|
Windows PowerShell Invoke-Sqlcmd Execution
|
Powershell Script Block Logging 4104
|
T1059.001
T1059.003
|
Hunting
|
SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
T1053.006
|
Anomaly
|
Linux Privilege Escalation, Data Destruction, Scheduled Tasks, AwfulShred, Linux Living Off The Land, Gomir, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
MSBuild Suspicious Spawned By Script Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1127.001
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-05-13
|
|
PowerShell 4104 Hunting
|
Powershell Script Block Logging 4104
|
T1059.001
|
Hunting
|
Braodo Stealer, Cleo File Transfer Software, Flax Typhoon, SystemBC, Salat Stealer, MuddyWater, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, Water Gamayun, Rhysida Ransomware, XWorm, DarkGate Malware, Hellcat Ransomware, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Phantom Stealer, CISA AA24-241A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Cactus Ransomware, Scattered Spider, Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, Lumma Stealer, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer
|
2026-06-25
|
|
Windows WMI Process And Service List
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Reg exe Manipulating Windows Services Registry Keys
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.011
|
TTP
|
Windows Persistence Techniques, Windows Service Abuse, Living Off The Land
|
2026-05-13
|
|
Windows PowerShell WMI Win32 ScheduledJob
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
T1574.006
|
TTP
|
Linux Privilege Escalation, Salt Typhoon, VoidLink Cloud-Native Linux Malware, China-Nexus Threat Activity, Linux Persistence Techniques
|
2026-05-13
|
|
Windows TeamCity Payload Execution from Temp Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
T1190
T1505.003
|
TTP
|
JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
PowerShell Invoke WmiExec Usage
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Suspicious WMI Use, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect Empire with PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Windows Crowdstrike RTR Script Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
Anomaly
|
Cobalt Strike, Malicious PowerShell, Suspicious MSHTA Activity, Living Off The Land
|
2026-05-13
|
|
Powershell Load Module in Meterpreter
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
MetaSploit
|
2026-05-13
|
|
Windows Explorer.exe Spawning PowerShell or Cmd
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1059.001
T1204.002
|
Hunting
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Windows Binary Execution from an Archive
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Execute Javascript With Jscript COM CLSID
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.005
|
TTP
|
Ransomware
|
2026-05-13
|
|
Suspicious msbuild path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
T1127.001
|
TTP
|
Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware
|
2026-05-13
|
|
Remote Process Instantiation via WMI and PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Powershell Processing Stream Of Data
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
MuddyWater, Malicious PowerShell, Data Destruction, MoonPeak, Medusa Ransomware, AsyncRAT, IcedID, PXA Stealer, Hermetic Wiper, XWorm, Braodo Stealer, Salat Stealer, Hellcat Ransomware
|
2026-06-29
|
|
Recon Using WMI Class
|
Powershell Script Block Logging 4104
|
T1059.001
T1592
|
Anomaly
|
Quasar RAT, Axios Supply Chain Post Compromise, Malicious PowerShell, Data Destruction, MoonPeak, LockBit Ransomware, AsyncRAT, BlankGrabber Stealer, VIP Keylogger, Qakbot, Hermetic Wiper, Industroyer2, Scattered Spider, Malicious Inno Setup Loader
|
2026-05-13
|
|
Powershell Using memory As Backing Store
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Data Destruction, MoonPeak, Malicious PowerShell, Medusa Ransomware, IcedID, Hermetic Wiper, Salat Stealer
|
2026-06-08
|
|
Windows Service Created with Suspicious Service Name
|
Windows Event Log System 7045
|
T1569.002
|
Anomaly
|
Gh0st RAT, Snake Malware, CISA AA23-347A, Clop Ransomware, Qakbot, Flax Typhoon, Tuoni, PlugX, Brute Ratel C4, Active Directory Lateral Movement
|
2026-05-13
|
|
Malicious Powershell Executed As A Service
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Rhysida Ransomware, Compromised Windows Host, Malicious PowerShell
|
2026-05-13
|
|
CMD Echo Pipe - Escalation
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
T1543.003
|
TTP
|
Cobalt Strike, BlackByte Ransomware, Compromised Windows Host, Graceful Wipe Out Attack
|
2026-05-13
|
|
Cisco Isovalent - Non Allowlisted Image Use
|
Cisco Isovalent Process Exec
|
T1204.003
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows SqlWriter SQLDumper DLL Sideload
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Windows GrimResource - MMC Process Accessing APDS DLL
|
Windows Event Log Security 4663
|
T1059.007
T1218.014
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Suspicious Scheduled Task from Public Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
Anomaly
|
Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Living Off The Land, Lokibot, XWorm, DarkCrystal RAT, Ryuk Ransomware, Windows Persistence Techniques, NetSupport RMM Tool Abuse, CISA AA24-241A, Medusa Ransomware, Azorult, Scattered Spider, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, CISA AA23-347A, Crypto Stealer, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Ransomware, Hermetic Wiper, Malicious PowerShell, Data Destruction
|
2026-05-13
|
|
Windows Command and Scripting Interpreter Path Traversal Exec
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Impacket Lateral Movement Commandline Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Suspicious microsoft workflow compiler usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1127
|
TTP
|
Trusted Developer Utilities Proxy Execution, Living Off The Land
|
2026-05-13
|
|
Windows MSIX Package Interaction
|
Windows Event Log AppXPackaging 171
|
T1204.002
|
Hunting
|
MSIX Package Abuse
|
2026-05-13
|
|
Linux Auditd Preload Hijack Library Calls
|
Linux Auditd Execve
|
T1574.006
|
TTP
|
Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
T1547
T1574.001
|
Anomaly
|
Salt Typhoon, Earth Alux, XWorm, Derusbi, China-Nexus Threat Activity, APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Cisco Isovalent - Cron Job Creation
|
Cisco Isovalent Process Exec
|
T1053.003
T1053.007
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
T1053.002
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Cisco NVM - Susp Script From Archive Triggering Network Activity
|
Cisco Network Visibility Module Flow Data
|
T1059.005
T1204.002
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Scheduled Task with Highest Privileges
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Quasar RAT, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, AsyncRAT, Scheduled Tasks, RedLine Stealer, XWorm, Compromised Windows Host, NetSupport RMM Tool Abuse, Castle RAT
|
2026-05-13
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4699, Windows Event Log Security 4698
|
T1053.005
|
TTP
|
CISA AA23-347A, Scheduled Tasks, Compromised Windows Host, CISA AA22-257A, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Compatibility Telemetry Suspicious Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
T1053.006
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, China-Nexus Threat Activity, Gomir, Linux Persistence Techniques
|
2026-05-13
|
|
Windows AutoIt3 Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
TTP
|
DarkGate Malware, Void Manticore, Handala Wiper, Crypto Stealer
|
2026-05-13
|
|
Windows PowerShell FakeCAPTCHA Clipboard Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1059.001
T1059.003
T1204.001
|
TTP
|
Interlock Ransomware, Cisco Network Visibility Module Analytics, NetSupport RMM Tool Abuse, Scattered Lapsus$ Hunters, Fake CAPTCHA Campaigns
|
2026-05-13
|
|
Schtasks scheduling job on remote system
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Quasar RAT, Scheduled Tasks, Living Off The Land, RedLine Stealer, Prestige Ransomware, NOBELIUM Group, Compromised Windows Host, Active Directory Lateral Movement, Phemedrone Stealer
|
2026-05-13
|
|
Windows Suspicious VMWare Tools Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
TTP
|
China-Nexus Threat Activity, ESXi Post Compromise
|
2026-05-13
|
|
Windows AppX Deployment Full Trust Package Installation
|
Windows Event Log AppXDeployment-Server 400
|
T1204.002
T1553.005
|
Hunting
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows Powershell RemoteSigned File
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
Anomaly
|
Amadey
|
2026-05-13
|
|
Detect Rare Executables
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204
|
Anomaly
|
Salt Typhoon, Rhysida Ransomware, Unusual Processes, Crypto Stealer, China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
MacOS AMOS Stealer - Virtual Machine Check Activity
|
Osquery Results
|
T1059.002
|
Anomaly
|
Hellcat Ransomware, AMOS Stealer
|
2026-05-13
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Gomir, Linux Persistence Techniques
|
2026-05-13
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1053.003
|
Hunting
|
Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
WMI Permanent Event Subscription
|
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
T1053.005
T1059.001
|
Anomaly
|
Scheduled Tasks, Scattered Spider
|
2026-05-13
|
|
BITSAdmin Download File
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1105
T1197
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ingress Tool Transfer, Living Off The Land, Flax Typhoon, DarkSide Ransomware, BITS Jobs, Scattered Spider, Hellcat Ransomware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows SSH Proxy Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1105
T1572
|
Anomaly
|
Living Off The Land, Hellcat Ransomware, ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Svchost LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Command and Scripting Interpreter Hunting Path Traversal
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
Hunting
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Suspicious React or Next.js Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1059.003
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Suspicious Process Executed From Container File
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.008
T1204.002
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Amadey, Water Gamayun, Unusual Processes, Snake Keylogger, Remcos, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Clop Common Exec Parameter
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204
|
TTP
|
Compromised Windows Host, Clop Ransomware
|
2026-05-13
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Salt Typhoon, Medusa Ransomware, Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, SystemBC, China-Nexus Threat Activity, 0bj3ctivity Stealer, CISA AA22-257A, Winter Vivern, Castle RAT
|
2026-05-13
|
|
PowerShell Start-BitsTransfer
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1197
|
TTP
|
BITS Jobs, Gozi Malware
|
2026-05-13
|
|
Windows Scheduled Task Created Via XML
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
Anomaly
|
MoonPeak, CISA AA23-347A, Scheduled Tasks, Lokibot, Malicious Inno Setup Loader, Winter Vivern
|
2026-05-13
|
|
Set Default PowerShell Execution Policy To Unrestricted or Bypass
|
Sysmon EventID 13
|
T1059.001
|
TTP
|
Malicious PowerShell, Data Destruction, SolarWinds WHD RCE Post Exploitation, HAFNIUM Group, Hermetic Wiper, DarkGate Malware, Credential Dumping, SystemBC
|
2026-05-13
|
|
Single Letter Process On Endpoint
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
|
TTP
|
DHS Report TA18-074A, Compromised Windows Host
|
2026-05-13
|
|
Windows Executable in Loaded Modules
|
Sysmon EventID 7
|
T1129
|
TTP
|
Lokibot, NjRAT
|
2026-05-13
|
|
Windows Level RMM Watchdog Task Created
|
Windows Event Log Security 4698
|
T1053
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
T1053.003
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Linux Privilege Escalation, Data Destruction, Scheduled Tasks, AwfulShred, Linux Living Off The Land, Gomir, Linux Persistence Techniques
|
2026-05-13
|
|
Cisco NVM - Curl Execution With Insecure Flags
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
PromptLock, Microsoft WSUS CVE-2025-59287, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Cobalt Strike PowerShell Loader
|
Powershell Script Block Logging 4104
|
T1059.001
T1608
|
TTP
|
Cobalt Strike
|
2026-05-13
|
|
Windows Command Shell DCRat ForkBomb Payload
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
TTP
|
DarkCrystal RAT, Compromised Windows Host
|
2026-05-13
|
|
Windows Shell Process from CrushFTP
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1059.003
T1190
T1505
|
TTP
|
CrushFTP Vulnerabilities
|
2026-05-13
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
T1053
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Powershell Defender Threat Actions Set to Allow
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
TTP
|
Salat Stealer
|
2026-05-12
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Water Gamayun, ValleyRAT
|
2026-05-13
|
|
Windows Process Execution From RDP Share
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
T1059
T1105
|
Anomaly
|
Hidden Cobra Malware
|
2026-05-13
|
|
Linux Decode Base64 to Shell
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1027
T1059.004
|
TTP
|
Cisco Isovalent Suspicious Activity, Linux Living Off The Land
|
2026-05-13
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 11
|
T1574.001
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Command
|
Windows Event Log Security 4698, Windows Event Log Security 4702, Windows Event Log Security 4700
|
T1053.005
|
TTP
|
Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Seashell Blizzard, Ryuk Ransomware, Windows Persistence Techniques, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1126, Windows Event Log Defender 1122, Windows Event Log Defender 1132, Windows Event Log Defender 1134, Windows Event Log Defender 1125
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Advanced Installer MSIX with AI_STUBS Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
T1218
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows Service Create SliverC2
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
BishopFox Sliver Adversary Emulation Framework, Hellcat Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Drop IcedID License dat
|
Sysmon EventID 11
|
T1204.002
|
Hunting
|
IcedID
|
2026-05-13
|
|
WMI Temporary Event Subscription
|
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Earth Alux, Qakbot
|
2026-05-13
|
|
Wermgr Process Spawned CMD Or Powershell Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
TTP
|
Qakbot, Trickbot
|
2026-05-13
|
|
Windows XLL File Creation Outside of Typical Location
|
Sysmon EventID 11
|
T1059
T1129
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Cisco NVM - Suspicious File Download via Headless Browser
|
Cisco Network Visibility Module Flow Data
|
T1059
T1105
|
TTP
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Developer-Signed MSIX Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
Anomaly
|
MSIX Package Abuse
|
2026-05-13
|
|
MacOS LOLbin
|
Osquery Results
|
T1059.004
|
TTP
|
Axios Supply Chain Post Compromise, Hellcat Ransomware, Living Off The Land
|
2026-05-13
|
|
Detect Path Interception By Creation Of program exe
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.009
|
TTP
|
Windows Persistence Techniques, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Process Execution via WMI
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows MSExchange Management Mailbox Cmdlet Usage
|
|
T1059.001
|
Anomaly
|
ProxyNotShell, ProxyShell, BlackByte Ransomware, Scattered Spider
|
2026-05-13
|
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1482
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12
|
T1053.005
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Persistence Techniques, Scheduled Tasks
|
2026-05-13
|
|
Excessive number of taskhost processes
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
Anomaly
|
Meterpreter
|
2026-05-13
|
|
Conti Common Exec parameter
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204
|
TTP
|
Ransomware, Hellcat Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Schtasks used for forcing a reboot
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Ransomware, Windows Persistence Techniques, Scheduled Tasks
|
2026-05-13
|
|
Windows PowerShell Script Block With Malicious String
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Windows Compatibility Telemetry Tampering Through Registry
|
Sysmon EventID 13
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Anonymous Pipe Activity
|
Sysmon EventID 17, Sysmon EventID 18
|
T1559
|
Hunting
|
Castle RAT, Salt Typhoon, SnappyBee, China-Nexus Threat Activity, Interlock Rat
|
2026-05-13
|
|
Detect Prohibited Applications Spawning cmd exe
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
Hunting
|
Suspicious Command-Line Executions, NOBELIUM Group, Suspicious MSHTA Activity, Suspicious Zoom Child Processes
|
2026-05-13
|
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
Anomaly
|
Azorult
|
2026-06-29
|
|
Windows Remote Image Load
|
Sysmon EventID 7
|
T1059
T1068
T1129
T1203
|
Anomaly
|
Ransomware, LockBit Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows Suspicious Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
TTP
|
Cobalt Strike, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, APT37 Rustonotto and FadeStealer, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows Powershell Cryptography Namespace
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Phantom Stealer, XWorm, VIP Keylogger, AsyncRAT
|
2026-06-25
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
T1053.005
|
Hunting
|
0bj3ctivity Stealer, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Privilege Escalation, Data Destruction, Cisco Isovalent Suspicious Activity, Scheduled Tasks, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Industroyer2, Gomir, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Get-Variable.EXE Execution from WindowsApps Folder
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.008
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
T1027.011
T1059.001
T1105
|
TTP
|
PHP-CGI RCE Attack on Japanese Organizations, Malicious PowerShell, MoonPeak, Medusa Ransomware
|
2026-05-13
|
|
Windows Scheduled Task Created in a Group Policy Object
|
Windows Event Log Security 5145
|
T1053.005
T1484.001
|
TTP
|
Scheduled Tasks, Windows Persistence Techniques, Living Off The Land
|
2026-05-13
|
|
Windows Apache Benchmark Binary
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
Anomaly
|
MetaSploit
|
2026-05-13
|
|
Windows WinRAR Launched Outside Default Installation Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
Linux Suspicious React or Next.js Child Process
|
Sysmon for Linux EventID 1
|
T1059.004
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
T1055
T1059.001
|
TTP
|
Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
Schtasks Run Task On Demand
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053
|
Anomaly
|
XMRig, Data Destruction, Medusa Ransomware, Scheduled Tasks, Qakbot, Industroyer2, CISA AA22-257A
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Salt Typhoon, SolarWinds WHD RCE Post Exploitation, NailaoLocker Ransomware, XWorm, Lokibot, DarkGate Malware, Derusbi, PlugX, China-Nexus Threat Activity, Malicious Inno Setup Loader, SnappyBee
|
2026-05-13
|
|
Windows Potential AppDomainManager Hijack Artifacts Creation
|
Sysmon EventID 11
|
T1574.014
|
Anomaly
|
SesameOp
|
2026-05-13
|
|
Windows DLL Side-Loading Process Child Of Calc
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.001
|
Anomaly
|
Earth Alux, Qakbot
|
2026-05-13
|
|
PowerShell Enable PowerShell Remoting
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
Jscript Execution Using Cscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.007
|
TTP
|
Remcos, FIN7
|
2026-05-13
|
|
Windows Enable PowerShell Web Access
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
Malicious PowerShell, CISA AA24-241A
|
2026-05-13
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Linux Auditd Preload Hijack Via Preload File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1574.006
|
TTP
|
Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
T1053.005
|
Anomaly
|
Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows SQLCMD Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
Hunting
|
SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Name
|
Windows Event Log Security 4698, Windows Event Log Security 4702, Windows Event Log Security 4700
|
T1053.005
|
TTP
|
Scheduled Tasks, Ransomware, Ryuk Ransomware, Windows Persistence Techniques, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, Castle RAT
|
2026-05-13
|
|
Linux Docker Shell Execution
|
Sysmon for Linux EventID 1
|
T1059.013
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land
|
2026-05-13
|
|
Windows Cmdline Tool Execution From Non-Shell Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.007
|
Anomaly
|
Gh0st RAT, BlankGrabber Stealer, CISA AA23-347A, CISA AA22-277A, Medusa Ransomware, FIN7, Water Gamayun, Gozi Malware, SolarWinds WHD RCE Post Exploitation, Qakbot, Rhysida Ransomware, DarkGate Malware, Tuoni, Volt Typhoon
|
2026-05-13
|
|
Windows PowerShell Invoke-RestMethod IP Information Collection
|
Powershell Script Block Logging 4104
|
T1016
T1059.001
T1082
|
Anomaly
|
Water Gamayun
|
2026-05-13
|
|
Unloading AMSI via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
T1685
|
TTP
|
Malicious PowerShell, Data Destruction, Hermetic Wiper
|
2026-05-13
|
|
First Time Seen Running Windows Service
|
Windows Event Log System 7036
|
T1569.002
|
Anomaly
|
NOBELIUM Group, Windows Service Abuse, Orangeworm Attack Group
|
2026-05-13
|
|
Excessive Usage Of SC Service Utility
|
Sysmon EventID 1
|
T1569.002
|
Anomaly
|
Azorult, Ransomware, Crypto Stealer
|
2026-05-13
|
|
Windows AppX Deployment Package Installation Success
|
Windows Event Log AppXDeployment-Server 854
|
T1204.002
|
Anomaly
|
MSIX Package Abuse
|
2026-05-13
|
|
Excessive distinct processes from Windows Temp
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
Anomaly
|
Meterpreter
|
2026-05-13
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Data Destruction, Hellcat Ransomware, Scheduled Tasks, Compromised Windows Host, Industroyer2, Cactus Ransomware, Active Directory Discovery, CISA AA22-257A, Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
T1542
T1688
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Detect Certify With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1059.001
T1649
|
TTP
|
Malicious PowerShell, Windows Certificate Services
|
2026-05-13
|
|
Windows TeamCity Plugin Installed
|
Sysmon EventID 11
|
T1059
T1190
T1505.003
|
Anomaly
|
JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
|
Cisco Network Visibility Module Flow Data
|
T1059.005
T1218.005
|
Anomaly
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows User Execution Malicious URL Shortcut File
|
Sysmon EventID 11
|
T1204.002
|
Anomaly
|
Chaos Ransomware, Quasar RAT, XWorm, Snake Keylogger, APT37 Rustonotto and FadeStealer, NjRAT
|
2026-05-13
|
|
Windows Mustang Panda USB Tool Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1020
T1204.002
T1574.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Suspicious microsoft workflow compiler rename
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
T1127
|
Hunting
|
Cobalt Strike, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution, BlackByte Ransomware
|
2026-05-13
|
|
Windows NorthStar C2 Agent Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
T1547.001
T1608
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.001
|
TTP
|
Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Vbscript Execution Using Wscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.005
|
TTP
|
Remcos, FIN7, AsyncRAT
|
2026-05-13
|
|
Windows Rundll32 Execution With Log.DLL
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
GitHub Workflow File Creation or Modification
|
Sysmon for Linux EventID 11, Sysmon EventID 11
|
T1195
T1554
T1574.006
|
Hunting
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
Malicious PowerShell, Data Destruction, CISA AA24-241A, Scheduled Tasks, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Active Directory Lateral Movement
|
2026-05-13
|
|
Suspicious MSBuild Rename
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.003
T1127.001
|
Hunting
|
Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Living Off The Land, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Trusted Developer Utilities Proxy Execution MSBuild, BlackByte Ransomware
|
2026-05-13
|
|
Windows PowerShell Process Implementing Manual Base64 Decoder
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1027.010
T1059.001
|
Anomaly
|
Deobfuscate-Decode Files or Information, Compromised Windows Host
|
2026-05-13
|
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003
T1059.001
|
TTP
|
Malicious PowerShell, Data Destruction, CISA AA23-347A, CISA AA22-320A, Sandworm Tools, Hermetic Wiper, CISA AA22-264A, Scattered Spider, Hellcat Ransomware
|
2026-05-13
|
|
BITS Job Persistence
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1197
|
TTP
|
BITS Jobs, Living Off The Land
|
2026-05-13
|
|
Malicious PowerShell Process - Execution Policy Bypass
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
Anomaly
|
MuddyWater, Salt Typhoon, BlankGrabber Stealer, AsyncRAT, HAFNIUM Group, DHS Report TA18-074A, XWorm, DarkCrystal RAT, Volt Typhoon, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Cisco NVM - Installation of Typosquatted Python Package
|
Cisco Network Visibility Module Flow Data
|
T1059
|
TTP
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Schtasks Create Run As System
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, Scheduled Tasks, Qakbot, Windows Persistence Techniques, Castle RAT
|
2026-05-13
|
|
PowerShell Invoke CIMMethod CIMSession
|
Powershell Script Block Logging 4104
|
T1047
|
Anomaly
|
Malicious PowerShell, Active Directory Lateral Movement, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Remote WMI Command Attempt
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
CISA AA23-347A, IcedID, Living Off The Land, Volt Typhoon, Suspicious WMI Use, Graceful Wipe Out Attack
|
2026-05-13
|
|
Detection of tools built by NirSoft
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1072
|
Anomaly
|
Emotet Malware DHS Report TA18-201A
|
2026-05-13
|
|
Sunburst Correlation DLL and Network Event
|
Sysmon EventID 7, Sysmon EventID 22
|
T1203
|
TTP
|
NOBELIUM Group
|
2026-05-13
|
|
Cisco NVM - Suspicious Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Detect Renamed PSExec
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1569.002
|
Hunting
|
Salt Typhoon, SamSam Ransomware, CISA AA22-320A, Medusa Ransomware, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, DarkGate Malware, DarkSide Ransomware, VanHelsing Ransomware, Active Directory Lateral Movement, Cactus Ransomware, China-Nexus Threat Activity, BlackByte Ransomware
|
2026-05-13
|
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
T1059.001
T1105
|
TTP
|
Malicious PowerShell, Hellcat Ransomware
|
2026-05-13
|
|
Windows Default Cobalt Strike PowerShell Beacon
|
Powershell Script Block Logging 4104
|
T1059.001
T1204.002
|
TTP
|
Cobalt Strike
|
2026-05-13
|
|
Windows PowerShell Get CIMInstance Remote Computer
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Auditd Service Started
|
Linux Auditd Proctitle
|
T1569.002
|
Anomaly
|
Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Linux Magic SysRq Key Abuse
|
Linux Auditd Path, Linux Auditd Cwd
|
T1059.004
T1489
T1499
T1529
|
TTP
|
Compromised Linux Host
|
2026-05-13
|
|
Windows Identify Protocol Handlers
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
Hunting
|
Living Off The Land
|
2026-05-13
|
|
Windows SQL Server Extended Procedure DLL Loading Hunt
|
Windows Event Log Application 8128
|
T1059.009
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows MSC EvilTwin Directory Path Manipulation
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.005
T1203
T1218
|
TTP
|
Water Gamayun, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Revil Common Exec Parameter
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204
|
TTP
|
Ransomware, Revil Ransomware
|
2026-05-13
|
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Active Directory Discovery, Malicious PowerShell
|
2026-05-13
|
|
Windows Universal Data Link File Creation
|
Sysmon EventID 11
|
T1204.002
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1126, Windows Event Log Defender 1133, Windows Event Log Defender 1129, Windows Event Log Defender 1121, Windows Event Log Defender 1131
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Quasar RAT, Ransomware, Scheduled Tasks, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, XWorm, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, Winter Vivern, Castle RAT, Medusa Ransomware, Malicious Inno Setup Loader, Active Directory Lateral Movement, Salt Typhoon, CISA AA23-347A, IcedID, Industroyer2, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT
|
2026-05-13
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Suspicious C2 Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
TTP
|
Cobalt Strike, BlackByte Ransomware, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, Storm-0501 Ransomware, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Suspicious QEMU Execution
|
Sysmon EventID 1
|
T1001
T1036
T1204.002
T1564.006
|
TTP
|
Linux Post-Exploitation, Linux Privilege Escalation, Compromised Linux Host, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Rootkit
|
2026-05-13
|
|
Process Writing DynamicWrapperX
|
Sysmon EventID 11
|
T1059
T1559.001
|
Hunting
|
Remcos
|
2026-05-13
|
|
Scheduled Task Initiation on Remote Endpoint
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Medusa Ransomware, Scheduled Tasks, Living Off The Land, Seashell Blizzard, Active Directory Lateral Movement
|
2026-05-13
|
|
Exchange PowerShell Module Usage
|
Powershell Script Block Logging 4104
|
T1059.001
|
TTP
|
CISA AA22-277A, ProxyShell, CISA AA22-264A, ProxyNotShell, Scattered Spider, BlackByte Ransomware
|
2026-05-13
|
|
Windows PaperCut NG Spawn Shell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
T1133
T1190
|
TTP
|
PaperCut MF NG Vulnerability, Compromised Windows Host
|
2026-05-13
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Brute Ratel C4, Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation, XWorm
|
2026-05-13
|
|
PowerShell PInvoke Process Injection API Chain
|
Powershell Script Block Logging 4104
|
T1055.001
T1055.003
T1055.004
T1055.012
T1055.013
T1059.001
T1620
|
TTP
|
Phantom Stealer, VIP Keylogger
|
2026-06-25
|
|
Windows WMI Process Call Create
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
Hunting
|
CISA AA23-347A, IcedID, Qakbot, Volt Typhoon, Cactus Ransomware, Suspicious WMI Use
|
2026-05-13
|
|
PowerShell Environment Variable Execution
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
VIP Keylogger
|
2026-06-29
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Hellcat Ransomware, Winter Vivern
|
2026-05-13
|
|
Ryuk Wake on LAN Command
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
TTP
|
Ryuk Ransomware, Hellcat Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows RMM Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat
|
2026-05-13
|
|
Windows TinyCC Shellcode Execution
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1027
T1036
T1059.003
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Trickbot, IcedID, Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Castle RAT
|
2026-05-13
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
MS Scripting Process Loading WMI Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Suspicious Linux Discovery Commands
|
Sysmon for Linux EventID 1
|
T1059.004
|
TTP
|
Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Batch File Write to System32
|
Sysmon EventID 11
|
T1204.002
|
TTP
|
SamSam Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Detect Use of cmd exe to Launch Script Interpreters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
Anomaly
|
Emotet Malware DHS Report TA18-201A, Azorult, Suspicious Command-Line Executions
|
2026-05-13
|
|
Windows BitDefender Submission Wizard DLL Sideloading
|
Sysmon EventID 7
|
T1574
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Windows File Download Via PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1, Cisco Network Visibility Module Flow Data
|
T1059.001
T1105
|
Anomaly
|
SolarWinds WHD RCE Post Exploitation, NPM Supply Chain Compromise, HAFNIUM Group, Phemedrone Stealer, Data Destruction, XWorm, NetSupport RMM Tool Abuse, StealC Stealer, Winter Vivern, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Cisco Network Visibility Module Analytics, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Ingress Tool Transfer, Hermetic Wiper, SysAid On-Prem Software CVE-2023-47246 Vulnerability, IcedID, Tuoni, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Service Execution RemCom
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1569.002
|
TTP
|
Active Directory Discovery
|
2026-05-13
|
|
Windows Powershell Logoff User via Quser
|
Powershell Script Block Logging 4104
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-06-29
|
|
CMD Carry Out String Command Parameter
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
Hunting
|
Quasar RAT, Qakbot, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, Data Destruction, AsyncRAT, Rhysida Ransomware, RedLine Stealer, DarkGate Malware, DarkCrystal RAT, StealC Stealer, Warzone RAT, Winter Vivern, WhisperGate, Gh0st RAT, Hermetic Wiper, Azorult, ProxyNotShell, Malicious Inno Setup Loader, Interlock Rat, Chaos Ransomware, CISA AA23-347A, IcedID, Crypto Stealer, PlugX, 0bj3ctivity Stealer
|
2026-05-13
|
|
Windows Powershell History File Deletion
|
Powershell Script Block Logging 4104
|
T1059.003
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Software Discovery Via PowerShell
|
Powershell Script Block Logging 4104
|
T1012
T1059.001
T1518
|
Anomaly
|
Windows Discovery Techniques
|
2026-05-13
|
|
Msmpeng Application DLL Side Loading
|
Sysmon EventID 11
|
T1574.001
|
TTP
|
Ransomware, Revil Ransomware
|
2026-05-13
|
|
Windows AppX Deployment Unsigned Package Installation
|
Windows Event Log AppXDeployment-Server 855
|
T1204.002
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
Remote Process Instantiation via WMI and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows WMI Reconnaissance Class Query
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
Anomaly
|
BlankGrabber Stealer
|
2026-05-13
|
|
MS Scripting Process Loading Ldap Module
|
Sysmon EventID 7
|
T1059.007
|
Anomaly
|
FIN7
|
2026-05-13
|
|
Windows PowGoop Beacon Decoding
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1001
T1059.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows PowerShell MSIX Package Installation
|
Powershell Script Block Logging 4104
|
T1059.001
T1547.001
|
TTP
|
Malicious PowerShell, MSIX Package Abuse
|
2026-05-13
|
|
Scheduled Task Deleted Or Created via CMD
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
Anomaly
|
Quasar RAT, SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Living Off The Land, Lokibot, Prestige Ransomware, NOBELIUM Group, Remcos, CISA AA22-257A, Phemedrone Stealer, NjRAT, AsyncRAT, Rhysida Ransomware, RedLine Stealer, XWorm, DarkCrystal RAT, Windows Persistence Techniques, NetSupport RMM Tool Abuse, Winter Vivern, ShrinkLocker, AgentTesla, CISA AA24-241A, Trickbot, Medusa Ransomware, DHS Report TA18-074A, Azorult, Scattered Spider, Salt Typhoon, MoonPeak, CISA AA23-347A, Amadey, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Earth Alux, Derusbi, China-Nexus Threat Activity, Warzone RAT, NjRAT
|
2026-05-13
|
|
Script Execution via WMI
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
Suspicious WMI Use, Scattered Spider
|
2026-05-13
|
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
T1087.002
T1204.002
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows WMI Impersonate Token
|
Sysmon EventID 10
|
T1047
|
Anomaly
|
Water Gamayun, Qakbot
|
2026-05-13
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200
|
T1053.005
|
Hunting
|
SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, DarkCrystal RAT, Windows Persistence Techniques, Winter Vivern, BlackSuit Ransomware, CISA AA24-241A, Malicious Inno Setup Loader, IcedID, Amadey, Industroyer2, PlugX, ValleyRAT
|
2026-05-13
|
|
Malicious PowerShell Process With Obfuscation Techniques
|
Sysmon EventID 1
|
T1059.001
|
TTP
|
Malicious PowerShell, Data Destruction, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Hellcat Ransomware
|
2026-05-13
|
|
Windows Masquerading Explorer As Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1574.001
|
TTP
|
Water Gamayun, Compromised Windows Host, Qakbot
|
2026-05-13
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2026-05-13
|
|
Windows WinDBG Spawning AutoIt3
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
|
TTP
|
DarkGate Malware, Compromised Windows Host
|
2026-05-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
T1547.006
T1569.002
|
TTP
|
Snake Malware, Compromised Windows Host
|
2026-05-13
|
|
Cisco Isovalent - Pods Running Offensive Tools
|
Cisco Isovalent Process Exec
|
T1204.003
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
PowerShell Start or Stop Service
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Active Directory Lateral Movement, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows PowerShell Process With Malicious String
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
PowerShell Loading DotNET into Memory via Reflection
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Axios Supply Chain Post Compromise, Malicious PowerShell, Data Destruction, AgentTesla, VIP Keylogger, AsyncRAT, Hermetic Wiper, 0bj3ctivity Stealer, Hellcat Ransomware, Winter Vivern
|
2026-06-29
|
|
Windows PowerShell Script From WindowsApps Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1204.002
|
TTP
|
Malicious PowerShell, MSIX Package Abuse
|
2026-05-13
|
|
Windows PUA Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
SamSam Ransomware, CISA AA22-320A, Medusa Ransomware, IcedID, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, Seashell Blizzard, DarkGate Malware, DarkSide Ransomware, VanHelsing Ransomware, Active Directory Lateral Movement, Volt Typhoon, Cactus Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Windows Mock Trusted Directory MSC File Creation
|
Sysmon EventID 11
|
T1218.014
T1548.002
T1574
|
TTP
|
Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon for Linux EventID 11, Sysmon EventID 11
|
T1195
T1554
T1574.006
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Water Gamayun, Hellcat Ransomware, CISA AA23-347A
|
2026-05-13
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Linux Privilege Escalation, Cisco Isovalent Suspicious Activity, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Living Off The Land Detection
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Hellcat Ransomware, Living Off The Land
|
2026-05-13
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
T1016
T1033
T1049
T1059
T1222
T1529
|
Correlation
|
FIN7, CISA AA23-347A, Sandworm Tools, Microsoft WSUS CVE-2025-59287, Qakbot, Azorult, DarkCrystal RAT, Volt Typhoon, Netsh Abuse, Windows Post-Exploitation, Disabling Security Tools, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Suspicious MSBuild Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1127.001
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild, Living Off The Land
|
2026-05-13
|
|
Windows File Association Modification via Ftype
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
|
Anomaly
|
Windows File Extension and Association Abuse
|
2026-05-13
|
|
Scheduled Task Creation on Remote Endpoint using At
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.002
|
TTP
|
0bj3ctivity Stealer, Living Off The Land, Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
T1204.001
T1566.001
|
Hunting
|
AgentTesla, IcedID, Amadey, Gozi Malware, Qakbot, Azorult, Remcos, Spearphishing Attachments, Brute Ratel C4, Warzone RAT, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Remote Process Instantiation via WMI
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
Salt Typhoon, Void Manticore, CISA AA23-347A, Ransomware, China-Nexus Threat Activity, Suspicious WMI Use, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Account Access Removal via Logoff Exec
|
Sysmon EventID 1
|
T1059.001
T1531
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Windows PowerShell Module File Created
|
Sysmon EventID 11
|
T1059.001
T1129
T1574
|
Anomaly
|
Malicious PowerShell, Windows Persistence Techniques
|
2026-05-13
|
|
ETW Registry Disabled
|
Sysmon EventID 13
|
T1127
T1685
|
TTP
|
Data Destruction, CISA AA23-347A, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Process Accessing Windows Recall Directory
|
Windows Event Log Security 4663
|
T1059
T1119
|
Anomaly
|
Windows Post-Exploitation
|
2026-05-13
|
|
Windows Outlook Macro Created by Suspicious Process
|
Sysmon EventID 11
|
T1059.005
T1137
|
TTP
|
NotDoor Malware
|
2026-05-13
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 13
|
T1574.011
|
Anomaly
|
Gh0st RAT, Salt Typhoon, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques, Derusbi, Crypto Stealer, PlugX, China-Nexus Threat Activity, Brute Ratel C4, Active Directory Lateral Movement, SnappyBee
|
2026-05-13
|
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
T1027
T1059.001
|
TTP
|
Salat Stealer, NjRAT, MuddyWater, Axios Supply Chain Post Compromise, Data Destruction, AsyncRAT, XWorm, NetSupport RMM Tool Abuse, Hellcat Ransomware, Winter Vivern, Malicious PowerShell, Phantom Stealer, VIP Keylogger, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, IcedID, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer
|
2026-06-25
|
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1059.001
T1087.001
|
Hunting
|
Active Directory Discovery, Malicious PowerShell, Winter Vivern
|
2026-05-13
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
T1027.005
T1059.001
|
TTP
|
Water Gamayun, Malicious PowerShell
|
2026-05-13
|
|
PowerShell Domain Enumeration
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Malicious PowerShell, Data Destruction, Interlock Ransomware, CISA AA23-347A, Microsoft WSUS CVE-2025-59287, Hermetic Wiper
|
2026-06-28
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Malicious Inno Setup Loader, Qakbot, Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Explorer LNK Exploit Process Launch With Padding
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1059.001
T1204.002
|
TTP
|
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
|
2026-05-13
|
|
Linux Unix Shell Enable All SysRq Functions
|
Sysmon for Linux EventID 1
|
T1059.004
|
Anomaly
|
AwfulShred, Data Destruction
|
2026-05-13
|
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
T1569.002
|
TTP
|
Gh0st RAT, Salt Typhoon, Snake Malware, CISA AA23-347A, Clop Ransomware, Qakbot, Flax Typhoon, APT37 Rustonotto and FadeStealer, Derusbi, Crypto Stealer, PlugX, China-Nexus Threat Activity, Brute Ratel C4, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1134, Windows Event Log Defender 1126, Windows Event Log Defender 1122, Windows Event Log Defender 1133, Windows Event Log Defender 1131, Windows Event Log Defender 1129, Windows Event Log Defender 5007, Windows Event Log Defender 1121, Windows Event Log Defender 1125
|
T1059
T1566.001
T1566.002
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Wmiprvse LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows ScManager Security Descriptor Tampering Via Sc.EXE
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1569.002
|
TTP
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Nishang PowershellTCPOneLine
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
TTP
|
HAFNIUM Group, Cleo File Transfer Software
|
2026-05-13
|
|
Windows PowerShell Script TabExpansion Direct Call
|
Powershell Script Block Logging 4104
|
T1059.001
T1129
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
PowerShell - Connect To Internet With Hidden Window
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
|
Hunting
|
Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228
|
2026-06-04
|
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
T1059
T1105
T1190
|
TTP
|
Juniper JunOS Remote Code Execution
|
2026-05-13
|
|
CrushFTP Authentication Bypass Exploitation
|
CrushFTP
|
T1059.001
T1059.003
T1190
|
TTP
|
CrushFTP Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
Cisco IOS XE Guestshell Activation and Destroy
|
Cisco IOS Logs
|
T1059
T1611
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Cisco IOS XE Request Platform Package Describe Shell Pattern
|
Cisco IOS Logs
|
T1059
T1190
|
TTP
|
Salt Typhoon
|
2026-05-20
|
|
ESXi Reverse Shell Patterns
|
VMWare ESXi Syslog
|
T1059
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
MCP Prompt Injection
|
MCP Server
|
T1059
|
TTP
|
Suspicious MCP Activities
|
2026-05-13
|
|
PTC Windchill Gateway Command Execution
|
Windchill Log4j
|
T1005
T1059
T1190
|
Anomaly
|
PTC Windchill Exploitation
|
2026-06-14
|
|
Ollama Suspicious Prompt Injection Jailbreak
|
Ollama Server
|
T1059
T1190
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
PTC Windchill GW READY OK Probe
|
Windchill Log4j
|
T1059
T1190
|
Anomaly
|
PTC Windchill Exploitation
|
2026-06-14
|
|
MCP Filesystem Server Suspicious Extension Write
|
MCP Server
|
T1059
|
Hunting
|
Suspicious MCP Activities
|
2026-05-13
|
|
ASL AWS ECR Container Upload Unknown User
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Kubernetes newly seen UDP edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
T1053.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS ECR Container Upload Outside Business Hours
|
AWS CloudTrail PutImage
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
ASL AWS ECR Container Upload Outside Business Hours
|
ASL AWS CloudTrail
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Kubernetes Shell Running on Worker Node with CPU Activity
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
AWS Lambda UpdateFunctionCode
|
AWS CloudTrail
|
T1204
|
Hunting
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
Microsoft Intune Mobile Apps
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS ECR Container Scanning Findings Low Informational Unknown
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Kubernetes Falco Shell Spawned
|
Kubernetes Falco
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Kubernetes Anomalous Outbound Network Activity from Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
AWS ECR Container Scanning Findings Medium
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 SharePoint Malware Detection
|
Office 365 Universal Audit Log
|
T1204.002
|
TTP
|
Ransomware Cloud, Azure Active Directory Persistence, Office 365 Account Takeover
|
2026-05-13
|
|
Kubernetes Previously Unseen Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes newly seen TCP edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
AWS ECR Container Upload Unknown User
|
AWS CloudTrail PutImage
|
T1204.003
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 Threat Intelligence Suspicious File Detected
|
Office 365 Universal Audit Log
|
T1204.002
|
TTP
|
Ransomware Cloud, Office 365 Account Takeover, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Kubernetes Shell Running on Worker Node
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Process with Resource Ratio Anomalies
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Anomalous Inbound Outbound Network IO
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Node Port Creation
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Kubernetes Previously Unseen Container Image Name
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Microsoft Intune Manual Device Management
|
Azure Monitor Activity
|
T1021.007
T1072
T1529
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Kubernetes Anomalous Inbound Network Activity from Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Pod With Host Network Attachment
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Kubernetes Create or Update Privileged Pod
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Kubernetes Pod Created in Default Namespace
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Kubernetes DaemonSet Deployed
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
AWS ECR Container Scanning Findings High
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
|
TTP
|
Dev Sec Ops
|
2026-05-13
|
|
Kubernetes Process with Anomalous Resource Utilisation
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Anomalous Traffic on Network Edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Process Running From New Path
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2026-05-13
|
|
Kubernetes Unauthorized Access
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Microsoft Intune DeviceManagementConfigurationPolicies
|
Azure Monitor Activity
|
T1021.007
T1072
T1484
T1685
T1686
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Risk Rule for Dev Sec Ops by Repository
|
|
T1204.003
|
Correlation
|
Dev Sec Ops
|
2026-05-13
|
|
Cisco Secure Firewall - Blocked Connection
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Privileged Command Execution via HTTP
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1505.003
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Cisco Secure Firewall - Communication Over Suspicious Ports
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1021
T1055
T1059.001
T1105
T1219
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Blocked Connections
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Malware File Downloaded
|
Cisco Secure Firewall Threat Defense File Event
|
T1105
T1203
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Suspicious Process With Discord DNS Query
|
Sysmon EventID 22
|
T1059.005
|
Anomaly
|
WhisperGate, Data Destruction, BlankGrabber Stealer, Phantom Stealer, PXA Stealer, Cactus Ransomware
|
2026-06-25
|
|
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Suspicious Process DNS Query Known Abuse Web Services
|
Sysmon EventID 22
|
T1059.005
|
TTP
|
WhisperGate, Data Destruction, BlankGrabber Stealer, Cactus Ransomware, PXA Stealer, RedLine Stealer, Snake Keylogger, Braodo Stealer, Remcos, Meduza Stealer, Malicious Inno Setup Loader, Phemedrone Stealer
|
2026-05-13
|
|
Cisco Secure Firewall - Wget or Curl Download
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1053.003
T1059
T1071.001
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Windows DNS SIGRed via Zeek
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-05-13
|
|
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003.001
T1059.001
T1190
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Binary File Type Download
|
Cisco Secure Firewall Threat Defense File Event
|
T1059
T1203
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Possibly Compromised Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1203
T1587.001
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1190
T1204
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer
|
2026-05-13
|
|
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1071
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Windows DNS SIGRed via Splunk Stream
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-05-13
|
|
Detect Outbound LDAP Traffic
|
Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Access Firewall, Palo Alto Network Traffic
|
T1059
T1190
|
Hunting
|
Cisco Secure Access Analytics, Cisco Secure Firewall Threat Defense Analytics, Log4Shell CVE-2021-44228
|
2026-05-13
|