|
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd File Permission Modification Via Chmod
|
Linux Auditd Proctitle
|
T1222.002
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Axios Supply Chain Post Compromise, Compromised Linux Host, China-Nexus Threat Activity, Linux Living Off The Land, Salt Typhoon, XorDDos
|
2026-05-13
|
|
Windows Anomalous Registry Value Length in Environment Key
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Windows Impair Defense Disable Controlled Folder Access
|
Sysmon EventID 13
|
T1685
|
TTP
|
BlankGrabber Stealer, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Defender ASR or Threat Configuration Tamper
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
ICACLS Grant Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Ransomware, XMRig, Defense Evasion or Unauthorized Access Via SDDL Tampering, Crypto Stealer, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Disable Windows App Hotkeys
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, XMRig
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Signature Retirement
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Audit Policy Auditing Option Disabled via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows AD Suspicious Attribute Modification
|
Windows Event Log Security 5136
|
T1222.001
T1550
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Impair Defense Define Win Defender Threat Action
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry Do Not Connect To Win Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows Outlook Dialogs Disabled from Unusual Process
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Windows SIP WinVerifyTrust Failed Trust Validation
|
Windows Event Log CAPI2 81
|
T1553.003
|
Anomaly
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
Windows Modify Registry WuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Disable Defender BlockAtFirstSeen Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, Azorult, IcedID, CISA AA23-347A
|
2026-05-13
|
|
Unload Sysmon Filter Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
CISA AA23-347A, Disabling Security Tools
|
2026-05-13
|
|
Windows Modify Registry DisAllow Windows App
|
Sysmon EventID 13
|
T1112
|
TTP
|
Azorult
|
2026-05-13
|
|
Windows Modify Registry EnableLinkedConnections
|
Sysmon EventID 13
|
T1112
|
TTP
|
BlackByte Ransomware
|
2026-05-13
|
|
Windows Impair Defense Override SmartScreen Prompt
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Overide Win Defender Phishing Filter
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows New Custom Security Descriptor Set On EventLog Channel
|
Sysmon EventID 13
|
T1685.001
|
Anomaly
|
LockBit Ransomware, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows File and Directory Permissions Enable Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Hunting
|
NetSupport RMM Tool Abuse, Crypto Stealer
|
2026-05-13
|
|
Windows Impair Defense Delete Win Defender Context Menu
|
Sysmon EventID 13
|
T1685
|
Hunting
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defenses Disable HVCI
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, BlackLotus Campaign, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
T1112
T1566
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Disabling Firewall with Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
BlackByte Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Audit Policy Cleared via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Admon Default Group Policy Object Modified
|
Windows Active Directory Admon
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Disable WinDefender Notifications
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, RedLine Stealer
|
2026-05-13
|
|
Windows AppX Deployment Full Trust Package Installation
|
Windows Event Log AppXDeployment-Server 400
|
T1204.002
T1553.005
|
Hunting
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows Impair Defense Delete Win Defender Profile Registry
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows AD Object Owner Updated
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Disable Defender Enhanced Notification
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA23-347A, Windows Registry Abuse, IcedID, Azorult
|
2026-05-13
|
|
Modify ACL permission To Files Or Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Crypto Stealer, XMRig, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows Global Object Access Audit List Cleared Via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 13, Sysmon EventID 14
|
T1112
|
Anomaly
|
CISA AA24-241A, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-05-13
|
|
Windows Modify Registry DisableSecuritySettings
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, DarkGate Malware
|
2026-05-13
|
|
Disable Show Hidden Files
|
Sysmon EventID 13
|
T1112
T1564.001
T1685
|
Anomaly
|
Windows Registry Abuse, Azorult, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows AD Domain Root ACL Deletion
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Filtering Platform Policy Added to Block EDR Process
|
Sysmon EventID 13
|
T1685
|
TTP
|
Disabling Security Tools, Security Solution Tampering
|
2026-05-13
|
|
Windows AD Domain Controller Promotion
|
Windows Event Log Security 4742
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Terminating Lsass Process
|
Sysmon EventID 10
|
T1685
|
Anomaly
|
Scattered Lapsus$ Hunters, Data Destruction, Double Zero Destructor
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender App Guard
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Report Infection
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Disable Realtime Signature Delivery
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Hiding Files And Directories With Attrib exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
TTP
|
Windows Persistence Techniques, Malicious Inno Setup Loader, Azorult, Compromised Windows Host, Crypto Stealer, VIP Keylogger, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Hide User Account From Sign-In Screen
|
Sysmon EventID 13
|
T1685
|
TTP
|
Warzone RAT, Windows Registry Abuse, XMRig, Azorult
|
2026-05-13
|
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 13
|
T1112
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, CISA AA23-347A, Medusa Ransomware
|
2026-05-13
|
|
Windows Audit Policy Restored via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Modify Registry ValleyRat PWN Reg Entry
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Excessive number of service control start as disabled
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Audit Policy Excluded Category via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Active Directory Privilege Escalation Identified
|
|
T1484
|
Correlation
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Downdate Registry Activity
|
Sysmon EventID 13, Sysmon EventID 14, Sysmon EventID 12
|
T1112
T1689
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Disable Change Password Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows AD Self DACL Assignment
|
Windows Event Log Security 5136
|
T1098
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Powershell Disable Security Monitoring
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
Revil Ransomware, BlankGrabber Stealer, CISA AA24-241A, Ransomware
|
2026-05-13
|
|
Add or Set Windows Defender Exclusion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
XWorm, ValleyRAT, CISA AA22-320A, Data Destruction, Compromised Windows Host, Crypto Stealer, AgentTesla, WhisperGate, Windows Defense Evasion Tactics, Remcos, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Firewall Allowed Program Enable
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1686
|
Anomaly
|
BlackByte Ransomware, PlugX, Azorult, Medusa Ransomware, Windows Defense Evasion Tactics, NjRAT
|
2026-05-13
|
|
Windows Default Group Policy Object Modified with GPME
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows AD Dangerous User ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Scan On Update
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.004
T1685.001
|
Anomaly
|
CISA AA23-347A, IIS Components, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry Regedit Silent Reg Import
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 13
|
T1112
|
TTP
|
NjRAT
|
2026-05-13
|
|
Excessive Usage Of Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
BlankGrabber Stealer, Azorult, CISA AA22-264A, XMRig, CISA AA22-277A, Crypto Stealer, AgentTesla, NjRAT
|
2026-05-13
|
|
Windows AD Domain Replication ACL Addition
|
Windows Event Log Security 5136
|
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Firewall Rule Deletion
|
Windows Event Log Security 4948
|
T1686
|
Anomaly
|
NetSupport RMM Tool Abuse, Medusa Ransomware, ShrinkLocker
|
2026-05-13
|
|
Linux Auditd Disable Or Modify System Firewall
|
Linux Auditd Service Stop
|
T1686
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Compromised Linux Host
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Unblock File Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Disable Defender Submit Samples Consent Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
BlankGrabber Stealer, Windows Registry Abuse, Azorult, IcedID, CISA AA23-347A
|
2026-05-13
|
|
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Windows Advanced Installer MSIX with AI_STUBS Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1218
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows Event For Service Disabled
|
Windows Event Log System 7040
|
T1685
|
Hunting
|
RedLine Stealer, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows SIP Provider Inventory
|
|
T1553.003
|
Hunting
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
Windows Impair Defense Disable PUA Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd File Permissions Modification Via Chattr
|
Linux Auditd Execve
|
T1222.002
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Compromised Linux Host
|
2026-05-13
|
|
Windows AD GPO Deleted
|
Windows Event Log Security 5136
|
T1484.001
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Disable ETW Through Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA23-347A, Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Windows Modify Registry No Auto Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2026-05-13
|
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
T1112
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Developer-Signed MSIX Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
Anomaly
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows SnappyBee Create Test Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
China-Nexus Threat Activity, Salt Typhoon, SnappyBee
|
2026-05-13
|
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
T1112
|
Hunting
|
Hellcat Ransomware, Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Windows AD Dangerous Group ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Defender Exclusion Registry Entry
|
Sysmon EventID 13
|
T1685
|
TTP
|
Warzone RAT, XWorm, NetSupport RMM Tool Abuse, ValleyRAT, Azorult, Windows Defense Evasion Tactics, Remcos, Qakbot
|
2026-05-13
|
|
Windows SubInAcl Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows Event Log Cleared
|
Windows Event Log Security 1102, Windows Event Log System 104
|
T1685.005
|
TTP
|
Ransomware, CISA AA22-264A, Compromised Windows Host, Clop Ransomware, Windows Log Manipulation, ShrinkLocker
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Compute File Hashes
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Quick Scan Interval
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Disabling Defender Services
|
Sysmon EventID 13
|
T1685
|
TTP
|
IcedID, Windows Registry Abuse, RedLine Stealer
|
2026-05-13
|
|
MacOS plutil
|
Osquery Results
|
T1647
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows Modify Registry ProxyServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12
|
T1053.005
T1685
|
Anomaly
|
Windows Registry Abuse, Scheduled Tasks, Windows Persistence Techniques
|
2026-05-13
|
|
Disable Registry Tool
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Outlook LoadMacroProviderOnBoot Persistence
|
Sysmon EventID 13
|
T1112
T1137
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Network Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
BlankGrabber Stealer, Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Routing and Remote Access Service Registry Key Change
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Gh0st RAT
|
2026-05-13
|
|
Linux Auditd Change File Owner To Root
|
Linux Auditd Proctitle
|
T1222.002
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Compromised Linux Host
|
2026-05-13
|
|
Disabling FolderOptions Windows Feature
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Impair Defenses Process Kill
|
Sysmon for Linux EventID 1
|
T1685
|
Hunting
|
Scattered Lapsus$ Hunters, Data Destruction, AwfulShred
|
2026-05-13
|
|
Linux Change File Owner To Root
|
Sysmon for Linux EventID 1
|
T1222.002
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
TTP
|
Azorult
|
2026-05-13
|
|
Disable Schedule Task
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
IcedID, Living Off The Land
|
2026-05-13
|
|
Windows Modify Registry Qakbot Binary Data Registry
|
Sysmon EventID 13, Sysmon EventID 1
|
T1112
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows Scheduled Task Created in a Group Policy Object
|
Windows Event Log Security 5145
|
T1053.005
T1484.001
|
TTP
|
Living Off The Land, Scheduled Tasks, Windows Persistence Techniques
|
2026-05-13
|
|
Disabling ControlPanel
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry AuthenticationLevelOverride
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows Files and Dirs Access Rights Modification Via Icacls
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Anomaly
|
Amadey, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows Mark Of The Web Bypass
|
Sysmon EventID 23
|
T1553.005
|
TTP
|
Warzone RAT, Quasar RAT
|
2026-05-13
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 13
|
T1003
T1112
|
TTP
|
Credential Dumping, Windows Registry Abuse, CISA AA22-320A
|
2026-05-13
|
|
Windows Registry Dotnet ETW Disabled Via ENV Variable
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Deny Security Software With Applocker
|
Sysmon EventID 13
|
T1685
|
TTP
|
Scattered Lapsus$ Hunters, Azorult
|
2026-05-13
|
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Windows AD Hidden OU Creation
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Throttle Rate
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Disable Defender Protocol Recognition
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Outlook WebView Registry Modification
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows Impair Defense Disable Defender Firewall And Network
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Auditd Auditd Daemon Shutdown
|
Linux Auditd Daemon End
|
T1685.004
|
Anomaly
|
Compromised Linux Host
|
2026-05-13
|
|
Unloading AMSI via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
TTP
|
Hermetic Wiper, Data Destruction, Malicious PowerShell
|
2026-05-13
|
|
Rundll32 Shimcache Flush
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
TTP
|
Living Off The Land, Unusual Processes, Compromised Windows Host
|
2026-05-13
|
|
Windows New EventLog ChannelAccess Registry Value Set
|
Sysmon EventID 13
|
T1685.001
|
Anomaly
|
LockBit Ransomware, Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows Modify Registry UpdateServiceUrlAlternate
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows Attempt To Stop Security Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
Azorult, Graceful Wipe Out Attack, Data Destruction, Trickbot, Disabling Security Tools, WhisperGate
|
2026-05-13
|
|
Windows AD DCShadow Privileges ACL Addition
|
Windows Event Log Security 5136
|
T1207
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD GPO Disabled
|
Windows Event Log Security 5136
|
T1484.001
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD Short Lived Domain Controller SPN Attribute
|
Windows Event Log Security 4624, Windows Event Log Security 5136
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Modify Registry Risk Behavior
|
|
T1112
|
Correlation
|
Windows Registry Abuse
|
2026-05-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1542
T1688
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Revil Registry Entry
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
|
TTP
|
Revil Ransomware, Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Windows Eventlog Cleared Via Wevtutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.005
|
Anomaly
|
Rhysida Ransomware, Ransomware, Clop Ransomware, Windows Log Manipulation, CISA AA23-347A, ShrinkLocker
|
2026-05-13
|
|
Powershell Windows Defender Exclusion Commands
|
Powershell Script Block Logging 4104
|
T1685
|
TTP
|
Warzone RAT, BlankGrabber Stealer, Data Destruction, CISA AA22-320A, Remcos, AgentTesla, WhisperGate, Windows Defense Evasion Tactics, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Modify Registry Utilize ProgIDs
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ValleyRAT
|
2026-05-13
|
|
Windows Event Logging Service Has Shutdown
|
Windows Event Log Security 1100
|
T1685.005
|
Hunting
|
Scattered Lapsus$ Hunters, Ransomware, Windows Log Manipulation, Clop Ransomware
|
2026-05-13
|
|
Allow Network Discovery In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1686.001
|
TTP
|
Hellcat Ransomware, Ransomware, BlackByte Ransomware, Medusa Ransomware, Revil Ransomware, NjRAT
|
2026-05-13
|
|
Disabling Task Manager
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Firewall Rule Modification
|
Windows Event Log Security 4947
|
T1686
|
Anomaly
|
NetSupport RMM Tool Abuse, Medusa Ransomware, ShrinkLocker
|
2026-05-13
|
|
Windows Registry SIP Provider Modification
|
Sysmon EventID 13
|
T1553.003
|
TTP
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2026-05-13
|
|
Windows Modify Registry MaxConnectionPerServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Warzone RAT
|
2026-05-13
|
|
Windows Registry Certificate Added
|
Sysmon EventID 13
|
T1553.004
|
Anomaly
|
Windows Registry Abuse, Windows Drivers
|
2026-05-13
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
T1218.010
|
TTP
|
Suspicious Regsvr32 Activity, Remcos
|
2026-05-13
|
|
Disable Logs Using WevtUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.005
|
TTP
|
CISA AA23-347A, Rhysida Ransomware, Ransomware
|
2026-05-13
|
|
Windows AD Domain Root ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Modify Registry USeWuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows Delete or Modify System Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1686
|
Hunting
|
NjRAT, ShrinkLocker
|
2026-05-13
|
|
Linux Auditd Auditd Daemon Abort
|
Linux Auditd Daemon Abort
|
T1685.004
|
Anomaly
|
Compromised Linux Host
|
2026-05-13
|
|
Allow File And Printing Sharing In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1686.001
|
TTP
|
Hellcat Ransomware, BlackByte Ransomware, Ransomware
|
2026-05-13
|
|
Disable Defender Spynet Reporting
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Azorult, IcedID, CISA AA23-347A, Qakbot
|
2026-05-13
|
|
Disable Defender AntiVirus Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
SolarWinds WHD RCE Post Exploitation, CISA AA24-241A, Windows Registry Abuse, IcedID, Cactus Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
Linux Stdout Redirection To Dev Null File
|
Sysmon for Linux EventID 1
|
T1686
|
Anomaly
|
Data Destruction, Cyclops Blink, Industroyer2
|
2026-05-13
|
|
Windows Modify Registry Tamper Protection
|
Sysmon EventID 13
|
T1112
|
TTP
|
Scattered Lapsus$ Hunters, RedLine Stealer
|
2026-05-13
|
|
Windows RunMRU Registry Key or Value Deleted
|
Sysmon EventID 12
|
T1112
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Disable Shutdown Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
MacOS Gatekeeper Bypass
|
Osquery Results
|
T1553.001
|
Anomaly
|
MacOS Post-Exploitation, MacOS Persistence Techniques, MacOS Privilege Escalation
|
2026-05-13
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 13
|
T1556
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry Suppress Win Defender Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, Azorult
|
2026-05-13
|
|
Suspicious Reg exe Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
Anomaly
|
Disabling Security Tools, DHS Report TA18-074A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
T1078.002
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows AD Short Lived Server Object
|
Windows Event Log Security 5137, Windows Event Log Security 5141
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Admon Group Policy Object Created
|
Windows Active Directory Admon
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry ProxyEnable
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows File and Directory Enable ReadOnly Permissions
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
TTP
|
NetSupport RMM Tool Abuse, Crypto Stealer
|
2026-05-13
|
|
Excessive Usage Of Cacls App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Windows Post-Exploitation, Prestige Ransomware, Azorult, XMRig, Defense Evasion or Unauthorized Access Via SDDL Tampering, Crypto Stealer
|
2026-05-13
|
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
T1112
|
TTP
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Impair Defense Configure App Install Control
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry DisableRemoteDesktopAntiAlias
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Remcos client registry install entry
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
|
TTP
|
Windows Registry Abuse, Remcos
|
2026-05-13
|
|
Windows File and Directory Permissions Remove Inheritance
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Permission Modification using Takeown App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Crypto Stealer, Ransomware, Sandworm Tools, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Health Check Intervals
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Suspicious wevtutil Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.005
|
TTP
|
Rhysida Ransomware, Scattered Spider, Ransomware, Clop Ransomware, VoidLink Cloud-Native Linux Malware, Storm-0501 Ransomware, Storm-2460 CLFS Zero Day Exploitation, Windows Log Manipulation, CISA AA23-347A, ShrinkLocker
|
2026-05-13
|
|
Windows Impair Defense Disable Win Defender Gen reports
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry Configure BitLocker
|
Sysmon EventID 13
|
T1112
|
TTP
|
ShrinkLocker
|
2026-05-13
|
|
Windows Important Audit Policy Disabled
|
Windows Event Log Security 4719
|
T1685
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Modify Registry on Smart Card Group Policy
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ShrinkLocker
|
2026-05-13
|
|
Windows Modify Registry Disable Toast Notifications
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, ShrinkLocker
|
2026-05-13
|
|
Windows Modify Registry Auto Update Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Linux Iptables Firewall Modification
|
Sysmon for Linux EventID 1
|
T1686
|
Anomaly
|
China-Nexus Threat Activity, Backdoor Pingpong, Sandworm Tools, Cyclops Blink
|
2026-05-13
|
|
Windows Symlink Evaluation Change via Fsutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
|
Anomaly
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Audit Policy Disabled via Legacy Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Powershell Remove Windows Defender Directory
|
Powershell Script Block Logging 4104
|
T1685
|
TTP
|
WhisperGate, Data Destruction
|
2026-05-13
|
|
Windows SymbolicLink-Testing-Tools Utility Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
T1564.004
|
TTP
|
Windows Post-Exploitation, Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Impair Defenses Disable Win Defender Auto Logging
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Disable Web Evaluation
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
FodHelper UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
T1548.002
|
TTP
|
BlankGrabber Stealer, ValleyRAT, Compromised Windows Host, IcedID, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
T1505.004
T1685.001
|
TTP
|
IIS Components, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows MpCmdRun RemoveDefinitions Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
Windows Modify Registry Disable Windows Security Center Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, Azorult
|
2026-05-13
|
|
Windows Disable or Stop Browser Process
|
Sysmon EventID 1
|
T1685
|
TTP
|
Hellcat Ransomware, BlankGrabber Stealer, Braodo Stealer, Scattered Lapsus$ Hunters, Castle RAT
|
2026-05-13
|
|
Windows Modify Registry No Auto Reboot With Logon User
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows Modify Registry Auto Minor Updates
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
LockBit Ransomware
|
2026-05-13
|
|
Windows Snake Malware Registry Modification wav OpenWithProgIds
|
Sysmon EventID 13
|
T1112
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Disabling CMD Application
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows AD Dangerous Deny ACL Modification
|
Windows Event Log Security 5136
|
T1222.001
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Modify Show Compress Color And Info Tip Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Windows Registry Abuse, Hermetic Wiper, Data Destruction, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Disable Notification Center
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defenses Disable Auto Logger Session
|
Sysmon EventID 13
|
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Deleted Registry By A Non Critical Process File Path
|
Sysmon EventID 1, Sysmon EventID 12
|
T1112
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2026-05-13
|
|
Process Kill Base On File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
XMRig
|
2026-05-13
|
|
Windows AD Domain Controller Audit Policy Disabled
|
Windows Event Log Security 4719
|
T1685
|
TTP
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Disable Windows Behavior Monitoring
|
Sysmon EventID 13
|
T1685
|
TTP
|
SolarWinds WHD RCE Post Exploitation, Ransomware, BlankGrabber Stealer, Windows Registry Abuse, Azorult, NetSupport RMM Tool Abuse, RedLine Stealer, Scattered Lapsus$ Hunters, Storm-0501 Ransomware, Windows Defense Evasion Tactics, CISA AA23-347A, Revil Ransomware, Cactus Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Excessive Disabled Services Event
|
Windows Event Log System 7040
|
T1685
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Icacls Deny Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Sandworm Tools, Azorult, XMRig, Compromised Windows Host, Defense Evasion or Unauthorized Access Via SDDL Tampering, Crypto Stealer
|
2026-05-13
|
|
Windows AppX Deployment Unsigned Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows AD GPO New CSE Addition
|
Windows Event Log Security 5136
|
T1222.001
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Audit Policy Security Descriptor Tampering via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Raccine Scheduled Task Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows Disable Windows Group Policy Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, Windows Registry Abuse, Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Disable Defender MpEngine Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
IcedID, Windows Registry Abuse
|
2026-05-13
|
|
Windows Firewall Rule Added
|
Windows Event Log Security 4946
|
T1686
|
Anomaly
|
NetSupport RMM Tool Abuse, Medusa Ransomware, ShrinkLocker
|
2026-05-13
|
|
Disabling NoRun Windows App
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Wmic NonInteractive App Uninstallation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Hunting
|
IcedID, Azorult
|
2026-05-13
|
|
Windows Modify Registry Disabling WER Settings
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, Azorult
|
2026-05-13
|
|
Windows Modify Registry wuStatusServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows Impair Defense Change Win Defender Tracing Level
|
Sysmon EventID 13
|
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry Disable Win Defender Raw Write Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, Azorult
|
2026-05-13
|
|
Windows Disable or Modify Tools Via Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Crypto Stealer, NjRAT, BlankGrabber Stealer, PXA Stealer
|
2026-05-13
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
T1016
T1033
T1049
T1059
T1222
T1529
|
Correlation
|
Sandworm Tools, FIN7, Windows Post-Exploitation, Azorult, Netsh Abuse, Disabling Security Tools, DarkCrystal RAT, Volt Typhoon, Windows Defense Evasion Tactics, CISA AA23-347A, Qakbot, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Windows Modify Registry DontShowUI
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
ETW Registry Disabled
|
Sysmon EventID 13
|
T1127
T1685
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Hermetic Wiper, Data Destruction, CISA AA23-347A, Windows Privilege Escalation
|
2026-05-13
|
|
Disable Windows SmartScreen Protection
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry NoChangingWallPaper
|
Sysmon EventID 13
|
T1112
|
TTP
|
Rhysida Ransomware
|
2026-05-13
|
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
T1112
|
TTP
|
CISA AA24-241A, NetSupport RMM Tool Abuse, ShrinkLocker
|
2026-05-13
|
|
Windows DISM Remove Defender
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
TTP
|
CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Impair Defense Add Xml Applocker Rules
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Hunting
|
Azorult
|
2026-05-13
|
|
Linux Auditd Auditd Daemon Start
|
Linux Auditd Daemon Start
|
T1685.004
|
Anomaly
|
Compromised Linux Host
|
2026-05-13
|
|
Windows Modify System Firewall with Notable Process Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1686
|
TTP
|
NjRAT, Medusa Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows Impair Defenses Disable AV AutoStart via Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Scattered Lapsus$ Hunters, ValleyRAT
|
2026-05-13
|
|
Windows Set Network Profile Category to Private via Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Secret Blizzard
|
2026-05-13
|
|
Windows Modify Registry LongPathsEnabled
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
BlackByte Ransomware
|
2026-05-13
|
|
Disable AMSI Through Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
CISA AA23-347A, Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Windows CrowdStrike Agent Registry Key Removal
|
Sysmon EventID 12
|
T1685
|
Anomaly
|
Security Solution Tampering, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry ValleyRAT C2 Config
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Windows EDRSilencer Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685
|
Anomaly
|
Security Solution Tampering
|
2026-05-13
|
|
Windows Audit Policy Disabled via Auditpol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1685.001
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows DisableAntiSpyware Registry
|
Sysmon EventID 13
|
T1685
|
TTP
|
SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, Azorult, CISA AA22-264A, RedLine Stealer, Windows Defense Evasion Tactics, CISA AA23-347A, Ryuk Ransomware
|
2026-05-13
|
|
Processes launching netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1686
|
Anomaly
|
Hellcat Ransomware, Azorult, Netsh Abuse, Disabling Security Tools, Volt Typhoon, Snake Keylogger, ShrinkLocker, DHS Report TA18-074A
|
2026-05-13
|
|
Attempt To Add Certificate To Untrusted Store
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1553.004
|
Anomaly
|
Disabling Security Tools
|
2026-05-13
|
|
M365 Copilot Impersonation Jailbreak Attack
|
M365 Exported eDiscovery Prompts
|
T1685
|
TTP
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
ESXi Syslog Config Change
|
VMWare ESXi Syslog
|
T1690
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
ESXi Lockdown Mode Disabled
|
VMWare ESXi Syslog
|
T1685
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
ESXi Loghost Config Tampering
|
VMWare ESXi Syslog
|
T1685
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Cisco ASA - Logging Disabled via CLI
|
Cisco ASA Logs
|
T1685
|
TTP
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
ESXi Encryption Settings Modified
|
VMWare ESXi Syslog
|
T1685
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
ESXi Firewall Disabled
|
VMWare ESXi Syslog
|
T1686
|
TTP
|
China-Nexus Threat Activity, Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
PingID New MFA Method Registered For User
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
T1556.006
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Cisco Duo Policy Allow Old Java
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Os
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Policy Allow Devices Without Screen Lock
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
M365 Copilot Non Compliant Devices Accessing M365 Copilot
|
M365 Copilot Graph API
|
T1685
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Cisco Duo Policy Allow Old Flash
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Country
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
M365 Copilot Jailbreak Attempts
|
M365 Exported eDiscovery Prompts
|
T1685
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
T1078.001
T1556
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
Cisco ASA - AAA Policy Tampering
|
Cisco ASA Logs
|
T1556.004
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Cisco Duo Bypass Code Generation
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco ASA - Logging Message Suppression
|
Cisco ASA Logs
|
T1070
T1685.001
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor
|
2026-05-13
|
|
Cisco Duo Policy Skip 2FA for Other Countries
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco ASA - Core Syslog Message Volume Drop
|
Cisco ASA Logs
|
T1685
|
Hunting
|
Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor
|
2026-05-13
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Scattered Lapsus$ Hunters, Compromised User Account
|
2026-05-13
|
|
Cisco Duo Bulk Policy Deletion
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
ESXi VIB Acceptance Level Tampering
|
VMWare ESXi Syslog
|
T1685
|
TTP
|
China-Nexus Threat Activity, Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Cisco Duo Policy Allow Tampered Devices
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Set User Status to Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
M365 Copilot Information Extraction Jailbreak Attack
|
M365 Exported eDiscovery Prompts
|
T1685
|
TTP
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Cisco Duo Policy Deny Access
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Policy Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco ASA - Logging Filters Configuration Tampering
|
Cisco ASA Logs
|
T1685
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
ESXi Audit Tampering
|
VMWare ESXi Syslog
|
T1070
T1690
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
M365 Copilot Agentic Jailbreak Attack
|
M365 Exported eDiscovery Prompts
|
T1685
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Cisco Duo Policy Allow Network Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Browser
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
ESXi Download Errors
|
VMWare ESXi Syslog
|
T1601.001
T1685
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
AWS Defense Evasion Impair Security Services
|
AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteWebACL, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRule
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
T1556
|
Anomaly
|
Office 365 Account Takeover, Cloud Federated Credential Abuse
|
2026-05-13
|
|
O365 Advanced Audit Disabled
|
O365 Change user license.
|
T1685.002
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
AWS Network Access Control List Created with All Open Ports
|
AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry
|
T1686.001
|
TTP
|
AWS Network ACL Activity
|
2026-05-13
|
|
O365 Cross-Tenant Access Change
|
Office 365 Universal Audit Log
|
T1484.002
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
ASL AWS New MFA Method Registered For User
|
ASL AWS CloudTrail
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
O365 Email Security Feature Changed
|
Office 365 Universal Audit Log
|
T1685.002
|
TTP
|
Office 365 Account Takeover, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
GitHub Organizations Disable Dependabot
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD New Federated Domain Added
|
Azure Active Directory Set domain authentication
|
T1484.002
|
TTP
|
Hellcat Ransomware, Azure Active Directory Persistence, Storm-0501 Ransomware, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
ASL AWS Defense Evasion Delete CloudWatch Log Group
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
O365 Bypass MFA via Trusted IP
|
O365 Set Company Information.
|
T1686.001
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
AWS Bedrock Delete Model Invocation Logging Configuration
|
AWS CloudTrail DeleteModelInvocationLoggingConfiguration
|
T1685.002
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
ASL AWS Multi-Factor Authentication Disabled
|
ASL AWS CloudTrail
|
T1556.006
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable IP Allow List
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
AWS Defense Evasion Update Cloudtrail
|
AWS CloudTrail UpdateTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
AWS Network Access Control List Deleted
|
AWS CloudTrail DeleteNetworkAclEntry
|
T1686.001
|
Anomaly
|
AWS Network ACL Activity
|
2026-05-13
|
|
GitHub Organizations Delete Branch Ruleset
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
ASL AWS Network Access Control List Created with All Open Ports
|
ASL AWS CloudTrail
|
T1686.001
|
TTP
|
AWS Network ACL Activity
|
2026-05-13
|
|
GitHub Enterprise Register Self Hosted Runner
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
ASL AWS Defense Evasion Update Cloudtrail
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
AWS Defense Evasion Delete CloudWatch Log Group
|
AWS CloudTrail DeleteLogGroup
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
GCP Multi-Factor Authentication Disabled
|
Google Workspace
|
T1556.006
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
ASL AWS Defense Evasion Stop Logging Cloudtrail
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
GitHub Enterprise Delete Branch Ruleset
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
GitHub Organizations Disable 2FA Requirement
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
O365 Block User Consent For Risky Apps Disabled
|
O365 Update authorization policy.
|
T1685
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
T1556
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
AWS Bedrock Delete GuardRails
|
AWS CloudTrail DeleteGuardrail
|
T1685.002
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
ASL AWS Defense Evasion Impair Security Services
|
ASL AWS CloudTrail
|
T1685.002
|
Hunting
|
AWS Defense Evasion
|
2026-05-13
|
|
ASL AWS Network Access Control List Deleted
|
ASL AWS CloudTrail
|
T1686.001
|
Anomaly
|
Scattered Lapsus$ Hunters, AWS Network ACL Activity
|
2026-05-13
|
|
Cloud Compute Instance Created With Previously Unseen Instance Type
|
AWS CloudTrail
|
T1578.002
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
Azure AD Block User Consent For Risky Apps Disabled
|
Azure Active Directory Update authorization policy
|
T1685
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Defense Evasion Delete Cloudtrail
|
AWS CloudTrail DeleteTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
GitHub Organizations Disable Classic Branch Protection Rule
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
GitHub Enterprise Modify Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
GitHub Enterprise Disable Dependabot
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure AD New Custom Domain Added
|
Azure Active Directory Add unverified domain
|
T1484.002
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
GitHub Enterprise Pause Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
NPM Supply Chain Compromise, GitHub Malicious Activity
|
2026-05-13
|
|
AWS Defense Evasion PutBucketLifecycle
|
AWS CloudTrail PutBucketLifecycle
|
T1485.001
T1685.002
|
Hunting
|
AWS Defense Evasion
|
2026-05-13
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
T1556.006
T1586.003
|
TTP
|
Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS Defense Evasion Stop Logging Cloudtrail
|
AWS CloudTrail StopLogging
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
GitHub Enterprise Disable Classic Branch Protection Rule
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
ASL AWS Defense Evasion PutBucketLifecycle
|
ASL AWS CloudTrail
|
T1485.001
T1685.002
|
Hunting
|
AWS Defense Evasion
|
2026-05-13
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
T1556.006
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
ASL AWS Defense Evasion Delete Cloudtrail
|
ASL AWS CloudTrail
|
T1685.002
|
TTP
|
AWS Defense Evasion
|
2026-05-13
|
|
Microsoft Intune DeviceManagementConfigurationPolicies
|
Azure Monitor Activity
|
T1021.007
T1072
T1484
T1685
T1686
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DeactivateMFADevice
|
T1556.006
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable 2FA Requirement
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Cloud Security Groups Modifications by User
|
AWS CloudTrail
|
T1578.005
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
Cisco Configuration Archive Logging Analysis
|
Cisco IOS Logs
|
T1098
T1505.003
T1685
|
Hunting
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Windows AD Replication Service Traffic
|
|
T1003.006
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows AD Rogue Domain Controller Network Activity
|
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
T1021
T1133
T1556
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco SNMP Community String Configuration Changes
|
Cisco IOS Logs
|
T1040
T1552
T1685
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
