Defense Impairment Detections

Name Data Source Technique Type Analytic Story Date
Windows Impair Defense Set Win Defender Smart Screen Level To Warn Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Linux Auditd File Permission Modification Via Chmod Linux Auditd Proctitle T1222.002 Anomaly Linux Persistence Techniques, XorDDos, Linux Living Off The Land, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Axios Supply Chain Post Compromise, Compromised Linux Host 2026-05-13
Windows Anomalous Registry Value Length in Environment Key Sysmon EventID 13 T1112 Anomaly VIP Keylogger 2026-05-13
Windows Impair Defense Disable Controlled Folder Access Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics, BlankGrabber Stealer 2026-05-13
Windows Defender ASR or Threat Configuration Tamper CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 TTP Windows Defense Evasion Tactics 2026-05-13
ICACLS Grant Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1222 Anomaly Crypto Stealer, Ransomware, XMRig, Defense Evasion or Unauthorized Access Via SDDL Tampering, NetSupport RMM Tool Abuse 2026-05-13
Disable Windows App Hotkeys Sysmon EventID 13 T1112 T1685 TTP XMRig, Windows Registry Abuse 2026-05-13
Windows Impair Defense Disable Win Defender Signature Retirement Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters 2026-05-13
Windows Audit Policy Auditing Option Disabled via Auditpol CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685.001 TTP Windows Audit Policy Tampering 2026-05-13
Windows AD Suspicious Attribute Modification Windows Event Log Security 5136 T1222.001 T1550 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Impair Defense Define Win Defender Threat Action Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry Do Not Connect To Win Update Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Windows Outlook Dialogs Disabled from Unusual Process Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, NotDoor Malware 2026-05-13
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Anomaly Security Solution Tampering 2026-05-13
Windows SIP WinVerifyTrust Failed Trust Validation Windows Event Log CAPI2 81 T1553.003 Anomaly Subvert Trust Controls SIP and Trust Provider Hijacking 2026-05-13
Windows Modify Registry WuServer Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
Disable Defender BlockAtFirstSeen Feature Sysmon EventID 13 T1685 TTP Windows Registry Abuse, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Azorult, IcedID 2026-05-13
Unload Sysmon Filter Driver CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 TTP CISA AA23-347A, Disabling Security Tools 2026-05-13
Windows Modify Registry DisAllow Windows App Sysmon EventID 13 T1112 TTP Azorult 2026-05-13
Windows Modify Registry EnableLinkedConnections Sysmon EventID 13 T1112 TTP BlackByte Ransomware 2026-05-13
Windows Impair Defense Override SmartScreen Prompt Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Overide Win Defender Phishing Filter Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows New Custom Security Descriptor Set On EventLog Channel Sysmon EventID 13 T1685.001 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware 2026-05-13
Windows File and Directory Permissions Enable Inheritance Sysmon EventID 1, Windows Event Log Security 4688 T1222.001 Hunting NetSupport RMM Tool Abuse, Crypto Stealer 2026-05-13
Windows Impair Defense Delete Win Defender Context Menu Sysmon EventID 13 T1685 Hunting Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defenses Disable HVCI Sysmon EventID 13 T1685 TTP BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse 2026-05-13
Windows InProcServer32 New Outlook Form Sysmon EventID 13 T1112 T1566 Anomaly Outlook RCE CVE-2024-21378 2026-05-13
Disabling Firewall with Netsh CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Anomaly BlackByte Ransomware, Windows Defense Evasion Tactics 2026-05-13
Windows Audit Policy Cleared via Auditpol CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685.001 TTP Windows Audit Policy Tampering 2026-05-13
Windows Admon Default Group Policy Object Modified Windows Active Directory Admon T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows Modify Registry Disable WinDefender Notifications Sysmon EventID 13 T1112 TTP SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, RedLine Stealer 2026-05-13
Windows AppX Deployment Full Trust Package Installation Windows Event Log AppXDeployment-Server 400 T1204.002 T1553.005 Hunting MSIX Package Abuse 2026-05-13
Windows Impair Defense Delete Win Defender Profile Registry Sysmon EventID 13 T1685 Anomaly Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows AD Object Owner Updated Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Disable Defender Enhanced Notification Sysmon EventID 13 T1685 TTP IcedID, Azorult, CISA AA23-347A, Windows Registry Abuse 2026-05-13
Modify ACL permission To Files Or Folder CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1222 Anomaly XMRig, Crypto Stealer, Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows Global Object Access Audit List Cleared Via Auditpol CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685.001 TTP Windows Audit Policy Tampering 2026-05-13
Windows Modify Registry to Add or Modify Firewall Rule Sysmon EventID 14, Sysmon EventID 13 T1112 Anomaly NetSupport RMM Tool Abuse, ShrinkLocker, CISA AA24-241A 2026-05-13
Windows Modify Registry DisableSecuritySettings Sysmon EventID 13 T1112 TTP CISA AA23-347A, DarkGate Malware 2026-05-13
Disable Show Hidden Files Sysmon EventID 13 T1112 T1564.001 T1685 Anomaly Windows Registry Abuse, Windows Defense Evasion Tactics, Azorult 2026-05-13
Windows AD Domain Root ACL Deletion Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Filtering Platform Policy Added to Block EDR Process Sysmon EventID 13 T1685 TTP Security Solution Tampering, Disabling Security Tools 2026-05-13
Windows AD Domain Controller Promotion Windows Event Log Security 4742 T1207 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Terminating Lsass Process Sysmon EventID 10 T1685 Anomaly Double Zero Destructor, Scattered Lapsus$ Hunters, Data Destruction 2026-05-13
Windows Impair Defense Disable Win Defender App Guard Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Disable Win Defender Report Infection Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Disable Realtime Signature Delivery Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Hiding Files And Directories With Attrib exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1222.001 TTP Malicious Inno Setup Loader, Crypto Stealer, Compromised Windows Host, VIP Keylogger, Windows Defense Evasion Tactics, Azorult, Windows Persistence Techniques 2026-05-13
Hide User Account From Sign-In Screen Sysmon EventID 13 T1685 TTP XMRig, Windows Registry Abuse, Warzone RAT, Azorult 2026-05-13
Windows Modify Registry Disable Restricted Admin Sysmon EventID 13 T1112 TTP GhostRedirector IIS Module and Rungan Backdoor, CISA AA23-347A, Medusa Ransomware 2026-05-13
Windows Audit Policy Restored via Auditpol CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Windows Modify Registry ValleyRat PWN Reg Entry Sysmon EventID 13 T1112 TTP ValleyRAT 2026-05-13
Excessive number of service control start as disabled CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Anomaly Windows Defense Evasion Tactics 2026-05-13
Windows Audit Policy Excluded Category via Auditpol CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Active Directory Privilege Escalation Identified T1484 Correlation Active Directory Privilege Escalation 2026-05-13
Windows Increase in User Modification Activity Windows Event Log Security 4720 T1098 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Downdate Registry Activity Sysmon EventID 14, Sysmon EventID 12, Sysmon EventID 13 T1112 T1689 Anomaly Windows Persistence Techniques 2026-05-13
Windows Disable Change Password Through Registry Sysmon EventID 13 T1112 Anomaly Windows Defense Evasion Tactics, Ransomware 2026-05-13
Windows AD Self DACL Assignment Windows Event Log Security 5136 T1098 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Powershell Disable Security Monitoring CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 TTP Revil Ransomware, Ransomware, Salat Stealer, CISA AA24-241A, BlankGrabber Stealer 2026-06-08
Add or Set Windows Defender Exclusion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 TTP ValleyRAT, Remcos, Compromised Windows Host, CISA AA22-320A, Crypto Stealer, XWorm, Windows Defense Evasion Tactics, Salat Stealer, AgentTesla, Data Destruction, WhisperGate, NetSupport RMM Tool Abuse 2026-06-08
Firewall Allowed Program Enable CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1686 Anomaly Medusa Ransomware, BlackByte Ransomware, PlugX, NjRAT, Windows Defense Evasion Tactics, Salat Stealer, Azorult 2026-06-08
Windows Default Group Policy Object Modified with GPME CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows AD Dangerous User ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Impair Defense Disable Win Defender Scan On Update Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Disable Windows Event Logging Disable HTTP Logging CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1505.004 T1685.001 Anomaly Windows Defense Evasion Tactics, Compromised Windows Host, CISA AA23-347A, IIS Components 2026-05-13
Windows Modify Registry Regedit Silent Reg Import CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1112 Anomaly Azorult 2026-05-13
Windows Modify Registry With MD5 Reg Key Name Sysmon EventID 13 T1112 TTP NjRAT 2026-05-13
Excessive Usage Of Taskkill CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Anomaly Crypto Stealer, XMRig, NjRAT, AgentTesla, CISA AA22-264A, Azorult, BlankGrabber Stealer, CISA AA22-277A 2026-05-13
Windows AD Domain Replication ACL Addition Windows Event Log Security 5136 T1484 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Increase in Group or Object Modification Activity Windows Event Log Security 4663 T1098 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Firewall Rule Deletion Windows Event Log Security 4948 T1686 Anomaly Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker 2026-05-13
Linux Auditd Disable Or Modify System Firewall Linux Auditd Service Stop T1686 Anomaly Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host 2026-05-13
Windows Cisco Secure Endpoint Unblock File Via Sfc CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Anomaly Security Solution Tampering 2026-05-13
Disable Defender Submit Samples Consent Feature Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Salat Stealer, Azorult, CISA AA23-347A, BlankGrabber Stealer, IcedID 2026-06-08
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Anomaly Security Solution Tampering 2026-05-13
Windows Advanced Installer MSIX with AI_STUBS Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204.002 T1218 T1553.005 TTP MSIX Package Abuse 2026-05-13
Windows Event For Service Disabled Windows Event Log System 7040 T1685 Hunting Windows Defense Evasion Tactics, RedLine Stealer 2026-05-13
Windows SIP Provider Inventory T1553.003 Hunting Subvert Trust Controls SIP and Trust Provider Hijacking 2026-05-13
Windows Impair Defense Disable PUA Protection Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters 2026-05-13
Linux Auditd File Permissions Modification Via Chattr Linux Auditd Execve T1222.002 Anomaly Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host 2026-05-13
Windows AD GPO Deleted Windows Event Log Security 5136 T1484.001 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Disable ETW Through Registry Sysmon EventID 13 T1685 TTP Windows Registry Abuse, CISA AA23-347A, Ransomware 2026-05-13
Windows Modify Registry No Auto Update Sysmon EventID 13 T1112 Anomaly CISA AA23-347A, RedLine Stealer 2026-05-13
Windows Defender ASR Registry Modification Windows Event Log Defender 5007 T1112 Hunting Windows Attack Surface Reduction 2026-05-13
Windows Developer-Signed MSIX Package Installation Windows Event Log AppXDeployment-Server 855 T1204.002 T1553.005 Anomaly MSIX Package Abuse 2026-05-13
Windows SnappyBee Create Test Registry Sysmon EventID 13 T1112 TTP Salt Typhoon, China-Nexus Threat Activity, SnappyBee 2026-05-13
Windows New InProcServer32 Added Sysmon EventID 13 T1112 Hunting Outlook RCE CVE-2024-21378, Hellcat Ransomware 2026-05-13
Windows AD Dangerous Group ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Defender Exclusion Registry Entry Sysmon EventID 13 T1685 TTP ValleyRAT, Remcos, Warzone RAT, XWorm, Windows Defense Evasion Tactics, Salat Stealer, Qakbot, Azorult, NetSupport RMM Tool Abuse 2026-06-08
Windows SubInAcl Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1222.001 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows Event Log Cleared Windows Event Log Security 1102, Windows Event Log System 104 T1685.005 TTP Compromised Windows Host, Ransomware, Salat Stealer, ShrinkLocker, CISA AA22-264A, Windows Log Manipulation, Clop Ransomware 2026-06-08
Windows Impair Defense Disable Win Defender Compute File Hashes Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Change Win Defender Quick Scan Interval Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Disabling Defender Services Sysmon EventID 13 T1685 TTP IcedID, Windows Registry Abuse, RedLine Stealer 2026-05-13
MacOS plutil Osquery Results T1647 TTP Living Off The Land 2026-05-13
Windows Modify Registry ProxyServer Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2026-05-13
Windows Registry Delete Task SD Sysmon EventID 12 T1053.005 T1685 Anomaly Scheduled Tasks, Windows Registry Abuse, Windows Persistence Techniques 2026-05-13
Disable Registry Tool Sysmon EventID 13 T1112 T1685 TTP NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Outlook LoadMacroProviderOnBoot Persistence Sysmon EventID 13 T1112 T1137 TTP Windows Registry Abuse, NotDoor Malware 2026-05-13
Windows Impair Defense Disable Win Defender Network Protection Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics, BlankGrabber Stealer, Scattered Lapsus$ Hunters 2026-05-13
Windows Routing and Remote Access Service Registry Key Change Sysmon EventID 13 T1112 Anomaly Gh0st RAT 2026-05-13
Linux Auditd Change File Owner To Root Linux Auditd Proctitle T1222.002 Anomaly Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host 2026-05-13
Disabling FolderOptions Windows Feature Sysmon EventID 13 T1685 TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2026-05-13
Linux Impair Defenses Process Kill Sysmon for Linux EventID 1 T1685 Hunting Scattered Lapsus$ Hunters, AwfulShred, Data Destruction 2026-05-13
Linux Change File Owner To Root Sysmon for Linux EventID 1 T1222.002 Anomaly Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation 2026-05-13
Windows Powershell Import Applocker Policy Powershell Script Block Logging 4104 T1059.001 T1685 TTP Azorult 2026-05-13
Disable Schedule Task CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Anomaly Living Off The Land, IcedID 2026-05-13
Windows Modify Registry Qakbot Binary Data Registry Sysmon EventID 1, Sysmon EventID 13 T1112 Anomaly Qakbot 2026-05-13
Windows Scheduled Task Created in a Group Policy Object Windows Event Log Security 5145 T1053.005 T1484.001 TTP Living Off The Land, Scheduled Tasks, Windows Persistence Techniques 2026-05-13
Disabling ControlPanel Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry AuthenticationLevelOverride Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2026-05-13
Windows Files and Dirs Access Rights Modification Via Icacls CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1222.001 Anomaly Amadey, Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows Mark Of The Web Bypass Sysmon EventID 23 T1553.005 TTP Quasar RAT, Warzone RAT 2026-05-13
Enable WDigest UseLogonCredential Registry Sysmon EventID 13 T1003 T1112 TTP Credential Dumping, Windows Registry Abuse, CISA AA22-320A 2026-05-13
Windows Registry Dotnet ETW Disabled Via ENV Variable Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Deny Security Software With Applocker Sysmon EventID 13 T1685 TTP Azorult, Scattered Lapsus$ Hunters 2026-05-13
Windows Disable LogOff Button Through Registry Sysmon EventID 13 T1112 Anomaly Windows Registry Abuse, Ransomware 2026-05-13
Windows AD Hidden OU Creation Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Disable Lock Workstation Feature Through Registry Sysmon EventID 13 T1112 Anomaly Windows Registry Abuse, Windows Defense Evasion Tactics, Ransomware 2026-05-13
Windows Impair Defense Change Win Defender Throttle Rate Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Impair Defense Disable Defender Protocol Recognition Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters 2026-05-13
Windows Outlook WebView Registry Modification Sysmon EventID 13 T1112 Anomaly Suspicious Windows Registry Activities 2026-05-13
Windows Impair Defense Disable Defender Firewall And Network Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics, Scattered Lapsus$ Hunters 2026-05-13
Linux Auditd Auditd Daemon Shutdown Linux Auditd Daemon End T1685.004 Anomaly Compromised Linux Host 2026-05-13
Unloading AMSI via Reflection Powershell Script Block Logging 4104 T1059.001 T1685 TTP Hermetic Wiper, Data Destruction, Malicious PowerShell 2026-05-13
Rundll32 Shimcache Flush CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1112 TTP Living Off The Land, Compromised Windows Host, Unusual Processes 2026-05-13
Windows New EventLog ChannelAccess Registry Value Set Sysmon EventID 13 T1685.001 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering, LockBit Ransomware 2026-05-13
Windows Modify Registry UpdateServiceUrlAlternate Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Windows Attempt To Stop Security Service CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 TTP Azorult, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Trickbot, Disabling Security Tools 2026-05-13
Windows AD DCShadow Privileges ACL Addition Windows Event Log Security 5136 T1207 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows AD GPO Disabled Windows Event Log Security 5136 T1484.001 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows AD Short Lived Domain Controller SPN Attribute Windows Event Log Security 4624, Windows Event Log Security 5136 T1207 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Modify Registry Risk Behavior T1112 Correlation Windows Registry Abuse 2026-05-13
Windows EFI Volume Mount Attempt Via Mountvol CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204.002 T1542 T1688 Anomaly Compromised Windows Host 2026-05-13
Revil Registry Entry Sysmon EventID 12, Sysmon EventID 13 T1112 TTP Revil Ransomware, Windows Registry Abuse, Ransomware 2026-05-13
Windows Eventlog Cleared Via Wevtutil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685.005 Anomaly Ransomware, ShrinkLocker, Rhysida Ransomware, Windows Log Manipulation, CISA AA23-347A, Clop Ransomware 2026-05-13
Powershell Windows Defender Exclusion Commands Powershell Script Block Logging 4104 T1685 TTP Remcos, CISA AA22-320A, Warzone RAT, Windows Defense Evasion Tactics, Salat Stealer, AgentTesla, BlankGrabber Stealer, Data Destruction, WhisperGate, NetSupport RMM Tool Abuse 2026-06-08
Windows Modify Registry Utilize ProgIDs Sysmon EventID 13 T1112 Anomaly ValleyRAT 2026-05-13
Windows Event Logging Service Has Shutdown Windows Event Log Security 1100 T1685.005 Hunting Clop Ransomware, Windows Log Manipulation, Scattered Lapsus$ Hunters, Ransomware 2026-05-13
Allow Network Discovery In Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1686.001 TTP Revil Ransomware, Medusa Ransomware, Ransomware, BlackByte Ransomware, NjRAT, Hellcat Ransomware 2026-05-13
Disabling Task Manager Sysmon EventID 13 T1685 TTP NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Firewall Rule Modification Windows Event Log Security 4947 T1686 Anomaly Medusa Ransomware, NetSupport RMM Tool Abuse, ShrinkLocker 2026-05-13
Windows Registry SIP Provider Modification Sysmon EventID 13 T1553.003 TTP Subvert Trust Controls SIP and Trust Provider Hijacking 2026-05-13
Windows Modify Registry MaxConnectionPerServer Sysmon EventID 13 T1112 Anomaly Warzone RAT 2026-05-13
Windows Registry Certificate Added Sysmon EventID 13 T1553.004 Anomaly Windows Drivers, Windows Registry Abuse 2026-05-13
Malicious InProcServer32 Modification Sysmon EventID 12, Sysmon EventID 13 T1112 T1218.010 TTP Remcos, Suspicious Regsvr32 Activity 2026-05-13
Disable Logs Using WevtUtil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685.005 TTP Rhysida Ransomware, CISA AA23-347A, Ransomware 2026-05-13
Windows AD Domain Root ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Modify Registry USeWuServer Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
Windows Delete or Modify System Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1686 Hunting NjRAT, ShrinkLocker 2026-05-13
Linux Auditd Auditd Daemon Abort Linux Auditd Daemon Abort T1685.004 Anomaly Compromised Linux Host 2026-05-13
Allow File And Printing Sharing In Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1686.001 TTP BlackByte Ransomware, Hellcat Ransomware, Ransomware 2026-05-13
Disable Defender Spynet Reporting Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Qakbot, Azorult, CISA AA23-347A, IcedID 2026-05-13
Disable Defender AntiVirus Registry Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Cactus Ransomware, Black Basta Ransomware, Salat Stealer, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, IcedID 2026-06-08
Linux Stdout Redirection To Dev Null File Sysmon for Linux EventID 1 T1686 Anomaly Cyclops Blink, Data Destruction, Industroyer2 2026-05-13
Windows Modify Registry Tamper Protection Sysmon EventID 13 T1112 TTP Scattered Lapsus$ Hunters, RedLine Stealer 2026-05-13
Windows RunMRU Registry Key or Value Deleted Sysmon EventID 12 T1112 Anomaly NetSupport RMM Tool Abuse 2026-05-13
Windows Disable Shutdown Button Through Registry Sysmon EventID 13 T1112 Anomaly Windows Registry Abuse, Ransomware 2026-05-13
MacOS Gatekeeper Bypass Osquery Results T1553.001 Anomaly MacOS Privilege Escalation, MacOS Persistence Techniques, MacOS Post-Exploitation 2026-05-13
Disabling Windows Local Security Authority Defences via Registry Sysmon EventID 13 T1556 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry Suppress Win Defender Notif Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2026-05-13
Suspicious Reg exe Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1112 Anomaly DHS Report TA18-074A, Windows Defense Evasion Tactics, Disabling Security Tools 2026-05-13
Windows Group Policy Object Created Windows Event Log Security 5137, Windows Event Log Security 5136 T1078.002 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows AD Short Lived Server Object Windows Event Log Security 5141, Windows Event Log Security 5137 T1207 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Admon Group Policy Object Created Windows Active Directory Admon T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows Modify Registry ProxyEnable Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2026-05-13
Windows File and Directory Enable ReadOnly Permissions Sysmon EventID 1, Windows Event Log Security 4688 T1222.001 TTP NetSupport RMM Tool Abuse, Crypto Stealer 2026-05-13
Excessive Usage Of Cacls App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1222 Anomaly Prestige Ransomware, Windows Post-Exploitation, Crypto Stealer, XMRig, Azorult, Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows Defender ASR Rule Disabled Windows Event Log Defender 5007 T1112 TTP Windows Attack Surface Reduction 2026-05-13
Windows Impair Defense Configure App Install Control Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry DisableRemoteDesktopAntiAlias Sysmon EventID 13 T1112 TTP DarkGate Malware 2026-05-13
Remcos client registry install entry Sysmon EventID 12, Sysmon EventID 13 T1112 TTP Remcos, Windows Registry Abuse 2026-05-13
Windows File and Directory Permissions Remove Inheritance Sysmon EventID 1, Windows Event Log Security 4688 T1222.001 Anomaly Crypto Stealer 2026-05-13
Permission Modification using Takeown App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1222 Anomaly Crypto Stealer, Sandworm Tools, Ransomware, Scattered Lapsus$ Hunters 2026-05-13
Windows Impair Defense Change Win Defender Health Check Intervals Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Suspicious wevtutil Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685.005 TTP Ransomware, Scattered Spider, VoidLink Cloud-Native Linux Malware, ShrinkLocker, Rhysida Ransomware, Windows Log Manipulation, CISA AA23-347A, Storm-0501 Ransomware, Clop Ransomware, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Windows Impair Defense Disable Win Defender Gen reports Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry Configure BitLocker Sysmon EventID 13 T1112 TTP ShrinkLocker 2026-05-13
Windows Important Audit Policy Disabled Windows Event Log Security 4719 T1685 TTP Windows Audit Policy Tampering 2026-05-13
Windows Modify Registry on Smart Card Group Policy Sysmon EventID 13 T1112 Anomaly ShrinkLocker 2026-05-13
Windows Modify Registry Disable Toast Notifications Sysmon EventID 13 T1112 Anomaly Azorult 2026-05-13
Disable Security Logs Using MiniNt Registry Sysmon EventID 13 T1112 TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2026-05-13
Windows Modify Registry Disable RDP Sysmon EventID 13 T1112 Anomaly Windows RDP Artifacts and Defense Evasion, ShrinkLocker 2026-05-13
Windows Modify Registry Auto Update Notif Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Linux Iptables Firewall Modification Sysmon for Linux EventID 1 T1686 Anomaly Backdoor Pingpong, China-Nexus Threat Activity, Cyclops Blink, Sandworm Tools 2026-05-13
Windows Symlink Evaluation Change via Fsutil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1222.001 Anomaly Windows Post-Exploitation 2026-05-13
Windows Audit Policy Disabled via Legacy Auditpol CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Powershell Remove Windows Defender Directory Powershell Script Block Logging 4104 T1685 TTP WhisperGate, Data Destruction 2026-05-13
Windows SymbolicLink-Testing-Tools Utility Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1222 T1564.004 TTP Windows Privilege Escalation, Windows Post-Exploitation, Windows Persistence Techniques 2026-05-13
Windows Impair Defenses Disable Win Defender Auto Logging Sysmon EventID 13 T1685 Anomaly CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2026-05-13
Windows Impair Defense Disable Web Evaluation Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics, Salat Stealer 2026-06-08
FodHelper UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1112 T1548.002 TTP ValleyRAT, Compromised Windows Host, Windows Defense Evasion Tactics, BlankGrabber Stealer, IcedID 2026-05-13
Windows PowerShell Disable HTTP Logging Powershell Script Block Logging 4104 T1505.004 T1685.001 TTP Windows Defense Evasion Tactics, IIS Components 2026-05-13
Windows MpCmdRun RemoveDefinitions Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Anomaly BlankGrabber Stealer 2026-05-13
Windows Modify Registry Disable Windows Security Center Notif Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2026-05-13
Windows Disable or Stop Browser Process Sysmon EventID 1 T1685 TTP Castle RAT, Braodo Stealer, Salat Stealer, BlankGrabber Stealer, Hellcat Ransomware, Scattered Lapsus$ Hunters 2026-06-08
Windows Modify Registry No Auto Reboot With Logon User Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2026-05-13
Windows Modify Registry Auto Minor Updates Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
Windows Modify Registry Default Icon Setting Sysmon EventID 13 T1112 Anomaly LockBit Ransomware 2026-05-13
Windows Snake Malware Registry Modification wav OpenWithProgIds Sysmon EventID 13 T1112 TTP Snake Malware 2026-05-13
Disabling CMD Application Sysmon EventID 13 T1112 T1685 TTP NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows AD Dangerous Deny ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Modify Show Compress Color And Info Tip Registry Sysmon EventID 13 T1112 TTP Hermetic Wiper, Windows Registry Abuse, Windows Defense Evasion Tactics, Data Destruction 2026-05-13
Windows Disable Notification Center Sysmon EventID 13 T1112 Anomaly CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2026-05-13
Windows Impair Defenses Disable Auto Logger Session Sysmon EventID 13 T1685 Anomaly Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Deleted Registry By A Non Critical Process File Path Sysmon EventID 1, Sysmon EventID 12 T1112 Anomaly Double Zero Destructor, Data Destruction 2026-05-13
Process Kill Base On File Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 TTP XMRig 2026-05-13
Windows AD Domain Controller Audit Policy Disabled Windows Event Log Security 4719 T1685 TTP Windows Audit Policy Tampering 2026-05-13
Disable Windows Behavior Monitoring Sysmon EventID 13 T1685 TTP Revil Ransomware, Windows Registry Abuse, Ransomware, Black Basta Ransomware, Cactus Ransomware, Windows Defense Evasion Tactics, Salat Stealer, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Azorult, Storm-0501 Ransomware, BlankGrabber Stealer, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters, RedLine Stealer 2026-06-08
Windows Hide Notification Features Through Registry Sysmon EventID 13 T1112 Anomaly Windows Registry Abuse, Windows Defense Evasion Tactics, Ransomware 2026-05-13
Windows Excessive Disabled Services Event Windows Event Log System 7040 T1685 TTP Windows Defense Evasion Tactics, Compromised Windows Host, CISA AA23-347A 2026-05-13
Icacls Deny Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1222 Anomaly Crypto Stealer, Compromised Windows Host, XMRig, Azorult, Defense Evasion or Unauthorized Access Via SDDL Tampering, Sandworm Tools 2026-05-13
Windows AppX Deployment Unsigned Package Installation Windows Event Log AppXDeployment-Server 855 T1204.002 T1553.005 TTP MSIX Package Abuse 2026-05-13
Windows AD GPO New CSE Addition Windows Event Log Security 5136 T1222.001 T1484.001 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Audit Policy Security Descriptor Tampering via Auditpol CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Windows Raccine Scheduled Task Deletion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 TTP Compromised Windows Host, Ransomware 2026-05-13
Windows Disable Windows Group Policy Features Through Registry Sysmon EventID 13 T1112 Anomaly Windows Defense Evasion Tactics, Windows Registry Abuse, CISA AA23-347A, Ransomware 2026-05-13
Disable Defender MpEngine Registry Sysmon EventID 13 T1685 TTP IcedID, Windows Registry Abuse 2026-05-13
Windows Firewall Rule Added Windows Event Log Security 4946 T1686 Anomaly Medusa Ransomware, NetSupport RMM Tool Abuse, Salat Stealer, ShrinkLocker 2026-06-08
Disabling NoRun Windows App Sysmon EventID 13 T1112 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Default Group Policy Object Modified Windows Event Log Security 5136 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Wmic NonInteractive App Uninstallation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Hunting IcedID, Azorult 2026-05-13
Windows Modify Registry Disabling WER Settings Sysmon EventID 13 T1112 TTP Azorult, CISA AA23-347A 2026-05-13
Windows Modify Registry wuStatusServer Sysmon EventID 13 T1112 Hunting RedLine Stealer 2026-05-13
Windows Impair Defense Change Win Defender Tracing Level Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Windows Modify Registry Disable Win Defender Raw Write Notif Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2026-05-13
Windows Disable or Modify Tools Via Taskkill CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Anomaly NjRAT, PXA Stealer, BlankGrabber Stealer, Crypto Stealer 2026-05-13
Windows Common Abused Cmd Shell Risk Behavior T1016 T1033 T1049 T1059 T1222 T1529 Correlation Windows Post-Exploitation, Volt Typhoon, DarkCrystal RAT, Windows Defense Evasion Tactics, FIN7, Qakbot, Azorult, CISA AA23-347A, Netsh Abuse, Microsoft WSUS CVE-2025-59287, Sandworm Tools, Disabling Security Tools 2026-05-13
Windows Modify Registry DontShowUI Sysmon EventID 13 T1112 TTP DarkGate Malware 2026-05-13
ETW Registry Disabled Sysmon EventID 13 T1127 T1685 TTP Windows Registry Abuse, Hermetic Wiper, CISA AA23-347A, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation 2026-05-13
Disable Windows SmartScreen Protection Sysmon EventID 13 T1685 TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse, Salat Stealer 2026-06-08
Windows Modify Registry NoChangingWallPaper Sysmon EventID 13 T1112 TTP Rhysida Ransomware 2026-05-13
Windows Modify Registry Delete Firewall Rules Sysmon EventID 12 T1112 TTP NetSupport RMM Tool Abuse, ShrinkLocker, CISA AA24-241A 2026-05-13
Windows DISM Remove Defender CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 TTP Windows Defense Evasion Tactics, Compromised Windows Host, CISA AA23-347A 2026-05-13
Windows Impair Defense Add Xml Applocker Rules CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Hunting Azorult 2026-05-13
Linux Auditd Auditd Daemon Start Linux Auditd Daemon Start T1685.004 Anomaly Compromised Linux Host 2026-05-13
Windows Modify System Firewall with Notable Process Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1686 TTP Compromised Windows Host, NjRAT, Medusa Ransomware 2026-05-13
Windows Impair Defenses Disable AV AutoStart via Registry Sysmon EventID 13 T1112 TTP ValleyRAT, Scattered Lapsus$ Hunters 2026-05-13
Windows Set Network Profile Category to Private via Registry Sysmon EventID 13 T1112 Anomaly Secret Blizzard 2026-05-13
Windows Modify Registry LongPathsEnabled Sysmon EventID 13 T1112 Anomaly BlackByte Ransomware 2026-05-13
Disable AMSI Through Registry Sysmon EventID 13 T1685 TTP Windows Registry Abuse, CISA AA23-347A, Ransomware 2026-05-13
Windows CrowdStrike Agent Registry Key Removal Sysmon EventID 12 T1685 Anomaly Windows Defense Evasion Tactics, Security Solution Tampering 2026-05-13
Windows Modify Registry ValleyRAT C2 Config Sysmon EventID 13 T1112 TTP ValleyRAT 2026-05-13
Windows EDRSilencer Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685 Anomaly Security Solution Tampering 2026-05-13
Windows Audit Policy Disabled via Auditpol CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1685.001 Anomaly Windows Audit Policy Tampering 2026-05-13
Windows DisableAntiSpyware Registry Sysmon EventID 13 T1685 TTP Windows Registry Abuse, Windows Defense Evasion Tactics, SolarWinds WHD RCE Post Exploitation, Azorult, CISA AA22-264A, CISA AA23-347A, Ryuk Ransomware, RedLine Stealer 2026-05-13
M365 Copilot Impersonation Jailbreak Attack M365 Exported eDiscovery Prompts T1685 TTP Suspicious Microsoft 365 Copilot Activities 2026-06-04
ESXi Syslog Config Change VMWare ESXi Syslog T1690 TTP ESXi Post Compromise, Black Basta Ransomware 2026-05-13
ESXi Lockdown Mode Disabled VMWare ESXi Syslog T1685 TTP ESXi Post Compromise, Black Basta Ransomware 2026-05-13
ESXi Loghost Config Tampering VMWare ESXi Syslog T1685 TTP ESXi Post Compromise, Black Basta Ransomware 2026-05-13
Cisco ASA - Logging Disabled via CLI Cisco ASA Logs T1685 TTP Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
ESXi Encryption Settings Modified VMWare ESXi Syslog T1685 TTP ESXi Post Compromise, Black Basta Ransomware 2026-05-13
ESXi Firewall Disabled VMWare ESXi Syslog T1686 TTP China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware 2026-05-13
PingID New MFA Method Registered For User PingID T1098.005 T1556.006 T1621 TTP Compromised User Account 2026-05-13
Okta Multi-Factor Authentication Disabled Okta T1556.006 TTP Scattered Lapsus$ Hunters, Okta Account Takeover 2026-05-13
Cisco Duo Policy Allow Old Java Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Admin Login Unusual Os Cisco Duo Activity T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Policy Allow Devices Without Screen Lock Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
M365 Copilot Non Compliant Devices Accessing M365 Copilot M365 Copilot Graph API T1685 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Cisco Duo Policy Allow Old Flash Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Admin Login Unusual Country Cisco Duo Activity T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
M365 Copilot Jailbreak Attempts M365 Exported eDiscovery Prompts T1685 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Okta Phishing Detection with FastPass Origin Check Okta T1078.001 T1556 TTP Okta Account Takeover 2026-05-13
Cisco ASA - AAA Policy Tampering Cisco ASA Logs T1556.004 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Cisco Duo Bypass Code Generation Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco ASA - Logging Message Suppression Cisco ASA Logs T1070 T1685.001 Anomaly ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Cisco Duo Policy Skip 2FA for Other Countries Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco ASA - Core Syslog Message Volume Drop Cisco ASA Logs T1685 Hunting ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
PingID New MFA Method After Credential Reset PingID T1098.005 T1556.006 T1621 TTP Scattered Lapsus$ Hunters, Compromised User Account 2026-05-13
Cisco Duo Bulk Policy Deletion Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
ESXi VIB Acceptance Level Tampering VMWare ESXi Syslog T1685 TTP China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware 2026-05-13
Cisco Duo Policy Allow Tampered Devices Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Set User Status to Bypass 2FA Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
M365 Copilot Information Extraction Jailbreak Attack M365 Exported eDiscovery Prompts T1685 TTP Suspicious Microsoft 365 Copilot Activities 2026-05-13
Cisco Duo Policy Deny Access Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco Duo Policy Bypass 2FA Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
Cisco ASA - Logging Filters Configuration Tampering Cisco ASA Logs T1685 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
ESXi Audit Tampering VMWare ESXi Syslog T1070 T1690 TTP ESXi Post Compromise, Black Basta Ransomware 2026-05-13
M365 Copilot Agentic Jailbreak Attack M365 Exported eDiscovery Prompts T1685 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Cisco Duo Policy Allow Network Bypass 2FA Cisco Duo Administrator T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
PingID Mismatch Auth Source and Verification Response PingID T1098.005 T1556.006 T1621 TTP Compromised User Account 2026-05-13
Cisco Duo Admin Login Unusual Browser Cisco Duo Activity T1556 TTP Cisco Duo Suspicious Activity 2026-05-13
ESXi Download Errors VMWare ESXi Syslog T1601.001 T1685 Anomaly ESXi Post Compromise, Black Basta Ransomware 2026-05-13
AWS Defense Evasion Impair Security Services AWS CloudTrail DeleteRuleGroup, AWS CloudTrail DeleteLoggingConfiguration, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteWebACL T1685.002 TTP AWS Defense Evasion 2026-05-13
O365 Excessive SSO logon errors O365 UserLoginFailed T1556 Anomaly Cloud Federated Credential Abuse, Office 365 Account Takeover 2026-05-13
O365 Advanced Audit Disabled O365 Change user license. T1685.002 TTP Office 365 Persistence Mechanisms 2026-05-13
AWS Network Access Control List Created with All Open Ports AWS CloudTrail ReplaceNetworkAclEntry, AWS CloudTrail CreateNetworkAclEntry T1686.001 TTP AWS Network ACL Activity 2026-05-13
O365 Cross-Tenant Access Change Office 365 Universal Audit Log T1484.002 TTP Azure Active Directory Persistence 2026-05-13
ASL AWS New MFA Method Registered For User ASL AWS CloudTrail T1556.006 TTP AWS Identity and Access Management Account Takeover 2026-05-13
O365 Email Security Feature Changed Office 365 Universal Audit Log T1685.002 TTP Office 365 Account Takeover, Office 365 Persistence Mechanisms 2026-05-13
GitHub Organizations Disable Dependabot GitHub Organizations Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
Azure AD New Federated Domain Added Azure Active Directory Set domain authentication T1484.002 TTP Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Storm-0501 Ransomware, Hellcat Ransomware 2026-05-13
ASL AWS Defense Evasion Delete CloudWatch Log Group ASL AWS CloudTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
O365 Bypass MFA via Trusted IP O365 Set Company Information. T1686.001 TTP Office 365 Persistence Mechanisms 2026-05-13
AWS Bedrock Delete Model Invocation Logging Configuration AWS CloudTrail DeleteModelInvocationLoggingConfiguration T1685.002 TTP AWS Bedrock Security 2026-05-13
ASL AWS Multi-Factor Authentication Disabled ASL AWS CloudTrail T1556.006 T1586.003 T1621 TTP AWS Identity and Access Management Account Takeover 2026-05-13
GitHub Enterprise Disable IP Allow List GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
AWS Defense Evasion Update Cloudtrail AWS CloudTrail UpdateTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
AWS Network Access Control List Deleted AWS CloudTrail DeleteNetworkAclEntry T1686.001 Anomaly AWS Network ACL Activity 2026-05-13
GitHub Organizations Delete Branch Ruleset GitHub Organizations Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
ASL AWS Network Access Control List Created with All Open Ports ASL AWS CloudTrail T1686.001 TTP AWS Network ACL Activity 2026-05-13
GitHub Enterprise Register Self Hosted Runner GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
ASL AWS Defense Evasion Update Cloudtrail ASL AWS CloudTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
AWS Defense Evasion Delete CloudWatch Log Group AWS CloudTrail DeleteLogGroup T1685.002 TTP AWS Defense Evasion 2026-05-13
GCP Multi-Factor Authentication Disabled Google Workspace T1556.006 T1586.003 TTP GCP Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
ASL AWS Defense Evasion Stop Logging Cloudtrail ASL AWS CloudTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
GitHub Enterprise Delete Branch Ruleset GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
GitHub Organizations Disable 2FA Requirement GitHub Organizations Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
O365 Block User Consent For Risky Apps Disabled O365 Update authorization policy. T1685 TTP Office 365 Account Takeover 2026-05-13
GitHub Enterprise Disable Audit Log Event Stream GitHub Enterprise Audit Logs T1195 T1685.002 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
O365 Disable MFA O365 Disable Strong Authentication. T1556 TTP Office 365 Persistence Mechanisms 2026-05-13
AWS Bedrock Delete GuardRails AWS CloudTrail DeleteGuardrail T1685.002 TTP AWS Bedrock Security 2026-05-13
ASL AWS Defense Evasion Impair Security Services ASL AWS CloudTrail T1685.002 Hunting AWS Defense Evasion 2026-05-13
ASL AWS Network Access Control List Deleted ASL AWS CloudTrail T1686.001 Anomaly AWS Network ACL Activity, Scattered Lapsus$ Hunters 2026-05-13
Cloud Compute Instance Created With Previously Unseen Instance Type AWS CloudTrail T1578.002 Anomaly Cloud Cryptomining 2026-05-13
Azure AD Block User Consent For Risky Apps Disabled Azure Active Directory Update authorization policy T1685 TTP Azure Active Directory Account Takeover 2026-05-13
AWS Defense Evasion Delete Cloudtrail AWS CloudTrail DeleteTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
GitHub Organizations Disable Classic Branch Protection Rule GitHub Organizations Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
GitHub Enterprise Modify Audit Log Event Stream GitHub Enterprise Audit Logs T1195 T1685.002 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
GitHub Enterprise Disable Dependabot GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
AWS New MFA Method Registered For User AWS CloudTrail CreateVirtualMFADevice T1556.006 TTP AWS Identity and Access Management Account Takeover 2026-05-13
Azure AD New Custom Domain Added Azure Active Directory Add unverified domain T1484.002 TTP Azure Active Directory Persistence 2026-05-13
GitHub Enterprise Pause Audit Log Event Stream GitHub Enterprise Audit Logs T1195 T1685.002 Anomaly GitHub Malicious Activity, NPM Supply Chain Compromise 2026-05-13
AWS Defense Evasion PutBucketLifecycle AWS CloudTrail PutBucketLifecycle T1485.001 T1685.002 Hunting AWS Defense Evasion 2026-05-13
Azure AD Multi-Factor Authentication Disabled Azure Active Directory Disable Strong Authentication T1556.006 T1586.003 TTP Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
AWS Defense Evasion Stop Logging Cloudtrail AWS CloudTrail StopLogging T1685.002 TTP AWS Defense Evasion 2026-05-13
GitHub Enterprise Disable Classic Branch Protection Rule GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
ASL AWS Defense Evasion PutBucketLifecycle ASL AWS CloudTrail T1485.001 T1685.002 Hunting AWS Defense Evasion 2026-05-13
Azure AD New MFA Method Registered For User Azure Active Directory User registered security info T1556.006 TTP Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters, Compromised User Account 2026-05-13
ASL AWS Defense Evasion Delete Cloudtrail ASL AWS CloudTrail T1685.002 TTP AWS Defense Evasion 2026-05-13
Microsoft Intune DeviceManagementConfigurationPolicies Azure Monitor Activity T1021.007 T1072 T1484 T1685 T1686 Hunting Azure Active Directory Account Takeover 2026-05-13
AWS Multi-Factor Authentication Disabled AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice T1556.006 T1586.003 T1621 TTP Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover 2026-05-13
GitHub Enterprise Disable 2FA Requirement GitHub Enterprise Audit Logs T1195 T1685 Anomaly GitHub Malicious Activity 2026-05-13
Cloud Security Groups Modifications by User AWS CloudTrail T1578.005 Anomaly Suspicious Cloud User Activities 2026-05-13
Cisco Configuration Archive Logging Analysis Cisco IOS Logs T1098 T1505.003 T1685 Hunting Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Windows AD Replication Service Traffic T1003.006 T1207 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows AD Rogue Domain Controller Network Activity T1207 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Cisco Network Interface Modifications Cisco IOS Logs T1021 T1133 T1556 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco SNMP Community String Configuration Changes Cisco IOS Logs T1040 T1552 T1685 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13