|
Windows Group Discovery Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
T1069.002
|
Hunting
|
SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, IcedID, Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, Prestige Ransomware, Azorult, Cleo File Transfer Software, Volt Typhoon, Windows Post-Exploitation, Active Directory Discovery, Graceful Wipe Out Attack, Windows Discovery Techniques
|
2026-05-13
|
|
Windows Password Policy Discovery with Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Administrative Shares Accessed On Multiple Hosts
|
Windows Event Log Security 5140, Windows Event Log Security 5145
|
T1135
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows AD Privileged Object Access Activity
|
Windows Event Log Security 4662
|
T1087.002
|
TTP
|
Active Directory Discovery, BlackSuit Ransomware
|
2026-05-13
|
|
Windows Chromium Process Launched with Logging Disabled
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
GetWmiObject Ds Group with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
System User Discovery With Whoami
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
PHP-CGI RCE Attack on Japanese Organizations, CISA AA23-347A, Rhysida Ransomware, Qakbot, Lotus Blossom Chrysalis Backdoor, Active Directory Discovery, LAMEHUG, Winter Vivern
|
2026-05-13
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
T1135
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Hosts File Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Gh0st RAT, BlankGrabber Stealer
|
2026-05-13
|
|
Domain Controller Discovery with Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Domain Account Discovery Via Get-NetComputer
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
CISA AA23-347A
|
2026-05-13
|
|
Wmic Group Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2026-05-13
|
|
Windows Chromium process Launched with Disable Popup Blocking
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
User Discovery With Env Vars PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Elevated Group Discovery with PowerView
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
DSQuery Domain Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1482
|
TTP
|
Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery
|
2026-05-13
|
|
System User Discovery With Query
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Active Directory Discovery, Medusa Ransomware
|
2026-05-13
|
|
Windows Net System Service Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1007
|
Hunting
|
Gh0st RAT, LAMEHUG
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover
|
2026-05-13
|
|
GetWmiObject DS User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Sensitive Group Discovery With Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
Anomaly
|
BlackSuit Ransomware, IcedID, Microsoft WSUS CVE-2025-59287, Rhysida Ransomware, Volt Typhoon, Active Directory Discovery
|
2026-05-13
|
|
GetLocalUser with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
MacOS Network Share Discovery
|
Osquery Results
|
T1135
|
Anomaly
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Windows System Network Config Discovery Display DNS
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1016
|
Anomaly
|
Prestige Ransomware, Water Gamayun, Windows Post-Exploitation, Medusa Ransomware
|
2026-05-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Advanced IP or Port Scanner Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1046
T1135
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
GetNetTcpconnection with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Domain Group Discovery With Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Wmic CPU Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows Registry Entries Exported Via Reg
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1012
|
Hunting
|
CISA AA23-347A, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows Non Discord App Access Discord LevelDB
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Phantom Stealer, BlankGrabber Stealer, PXA Stealer, Snake Keylogger, StealC Stealer
|
2026-06-25
|
|
GetWmiObject User Account with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.001
|
Hunting
|
Active Directory Discovery, Water Gamayun, Winter Vivern
|
2026-05-13
|
|
PowerShell Get LocalGroup Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
GetCurrent User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Account Discovery With NetUser PreauthNotRequire
|
Powershell Script Block Logging 4104
|
T1087
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Detect SharpHound File Modifications
|
Sysmon EventID 11
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Ransomware, BlackSuit Ransomware, Windows Discovery Techniques
|
2026-05-13
|
|
Network Traffic to Active Directory Web Services Protocol
|
Sysmon EventID 3
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
Hunting
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows System Time Discovery W32tm Delay
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1124
|
Anomaly
|
DarkCrystal RAT
|
2026-05-13
|
|
Domain Controller Discovery with Nltest
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
TTP
|
BlackSuit Ransomware, CISA AA23-347A, Medusa Ransomware, Rhysida Ransomware, NetSupport RMM Tool Abuse, Active Directory Discovery
|
2026-05-13
|
|
Cisco NVM - Suspicious Network Connection to IP Lookup Service API
|
Cisco Network Visibility Module Flow Data
|
T1016
T1590.005
|
Anomaly
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics, Castle RAT
|
2026-05-13
|
|
Windows PsTools Recon Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
T1046
T1082
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
GetCurrent User with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Powershell Get LocalGroup Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Account Discovery for Sam Account Name
|
Powershell Script Block Logging 4104
|
T1087
|
Anomaly
|
CISA AA23-347A
|
2026-05-13
|
|
Windows Information Discovery Fsutil
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Query Registry Browser List Application
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
China-Nexus Threat Activity, Salt Typhoon, RedLine Stealer, SnappyBee
|
2026-05-13
|
|
Linux Auditd Whoami User Discovery
|
Linux Auditd Syscall
|
T1033
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land, QuietVault, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Enumerate Users Local Group Using Telegram
|
Windows Event Log Security 4798
|
T1087
|
TTP
|
XMRig, Water Gamayun, Compromised Windows Host
|
2026-05-13
|
|
AdsiSearcher Account Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Data Destruction, CISA AA23-347A, Scattered Lapsus$ Hunters, Industroyer2, Active Directory Discovery
|
2026-05-13
|
|
Network Share Discovery Via Dir Command
|
Windows Event Log Security 5140
|
T1135
|
Hunting
|
IcedID
|
2026-05-13
|
|
NLTest Domain Trust Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1482
|
TTP
|
Medusa Ransomware, IcedID, Qakbot, Rhysida Ransomware, Storm-0501 Ransomware, Cleo File Transfer Software, Ryuk Ransomware, Active Directory Discovery, Domain Trust Discovery
|
2026-05-13
|
|
Linux Auditd Kernel Module Enumeration
|
Linux Auditd Syscall
|
T1014
T1082
|
Anomaly
|
XorDDos, Linux Rootkit, Compromised Linux Host
|
2026-05-13
|
|
Network Connection Discovery With Arp
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1049
|
Hunting
|
Interlock Ransomware, IcedID, Qakbot, Prestige Ransomware, Volt Typhoon, Windows Post-Exploitation, Active Directory Discovery
|
2026-05-13
|
|
Elevated Group Discovery With Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows System User Discovery Via Quser
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation, Crypto Stealer
|
2026-05-13
|
|
Get ADUserResultantPasswordPolicy with Powershell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1201
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome Extension Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
MoonPeak, BlankGrabber Stealer, CISA AA23-347A, Phantom Stealer, Amadey, RedLine Stealer, Braodo Stealer, DarkGate Malware, StealC Stealer, Meduza Stealer, 0bj3ctivity Stealer, Malicious Inno Setup Loader, Phemedrone Stealer
|
2026-06-25
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Ping Sleep Batch Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
Anomaly
|
Quasar RAT, WhisperGate, Data Destruction, Void Manticore, Gh0st RAT, Meduza Stealer, Warzone RAT, BlackByte Ransomware
|
2026-05-13
|
|
Web Servers Executing Suspicious Processes
|
Sysmon EventID 1
|
T1082
|
TTP
|
Apache Struts Vulnerability
|
2026-05-13
|
|
Network Connection Discovery With Netstat
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1049
|
Hunting
|
CISA AA23-347A, CISA AA22-277A, Medusa Ransomware, Qakbot, Prestige Ransomware, Volt Typhoon, Windows Post-Exploitation, PlugX, Active Directory Discovery
|
2026-05-13
|
|
Get DomainPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Get-DomainTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Get-AdComputer Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Kerberos Attacks, Medusa Ransomware
|
2026-05-13
|
|
Get ADUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Get ADDefaultDomainPasswordPolicy with Powershell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1201
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Auditd Database File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
T1069
T1078.002
|
TTP
|
Active Directory Discovery, Rhysida Ransomware, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows System User Privilege Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
Windows File Share Discovery With Powerview
|
Powershell Script Block Logging 4104
|
T1135
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Linked Policies In ADSI Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
Active Directory Discovery, Data Destruction, Industroyer2
|
2026-05-13
|
|
Windows Time Based Evasion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
TTP
|
BlankGrabber Stealer, NjRAT
|
2026-05-13
|
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Wmic Systeminfo Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
LAMEHUG, BlankGrabber Stealer, Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Windows Chromium Process with Disabled Extensions
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows System Discovery Using ldap Nslookup
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Get-DomainTrust with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Find Domain Organizational Units with GetDomainOU
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Find Interesting ACL with FindInterestingDomainAcl
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Ldifde Directory Object Behavior
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
T1105
|
TTP
|
Volt Typhoon
|
2026-05-13
|
|
Remote System Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Remote System Discovery with Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Remote System Discovery with Dsquery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2026-05-13
|
|
GetWmiObject Ds Group with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Query Registry UnInstall Program List
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
RedLine Stealer, StealC Stealer, Meduza Stealer
|
2026-05-13
|
|
Windows Registry Entries Restored Via Reg
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1012
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows AdFind Exe
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
TTP
|
BlackSuit Ransomware, IcedID, Domain Trust Discovery, NOBELIUM Group, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows Get Local Admin with FindLocalAdminAccess
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Network Connection Discovery Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1049
|
Hunting
|
Azorult, Active Directory Discovery, Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Domain Group Discovery With Dsquery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2026-05-13
|
|
GetDomainController with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Domain Account Discovery with Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.002
|
TTP
|
Active Directory Discovery, Interlock Ransomware
|
2026-05-13
|
|
Domain Group Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
User Discovery With Env Vars PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
GetDomainComputer with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Special Privileged Logon On Multiple Hosts
|
Windows Event Log Security 4672
|
T1021.002
T1087
T1135
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Time Based Evasion via Choice Exec
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
Anomaly
|
Snake Keylogger, 0bj3ctivity Stealer, VIP Keylogger
|
2026-05-13
|
|
Linux System Network Discovery
|
Osquery Results, Sysmon for Linux EventID 1
|
T1016
|
Anomaly
|
Data Destruction, VoidLink Cloud-Native Linux Malware, Network Discovery, Industroyer2
|
2026-05-13
|
|
Windows Wmic DiskDrive Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows PowerView Constrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware, CISA AA23-347A
|
2026-05-13
|
|
System Information Discovery Detection
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
TTP
|
Interlock Ransomware, BlackSuit Ransomware, BlankGrabber Stealer, SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, Gozi Malware, Lotus Blossom Chrysalis Backdoor, Cleo File Transfer Software, NetSupport RMM Tool Abuse, LAMEHUG, Windows Discovery Techniques
|
2026-05-13
|
|
GetDomainGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows PowerShell Invoke-RestMethod IP Information Collection
|
Powershell Script Block Logging 4104
|
T1016
T1059.001
T1082
|
Anomaly
|
Water Gamayun
|
2026-05-13
|
|
Windows Chromium Browser Launched with Small Window Size
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
TTP
|
Browser Hijacking
|
2026-05-13
|
|
Get DomainUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Linux Auditd System Network Configuration Discovery
|
Linux Auditd Syscall
|
T1016
|
Anomaly
|
Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
GetAdGroup with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
GetNetTcpconnection with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1049
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Linux Auditd Virtual Disk File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Potential System Network Configuration Discovery Activity
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1016
|
Anomaly
|
Unusual Processes
|
2026-05-13
|
|
Check Elevated CMD using whoami
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
TTP
|
FIN7
|
2026-05-13
|
|
Get DomainUser with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.002
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Get ADUserResultantPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
T1201
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Linux Auditd File And Directory Discovery
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
GetAdGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069.002
|
Hunting
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
GetDomainController with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Wmic Memory Chip Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Windows EventLog Recon Activity Using Log Query Utilities
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1654
|
Anomaly
|
BlankGrabber Stealer, Windows Discovery Techniques
|
2026-05-13
|
|
GetAdComputer with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
Hunting
|
Active Directory Discovery, Medusa Ransomware
|
2026-05-13
|
|
Windows Wmic Network Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1082
|
Anomaly
|
LAMEHUG
|
2026-05-13
|
|
Get WMIObject Group Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Admin Permission Discovery
|
Sysmon EventID 11
|
T1069.001
|
Anomaly
|
NjRAT
|
2026-05-13
|
|
Windows Post Exploitation Risk Behavior
|
|
T1003
T1012
T1016
T1049
T1069
T1082
T1115
T1552
|
Correlation
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Network Share Interaction Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1039
T1135
|
Hunting
|
Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery
|
2026-05-13
|
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Active Directory Discovery, Malicious PowerShell
|
2026-05-13
|
|
Windows Root Domain linked policies Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
|
Anomaly
|
Active Directory Discovery, Data Destruction, Industroyer2
|
2026-05-13
|
|
Get-ForestTrust with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
GetAdComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
Hunting
|
Active Directory Discovery, Gozi Malware, Medusa Ransomware, CISA AA22-320A
|
2026-05-13
|
|
MacOS List Firewall Rules
|
Osquery Results
|
T1016
|
Anomaly
|
Network Discovery
|
2026-05-13
|
|
Detect AzureHound File Modifications
|
Sysmon EventID 11
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows Process Commandline Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1057
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
GetWmiObject Ds Computer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows AD Abnormal Object Access Activity
|
Windows Event Log Security 4662
|
T1087.002
|
Anomaly
|
Active Directory Discovery, BlackSuit Ransomware
|
2026-05-13
|
|
Windows System Network Connections Discovery Netsh
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1049
|
Anomaly
|
BlankGrabber Stealer, VIP Keylogger, Phantom Stealer, Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation
|
2026-06-25
|
|
Get DomainPolicy with Powershell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1201
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Get WMIObject Group Discovery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
|
Hunting
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Credentials from Password Stores Chrome LocalState Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Quasar RAT, Lokibot, Braodo Stealer, Snake Keylogger, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, Earth Alux, RedLine Stealer, DarkGate Malware, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Warzone RAT, Phantom Stealer, VIP Keylogger, PXA Stealer, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, Amadey, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee
|
2026-06-25
|
|
Windows Credentials from Password Stores Chrome Login Data Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Quasar RAT, Lokibot, Braodo Stealer, Snake Keylogger, Salat Stealer, Phemedrone Stealer, NjRAT, BlankGrabber Stealer, Earth Alux, RedLine Stealer, DarkGate Malware, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Warzone RAT, Phantom Stealer, VIP Keylogger, PXA Stealer, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, Amadey, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee
|
2026-07-08
|
|
Domain Account Discovery with Dsquery
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.002
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2026-05-13
|
|
Windows Software Discovery Via PowerShell
|
Powershell Script Block Logging 4104
|
T1012
T1059.001
T1518
|
Anomaly
|
Windows Discovery Techniques
|
2026-05-13
|
|
Windows Account Discovery for None Disable User Account
|
Powershell Script Block Logging 4104
|
T1087.001
|
Hunting
|
CISA AA23-347A
|
2026-05-13
|
|
GetDomainComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
T1087.002
T1204.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows System Discovery Using Qwinsta
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Qakbot
|
2026-05-13
|
|
Get ADUser with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.002
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2026-05-13
|
|
Headless Browser Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
T1564.003
|
Anomaly
|
Phantom Stealer, Browser Hijacking, Forest Blizzard
|
2026-06-25
|
|
Network Discovery Using Route Windows App
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1016.001
|
Hunting
|
CISA AA22-277A, Qakbot, Prestige Ransomware, Windows Post-Exploitation, Active Directory Discovery
|
2026-05-13
|
|
Detect SharpHound Command-Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Ransomware, BlackSuit Ransomware, Windows Discovery Techniques
|
2026-05-13
|
|
Windows Netspy Network Scanner Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
T1595
|
Anomaly
|
Windows Discovery Techniques, Network Discovery
|
2026-05-13
|
|
Windows Forest Discovery with GetForestDomain
|
Powershell Script Block Logging 4104
|
T1087.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Chromium Browser No Security Sandbox Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
TTP
|
Phantom Stealer, Malicious Inno Setup Loader
|
2026-06-25
|
|
Windows System Remote Discovery With Query
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1033
|
Hunting
|
Active Directory Discovery, Medusa Ransomware
|
2026-05-13
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
T1016
T1033
T1049
T1059
T1222
T1529
|
Correlation
|
FIN7, CISA AA23-347A, Sandworm Tools, Microsoft WSUS CVE-2025-59287, Qakbot, Azorult, DarkCrystal RAT, Volt Typhoon, Netsh Abuse, Windows Post-Exploitation, Disabling Security Tools, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows PowerView Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware, CISA AA23-347A
|
2026-05-13
|
|
GetWmiObject Ds Computer with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1018
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Product Key Registry Query
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
GetWmiObject DS User with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
GetDomainGroup with PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Active Directory Discovery, Malicious PowerShell, Winter Vivern
|
2026-05-13
|
|
Windows User Discovery Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.001
|
Hunting
|
Active Directory Discovery, Sandworm Tools, Medusa Ransomware
|
2026-05-13
|
|
Linux Kernel Module Enumeration
|
Sysmon for Linux EventID 1
|
T1014
T1082
|
Anomaly
|
XorDDos, Linux Rootkit
|
2026-05-13
|
|
Detect AzureHound Command-Line Arguments
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Compromised Windows Host, Windows Discovery Techniques
|
2026-05-13
|
|
Windows Chromium Browser with Custom User Data Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497
|
Anomaly
|
Lokibot, Phantom Stealer, Malicious Inno Setup Loader, StealC Stealer
|
2026-06-25
|
|
Linux Auditd Hidden Files And Directories Creation
|
Linux Auditd Execve
|
T1083
|
Anomaly
|
Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Detect SharpHound Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Ransomware, Windows Discovery Techniques
|
2026-05-13
|
|
SchCache Change By App Connect And Create ADSI Object
|
Sysmon EventID 11
|
T1087.002
|
Anomaly
|
BlackMatter Ransomware
|
2026-05-13
|
|
Windows WinPEAS PowerShell Script Execution
|
Powershell Script Block Logging 4104
|
T1007
T1016
T1033
T1082
T1590
T1592.002
T1592.004
T1615
|
TTP
|
Windows Post-Exploitation
|
2026-05-13
|
|
Local Account Discovery With Wmic
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1087.001
|
Hunting
|
Active Directory Discovery, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Credential Access From Browser Password Store
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Quasar RAT, Braodo Stealer, Snake Keylogger, Salat Stealer, BlankGrabber Stealer, Earth Alux, Scattered Lapsus$ Hunters, StealC Stealer, Meduza Stealer, Phantom Stealer, VIP Keylogger, PXA Stealer, Scattered Spider, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, China-Nexus Threat Activity, 0bj3ctivity Stealer, SnappyBee
|
2026-06-25
|
|
Windows SOAPHound Binary Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1069.001
T1069.002
T1087.001
T1087.002
T1482
|
TTP
|
Compromised Windows Host, Windows Discovery Techniques
|
2026-05-13
|
|
Splunk Information Disclosure on Account Login
|
Splunk
|
T1087
|
Hunting
|
Splunk Vulnerabilities
|
2026-06-24
|
|
Splunk Path Traversal In Splunk App For Lookup File Edit
|
Splunk
|
T1083
|
Hunting
|
Splunk Vulnerabilities
|
2026-06-24
|
|
Detect attackers scanning for vulnerable JBoss servers
|
|
T1082
T1133
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2026-05-13
|
|
ESXi Bulk VM Termination
|
VMWare ESXi Syslog
|
T1499
T1529
T1673
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Cisco IOS XE Remote Access Probe Burst
|
Cisco IOS Logs
|
T1018
T1021.004
T1046
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Cisco ASA - Reconnaissance Command Activity
|
Cisco ASA Logs
|
T1082
T1590.001
T1590.005
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Okta IDP Lifecycle Modifications
|
Okta
|
T1087.004
|
Anomaly
|
Suspicious Okta Activity
|
2026-05-13
|
|
Cisco IOS XE Reconnaissance Command Activity
|
Cisco IOS Logs
|
T1016
T1082
T1590
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Cisco ASA - Packet Capture Activity
|
Cisco ASA Logs
|
T1040
T1557
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
ESXi VM Discovery
|
VMWare ESXi Syslog
|
T1673
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise, China-Nexus Threat Activity
|
2026-05-13
|
|
Okta Unauthorized Access to Application
|
Okta
|
T1087.004
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
Splunk Authentication Token Exposure in Debug Log
|
|
T1654
|
TTP
|
Splunk Vulnerabilities
|
2026-06-24
|
|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
T1538
T1550.004
|
Hunting
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi System Information Discovery
|
VMWare ESXi Syslog
|
T1082
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Kubernetes Scanner Image Pulling
|
|
T1526
|
TTP
|
Dev Sec Ops
|
2026-05-13
|
|
ASL AWS IAM Successful Group Deletion
|
ASL AWS CloudTrail
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
ASL AWS IAM AccessDenied Discovery Events
|
ASL AWS CloudTrail
|
T1580
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
AWS Excessive Security Scanning
|
AWS CloudTrail
|
T1526
|
TTP
|
AWS User Monitoring
|
2026-05-13
|
|
Azure AD AzureHound UserAgent Detected
|
Azure Active Directory NonInteractiveUserSignInLogs, Azure Active Directory MicrosoftGraphActivityLogs
|
T1087.004
T1526
|
TTP
|
Compromised User Account, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Kubernetes Scanning by Unauthenticated IP Address
|
Kubernetes Audit
|
T1046
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS IAM AccessDenied Discovery Events
|
AWS CloudTrail
|
T1580
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
Amazon EKS Kubernetes cluster scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity
|
2026-05-13
|
|
AWS IAM Assume Role Policy Brute Force
|
AWS CloudTrail
|
T1110
T1580
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS High Number Of Failed Authentications For User
|
AWS CloudTrail ConsoleLogin
|
T1201
|
Anomaly
|
Compromised User Account, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Kubernetes Suspicious Image Pulling
|
Kubernetes Audit
|
T1526
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Azure AD Service Principal Enumeration
|
Azure Active Directory MicrosoftGraphActivityLogs
|
T1087.004
T1526
|
TTP
|
Compromised User Account, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Kubernetes Access Scanning
|
Kubernetes Audit
|
T1046
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS Password Policy Changes
|
AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail DeleteAccountPasswordPolicy
|
T1201
|
Hunting
|
Compromised User Account, AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Amazon EKS Kubernetes Pod scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity
|
2026-05-13
|
|
ASL AWS IAM Assume Role Policy Brute Force
|
ASL AWS CloudTrail
|
T1110
T1580
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
GCP Kubernetes cluster pod scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS Bedrock High Number List Foundation Model Failures
|
AWS CloudTrail
|
T1580
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
Internal Horizontal Port Scan NMAP Top 20
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery
|
2026-05-13
|
|
Cisco Secure Firewall - Blocked Connection
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Internal Horizontal Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Blocked Connections
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Internal Vulnerability Scan
|
|
T1046
T1595.002
|
TTP
|
Scattered Lapsus$ Hunters, Network Discovery
|
2026-05-13
|
|
Internal Vertical Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery
|
2026-05-13
|
|
Cisco SNMP Community String Configuration Changes
|
Cisco IOS Logs
|
T1040
T1552
T1685
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|