|
Windows PowerShell Invoke-Sqlcmd Execution
|
Powershell Script Block Logging 4104
|
T1059.001
T1059.003
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse
|
2026-05-13
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
T1053.006
|
Anomaly
|
Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir
|
2026-05-13
|
|
MSBuild Suspicious Spawned By Script Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127.001
|
TTP
|
Trusted Developer Utilities Proxy Execution MSBuild, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
PowerShell 4104 Hunting
|
Powershell Script Block Logging 4104
|
T1059.001
|
Hunting
|
Braodo Stealer, Water Gamayun, Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287, Cactus Ransomware, Medusa Ransomware, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, MuddyWater, China-Nexus Threat Activity, XWorm, Flax Typhoon, Salat Stealer, 0bj3ctivity Stealer, CISA AA23-347A, Lumma Stealer, Axios Supply Chain Post Compromise, Malicious PowerShell, SystemBC, APT37 Rustonotto and FadeStealer, Cleo File Transfer Software, Scattered Spider, PHP-CGI RCE Attack on Japanese Organizations, CISA AA24-241A, Interlock Ransomware, Data Destruction
|
2026-06-08
|
|
Windows WMI Process And Service List
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Reg exe Manipulating Windows Services Registry Keys
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.011
|
TTP
|
Windows Service Abuse, Living Off The Land, Windows Persistence Techniques
|
2026-05-13
|
|
Windows PowerShell WMI Win32 ScheduledJob
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
T1574.006
|
TTP
|
Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity
|
2026-05-13
|
|
Windows TeamCity Payload Execution from Temp Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1190
T1505.003
|
TTP
|
JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE
|
2026-05-13
|
|
PowerShell Invoke WmiExec Usage
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Scattered Lapsus$ Hunters, Suspicious WMI Use
|
2026-05-13
|
|
Detect Empire with PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Hermetic Wiper, Malicious PowerShell, Data Destruction, Hellcat Ransomware
|
2026-05-13
|
|
Windows Crowdstrike RTR Script Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
Anomaly
|
Suspicious MSHTA Activity, Living Off The Land, Cobalt Strike, Malicious PowerShell
|
2026-05-13
|
|
Powershell Load Module in Meterpreter
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
MetaSploit
|
2026-05-13
|
|
Windows Explorer.exe Spawning PowerShell or Cmd
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1204.002
|
Hunting
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Windows Binary Execution from an Archive
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Execute Javascript With Jscript COM CLSID
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.005
|
TTP
|
Ransomware
|
2026-05-13
|
|
Suspicious msbuild path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1127.001
|
TTP
|
Living Off The Land, Cobalt Strike, BlackByte Ransomware, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Remote Process Instantiation via WMI and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Powershell Processing Stream Of Data
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Medusa Ransomware, XWorm, Braodo Stealer, AsyncRAT, Salat Stealer, Hermetic Wiper, MoonPeak, PXA Stealer, MuddyWater, Data Destruction, Hellcat Ransomware, IcedID, Malicious PowerShell
|
2026-06-08
|
|
Recon Using WMI Class
|
Powershell Script Block Logging 4104
|
T1059.001
T1592
|
Anomaly
|
Malicious Inno Setup Loader, Scattered Spider, Industroyer2, VIP Keylogger, AsyncRAT, Hermetic Wiper, MoonPeak, Qakbot, Quasar RAT, BlankGrabber Stealer, Data Destruction, LockBit Ransomware, Axios Supply Chain Post Compromise, Malicious PowerShell
|
2026-05-13
|
|
Powershell Using memory As Backing Store
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Medusa Ransomware, Salat Stealer, MoonPeak, Hermetic Wiper, Data Destruction, IcedID, Malicious PowerShell
|
2026-06-08
|
|
Windows Service Created with Suspicious Service Name
|
Windows Event Log System 7045
|
T1569.002
|
Anomaly
|
Gh0st RAT, Brute Ratel C4, Snake Malware, Flax Typhoon, PlugX, Qakbot, CISA AA23-347A, Clop Ransomware, Tuoni, Active Directory Lateral Movement
|
2026-05-13
|
|
Malicious Powershell Executed As A Service
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Rhysida Ransomware, Compromised Windows Host, Malicious PowerShell
|
2026-05-13
|
|
CMD Echo Pipe - Escalation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
T1543.003
|
TTP
|
BlackByte Ransomware, Compromised Windows Host, Cobalt Strike, Graceful Wipe Out Attack
|
2026-05-13
|
|
Cisco Isovalent - Non Allowlisted Image Use
|
Cisco Isovalent Process Exec
|
T1204.003
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows SqlWriter SQLDumper DLL Sideload
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Windows GrimResource - MMC Process Accessing APDS DLL
|
Windows Event Log Security 4663
|
T1059.007
T1218.014
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Suspicious Scheduled Task from Public Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
Anomaly
|
Crypto Stealer, Ransomware, MoonPeak, Ryuk Ransomware, NetSupport RMM Tool Abuse, Scheduled Tasks, Medusa Ransomware, DarkCrystal RAT, Salt Typhoon, Windows Persistence Techniques, China-Nexus Threat Activity, Malicious Inno Setup Loader, Lokibot, XWorm, CISA AA23-347A, Living Off The Land, APT37 Rustonotto and FadeStealer, Scattered Spider, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Azorult, Quasar RAT
|
2026-05-13
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Hermetic Wiper, Malicious PowerShell, Data Destruction, Ransomware
|
2026-05-13
|
|
Windows Command and Scripting Interpreter Path Traversal Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, Gozi Malware, CISA AA22-277A, Storm-0501 Ransomware, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement
|
2026-05-13
|
|
Suspicious microsoft workflow compiler usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution
|
2026-05-13
|
|
Windows MSIX Package Interaction
|
Windows Event Log AppXPackaging 171
|
T1204.002
|
Hunting
|
MSIX Package Abuse
|
2026-05-13
|
|
Linux Auditd Preload Hijack Library Calls
|
Linux Auditd Execve
|
T1574.006
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host
|
2026-05-13
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
T1547
T1574.001
|
Anomaly
|
Earth Alux, XWorm, APT29 Diplomatic Deceptions with WINELOADER, Salt Typhoon, Derusbi, China-Nexus Threat Activity
|
2026-05-13
|
|
Cisco Isovalent - Cron Job Creation
|
Cisco Isovalent Process Exec
|
T1053.003
T1053.007
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
T1053.002
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Cisco NVM - Susp Script From Archive Triggering Network Activity
|
Cisco Network Visibility Module Flow Data
|
T1059.005
T1204.002
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Scheduled Task with Highest Privileges
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Scheduled Tasks, Compromised Windows Host, XWorm, AsyncRAT, Castle RAT, SolarWinds WHD RCE Post Exploitation, Quasar RAT, CISA AA23-347A, NetSupport RMM Tool Abuse, RedLine Stealer
|
2026-05-13
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4699, Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Scheduled Tasks, Compromised Windows Host, CISA AA22-257A, CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Compatibility Telemetry Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
T1053.006
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, China-Nexus Threat Activity, Gomir
|
2026-05-13
|
|
Windows AutoIt3 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
Crypto Stealer, Void Manticore, Handala Wiper, DarkGate Malware
|
2026-05-13
|
|
Windows PowerShell FakeCAPTCHA Clipboard Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1059.001
T1059.003
T1204.001
|
TTP
|
Fake CAPTCHA Campaigns, Interlock Ransomware, Cisco Network Visibility Module Analytics, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Schtasks scheduling job on remote system
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Prestige Ransomware, Compromised Windows Host, Quasar RAT, NOBELIUM Group, Phemedrone Stealer, RedLine Stealer, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Suspicious VMWare Tools Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
China-Nexus Threat Activity, ESXi Post Compromise
|
2026-05-13
|
|
Windows AppX Deployment Full Trust Package Installation
|
Windows Event Log AppXDeployment-Server 400
|
T1204.002
T1553.005
|
Hunting
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows Powershell RemoteSigned File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
Anomaly
|
Amadey
|
2026-05-13
|
|
Detect Rare Executables
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204
|
Anomaly
|
Crypto Stealer, Unusual Processes, Rhysida Ransomware, Salt Typhoon, China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
MacOS AMOS Stealer - Virtual Machine Check Activity
|
Osquery Results
|
T1059.002
|
Anomaly
|
AMOS Stealer, Hellcat Ransomware
|
2026-05-13
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Gomir
|
2026-05-13
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Persistence Techniques, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
WMI Permanent Event Subscription
|
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
T1053.005
T1059.001
|
Anomaly
|
Scheduled Tasks, Scattered Spider
|
2026-05-13
|
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
T1197
|
TTP
|
DarkSide Ransomware, Living Off The Land, APT37 Rustonotto and FadeStealer, Scattered Spider, Ingress Tool Transfer, Flax Typhoon, Gozi Malware, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, BITS Jobs
|
2026-05-13
|
|
Windows SSH Proxy Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1105
T1572
|
Anomaly
|
Living Off The Land, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day, Hellcat Ransomware
|
2026-05-13
|
|
Svchost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Linux Persistence Techniques, Scheduled Tasks, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Command and Scripting Interpreter Hunting Path Traversal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Hunting
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Suspicious React or Next.js Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1059.003
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Suspicious Process Executed From Container File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.008
T1204.002
|
TTP
|
APT37 Rustonotto and FadeStealer, Remcos, Water Gamayun, Unusual Processes, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Snake Keylogger
|
2026-05-13
|
|
Clop Common Exec Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204
|
TTP
|
Compromised Windows Host, Clop Ransomware
|
2026-05-13
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Scheduled Tasks, Compromised Windows Host, Windows Error Reporting Service Elevation of Privilege Vulnerability, Medusa Ransomware, Ransomware, CISA AA22-257A, Castle RAT, Winter Vivern, 0bj3ctivity Stealer, Salt Typhoon, Ryuk Ransomware, Windows Persistence Techniques, China-Nexus Threat Activity, SystemBC
|
2026-05-13
|
|
PowerShell Start-BitsTransfer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1197
|
TTP
|
Gozi Malware, BITS Jobs
|
2026-05-13
|
|
Windows Scheduled Task Created Via XML
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
Anomaly
|
Malicious Inno Setup Loader, Scheduled Tasks, Lokibot, Winter Vivern, MoonPeak, CISA AA23-347A
|
2026-05-13
|
|
Set Default PowerShell Execution Policy To Unrestricted or Bypass
|
Sysmon EventID 13
|
T1059.001
|
TTP
|
Credential Dumping, HAFNIUM Group, Hermetic Wiper, SolarWinds WHD RCE Post Exploitation, DarkGate Malware, Data Destruction, Malicious PowerShell, SystemBC
|
2026-05-13
|
|
Single Letter Process On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
|
TTP
|
DHS Report TA18-074A, Compromised Windows Host
|
2026-05-13
|
|
Windows Executable in Loaded Modules
|
Sysmon EventID 7
|
T1129
|
TTP
|
Lokibot, NjRAT
|
2026-05-13
|
|
Windows Level RMM Watchdog Task Created
|
Windows Event Log Security 4698
|
T1053
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
T1053.003
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir
|
2026-05-13
|
|
Cisco NVM - Curl Execution With Insecure Flags
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
PromptLock, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Windows Cobalt Strike PowerShell Loader
|
Powershell Script Block Logging 4104
|
T1059.001
T1608
|
TTP
|
Cobalt Strike
|
2026-05-13
|
|
Windows Command Shell DCRat ForkBomb Payload
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
TTP
|
DarkCrystal RAT, Compromised Windows Host
|
2026-05-13
|
|
Windows Shell Process from CrushFTP
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1059.003
T1190
T1505
|
TTP
|
CrushFTP Vulnerabilities
|
2026-05-13
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
T1053
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Powershell Defender Threat Actions Set to Allow
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
TTP
|
Salat Stealer
|
2026-05-12
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
ValleyRAT, Water Gamayun
|
2026-05-13
|
|
Windows Process Execution From RDP Share
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
T1059
T1105
|
Anomaly
|
Hidden Cobra Malware
|
2026-05-13
|
|
Linux Decode Base64 to Shell
|
Sysmon for Linux EventID 1, Cisco Isovalent Process Exec
|
T1027
T1059.004
|
TTP
|
Linux Living Off The Land, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 11
|
T1574.001
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Command
|
Windows Event Log Security 4700, Windows Event Log Security 4698, Windows Event Log Security 4702
|
T1053.005
|
TTP
|
Scheduled Tasks, APT37 Rustonotto and FadeStealer, Ransomware, Seashell Blizzard, SolarWinds WHD RCE Post Exploitation, Quasar RAT, Ryuk Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1134, Windows Event Log Defender 1132, Windows Event Log Defender 1122, Windows Event Log Defender 1126, Windows Event Log Defender 1125
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Advanced Installer MSIX with AI_STUBS Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1218
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows Service Create SliverC2
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Compromised Windows Host, Hellcat Ransomware, BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Drop IcedID License dat
|
Sysmon EventID 11
|
T1204.002
|
Hunting
|
IcedID
|
2026-05-13
|
|
WMI Temporary Event Subscription
|
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Qakbot, Earth Alux
|
2026-05-13
|
|
Wermgr Process Spawned CMD Or Powershell Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
Qakbot, Trickbot
|
2026-05-13
|
|
Windows XLL File Creation Outside of Typical Location
|
Sysmon EventID 11
|
T1059
T1129
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Cisco NVM - Suspicious File Download via Headless Browser
|
Cisco Network Visibility Module Flow Data
|
T1059
T1105
|
TTP
|
Cisco Network Visibility Module Analytics, BlankGrabber Stealer
|
2026-05-13
|
|
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Developer-Signed MSIX Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
Anomaly
|
MSIX Package Abuse
|
2026-05-13
|
|
MacOS LOLbin
|
Osquery Results
|
T1059.004
|
TTP
|
Living Off The Land, Axios Supply Chain Post Compromise, Hellcat Ransomware
|
2026-05-13
|
|
Detect Path Interception By Creation Of program exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.009
|
TTP
|
Scattered Lapsus$ Hunters, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement
|
2026-05-13
|
|
Process Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows MSExchange Management Mailbox Cmdlet Usage
|
|
T1059.001
|
Anomaly
|
ProxyNotShell, BlackByte Ransomware, Scattered Spider, ProxyShell
|
2026-05-13
|
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12
|
T1053.005
T1685
|
Anomaly
|
Scheduled Tasks, Windows Registry Abuse, Windows Persistence Techniques
|
2026-05-13
|
|
Excessive number of taskhost processes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Anomaly
|
Meterpreter
|
2026-05-13
|
|
Conti Common Exec parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204
|
TTP
|
Compromised Windows Host, Ransomware, Hellcat Ransomware
|
2026-05-13
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, Gozi Malware, CISA AA22-277A, Storm-0501 Ransomware, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement
|
2026-05-13
|
|
Schtasks used for forcing a reboot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Scheduled Tasks, Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Windows PowerShell Script Block With Malicious String
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Windows Compatibility Telemetry Tampering Through Registry
|
Sysmon EventID 13
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Anonymous Pipe Activity
|
Sysmon EventID 17, Sysmon EventID 18
|
T1559
|
Hunting
|
Interlock Rat, Castle RAT, Salt Typhoon, China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
Detect Prohibited Applications Spawning cmd exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Hunting
|
Suspicious MSHTA Activity, Suspicious Zoom Child Processes, NOBELIUM Group, Suspicious Command-Line Executions
|
2026-05-13
|
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
TTP
|
Azorult
|
2026-05-13
|
|
Windows Remote Image Load
|
Sysmon EventID 7
|
T1059
T1068
T1129
T1203
|
Anomaly
|
BlackByte Ransomware, Ransomware, LockBit Ransomware
|
2026-05-13
|
|
Windows Suspicious Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
TTP
|
DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Brute Ratel C4, Cobalt Strike, Remote Monitoring and Management Software, BlackByte Ransomware, Gozi Malware, LockBit Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware, Trickbot, Tuoni, Meterpreter
|
2026-05-13
|
|
Windows Powershell Cryptography Namespace
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
XWorm, AsyncRAT, VIP Keylogger
|
2026-05-13
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
T1053.005
|
Hunting
|
CISA AA22-257A, Scheduled Tasks, 0bj3ctivity Stealer, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Industroyer2, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Cisco Isovalent Suspicious Activity, Gomir
|
2026-05-13
|
|
Windows Get-Variable.EXE Execution from WindowsApps Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.008
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
T1027.011
T1059.001
T1105
|
TTP
|
MoonPeak, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Medusa Ransomware
|
2026-05-13
|
|
Windows Scheduled Task Created in a Group Policy Object
|
Windows Event Log Security 5145
|
T1053.005
T1484.001
|
TTP
|
Living Off The Land, Scheduled Tasks, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Apache Benchmark Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Anomaly
|
MetaSploit
|
2026-05-13
|
|
Windows WinRAR Launched Outside Default Installation Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
Linux Suspicious React or Next.js Child Process
|
Sysmon for Linux EventID 1
|
T1059.004
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
T1055
T1059.001
|
TTP
|
Hermetic Wiper, Malicious PowerShell, Data Destruction, Hellcat Ransomware
|
2026-05-13
|
|
Schtasks Run Task On Demand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053
|
Anomaly
|
Scheduled Tasks, Medusa Ransomware, Industroyer2, CISA AA22-257A, XMRig, Qakbot, Data Destruction
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Malicious Inno Setup Loader, Lokibot, NailaoLocker Ransomware, XWorm, PlugX, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, DarkGate Malware, Derusbi, China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
Windows Potential AppDomainManager Hijack Artifacts Creation
|
Sysmon EventID 11
|
T1574.014
|
Anomaly
|
SesameOp
|
2026-05-13
|
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
Anomaly
|
Qakbot, Earth Alux
|
2026-05-13
|
|
PowerShell Enable PowerShell Remoting
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
Jscript Execution Using Cscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.007
|
TTP
|
Remcos, FIN7
|
2026-05-13
|
|
Windows Enable PowerShell Web Access
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell, CISA AA24-241A
|
2026-05-13
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Linux Auditd Preload Hijack Via Preload File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1574.006
|
TTP
|
Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
T1053.005
|
Anomaly
|
Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows SQLCMD Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse
|
2026-05-13
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Name
|
Windows Event Log Security 4700, Windows Event Log Security 4698, Windows Event Log Security 4702
|
T1053.005
|
TTP
|
Scheduled Tasks, APT37 Rustonotto and FadeStealer, Ransomware, Castle RAT, 0bj3ctivity Stealer, Ryuk Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Linux Docker Shell Execution
|
Sysmon for Linux EventID 1
|
T1059.013
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Cmdline Tool Execution From Non-Shell Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.007
|
Anomaly
|
Gh0st RAT, Medusa Ransomware, Volt Typhoon, Gozi Malware, Water Gamayun, Rhysida Ransomware, Qakbot, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, DarkGate Malware, BlankGrabber Stealer, CISA AA22-277A, FIN7, Tuoni
|
2026-05-13
|
|
Windows PowerShell Invoke-RestMethod IP Information Collection
|
Powershell Script Block Logging 4104
|
T1016
T1059.001
T1082
|
Anomaly
|
Water Gamayun
|
2026-05-13
|
|
Unloading AMSI via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
TTP
|
Hermetic Wiper, Data Destruction, Malicious PowerShell
|
2026-05-13
|
|
First Time Seen Running Windows Service
|
Windows Event Log System 7036
|
T1569.002
|
Anomaly
|
Windows Service Abuse, Orangeworm Attack Group, NOBELIUM Group
|
2026-05-13
|
|
Excessive Usage Of SC Service Utility
|
Sysmon EventID 1
|
T1569.002
|
Anomaly
|
Crypto Stealer, Azorult, Ransomware
|
2026-05-13
|
|
Windows AppX Deployment Package Installation Success
|
Windows Event Log AppXDeployment-Server 854
|
T1204.002
|
Anomaly
|
MSIX Package Abuse
|
2026-05-13
|
|
Excessive distinct processes from Windows Temp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Anomaly
|
Meterpreter
|
2026-05-13
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Malicious Inno Setup Loader, Scheduled Tasks, Compromised Windows Host, Cactus Ransomware, Industroyer2, CISA AA22-257A, Active Directory Discovery, Data Destruction, Hellcat Ransomware
|
2026-05-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1542
T1688
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Detect Certify With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
T1649
|
TTP
|
Windows Certificate Services, Malicious PowerShell
|
2026-05-13
|
|
Windows TeamCity Plugin Installed
|
Sysmon EventID 11
|
T1059
T1190
T1505.003
|
Anomaly
|
JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE
|
2026-05-13
|
|
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
|
Cisco Network Visibility Module Flow Data
|
T1059.005
T1218.005
|
Anomaly
|
Cisco Network Visibility Module Analytics, BlankGrabber Stealer
|
2026-05-13
|
|
Windows User Execution Malicious URL Shortcut File
|
Sysmon EventID 11
|
T1204.002
|
Anomaly
|
APT37 Rustonotto and FadeStealer, XWorm, NjRAT, Quasar RAT, Snake Keylogger, Chaos Ransomware
|
2026-05-13
|
|
Windows Mustang Panda USB Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1020
T1204.002
T1574.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation
|
2026-05-13
|
|
Suspicious microsoft workflow compiler rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1127
|
Hunting
|
Living Off The Land, Cobalt Strike, BlackByte Ransomware, Trusted Developer Utilities Proxy Execution, Masquerading - Rename System Utilities, Graceful Wipe Out Attack
|
2026-05-13
|
|
Windows NorthStar C2 Agent Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1547.001
T1608
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
TTP
|
Living Off The Land, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Vbscript Execution Using Wscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.005
|
TTP
|
Remcos, FIN7, AsyncRAT
|
2026-05-13
|
|
Windows Rundll32 Execution With Log.DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
GitHub Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
Hunting
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
Scheduled Tasks, CISA AA24-241A, Hermetic Wiper, Data Destruction, Microsoft WSUS CVE-2025-59287, Malicious PowerShell, Active Directory Lateral Movement
|
2026-05-13
|
|
Suspicious MSBuild Rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1127.001
|
Hunting
|
Living Off The Land, Cobalt Strike, BlackByte Ransomware, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows PowerShell Process Implementing Manual Base64 Decoder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027.010
T1059.001
|
Anomaly
|
Compromised Windows Host, Deobfuscate-Decode Files or Information
|
2026-05-13
|
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003
T1059.001
|
TTP
|
CISA AA22-320A, Scattered Spider, Hermetic Wiper, CISA AA22-264A, CISA AA23-347A, Hellcat Ransomware, Data Destruction, Sandworm Tools, Malicious PowerShell
|
2026-05-13
|
|
BITS Job Persistence
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1197
|
TTP
|
Living Off The Land, BITS Jobs
|
2026-05-13
|
|
Malicious PowerShell Process - Execution Policy Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Volt Typhoon, DHS Report TA18-074A, AsyncRAT, XWorm, DarkCrystal RAT, HAFNIUM Group, 0bj3ctivity Stealer, Salt Typhoon, BlankGrabber Stealer, MuddyWater, China-Nexus Threat Activity
|
2026-05-13
|
|
Cisco NVM - Installation of Typosquatted Python Package
|
Cisco Network Visibility Module Flow Data
|
T1059
|
TTP
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Scheduled Tasks, Medusa Ransomware, Castle RAT, Qakbot, SolarWinds WHD RCE Post Exploitation, Windows Persistence Techniques
|
2026-05-13
|
|
PowerShell Invoke CIMMethod CIMSession
|
Powershell Script Block Logging 4104
|
T1047
|
Anomaly
|
Scattered Lapsus$ Hunters, Malicious PowerShell, Active Directory Lateral Movement
|
2026-05-13
|
|
Remote WMI Command Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Living Off The Land, Volt Typhoon, Suspicious WMI Use, CISA AA23-347A, Graceful Wipe Out Attack, IcedID
|
2026-05-13
|
|
Detection of tools built by NirSoft
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1072
|
Anomaly
|
Emotet Malware DHS Report TA18-201A
|
2026-05-13
|
|
Sunburst Correlation DLL and Network Event
|
Sysmon EventID 7, Sysmon EventID 22
|
T1203
|
TTP
|
NOBELIUM Group
|
2026-05-13
|
|
Cisco NVM - Suspicious Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, BlankGrabber Stealer
|
2026-05-13
|
|
Detect Renamed PSExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1569.002
|
Hunting
|
DarkSide Ransomware, CISA AA22-320A, Cactus Ransomware, Medusa Ransomware, SamSam Ransomware, BlackByte Ransomware, DHS Report TA18-074A, HAFNIUM Group, Rhysida Ransomware, Salt Typhoon, VanHelsing Ransomware, DarkGate Malware, China-Nexus Threat Activity, Sandworm Tools, Active Directory Lateral Movement
|
2026-05-13
|
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
T1059.001
T1105
|
TTP
|
Hellcat Ransomware, Malicious PowerShell
|
2026-05-13
|
|
Windows Default Cobalt Strike PowerShell Beacon
|
Powershell Script Block Logging 4104
|
T1059.001
T1204.002
|
TTP
|
Cobalt Strike
|
2026-05-13
|
|
Windows PowerShell Get CIMInstance Remote Computer
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Auditd Service Started
|
Linux Auditd Proctitle
|
T1569.002
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux Magic SysRq Key Abuse
|
Linux Auditd Cwd, Linux Auditd Path
|
T1059.004
T1489
T1499
T1529
|
TTP
|
Compromised Linux Host
|
2026-05-13
|
|
Windows Identify Protocol Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Hunting
|
Living Off The Land
|
2026-05-13
|
|
Windows SQL Server Extended Procedure DLL Loading Hunt
|
Windows Event Log Application 8128
|
T1059.009
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows MSC EvilTwin Directory Path Manipulation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1203
T1218
|
TTP
|
Living Off The Land, Water Gamayun, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Revil Common Exec Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204
|
TTP
|
Revil Ransomware, Ransomware
|
2026-05-13
|
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Malicious PowerShell, Active Directory Discovery
|
2026-05-13
|
|
Windows Universal Data Link File Creation
|
Sysmon EventID 11
|
T1204.002
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1121, Windows Event Log Defender 1126
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Ransomware, Castle RAT, AsyncRAT, Ryuk Ransomware, IcedID, Active Directory Lateral Movement, Scheduled Tasks, Prestige Ransomware, Medusa Ransomware, Winter Vivern, PlugX, Salt Typhoon, Windows Persistence Techniques, China-Nexus Threat Activity, Malicious Inno Setup Loader, ValleyRAT, Compromised Windows Host, Industroyer2, CISA AA22-257A, XWorm, 0bj3ctivity Stealer, CISA AA23-347A, SystemBC, APT37 Rustonotto and FadeStealer, Remcos, Quasar RAT, Data Destruction
|
2026-05-13
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Suspicious C2 Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
TTP
|
DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Brute Ratel C4, Cobalt Strike, Remote Monitoring and Management Software, BlackByte Ransomware, Gozi Malware, LockBit Ransomware, Storm-0501 Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware, Trickbot, Tuoni, Meterpreter
|
2026-05-13
|
|
Windows Suspicious QEMU Execution
|
Sysmon EventID 1
|
T1001
T1036
T1204.002
T1564.006
|
TTP
|
Linux Rootkit, Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Process Writing DynamicWrapperX
|
Sysmon EventID 11
|
T1059
T1559.001
|
Hunting
|
Remcos
|
2026-05-13
|
|
Scheduled Task Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Medusa Ransomware, Seashell Blizzard, Active Directory Lateral Movement
|
2026-05-13
|
|
Exchange PowerShell Module Usage
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Scattered Spider, BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1133
T1190
|
TTP
|
Compromised Windows Host, PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Brute Ratel C4, XWorm, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader
|
2026-05-13
|
|
PowerShell PInvoke Process Injection API Chain
|
Powershell Script Block Logging 4104
|
T1055.001
T1055.003
T1055.004
T1055.012
T1055.013
T1059.001
T1620
|
TTP
|
VIP Keylogger
|
2026-05-13
|
|
Windows WMI Process Call Create
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
Hunting
|
Cactus Ransomware, Volt Typhoon, Qakbot, CISA AA23-347A, Suspicious WMI Use, IcedID
|
2026-05-13
|
|
PowerShell Environment Variable Execution
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Living Off The Land, Scheduled Tasks, Compromised Windows Host, Winter Vivern, Hellcat Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Ryuk Wake on LAN Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
TTP
|
Compromised Windows Host, Hellcat Ransomware, Ryuk Ransomware
|
2026-05-13
|
|
Windows RMM Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
Command And Control, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows TinyCC Shellcode Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1027
T1036
T1059.003
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Living Off The Land, Scheduled Tasks, Compromised Windows Host, Castle RAT, Windows Persistence Techniques, IcedID, Trickbot
|
2026-05-13
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
MS Scripting Process Loading WMI Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Suspicious Linux Discovery Commands
|
Sysmon for Linux EventID 1
|
T1059.004
|
TTP
|
Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Batch File Write to System32
|
Sysmon EventID 11
|
T1204.002
|
TTP
|
Compromised Windows Host, SamSam Ransomware
|
2026-05-13
|
|
Detect Use of cmd exe to Launch Script Interpreters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Anomaly
|
Emotet Malware DHS Report TA18-201A, Azorult, Suspicious Command-Line Executions
|
2026-05-13
|
|
Windows BitDefender Submission Wizard DLL Sideloading
|
Sysmon EventID 7
|
T1574
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Windows File Download Via PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1059.001
T1105
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, NetSupport RMM Tool Abuse, IcedID, Ingress Tool Transfer, Winter Vivern, HAFNIUM Group, StealC Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, NPM Supply Chain Compromise, XWorm, Malicious PowerShell, APT37 Rustonotto and FadeStealer, PHP-CGI RCE Attack on Japanese Organizations, SolarWinds WHD RCE Post Exploitation, Data Destruction, Phemedrone Stealer, Tuoni
|
2026-05-13
|
|
Windows Service Execution RemCom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1569.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Powershell Logoff User via Quser
|
Powershell Script Block Logging 4104
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
CMD Carry Out String Command Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Hunting
|
Gh0st RAT, Crypto Stealer, AsyncRAT, Hermetic Wiper, IcedID, Log4Shell CVE-2021-44228, RedLine Stealer, Warzone RAT, DarkCrystal RAT, Winter Vivern, PlugX, StealC Stealer, NjRAT, Rhysida Ransomware, DarkGate Malware, Chaos Ransomware, Malicious Inno Setup Loader, Interlock Rat, 0bj3ctivity Stealer, Qakbot, CISA AA23-347A, WhisperGate, ProxyNotShell, Living Off The Land, Azorult, Quasar RAT, Data Destruction
|
2026-05-13
|
|
Windows Powershell History File Deletion
|
Powershell Script Block Logging 4104
|
T1059.003
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Linux Persistence Techniques, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Software Discovery Via PowerShell
|
Powershell Script Block Logging 4104
|
T1012
T1059.001
T1518
|
Anomaly
|
Windows Discovery Techniques
|
2026-05-13
|
|
Msmpeng Application DLL Side Loading
|
Sysmon EventID 11
|
T1574.001
|
TTP
|
Revil Ransomware, Ransomware
|
2026-05-13
|
|
Windows AppX Deployment Unsigned Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
Remote Process Instantiation via WMI and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows WMI Reconnaissance Class Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
MS Scripting Process Loading Ldap Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Windows PowGoop Beacon Decoding
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1001
T1059.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows PowerShell MSIX Package Installation
|
Powershell Script Block Logging 4104
|
T1059.001
T1547.001
|
TTP
|
MSIX Package Abuse, Malicious PowerShell
|
2026-05-13
|
|
Scheduled Task Deleted Or Created via CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
Anomaly
|
DHS Report TA18-074A, AsyncRAT, MoonPeak, Amadey, NetSupport RMM Tool Abuse, Trickbot, RedLine Stealer, Scheduled Tasks, Prestige Ransomware, Medusa Ransomware, DarkCrystal RAT, Winter Vivern, NjRAT, PlugX, Rhysida Ransomware, Salt Typhoon, NOBELIUM Group, Windows Persistence Techniques, China-Nexus Threat Activity, ValleyRAT, Lokibot, CISA AA22-257A, XWorm, 0bj3ctivity Stealer, AgentTesla, Qakbot, CISA AA23-347A, Sandworm Tools, Living Off The Land, APT37 Rustonotto and FadeStealer, Remcos, Scattered Spider, ShrinkLocker, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Quasar RAT, Azorult, Phemedrone Stealer
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Earth Alux, Warzone RAT, NjRAT, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Derusbi, China-Nexus Threat Activity
|
2026-05-13
|
|
Script Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Suspicious WMI Use, Scattered Spider
|
2026-05-13
|
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
T1087.002
T1204.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows WMI Impersonate Token
|
Sysmon EventID 10
|
T1047
|
Anomaly
|
Qakbot, Water Gamayun
|
2026-05-13
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200
|
T1053.005
|
Hunting
|
BlackSuit Ransomware, AsyncRAT, Amadey, IcedID, Prestige Ransomware, Scheduled Tasks, DarkCrystal RAT, Winter Vivern, PlugX, Windows Persistence Techniques, Malicious Inno Setup Loader, ValleyRAT, Industroyer2, CISA AA22-257A, Qakbot, Sandworm Tools, SystemBC, Remcos, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Data Destruction
|
2026-05-13
|
|
Malicious PowerShell Process With Obfuscation Techniques
|
Sysmon EventID 1
|
T1059.001
|
TTP
|
Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Data Destruction, Hellcat Ransomware, Malicious PowerShell
|
2026-05-13
|
|
Windows Masquerading Explorer As Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
TTP
|
Water Gamayun, Qakbot, Compromised Windows Host
|
2026-05-13
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Hermetic Wiper, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Windows WinDBG Spawning AutoIt3
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2026-05-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
T1547.006
T1569.002
|
TTP
|
Compromised Windows Host, Snake Malware
|
2026-05-13
|
|
Cisco Isovalent - Pods Running Offensive Tools
|
Cisco Isovalent Process Exec
|
T1204.003
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
PowerShell Start or Stop Service
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows PowerShell Process With Malicious String
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
PowerShell Loading DotNET into Memory via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
VIP Keylogger, Winter Vivern, AsyncRAT, 0bj3ctivity Stealer, Hermetic Wiper, AgentTesla, Data Destruction, Hellcat Ransomware, Axios Supply Chain Post Compromise, Malicious PowerShell
|
2026-05-13
|
|
Windows PowerShell Script From WindowsApps Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1204.002
|
TTP
|
MSIX Package Abuse, Malicious PowerShell
|
2026-05-13
|
|
Windows PUA Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
DarkSide Ransomware, CISA AA22-320A, Cactus Ransomware, Medusa Ransomware, SamSam Ransomware, BlackByte Ransomware, DHS Report TA18-074A, Volt Typhoon, HAFNIUM Group, Seashell Blizzard, Rhysida Ransomware, VanHelsing Ransomware, DarkGate Malware, IcedID, Sandworm Tools, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Mock Trusted Directory MSC File Creation
|
Sysmon EventID 11
|
T1218.014
T1548.002
T1574
|
TTP
|
Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Water Gamayun, CISA AA23-347A, Hellcat Ransomware
|
2026-05-13
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Living Off The Land Detection
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
T1016
T1033
T1049
T1059
T1222
T1529
|
Correlation
|
Windows Post-Exploitation, Volt Typhoon, DarkCrystal RAT, Windows Defense Evasion Tactics, FIN7, Qakbot, Azorult, CISA AA23-347A, Netsh Abuse, Microsoft WSUS CVE-2025-59287, Sandworm Tools, Disabling Security Tools
|
2026-05-13
|
|
Suspicious MSBuild Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127.001
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows File Association Modification via Ftype
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
|
Anomaly
|
Windows File Extension and Association Abuse
|
2026-05-13
|
|
Scheduled Task Creation on Remote Endpoint using At
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.002
|
TTP
|
Living Off The Land, Scheduled Tasks, 0bj3ctivity Stealer, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
T1204.001
T1566.001
|
Hunting
|
Remcos, Brute Ratel C4, APT37 Rustonotto and FadeStealer, Warzone RAT, Spearphishing Attachments, Gozi Malware, Qakbot, AgentTesla, Azorult, Amadey, IcedID
|
2026-05-13
|
|
Remote Process Instantiation via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Ransomware, Salt Typhoon, Suspicious WMI Use, CISA AA23-347A, China-Nexus Threat Activity, Void Manticore, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Account Access Removal via Logoff Exec
|
Sysmon EventID 1
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows PowerShell Module File Created
|
Sysmon EventID 11
|
T1059.001
T1129
T1574
|
Anomaly
|
Malicious PowerShell, Windows Persistence Techniques
|
2026-05-13
|
|
ETW Registry Disabled
|
Sysmon EventID 13
|
T1127
T1685
|
TTP
|
Windows Registry Abuse, Hermetic Wiper, CISA AA23-347A, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Process Accessing Windows Recall Directory
|
Windows Event Log Security 4663
|
T1059
T1119
|
Anomaly
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Outlook Macro Created by Suspicious Process
|
Sysmon EventID 11
|
T1059.005
T1137
|
TTP
|
NotDoor Malware
|
2026-05-13
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 13
|
T1574.011
|
Anomaly
|
Gh0st RAT, Crypto Stealer, Windows Registry Abuse, Brute Ratel C4, PlugX, Suspicious Windows Registry Activities, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Derusbi, Windows Persistence Techniques, China-Nexus Threat Activity, SnappyBee, Active Directory Lateral Movement
|
2026-05-13
|
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
T1027
T1059.001
|
TTP
|
AsyncRAT, Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287, NetSupport RMM Tool Abuse, IcedID, Medusa Ransomware, Winter Vivern, NjRAT, MuddyWater, VIP Keylogger, XWorm, Salat Stealer, 0bj3ctivity Stealer, Axios Supply Chain Post Compromise, Malicious PowerShell, APT37 Rustonotto and FadeStealer, Data Destruction
|
2026-06-08
|
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Winter Vivern, Malicious PowerShell, Active Directory Discovery
|
2026-05-13
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
T1027.005
T1059.001
|
TTP
|
Water Gamayun, Malicious PowerShell
|
2026-05-13
|
|
PowerShell Domain Enumeration
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Hermetic Wiper, Interlock Ransomware, CISA AA23-347A, Data Destruction, Microsoft WSUS CVE-2025-59287, Malicious PowerShell
|
2026-05-13
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Malicious Inno Setup Loader, Living Off The Land, Qakbot, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Explorer LNK Exploit Process Launch With Padding
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1204.002
|
TTP
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Linux Unix Shell Enable All SysRq Functions
|
Sysmon for Linux EventID 1
|
T1059.004
|
Anomaly
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Gh0st RAT, Crypto Stealer, Brute Ratel C4, Snake Malware, APT37 Rustonotto and FadeStealer, Flax Typhoon, PlugX, Qakbot, Salt Typhoon, CISA AA23-347A, Derusbi, Clop Ransomware, China-Nexus Threat Activity, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1129, Windows Event Log Defender 5007, Windows Event Log Defender 1134, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1122, Windows Event Log Defender 1121, Windows Event Log Defender 1126, Windows Event Log Defender 1125
|
T1059
T1566.001
T1566.002
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Wmiprvse LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows ScManager Security Descriptor Tampering Via Sc.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1569.002
|
TTP
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Nishang PowershellTCPOneLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
TTP
|
Cleo File Transfer Software, HAFNIUM Group
|
2026-05-13
|
|
Windows PowerShell Script TabExpansion Direct Call
|
Powershell Script Block Logging 4104
|
T1059.001
T1129
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
PowerShell - Connect To Internet With Hidden Window
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
|
Hunting
|
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, HAFNIUM Group, Hermetic Wiper, AgentTesla, Data Destruction, Log4Shell CVE-2021-44228, Malicious PowerShell
|
2026-06-04
|
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
T1059
T1105
T1190
|
TTP
|
Juniper JunOS Remote Code Execution
|
2026-05-13
|
|
CrushFTP Authentication Bypass Exploitation
|
CrushFTP
|
T1059.001
T1059.003
T1190
|
TTP
|
CrushFTP Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
Cisco IOS XE Guestshell Activation and Destroy
|
Cisco IOS Logs
|
T1059
T1611
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Cisco IOS XE Request Platform Package Describe Shell Pattern
|
Cisco IOS Logs
|
T1059
T1190
|
TTP
|
Salt Typhoon
|
2026-05-20
|
|
ESXi Reverse Shell Patterns
|
VMWare ESXi Syslog
|
T1059
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
MCP Prompt Injection
|
MCP Server
|
T1059
|
TTP
|
Suspicious MCP Activities
|
2026-05-13
|
|
PTC Windchill Gateway Command Execution
|
Windchill Log4j
|
T1005
T1059
T1190
|
Anomaly
|
PTC Windchill Exploitation
|
2026-06-14
|
|
Ollama Suspicious Prompt Injection Jailbreak
|
Ollama Server
|
T1059
T1190
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
PTC Windchill GW READY OK Probe
|
Windchill Log4j
|
T1059
T1190
|
Anomaly
|
PTC Windchill Exploitation
|
2026-06-14
|
|
MCP Filesystem Server Suspicious Extension Write
|
MCP Server
|
T1059
|
Hunting
|
Suspicious MCP Activities
|
2026-05-13
|
|
ASL AWS ECR Container Upload Unknown User
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Kubernetes newly seen UDP edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
T1053.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS ECR Container Upload Outside Business Hours
|
AWS CloudTrail PutImage
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
ASL AWS ECR Container Upload Outside Business Hours
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Kubernetes Shell Running on Worker Node with CPU Activity
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
AWS Lambda UpdateFunctionCode
|
AWS CloudTrail
|
T1204
|
Hunting
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
Microsoft Intune Mobile Apps
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS ECR Container Scanning Findings Low Informational Unknown
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Kubernetes Falco Shell Spawned
|
Kubernetes Falco
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Kubernetes Anomalous Outbound Network Activity from Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
AWS ECR Container Scanning Findings Medium
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 SharePoint Malware Detection
|
Office 365 Universal Audit Log
|
T1204.002
|
TTP
|
Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud
|
2026-05-13
|
|
Kubernetes Previously Unseen Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes newly seen TCP edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
AWS ECR Container Upload Unknown User
|
AWS CloudTrail PutImage
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 Threat Intelligence Suspicious File Detected
|
Office 365 Universal Audit Log
|
T1204.002
|
TTP
|
Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud
|
2026-05-13
|
|
Kubernetes Shell Running on Worker Node
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Process with Resource Ratio Anomalies
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Anomalous Inbound Outbound Network IO
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Node Port Creation
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Kubernetes Previously Unseen Container Image Name
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Microsoft Intune Manual Device Management
|
Azure Monitor Activity
|
T1021.007
T1072
T1529
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Kubernetes Anomalous Inbound Network Activity from Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Pod With Host Network Attachment
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Kubernetes Create or Update Privileged Pod
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Kubernetes Pod Created in Default Namespace
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Kubernetes DaemonSet Deployed
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS ECR Container Scanning Findings High
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
TTP
|
Dev Sec Ops
|
2026-05-13
|
|
Kubernetes Process with Anomalous Resource Utilisation
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Anomalous Traffic on Network Edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Process Running From New Path
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Unauthorized Access
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Microsoft Intune DeviceManagementConfigurationPolicies
|
Azure Monitor Activity
|
T1021.007
T1072
T1484
T1685
T1686
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Risk Rule for Dev Sec Ops by Repository
|
|
T1204.003
|
Correlation
|
Dev Sec Ops
|
2026-05-13
|
|
Cisco Secure Firewall - Blocked Connection
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Privileged Command Execution via HTTP
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1505.003
|
Anomaly
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Communication Over Suspicious Ports
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1021
T1055
T1059.001
T1105
T1219
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Blocked Connections
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Malware File Downloaded
|
Cisco Secure Firewall Threat Defense File Event
|
T1105
T1203
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Suspicious Process With Discord DNS Query
|
Sysmon EventID 22
|
T1059.005
|
Anomaly
|
Cactus Ransomware, PXA Stealer, BlankGrabber Stealer, Data Destruction, WhisperGate
|
2026-05-13
|
|
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Suspicious Process DNS Query Known Abuse Web Services
|
Sysmon EventID 22
|
T1059.005
|
TTP
|
Malicious Inno Setup Loader, Remcos, Cactus Ransomware, Braodo Stealer, Meduza Stealer, PXA Stealer, Snake Keylogger, Data Destruction, BlankGrabber Stealer, WhisperGate, Phemedrone Stealer, RedLine Stealer
|
2026-05-13
|
|
Cisco Secure Firewall - Wget or Curl Download
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1053.003
T1059
T1071.001
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Windows DNS SIGRed via Zeek
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-05-13
|
|
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003.001
T1059.001
T1190
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Binary File Type Download
|
Cisco Secure Firewall Threat Defense File Event
|
T1059
T1203
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Possibly Compromised Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1203
T1587.001
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1190
T1204
T1210
|
TTP
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1071
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Windows DNS SIGRed via Splunk Stream
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-05-13
|
|
Detect Outbound LDAP Traffic
|
Palo Alto Network Traffic, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event
|
T1059
T1190
|
Hunting
|
Log4Shell CVE-2021-44228, Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics
|
2026-05-13
|
