| Detection | Data Source | MITRE ATT&CK | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Deleting Shadow Copies | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Rhysida Ransomware, Void Manticore, Ransomware, Chaos Ransomware, Prestige Ransomware, CISA AA22-264A, LockBit Ransomware, Compromised Windows Host, Clop Ransomware, Cactus Ransomware, DarkGate Malware, VanHelsing Ransomware, Medusa Ransomware, Storm-2460 CLFS Zero Day Exploitation, Windows Log Manipulation, Termite Ransomware, SamSam Ransomware, Black Basta Ransomware | 2026-05-13 |
| Disabling SystemRestore In Registry | Sysmon EventID 13 | T1490 | TTP | Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics | 2026-05-13 |
| Linux DD File Overwrite | Sysmon for Linux EventID 1 | T1485 | TTP | Data Destruction, Industroyer2 | 2026-05-13 |
| Common Ransomware Notes | Sysmon EventID 11 | T1485 | Hunting | Rhysida Ransomware, NailaoLocker Ransomware, Hellcat Ransomware, Ransomware, Chaos Ransomware, LockBit Ransomware, Black Basta Ransomware, Clop Ransomware, Medusa Ransomware, Storm-0501 Ransomware, Termite Ransomware, SamSam Ransomware, Ryuk Ransomware, Interlock Ransomware | 2026-05-13 |
| Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | Hellcat Ransomware, AcidRain | 2026-05-13 |
| Windows Service Stop Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Hunting | Scattered Lapsus$ Hunters, Prestige Ransomware, Graceful Wipe Out Attack, Gh0st RAT | 2026-05-13 |
| Windows Excessive Service Stop Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | TTP | XMRig, BlackByte Ransomware, Ransomware | 2026-05-13 |
| Windows Security Account Manager Stopped | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | TTP | Scattered Lapsus$ Hunters, Ryuk Ransomware, Compromised Windows Host | 2026-05-13 |
| Linux Auditd Sysmon Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Shred Overwrite Command | Linux Auditd Proctitle | T1485 | TTP | Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host, Data Destruction, Industroyer2, AwfulShred | 2026-05-13 |
| Modification Of Wallpaper | Sysmon EventID 13 | T1491 | TTP | Rhysida Ransomware, Ransomware, Brute Ratel C4, ZOVWiper, Windows Registry Abuse, LockBit Ransomware, BlackMatter Ransomware, Revil Ransomware, Black Basta Ransomware | 2026-05-13 |
| Windows Data Destruction Recursive Exec Files Deletion | Sysmon EventID 23, Sysmon EventID 26 | T1485 | TTP | Void Manticore, Disk Wiper, Swift Slicer, Data Destruction, Handala Wiper | 2026-05-13 |
| Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, Data Destruction, AcidPour | 2026-05-13 |
| Windows User Disabled Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | Anomaly | XMRig | 2026-05-13 |
| Sdelete Application Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070.004, T1485 | TTP | Void Manticore, Scattered Spider, Masquerading - Rename System Utilities | 2026-05-13 |
| Windows Excessive Usage Of Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | Anomaly | Rhysida Ransomware, Ransomware, Windows Post-Exploitation, Prestige Ransomware, Graceful Wipe Out Attack, Azorult, XMRig | 2026-05-13 |
| Windows File Without Extension In Critical Folder | Sysmon EventID 11 | T1485 | TTP | Hermetic Wiper, Data Destruction | 2026-05-13 |
| Excessive Attempt To Disable Services | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Anomaly | XMRig, Azorult | 2026-05-13 |
| Excessive File Deletion In WinDefender Folder | Sysmon EventID 23, Sysmon EventID 26 | T1485 | TTP | BlackByte Ransomware, WhisperGate, Data Destruction | 2026-05-13 |
| Windows Suspicious File in EFI Volume | Sysmon EventID 11 | T1490, T1542.001 | TTP | Sandworm Tools, Windows BootKits, BlackLotus Campaign | 2026-05-13 |
| Linux Deletion Of Services | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | AcidRain, Data Destruction, AcidPour, AwfulShred | 2026-05-13 |
| Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, AcidPour | 2026-05-13 |
| Linux Auditd Auditd Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Compromised Linux Host | 2026-05-13 |
| Windows Service Deletion In Registry | Sysmon EventID 13 | T1489 | Anomaly | Crypto Stealer, PlugX, Brute Ratel C4 | 2026-05-13 |
| Linux Disable Services | Sysmon for Linux EventID 1 | T1489 | TTP | Data Destruction, Industroyer2, AwfulShred | 2026-05-13 |
| Windows .Key File Creation in Root Directory | Sysmon EventID 11 | T1486 | Anomaly | Ransomware | 2026-05-13 |
| Linux Shred Overwrite Command | Sysmon for Linux EventID 1 | T1485 | TTP | Linux Persistence Techniques, Linux Privilege Escalation, Data Destruction, Industroyer2, AwfulShred | 2026-05-13 |
| Delete ShadowCopy With PowerShell | Powershell Script Block Logging 4104 | T1490 | TTP | Ransomware, VanHelsing Ransomware, DarkSide Ransomware, DarkGate Malware, Revil Ransomware, Cactus Ransomware | 2026-05-13 |
| Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | AcidRain, Data Destruction, AcidPour | 2026-05-13 |
| Windows Security And Backup Services Stop | Windows Event Log System 7036 | T1490 | TTP | Hellcat Ransomware, Ransomware, LockBit Ransomware, Compromised Windows Host, Scattered Lapsus$ Hunters, Termite Ransomware, BlackMatter Ransomware | 2026-05-13 |
| Windows Disable Memory Crash Dump | Sysmon EventID 13 | T1485 | TTP | Windows Registry Abuse, Data Destruction, Ransomware, Hermetic Wiper | 2026-05-13 |
| Windows System Reboot CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Hunting | Quasar RAT, MoonPeak, XWorm, MuddyWater, DarkGate Malware, Scattered Lapsus$ Hunters, DarkCrystal RAT, NjRAT | 2026-05-13 |
| WBAdmin Delete System Backups | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Ransomware, Chaos Ransomware, Prestige Ransomware, Storm-0501 Ransomware, Storm-2460 CLFS Zero Day Exploitation, Ryuk Ransomware | 2026-05-13 |
| Windows Cisco Secure Endpoint Related Service Stopped | Windows Event Log System 7036 | T1490 | Anomaly | Hellcat Ransomware, Scattered Lapsus$ Hunters, Security Solution Tampering | 2026-05-13 |
| Linux Auditd Data Destruction Command | Linux Auditd Proctitle | T1485 | TTP | Compromised Linux Host, Data Destruction, AwfulShred | 2026-05-13 |
| Windows System Shutdown CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Anomaly | Quasar RAT, MoonPeak, Sandworm Tools, XWorm, ZOVWiper, MuddyWater, DarkGate Malware, Scattered Lapsus$ Hunters, DarkCrystal RAT, NjRAT | 2026-05-13 |
| Ransomware Notes bulk creation | Sysmon EventID 11 | T1486 | Anomaly | Rhysida Ransomware, NailaoLocker Ransomware, Hellcat Ransomware, Chaos Ransomware, LockBit Ransomware, Clop Ransomware, DarkSide Ransomware, Medusa Ransomware, BlackMatter Ransomware, Termite Ransomware, Cactus Ransomware, Black Basta Ransomware, Interlock Ransomware | 2026-05-13 |
| Windows Defacement Modify Transcodedwallpaper File | Sysmon EventID 1, Sysmon EventID 11 | T1491 | Anomaly | Brute Ratel C4 | 2026-05-13 |
| Windows System LogOff Commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Anomaly | DarkCrystal RAT, NjRAT, XWorm, Scattered Lapsus$ Hunters | 2026-05-13 |
| Linux Deleting Critical Directory Using RM Command | Sysmon for Linux EventID 1 | T1485 | TTP | Data Destruction, Industroyer2, AwfulShred | 2026-05-13 |
| BCDEdit Failure Recovery Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Void Manticore, Ransomware, Compromised Windows Host, Storm-2460 CLFS Zero Day Exploitation, Ryuk Ransomware | 2026-05-13 |
| Linux System Reboot Via System Request Key | Sysmon for Linux EventID 1 | T1529 | TTP | Data Destruction, AwfulShred | 2026-05-13 |
| Linux Auditd Osquery Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Compromised Linux Host | 2026-05-13 |
| Resize ShadowStorage volume | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | BlackByte Ransomware, VanHelsing Ransomware, Compromised Windows Host, Clop Ransomware, Medusa Ransomware | 2026-05-13 |
| Linux Magic SysRq Key Abuse | Linux Auditd Path, Linux Auditd Cwd | T1059.004, T1489, T1499, T1529 | TTP | Compromised Linux Host | 2026-05-13 |
| Windows BitLocker Suspicious Command Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1486, T1490 | TTP | ShrinkLocker | 2026-05-13 |
| Linux Data Destruction Command | Sysmon for Linux EventID 1 | T1485 | TTP | Data Destruction, AwfulShred | 2026-05-13 |
| Windows Service Stop Win Updates | Windows Event Log System 7040 | T1489 | Anomaly | CISA AA23-347A, RedLine Stealer | 2026-05-13 |
| Windows WBAdmin File Recovery From Backup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490, T1565.001 | Anomaly | Credential Dumping | 2026-05-13 |
| Windows Processes Killed By Industroyer2 Malware | Sysmon EventID 5 | T1489 | Anomaly | Data Destruction, Industroyer2 | 2026-05-13 |
| Windows Raw Access To Master Boot Record Drive | Sysmon EventID 9 | T1561.002 | TTP | Void Manticore, PathWiper, Caddy Wiper, BlackByte Ransomware, Disk Wiper, Hermetic Wiper, Graceful Wipe Out Attack, CISA AA22-264A, Data Destruction, WhisperGate, NjRAT | 2026-05-13 |
| Bcdedit Command Back To Normal Mode Boot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Black Basta Ransomware, BlackMatter Ransomware | 2026-05-13 |
| Linux Auditd Dd File Overwrite | Linux Auditd Proctitle | T1485 | TTP | Data Destruction, Industroyer2, Compromised Linux Host | 2026-05-13 |
| Windows User Deletion Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | Anomaly | DarkGate Malware, XMRig, Graceful Wipe Out Attack | 2026-05-13 |
| Windows Powershell Logoff User via Quser | Powershell Script Block Logging 4104 | T1059.001, T1531 | Anomaly | Crypto Stealer | 2026-05-13 |
| Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, Data Destruction | 2026-05-13 |
| Windows Raw Access To Disk Volume Partition | Sysmon EventID 9 | T1561.002 | Anomaly | Void Manticore, PathWiper, Caddy Wiper, BlackByte Ransomware, Disk Wiper, Hermetic Wiper, Graceful Wipe Out Attack, CISA AA22-264A, Data Destruction, NjRAT | 2026-05-13 |
| Prevent Automatic Repair Mode using Bcdedit | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Void Manticore, Ransomware, Chaos Ransomware | 2026-05-13 |
| Windows Set Account Password Policy To Unlimited Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Anomaly | Crypto Stealer, XMRig, BlackByte Ransomware, Ransomware | 2026-05-13 |
| Linux High Frequency Of File Deletion In Boot Folder | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | AcidPour, Data Destruction, Industroyer2 | 2026-05-13 |
| Windows High File Deletion Frequency | Sysmon EventID 23, Sysmon EventID 26 | T1485 | Anomaly | NailaoLocker Ransomware, Void Manticore, Sandworm Tools, ZOVWiper, Swift Slicer, Data Destruction, APT37 Rustonotto and FadeStealer, Clop Ransomware, WhisperGate, Medusa Ransomware, DynoWiper, Interlock Ransomware, DarkCrystal RAT, Black Basta Ransomware, Handala Wiper | 2026-05-13 |
| Common Ransomware Extensions | Sysmon EventID 11 | T1485 | TTP | Rhysida Ransomware, NailaoLocker Ransomware, Ransomware, Prestige Ransomware, LockBit Ransomware, Black Basta Ransomware, Clop Ransomware, Medusa Ransomware, Termite Ransomware, SamSam Ransomware, Ryuk Ransomware, Interlock Ransomware | 2026-05-13 |
| Samsam Test File Write | Sysmon EventID 11 | T1486 | TTP | SamSam Ransomware | 2026-05-13 |
| Linux Auditd Stop Services | Linux Auditd Service Stop | T1489 | Hunting | Compromised Linux Host, Data Destruction, Industroyer2, AwfulShred | 2026-05-13 |
| Windows Common Abused Cmd Shell Risk Behavior | | T1016, T1033, T1049, T1059, T1222, T1529 | Correlation | Sandworm Tools, FIN7, Windows Post-Exploitation, Azorult, Netsh Abuse, Disabling Security Tools, DarkCrystal RAT, Volt Typhoon, Windows Defense Evasion Tactics, CISA AA23-347A, Qakbot, Microsoft WSUS CVE-2025-59287 | 2026-05-13 |
| Windows Account Access Removal via Logoff Exec | Sysmon EventID 1 | T1059.001, T1531 | Anomaly | Crypto Stealer | 2026-05-13 |
| Change To Safe Mode With Network Config | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Black Basta Ransomware, BlackMatter Ransomware | 2026-05-13 |
| High Process Termination Frequency | Sysmon EventID 5 | T1486 | Anomaly | Rhysida Ransomware, NailaoLocker Ransomware, Hellcat Ransomware, BlackByte Ransomware, LockBit Ransomware, Clop Ransomware, Crypto Stealer, Medusa Ransomware, Snake Keylogger, Termite Ransomware, Interlock Ransomware | 2026-05-13 |
| Windows DiskCryptor Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1486 | Hunting | Ransomware | 2026-05-13 |
| Windows Service Stop By Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Hunting | Crypto Stealer, Azorult, Graceful Wipe Out Attack | 2026-05-13 |
| Windows WMIC Shadowcopy Delete | Sysmon EventID 1 | T1490 | Anomaly | Cactus Ransomware, Volt Typhoon, Suspicious WMI Use | 2026-05-13 |
| Ryuk Test Files Detected | Sysmon EventID 11 | T1486 | TTP | Ryuk Ransomware | 2026-05-13 |
| Linux Stop Services | Sysmon for Linux EventID 1 | T1489 | TTP | Data Destruction, Industroyer2, AwfulShred | 2026-05-13 |
| Detect Web Access to Decommissioned S3 Bucket | AWS Cloudfront | T1485 | Anomaly | Data Destruction, AWS S3 Bucket Security Monitoring | 2026-05-13 |
| ESXi Bulk VM Termination | VMWare ESXi Syslog | T1499, T1529, T1673 | TTP | Black Basta Ransomware, ESXi Post Compromise | 2026-05-13 |
| Cisco ASA - User Account Deleted From Local Database | Cisco ASA Logs | T1070.008, T1531 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Ollama Abnormal Service Crash Availability Attack | Ollama Server | T1489 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Ollama Possible Memory Exhaustion Resource Abuse | Ollama Server | T1499 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Ollama Excessive API Requests | Ollama Server | T1498 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| ASL AWS Disable Bucket Versioning | ASL AWS CloudTrail | T1490 | Anomaly | Data Exfiltration, Suspicious AWS S3 Activities | 2026-05-13 |
| ASL AWS Detect Users creating keys with encrypt policy without MFA | ASL AWS CloudTrail | T1486 | TTP | Ransomware Cloud | 2026-05-13 |
| GitHub Organizations Repository Archived | GitHub Organizations Audit Logs | T1195, T1485 | Anomaly | NPM Supply Chain Compromise, GitHub Malicious Activity | 2026-05-13 |
| AWS Bedrock Delete Knowledge Base | AWS CloudTrail DeleteKnowledgeBase | T1485 | TTP | AWS Bedrock Security | 2026-05-13 |
| AWS Detect Users with KMS keys performing encryption S3 | AWS CloudTrail | T1486 | Anomaly | Ransomware Cloud | 2026-05-13 |
| O365 Email Send Attachments Excessive Volume | Office 365 Universal Audit Log | T1070.008, T1485 | Anomaly | Office 365 Account Takeover, Suspicious Emails | 2026-05-13 |
| GitHub Enterprise Repository Deleted | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | NPM Supply Chain Compromise, GitHub Malicious Activity | 2026-05-13 |
| AWS Disable Bucket Versioning | AWS CloudTrail PutBucketVersioning | T1490 | Anomaly | Data Exfiltration, Suspicious AWS S3 Activities | 2026-05-13 |
| AWS Detect Users creating keys with encrypt policy without MFA | AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy | T1486 | TTP | Ransomware Cloud | 2026-05-13 |
| Microsoft Intune Bulk Wipe | Azure Monitor Activity | T1561.001 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| O365 Email Password and Payroll Compromise Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | TTP | Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13 |
| O365 Email Receive and Hard Delete Takeover Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13 |
| O365 Email Hard Delete Excessive Volume | Office 365 Universal Audit Log | T1070.008, T1485 | Anomaly | Office 365 Account Takeover, Data Destruction, Suspicious Emails | 2026-05-13 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | T1021.007, T1072, T1529 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| AWS Defense Evasion PutBucketLifecycle | AWS CloudTrail PutBucketLifecycle | T1485.001, T1685.002 | Hunting | AWS Defense Evasion | 2026-05-13 |
| O365 Email Send and Hard Delete Exfiltration Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13 |
| ASL AWS Defense Evasion PutBucketLifecycle | ASL AWS CloudTrail | T1485.001, T1685.002 | Hunting | AWS Defense Evasion | 2026-05-13 |
| GitHub Organizations Repository Deleted | GitHub Organizations Audit Logs | T1195, T1485 | Anomaly | NPM Supply Chain Compromise, GitHub Malicious Activity | 2026-05-13 |
| GitHub Enterprise Remove Organization | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity | 2026-05-13 |
| GitHub Enterprise Repository Archived | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | NPM Supply Chain Compromise, GitHub Malicious Activity | 2026-05-13 |
| O365 Email Send and Hard Delete Suspicious Behavior | Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails | 2026-05-13 |
| Detect DNS Query to Decommissioned S3 Bucket | Sysmon EventID 22 | T1485 | Anomaly | Data Destruction, AWS S3 Bucket Security Monitoring | 2026-05-13 |
| Detect ARP Poisoning | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Cisco Secure Firewall - Static Tundra Smart Install Abuse | Cisco Secure Firewall Threat Defense Intrusion Event | T1190, T1210, T1499 | TTP | Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-05-13 |
| Detect Rogue DHCP Server | Cisco IOS Logs | T1200, T1498, T1557 | TTP | Router and Infrastructure Security, Scattered Lapsus$ Hunters | 2026-05-13 |
| Detect Port Security Violation | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Large Volume of DNS ANY Queries | | T1498.002 | Anomaly | DNS Amplification Attacks | 2026-05-13 |
| Detect Traffic Mirroring | Cisco IOS Logs | T1020.001, T1200, T1498 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Detect IPv6 Network Infrastructure Threats | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security, Scattered Lapsus$ Hunters | 2026-05-13 |