|
Splunk Information Disclosure on Account Login
|
Splunk
|
T1087
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk Authentication Token Exposure in Debug Log
|
|
T1654
|
TTP
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk Path Traversal In Splunk App For Lookup File Edit
|
Splunk
|
T1083
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Windows Group Discovery Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
T1069.002
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Cleo File Transfer Software, Medusa Ransomware, Volt Typhoon, Active Directory Discovery, Rhysida Ransomware, SolarWinds WHD RCE Post Exploitation, Windows Discovery Techniques, Azorult, Graceful Wipe Out Attack, Microsoft WSUS CVE-2025-59287, IcedID
|
2026-05-13
|
|
Windows Password Policy Discovery with Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Administrative Shares Accessed On Multiple Hosts
|
Windows Event Log Security 5145, Windows Event Log Security 5140
|
T1135
|
TTP
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows AD Privileged Object Access Activity
|
Windows Event Log Security 4662
|
T1087.002
|
TTP
|
BlackSuit Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Windows Chromium Process Launched with Logging Disabled
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
GetWmiObject Ds Group with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
System User Discovery With Whoami
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Lotus Blossom Chrysalis Backdoor, LAMEHUG, PHP-CGI RCE Attack on Japanese Organizations, Winter Vivern, Active Directory Discovery, Rhysida Ransomware, Qakbot, CISA AA23-347A
|
2026-05-13
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
T1135
|
Anomaly
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Hosts File Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Gh0st RAT, BlankGrabber Stealer
|
2026-05-13
|
|
Domain Controller Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Domain Account Discovery Via Get-NetComputer
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
CISA AA23-347A
|
2026-05-13
|
|
Wmic Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
Windows Chromium process Launched with Disable Popup Blocking
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
User Discovery With Env Vars PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Elevated Group Discovery with PowerView
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
DSQuery Domain Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Compromised Windows Host, Domain Trust Discovery, Active Directory Discovery
|
2026-05-13
|
|
System User Discovery With Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Medusa Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Windows Net System Service Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1007
|
Hunting
|
Gh0st RAT, LAMEHUG
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
GetWmiObject DS User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Sensitive Group Discovery With Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Anomaly
|
BlackSuit Ransomware, Volt Typhoon, Active Directory Discovery, Rhysida Ransomware, Microsoft WSUS CVE-2025-59287, IcedID
|
2026-05-13
|
|
GetLocalUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
MacOS Network Share Discovery
|
Osquery Results
|
T1135
|
Anomaly
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Windows System Network Config Discovery Display DNS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1016
|
Anomaly
|
Water Gamayun, Prestige Ransomware, Windows Post-Exploitation, Medusa Ransomware
|
2026-05-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Advanced IP or Port Scanner Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1046
T1135
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
GetNetTcpconnection with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Domain Group Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Wmic CPU Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows Registry Entries Exported Via Reg
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1012
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, CISA AA23-347A
|
2026-05-13
|
|
Windows Non Discord App Access Discord LevelDB
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Snake Keylogger, PXA Stealer, StealC Stealer, BlankGrabber Stealer
|
2026-05-13
|
|
GetWmiObject User Account with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.001
|
Hunting
|
Winter Vivern, Water Gamayun, Active Directory Discovery
|
2026-05-13
|
|
PowerShell Get LocalGroup Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
GetCurrent User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Account Discovery With NetUser PreauthNotRequire
|
Powershell Script Block Logging 4104
|
T1087
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Detect SharpHound File Modifications
|
Sysmon EventID 11
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
BlackSuit Ransomware, Windows Discovery Techniques, Ransomware
|
2026-05-13
|
|
Network Traffic to Active Directory Web Services Protocol
|
Sysmon EventID 3
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
Hunting
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows System Time Discovery W32tm Delay
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1124
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
Domain Controller Discovery with Nltest
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
BlackSuit Ransomware, Medusa Ransomware, Active Directory Discovery, Rhysida Ransomware, CISA AA23-347A, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Cisco NVM - Suspicious Network Connection to IP Lookup Service API
|
Cisco Network Visibility Module Flow Data
|
T1016
T1590.005
|
Anomaly
|
Castle RAT, Cisco Network Visibility Module Analytics, BlankGrabber Stealer
|
2026-05-13
|
|
Windows PsTools Recon Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
T1046
T1082
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
GetCurrent User with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Powershell Get LocalGroup Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Account Discovery for Sam Account Name
|
Powershell Script Block Logging 4104
|
T1087
|
Anomaly
|
CISA AA23-347A
|
2026-05-13
|
|
Windows Information Discovery Fsutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Query Registry Browser List Application
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Salt Typhoon, China-Nexus Threat Activity, SnappyBee, RedLine Stealer
|
2026-05-13
|
|
Linux Auditd Whoami User Discovery
|
Linux Auditd Syscall
|
T1033
|
Anomaly
|
Linux Persistence Techniques, QuietVault, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Enumerate Users Local Group Using Telegram
|
Windows Event Log Security 4798
|
T1087
|
TTP
|
XMRig, Compromised Windows Host, Water Gamayun
|
2026-05-13
|
|
AdsiSearcher Account Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Industroyer2, Active Directory Discovery, CISA AA23-347A, Data Destruction, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Network Share Discovery Via Dir Command
|
Windows Event Log Security 5140
|
T1135
|
Hunting
|
IcedID
|
2026-05-13
|
|
NLTest Domain Trust Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Cleo File Transfer Software, Medusa Ransomware, Active Directory Discovery, Rhysida Ransomware, Qakbot, Storm-0501 Ransomware, Ryuk Ransomware, IcedID, Domain Trust Discovery
|
2026-05-13
|
|
Linux Auditd Kernel Module Enumeration
|
Linux Auditd Syscall
|
T1014
T1082
|
Anomaly
|
Linux Rootkit, XorDDos, Compromised Linux Host
|
2026-05-13
|
|
Network Connection Discovery With Arp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Volt Typhoon, Active Directory Discovery, Interlock Ransomware, Qakbot, IcedID
|
2026-05-13
|
|
Elevated Group Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows System User Discovery Via Quser
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Crypto Stealer
|
2026-05-13
|
|
Get ADUserResultantPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome Extension Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Malicious Inno Setup Loader, Braodo Stealer, StealC Stealer, 0bj3ctivity Stealer, Meduza Stealer, MoonPeak, Amadey, DarkGate Malware, CISA AA23-347A, BlankGrabber Stealer, Phemedrone Stealer, RedLine Stealer
|
2026-05-13
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Ping Sleep Batch Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
Anomaly
|
Gh0st RAT, Warzone RAT, BlackByte Ransomware, Meduza Stealer, Quasar RAT, Data Destruction, WhisperGate, Void Manticore
|
2026-05-13
|
|
Web Servers Executing Suspicious Processes
|
Sysmon EventID 1
|
T1082
|
TTP
|
Apache Struts Vulnerability
|
2026-05-13
|
|
Network Connection Discovery With Netstat
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Medusa Ransomware, Volt Typhoon, PlugX, Active Directory Discovery, Qakbot, CISA AA23-347A, CISA AA22-277A
|
2026-05-13
|
|
Get DomainPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Get-DomainTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Get-AdComputer Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Kerberos Attacks, Medusa Ransomware
|
2026-05-13
|
|
Get ADUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
Hunting
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Auditd Database File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
T1069
T1078.002
|
TTP
|
Rhysida Ransomware, Active Directory Privilege Escalation, Active Directory Discovery
|
2026-05-13
|
|
Windows System User Privilege Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Windows File Share Discovery With Powerview
|
Powershell Script Block Logging 4104
|
T1135
|
TTP
|
Active Directory Privilege Escalation, Active Directory Discovery
|
2026-05-13
|
|
Windows Linked Policies In ADSI Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
Industroyer2, Data Destruction, Active Directory Discovery
|
2026-05-13
|
|
Windows Time Based Evasion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
TTP
|
NjRAT, BlankGrabber Stealer
|
2026-05-13
|
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Wmic Systeminfo Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor, LAMEHUG, BlankGrabber Stealer
|
2026-05-13
|
|
Windows Chromium Process with Disabled Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows System Discovery Using ldap Nslookup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Get-DomainTrust with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Find Domain Organizational Units with GetDomainOU
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Find Interesting ACL with FindInterestingDomainAcl
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Ldifde Directory Object Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
T1105
|
TTP
|
Volt Typhoon
|
2026-05-13
|
|
Remote System Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Remote System Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Remote System Discovery with Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
GetWmiObject Ds Group with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Query Registry UnInstall Program List
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
StealC Stealer, RedLine Stealer, Meduza Stealer
|
2026-05-13
|
|
Windows Registry Entries Restored Via Reg
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1012
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows AdFind Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
BlackSuit Ransomware, Graceful Wipe Out Attack, NOBELIUM Group, IcedID, Domain Trust Discovery
|
2026-05-13
|
|
Windows Get Local Admin with FindLocalAdminAccess
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Network Connection Discovery Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Prestige Ransomware, Azorult, Windows Post-Exploitation, Active Directory Discovery
|
2026-05-13
|
|
Domain Group Discovery With Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
GetDomainController with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Domain Account Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
TTP
|
Interlock Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Domain Group Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Scattered Lapsus$ Hunters, Active Directory Discovery
|
2026-05-13
|
|
User Discovery With Env Vars PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
GetDomainComputer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Special Privileged Logon On Multiple Hosts
|
Windows Event Log Security 4672
|
T1021.002
T1087
T1135
|
TTP
|
Compromised Windows Host, Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Time Based Evasion via Choice Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497.003
|
Anomaly
|
0bj3ctivity Stealer, Snake Keylogger, VIP Keylogger
|
2026-05-13
|
|
Linux System Network Discovery
|
Osquery Results, Sysmon for Linux EventID 1
|
T1016
|
Anomaly
|
VoidLink Cloud-Native Linux Malware, Network Discovery, Data Destruction, Industroyer2
|
2026-05-13
|
|
Windows Wmic DiskDrive Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows PowerView Constrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Rhysida Ransomware, CISA AA23-347A, Active Directory Kerberos Attacks
|
2026-05-13
|
|
System Information Discovery Detection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
TTP
|
Lotus Blossom Chrysalis Backdoor, Cleo File Transfer Software, BlackSuit Ransomware, LAMEHUG, Medusa Ransomware, Gozi Malware, Interlock Ransomware, SolarWinds WHD RCE Post Exploitation, Windows Discovery Techniques, BlankGrabber Stealer, NetSupport RMM Tool Abuse
|
2026-05-13
|
|
GetDomainGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows PowerShell Invoke-RestMethod IP Information Collection
|
Powershell Script Block Logging 4104
|
T1016
T1059.001
T1082
|
Anomaly
|
Water Gamayun
|
2026-05-13
|
|
Windows Chromium Browser Launched with Small Window Size
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
TTP
|
Browser Hijacking
|
2026-05-13
|
|
Get DomainUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Linux Auditd System Network Configuration Discovery
|
Linux Auditd Syscall
|
T1016
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
GetAdGroup with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
GetNetTcpconnection with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Auditd Virtual Disk File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Potential System Network Configuration Discovery Activity
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1016
|
Anomaly
|
Unusual Processes
|
2026-05-13
|
|
Check Elevated CMD using whoami
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
TTP
|
FIN7
|
2026-05-13
|
|
Get DomainUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Get ADUserResultantPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Linux Auditd File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
GetAdGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Scattered Lapsus$ Hunters, Active Directory Discovery
|
2026-05-13
|
|
GetDomainController with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Wmic Memory Chip Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows EventLog Recon Activity Using Log Query Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1654
|
Anomaly
|
Windows Discovery Techniques, BlankGrabber Stealer
|
2026-05-13
|
|
GetAdComputer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Medusa Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Windows Wmic Network Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Get WMIObject Group Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Admin Permission Discovery
|
Sysmon EventID 11
|
T1069.001
|
Anomaly
|
NjRAT
|
2026-05-13
|
|
Windows Post Exploitation Risk Behavior
|
|
T1003
T1012
T1016
T1049
T1069
T1082
T1115
T1552
|
Correlation
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Network Share Interaction Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1039
T1135
|
Hunting
|
Active Directory Privilege Escalation, Network Discovery, Active Directory Discovery
|
2026-05-13
|
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Malicious PowerShell, Active Directory Discovery
|
2026-05-13
|
|
Windows Root Domain linked policies Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
Industroyer2, Data Destruction, Active Directory Discovery
|
2026-05-13
|
|
Get-ForestTrust with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
GetAdComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
Hunting
|
Gozi Malware, CISA AA22-320A, Medusa Ransomware, Active Directory Discovery
|
2026-05-13
|
|
MacOS List Firewall Rules
|
Osquery Results
|
T1016
|
Anomaly
|
Network Discovery
|
2026-05-13
|
|
Detect AzureHound File Modifications
|
Sysmon EventID 11
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows Process Commandline Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1057
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
GetWmiObject Ds Computer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows AD Abnormal Object Access Activity
|
Windows Event Log Security 4662
|
T1087.002
|
Anomaly
|
BlackSuit Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Windows System Network Connections Discovery Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation, VIP Keylogger, Snake Keylogger, BlankGrabber Stealer
|
2026-05-13
|
|
Get DomainPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Get WMIObject Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome LocalState Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Braodo Stealer, MoonPeak, Amadey, Snake Keylogger, RedLine Stealer, Earth Alux, Warzone RAT, NjRAT, StealC Stealer, Salt Typhoon, DarkGate Malware, BlankGrabber Stealer, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee, Malicious Inno Setup Loader, Lokibot, VIP Keylogger, Salat Stealer, 0bj3ctivity Stealer, Meduza Stealer, PXA Stealer, Quasar RAT, Phemedrone Stealer
|
2026-06-08
|
|
Windows Credentials from Password Stores Chrome Login Data Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Braodo Stealer, MoonPeak, Amadey, Snake Keylogger, RedLine Stealer, Earth Alux, Warzone RAT, NjRAT, StealC Stealer, Salt Typhoon, DarkGate Malware, BlankGrabber Stealer, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee, Malicious Inno Setup Loader, Lokibot, VIP Keylogger, Salat Stealer, 0bj3ctivity Stealer, Meduza Stealer, PXA Stealer, Quasar RAT, Phemedrone Stealer
|
2026-06-08
|
|
Domain Account Discovery with Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
Anomaly
|
LAMEHUG, Active Directory Discovery
|
2026-05-13
|
|
Windows Software Discovery Via PowerShell
|
Powershell Script Block Logging 4104
|
T1012
T1059.001
T1518
|
Anomaly
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows Account Discovery for None Disable User Account
|
Powershell Script Block Logging 4104
|
T1087.001
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
GetDomainComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
T1087.002
T1204.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows System Discovery Using Qwinsta
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Qakbot
|
2026-05-13
|
|
Get ADUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
|
Hunting
|
CISA AA23-347A, Active Directory Discovery
|
2026-05-13
|
|
Headless Browser Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
T1564.003
|
Anomaly
|
Forest Blizzard, Browser Hijacking
|
2026-05-13
|
|
Network Discovery Using Route Windows App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1016.001
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Active Directory Discovery, Qakbot, CISA AA22-277A
|
2026-05-13
|
|
Detect SharpHound Command-Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
BlackSuit Ransomware, Windows Discovery Techniques, Ransomware
|
2026-05-13
|
|
Windows Netspy Network Scanner Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
T1595
|
Anomaly
|
Windows Discovery Techniques, Network Discovery
|
2026-05-13
|
|
Windows Forest Discovery with GetForestDomain
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Chromium Browser No Security Sandbox Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
TTP
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows System Remote Discovery With Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Medusa Ransomware, Active Directory Discovery
|
2026-05-13
|
|
Windows Common Abused Cmd Shell Risk Behavior |  | T1016, T1033, T1049, T1059, T1222, T1529 | Correlation | Windows Post-Exploitation, Volt Typhoon, DarkCrystal RAT, Windows Defense Evasion Tactics, FIN7, Qakbot, Azorult, CISA AA23-347A, Netsh Abuse, Microsoft WSUS CVE-2025-59287, Sandworm Tools, Disabling Security Tools | 2026-05-13
Windows PowerView Unconstrained Delegation Discovery | Powershell Script Block Logging 4104 | T1018 | TTP | Rhysida Ransomware, CISA AA23-347A, Active Directory Kerberos Attacks | 2026-05-13
GetWmiObject Ds Computer with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1018 | Anomaly | Active Directory Discovery | 2026-05-13
Windows Product Key Registry Query | Windows Event Log Security 4663 | T1012 | Anomaly | BlankGrabber Stealer | 2026-05-13
GetWmiObject DS User with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1087.002 | Anomaly | Active Directory Discovery | 2026-05-13
GetDomainGroup with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069.002 | TTP | Active Directory Discovery | 2026-05-13
GetWmiObject User Account with PowerShell Script Block | Powershell Script Block Logging 4104 | T1059.001, T1087.001 | Hunting | Winter Vivern, Malicious PowerShell, Active Directory Discovery | 2026-05-13
Windows User Discovery Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1087.001 | Hunting | Sandworm Tools, Medusa Ransomware, Active Directory Discovery | 2026-05-13
Linux Kernel Module Enumeration | Sysmon for Linux EventID 1 | T1014, T1082 | Anomaly | Linux Rootkit, XorDDos | 2026-05-13
Detect AzureHound Command-Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | Compromised Windows Host, Windows Discovery Techniques | 2026-05-13
Windows Chromium Browser with Custom User Data Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1497 | Anomaly | Malicious Inno Setup Loader, Lokibot, StealC Stealer | 2026-05-13
Linux Auditd Hidden Files And Directories Creation | Linux Auditd Execve | T1083 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13
Detect SharpHound Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | Windows Discovery Techniques, Ransomware | 2026-05-13
SchCache Change By App Connect And Create ADSI Object | Sysmon EventID 11 | T1087.002 | Anomaly | BlackMatter Ransomware | 2026-05-13
Windows WinPEAS PowerShell Script Execution | Powershell Script Block Logging 4104 | T1007, T1016, T1033, T1082, T1590, T1592.002, T1592.004, T1615 | TTP | Windows Post-Exploitation | 2026-05-13
Local Account Discovery With Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1087.001 | Hunting | Scattered Lapsus$ Hunters, Active Directory Discovery | 2026-05-13
Windows Credential Access From Browser Password Store | Windows Event Log Security 4663 | T1012 | Anomaly | Malicious Inno Setup Loader, Earth Alux, Scattered Spider, VIP Keylogger, Braodo Stealer, Salat Stealer, StealC Stealer, 0bj3ctivity Stealer, Meduza Stealer, MoonPeak, Salt Typhoon, PXA Stealer, Quasar RAT, Snake Keylogger, BlankGrabber Stealer, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee | 2026-06-08
Windows SOAPHound Binary Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069.001, T1069.002, T1087.001, T1087.002, T1482 | TTP | Compromised Windows Host, Windows Discovery Techniques | 2026-05-13
Detect attackers scanning for vulnerable JBoss servers |  | T1082, T1133 | TTP | SamSam Ransomware, JBoss Vulnerability | 2026-05-13
ESXi Bulk VM Termination | VMWare ESXi Syslog | T1499, T1529, T1673 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13
Cisco IOS XE Remote Access Probe Burst | Cisco IOS Logs | T1018, T1021.004, T1046 | Anomaly | Salt Typhoon | 2026-05-20
Cisco ASA - Reconnaissance Command Activity | Cisco ASA Logs | T1082, T1590.001, T1590.005 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13
Okta IDP Lifecycle Modifications | Okta | T1087.004 | Anomaly | Suspicious Okta Activity | 2026-05-13
Cisco IOS XE Reconnaissance Command Activity | Cisco IOS Logs | T1016, T1082, T1590 | Anomaly | Salt Typhoon | 2026-05-20
Cisco ASA - Packet Capture Activity | Cisco ASA Logs | T1040, T1557 | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13
ESXi VM Discovery | VMWare ESXi Syslog | T1673 | TTP | China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware | 2026-05-13
Okta Unauthorized Access to Application | Okta | T1087.004 | Anomaly | Okta Account Takeover | 2026-05-13
Okta Multiple Failed Requests to Access Applications | Okta | T1538, T1550.004 | Hunting | Okta Account Takeover | 2026-05-13
ESXi System Information Discovery | VMWare ESXi Syslog | T1082 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13
Kubernetes Scanner Image Pulling |  | T1526 | TTP | Dev Sec Ops | 2026-05-13
ASL AWS IAM Successful Group Deletion | ASL AWS CloudTrail | T1069.003, T1098 | Hunting | AWS IAM Privilege Escalation | 2026-05-13
ASL AWS IAM AccessDenied Discovery Events | ASL AWS CloudTrail | T1580 | Anomaly | Suspicious Cloud User Activities | 2026-05-13
AWS Excessive Security Scanning | AWS CloudTrail | T1526 | TTP | AWS User Monitoring | 2026-05-13
Azure AD AzureHound UserAgent Detected | Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs | T1087.004, T1526 | TTP | Azure Active Directory Privilege Escalation, Compromised User Account | 2026-05-13
Kubernetes Scanning by Unauthenticated IP Address | Kubernetes Audit | T1046 | Anomaly | Kubernetes Security | 2026-05-13
AWS IAM AccessDenied Discovery Events | AWS CloudTrail | T1580 | Anomaly | Suspicious Cloud User Activities | 2026-05-13
Amazon EKS Kubernetes cluster scan detection |  | T1526 | Hunting | Kubernetes Scanning Activity | 2026-05-13
AWS IAM Assume Role Policy Brute Force | AWS CloudTrail | T1110, T1580 | TTP | AWS IAM Privilege Escalation | 2026-05-13
AWS High Number Of Failed Authentications For User | AWS CloudTrail ConsoleLogin | T1201 | Anomaly | AWS Identity and Access Management Account Takeover, Compromised User Account | 2026-05-13
Kubernetes Suspicious Image Pulling | Kubernetes Audit | T1526 | Anomaly | Kubernetes Security | 2026-05-13
Azure AD Service Principal Enumeration | Azure Active Directory MicrosoftGraphActivityLogs | T1087.004, T1526 | TTP | Azure Active Directory Privilege Escalation, Compromised User Account | 2026-05-13
Kubernetes Access Scanning | Kubernetes Audit | T1046 | Anomaly | Kubernetes Security | 2026-05-13
AWS Password Policy Changes | AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy | T1201 | Hunting | AWS IAM Privilege Escalation, Compromised User Account | 2026-05-13
AWS IAM Successful Group Deletion | AWS CloudTrail DeleteGroup | T1069.003, T1098 | Hunting | AWS IAM Privilege Escalation | 2026-05-13
Amazon EKS Kubernetes Pod scan detection |  | T1526 | Hunting | Kubernetes Scanning Activity | 2026-05-13
ASL AWS IAM Assume Role Policy Brute Force | ASL AWS CloudTrail | T1110, T1580 | TTP | AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters | 2026-05-13
GCP Kubernetes cluster pod scan detection |  | T1526 | Hunting | Kubernetes Scanning Activity, Scattered Lapsus$ Hunters | 2026-05-13
AWS Bedrock High Number List Foundation Model Failures | AWS CloudTrail | T1580 | TTP | AWS Bedrock Security | 2026-05-13
Internal Horizontal Port Scan NMAP Top 20 | AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event | T1046 | TTP | China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery | 2026-05-13
Cisco Secure Firewall - Blocked Connection | Cisco Secure Firewall Threat Defense Connection Event | T1018, T1046, T1110, T1203, T1595.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13
Internal Horizontal Port Scan | AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event | T1046 | TTP | China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery | 2026-05-13
Cisco Secure Firewall - Repeated Blocked Connections | Cisco Secure Firewall Threat Defense Connection Event | T1018, T1046, T1110, T1203, T1595.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13
Internal Vulnerability Scan |  | T1046, T1595.002 | TTP | Scattered Lapsus$ Hunters, Network Discovery | 2026-05-13
Internal Vertical Port Scan | AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event | T1046 | TTP | China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery | 2026-05-13
Cisco SNMP Community String Configuration Changes | Cisco IOS Logs | T1040, T1552, T1685 | Anomaly | Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13
|