account | 2026-05-13 |
| Okta Multi-Factor Authentication Disabled | Okta | T1556.006 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| Okta Multiple Users Failing To Authenticate From Ip | Okta | T1110.003 | Anomaly | Okta Account Takeover | 2026-05-13 |
| Cisco Duo Policy Allow Old Java | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco Duo Admin Login Unusual Os | Cisco Duo Activity | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| ESXi SSH Brute Force | VMWare ESXi Syslog | T1110 | Anomaly | Hellcat Ransomware, Black Basta Ransomware, ESXi Post Compromise | 2026-05-13 |
| ESXi Sensitive Files Accessed | VMWare ESXi Syslog | T1003.008, T1005 | TTP | China-Nexus Threat Activity, Black Basta Ransomware, ESXi Post Compromise | 2026-05-13 |
| Okta Suspicious Use of a Session Cookie | Okta | T1539 | Anomaly | Suspicious Okta Activity, Okta Account Takeover, Scattered Lapsus$ Hunters | 2026-05-13 |
| Detect Password Spray Attempts | Windows Event Log Security 4625 | T1110.003 | TTP | Compromised User Account, Active Directory Password Spraying | 2026-05-13 |
| Cisco Duo Policy Allow Devices Without Screen Lock | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| M365 Copilot Failed Authentication Patterns | M365 Copilot Graph API | T1110 | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-05-13 |
| Cisco Duo Policy Allow Old Flash | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco Duo Admin Login Unusual Country | Cisco Duo Activity | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| MCP Sensitive System File Search | MCP Server | T1552.001 | Hunting | Suspicious MCP Activities | 2026-05-13 |
| Okta Phishing Detection with FastPass Origin Check | Okta | T1078.001, T1556 | TTP | Okta Account Takeover | 2026-05-13 |
| Cisco ASA - AAA Policy Tampering | Cisco ASA Logs | T1556.004 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| PingID Multiple Failed MFA Requests For User | PingID | T1078, T1110, T1621 | TTP | Compromised User Account | 2026-05-13 |
| Cisco Duo Bypass Code Generation | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| MCP Github Suspicious Operation | MCP Server | T1552.001 | Hunting | Suspicious MCP Activities | 2026-05-13 |
| Cisco Duo Policy Skip 2FA for Other Countries | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco ASA - Packet Capture Activity | Cisco ASA Logs | T1040, T1557 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor | 2026-05-13 |
| PingID New MFA Method After Credential Reset | PingID | T1098.005, T1556.006, T1621 | TTP | Scattered Lapsus$ Hunters, Compromised User Account | 2026-05-13 |
| Okta Multiple Failed MFA Requests For User | Okta | T1621 | Anomaly | Scattered Lapsus$ Hunters, Okta Account Takeover | 2026-05-13 |
| Okta Risk Threshold Exceeded | Okta | T1078, T1110 | Correlation | Suspicious Okta Activity, Okta Account Takeover, Okta MFA Exhaustion | 2026-05-13 |
| Cisco Duo Bulk Policy Deletion | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Detect Distributed Password Spray Attempts | Azure Active Directory Sign-in activity | T1110.003 | Hunting | Compromised User Account, Active Directory Password Spraying | 2026-05-13 |
| Cisco Duo Policy Allow Tampered Devices | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco Duo Set User Status to Bypass 2FA | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| MCP Postgres Suspicious Query | MCP Server | T1555 | Hunting | Suspicious MCP Activities | 2026-05-13 |
| Cisco Duo Policy Deny Access | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Cisco Duo Policy Bypass 2FA | Cisco Duo Administrator | T1556 | TTP | Cisco Duo Suspicious Activity | 2026-05-13 |
| Okta Mismatch Between Source and Response for Verify Push Request | Okta | T1621 | TTP | Scattered Lapsus$ Hunters, Okta Account Takeover, Okta MFA Exhaustion | 2026-05-13 |
| Okta MFA Exhaustion Hunt | Okta | T1110 | Hunting | Scattered Lapsus$ Hunters, Okta Account Takeover, Okta MFA Exhaustion | 2026-05-13 |
| Okta Successful Single Factor Authentication | Okta | T1078.004, T1586.003, T1621 | Anomaly | Okta Account Takeover | 2026-05-13 |
| Cisco ASA - User Account Lockout Threshold Exceeded | Cisco ASA Logs | T1110.001, T1110.003 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Cisco Duo Policy Allow Network Bypass 2FA | | | | | |
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Browser
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
T1556
|
Anomaly
|
Office 365 Account Takeover, Cloud Federated Credential Abuse
|
2026-05-13
|
|
AWS Multiple Failed MFA Requests For User
|
AWS CloudTrail ConsoleLogin
|
T1586.003
T1621
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure AD Multiple Denied MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Detect AWS Console Login by New User
|
AWS CloudTrail
|
T1552
T1586.003
|
Hunting
|
Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
O365 SharePoint Suspicious Search Behavior
|
Office 365 Universal Audit Log
|
T1213.002
T1552
|
Anomaly
|
Office 365 Account Takeover, Compromised User Account, CISA AA22-320A, Office 365 Collection Techniques
|
2026-05-13
|
|
O365 File Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
ASL AWS New MFA Method Registered For User
|
ASL AWS CloudTrail
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Kubernetes Nginx Ingress LFI
|
|
T1212
|
TTP
|
Dev Sec Ops
|
2026-05-13
|
|
Kubernetes Nginx Ingress RFI
|
|
T1212
|
TTP
|
Dev Sec Ops
|
2026-05-13
|
|
AWS Console Login Failed During MFA Challenge
|
AWS CloudTrail ConsoleLogin
|
T1586.003
T1621
|
TTP
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
O365 Multi-Source Failed Authentications Spike
|
O365 UserLoginFailed
|
T1110.003
T1110.004
T1586.003
|
Hunting
|
Office 365 Account Takeover, NOBELIUM Group
|
2026-05-13
|
|
AWS Credential Access Failed Login
|
AWS CloudTrail ConsoleLogin
|
T1110.001
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
O365 Privileged Graph API Permission Assigned
|
O365 Update application.
|
T1003.002
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD OAuth Application Consent Granted By User
|
Azure Active Directory Consent to application
|
T1528
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Kubernetes Abuse of Secret by Unusual Location
|
Kubernetes Audit
|
T1552.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
GCP Multiple Users Failing To Authenticate From Ip
|
Google Workspace
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
GCP Account Takeover
|
2026-05-13
|
|
O365 High Number Of Failed Authentications for User
|
O365 UserLoginFailed
|
T1110.001
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Kubernetes Abuse of Secret by Unusual User Name
|
Kubernetes Audit
|
T1552.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
ASL AWS Multi-Factor Authentication Disabled
|
ASL AWS CloudTrail
|
T1556.006
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure AD Privileged Authentication Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1003.002
|
TTP
|
Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
AWS IAM Assume Role Policy Brute Force
|
AWS CloudTrail
|
T1110
T1580
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Azure AD High Number Of Failed Authentications From Ip
|
Azure Active Directory
|
T1110.001
T1110.003
|
TTP
|
NOBELIUM Group, Azure Active Directory Account Takeover, Compromised User Account
|
2026-05-13
|
|
Kubernetes Abuse of Secret by Unusual User Agent
|
Kubernetes Audit
|
T1552.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS Credential Access RDS Password reset
|
AWS CloudTrail ModifyDBInstance
|
T1110
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure AD Device Code Authentication
|
Azure Active Directory
|
T1528
T1566.002
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GCP Multi-Factor Authentication Disabled
|
Google Workspace
|
T1556.006
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
GCP Unusual Number of Failed Authentications From Ip
|
Google Workspace
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
GCP Account Takeover
|
2026-05-13
|
|
Kubernetes Abuse of Secret by Unusual User Group
|
Kubernetes Audit
|
T1552.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS Credential Access GetPasswordData
|
AWS CloudTrail GetPasswordData
|
T1110.001
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure AD User Consent Denied for OAuth Application
|
Azure Active Directory Sign-in activity
|
T1528
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Multiple Users Failing To Authenticate From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
|
Anomaly
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
ASL AWS Credential Access RDS Password reset
|
ASL AWS CloudTrail
|
T1110
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
ASL AWS Credential Access GetPasswordData
|
ASL AWS CloudTrail
|
T1110.001
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
O365 Email Suspicious Search Behavior
|
Office 365 Universal Audit Log
|
T1114.002
T1552
|
Anomaly
|
Office 365 Account Takeover, Compromised User Account, CISA AA22-320A, Office 365 Collection Techniques
|
2026-05-13
|
|
O365 Mail Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
T1556
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 Multiple OS Vendors Authenticating From User
|
Office 365 Universal Audit Log
|
T1110
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
AWS Unusual Number of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS High Number Of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110.003
T1110.004
|
Anomaly
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure AD Unusual Number of Failed Authentications From Ip
|
Azure Active Directory
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
T1556.006
T1586.003
|
TTP
|
Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 Excessive Authentication Failures Alert
|
|
T1110
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
Azure AD Multiple Users Failing To Authenticate From Ip
|
Azure Active Directory
|
T1110.003
T1110.004
T1586.003
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD Privileged Graph API Permission Assigned
|
Azure Active Directory Update application
|
T1003.002
|
TTP
|
NOBELIUM Group, Azure Active Directory Persistence
|
2026-05-13
|
|
O365 Multiple Failed MFA Requests For User
|
O365 UserLoginFailed
|
T1621
|
TTP
|
Office 365 Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
T1556.006
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD Multi-Source Failed Authentications Spike
|
Azure Active Directory
|
T1110.003
T1110.004
T1586.003
|
Hunting
|
NOBELIUM Group, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD User Consent Blocked for Risky Application
|
Azure Active Directory Consent to application
|
T1528
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
High Number of Login Failures from a single source
|
O365 UserLoginFailed
|
T1110.001
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
O365 User Consent Blocked for Risky Application
|
O365 Consent to application.
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DeactivateMFADevice
|
T1556.006
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure AD Successful Authentication From Different Ips
|
Azure Active Directory
|
T1110.001
T1110.003
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2026-05-13
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Multiple Users Failing To Authenticate From Ip
|
O365 UserLoginFailed
|
T1110.003
T1110.004
T1586.003
|
TTP
|
Office 365 Account Takeover, NOBELIUM Group
|
2026-05-13
|
|
ASL AWS IAM Assume Role Policy Brute Force
|
ASL AWS CloudTrail
|
T1110
T1580
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
Azure Active Directory High Risk Sign-in
|
Azure Active Directory
|
T1110.003
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 User Consent Denied for OAuth Application
|
O365
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Azure AD High Number Of Failed Authentications For User
|
Azure Active Directory
|
T1110.001
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2026-05-13
|
|
Windows Remote Desktop Network Bruteforce Attempt
|
Cisco Secure Access Firewall, Sysmon EventID 3
|
T1110.001
|
Anomaly
|
Cisco Secure Access Analytics, Compromised User Account, Windows RDP Artifacts and Defense Evasion, SamSam Ransomware, Ryuk Ransomware
|
2026-05-13
|
|
Cisco Secure Firewall - Blocked Connection
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect ARP Poisoning
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Blocked Connections
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Rogue DHCP Server
|
Cisco IOS Logs
|
T1200
T1498
T1557
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows AD Replication Service Traffic
|
|
T1003.006
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
T1021
T1133
T1556
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Detect Port Security Violation
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003.001
T1059.001
T1190
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
DNS Kerberos Coercion
|
Sysmon EventID 22, Suricata
|
T1071.004
T1187
T1557.001
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host
|
2026-05-13
|
|
Cisco SNMP Community String Configuration Changes
|
Cisco IOS Logs
|
T1040
T1552
T1685
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Detect IPv6 Network Infrastructure Threats
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-05-13
|