| Detection | Data Source | ATT&CK Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Deleting Shadow Copies | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Prestige Ransomware, Compromised Windows Host, Ransomware, Black Basta Ransomware, Cactus Ransomware, Medusa Ransomware, Storm-2460 CLFS Zero Day Exploitation, Rhysida Ransomware, VanHelsing Ransomware, CISA AA22-264A, Windows Log Manipulation, Chaos Ransomware, DarkGate Malware, LockBit Ransomware, Clop Ransomware, Termite Ransomware, Void Manticore, SamSam Ransomware | 2026-05-13 |
| Disabling SystemRestore In Registry | Sysmon EventID 13 | T1490 | TTP | NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics | 2026-05-13 |
| Linux DD File Overwrite | Sysmon for Linux EventID 1 | T1485 | TTP | Data Destruction, Industroyer2 | 2026-05-13 |
| Common Ransomware Notes | Sysmon EventID 11 | T1485 | Hunting | Medusa Ransomware, Ransomware, Ryuk Ransomware, Black Basta Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Interlock Ransomware, Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Hellcat Ransomware, Storm-0501 Ransomware, Termite Ransomware, SamSam Ransomware | 2026-05-13 |
| Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, Hellcat Ransomware | 2026-05-13 |
| Windows Service Stop Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Hunting | Gh0st RAT, Prestige Ransomware, Scattered Lapsus$ Hunters, Graceful Wipe Out Attack | 2026-05-13 |
| Windows Excessive Service Stop Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | TTP | XMRig, BlackByte Ransomware, Ransomware | 2026-05-13 |
| Windows Security Account Manager Stopped | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | TTP | Compromised Windows Host, Scattered Lapsus$ Hunters, Ryuk Ransomware | 2026-05-13 |
| Linux Auditd Sysmon Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Shred Overwrite Command | Linux Auditd Proctitle | T1485 | TTP | AwfulShred, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation, Data Destruction, Compromised Linux Host | 2026-05-13 |
| Modification Of Wallpaper | Sysmon EventID 13 | T1491 | TTP | Revil Ransomware, Brute Ratel C4, Windows Registry Abuse, Ransomware, Black Basta Ransomware, Rhysida Ransomware, LockBit Ransomware, BlackMatter Ransomware, ZOVWiper | 2026-05-13 |
| Windows Data Destruction Recursive Exec Files Deletion | Sysmon EventID 23, Sysmon EventID 26 | T1485 | TTP | Disk Wiper, Handala Wiper, Swift Slicer, Data Destruction, Void Manticore | 2026-05-13 |
| Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, Data Destruction, AcidPour | 2026-05-13 |
| Windows User Disabled Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | Anomaly | XMRig | 2026-05-13 |
| Sdelete Application Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070.004, T1485 | TTP | Masquerading - Rename System Utilities, Void Manticore, Scattered Spider | 2026-05-13 |
| Windows Excessive Usage Of Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | Anomaly | Prestige Ransomware, Windows Post-Exploitation, Ransomware, XMRig, Rhysida Ransomware, Azorult, Graceful Wipe Out Attack | 2026-05-13 |
| Windows File Without Extension In Critical Folder | Sysmon EventID 11 | T1485 | TTP | Hermetic Wiper, Data Destruction | 2026-05-13 |
| Excessive Attempt To Disable Services | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Anomaly | XMRig, Azorult | 2026-05-13 |
| Excessive File Deletion In WinDefender Folder | Sysmon EventID 23, Sysmon EventID 26 | T1485 | TTP | WhisperGate, BlackByte Ransomware, Data Destruction | 2026-05-13 |
| Windows Suspicious File in EFI Volume | Sysmon EventID 11 | T1490, T1542.001 | TTP | Windows BootKits, BlackLotus Campaign, Sandworm Tools | 2026-05-13 |
| Linux Deletion Of Services | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | AcidRain, AwfulShred, Data Destruction, AcidPour | 2026-05-13 |
| Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, AcidPour | 2026-05-13 |
| Linux Auditd Auditd Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Windows Service Deletion In Registry | Sysmon EventID 13 | T1489 | Anomaly | Crypto Stealer, Brute Ratel C4, PlugX | 2026-05-13 |
| Linux Disable Services | Sysmon for Linux EventID 1 | T1489 | TTP | AwfulShred, Data Destruction, Industroyer2 | 2026-05-13 |
| Windows .Key File Creation in Root Directory | Sysmon EventID 11 | T1486 | Anomaly | Ransomware | 2026-05-13 |
| Linux Shred Overwrite Command | Sysmon for Linux EventID 1 | T1485 | TTP | AwfulShred, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation, Data Destruction | 2026-05-13 |
| Delete ShadowCopy With PowerShell | Powershell Script Block Logging 4104 | T1490 | TTP | DarkSide Ransomware, Revil Ransomware, Cactus Ransomware, Ransomware, VanHelsing Ransomware, DarkGate Malware | 2026-05-13 |
| Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | AcidRain, Data Destruction, AcidPour | 2026-05-13 |
| Windows Security And Backup Services Stop | Windows Event Log System 7036 | T1490 | TTP | Compromised Windows Host, Ransomware, Scattered Lapsus$ Hunters, LockBit Ransomware, Hellcat Ransomware, BlackMatter Ransomware, Termite Ransomware | 2026-05-13 |
| Windows Disable Memory Crash Dump | Sysmon EventID 13 | T1485 | TTP | Hermetic Wiper, Data Destruction, Windows Registry Abuse, Ransomware | 2026-05-13 |
| Windows System Reboot CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Hunting | XWorm, DarkCrystal RAT, NjRAT, MoonPeak, Quasar RAT, DarkGate Malware, MuddyWater, Scattered Lapsus$ Hunters | 2026-05-13 |
| WBAdmin Delete System Backups | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Prestige Ransomware, Ransomware, Ryuk Ransomware, Chaos Ransomware, Storm-0501 Ransomware, Storm-2460 CLFS Zero Day Exploitation | 2026-05-13 |
| Windows Cisco Secure Endpoint Related Service Stopped | Windows Event Log System 7036 | T1490 | Anomaly | Hellcat Ransomware, Security Solution Tampering, Scattered Lapsus$ Hunters | 2026-05-13 |
| Linux Auditd Data Destruction Command | Linux Auditd Proctitle | T1485 | TTP | AwfulShred, Data Destruction, Compromised Linux Host | 2026-05-13 |
| Windows System Shutdown CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Anomaly | XWorm, DarkCrystal RAT, NjRAT, MoonPeak, Quasar RAT, DarkGate Malware, Scattered Lapsus$ Hunters, MuddyWater, Sandworm Tools, ZOVWiper | 2026-05-13 |
| Ransomware Notes bulk creation | Sysmon EventID 11 | T1486 | Anomaly | DarkSide Ransomware, Medusa Ransomware, Black Basta Ransomware, Cactus Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Interlock Ransomware, Termite Ransomware, Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Hellcat Ransomware, BlackMatter Ransomware | 2026-05-13 |
| Windows Defacement Modify Transcodedwallpaper File | Sysmon EventID 1, Sysmon EventID 11 | T1491 | Anomaly | Brute Ratel C4 | 2026-05-13 |
| Windows System LogOff Commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Anomaly | DarkCrystal RAT, XWorm, NjRAT, Scattered Lapsus$ Hunters | 2026-05-13 |
| Linux Deleting Critical Directory Using RM Command | Sysmon for Linux EventID 1 | T1485 | TTP | AwfulShred, Data Destruction, Industroyer2 | 2026-05-13 |
| BCDEdit Failure Recovery Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Compromised Windows Host, Ransomware, Ryuk Ransomware, Storm-2460 CLFS Zero Day Exploitation, Void Manticore | 2026-05-13 |
| Linux System Reboot Via System Request Key | Sysmon for Linux EventID 1 | T1529 | TTP | AwfulShred, Data Destruction | 2026-05-13 |
| Linux Auditd Osquery Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Resize ShadowStorage volume | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Compromised Windows Host, Medusa Ransomware, BlackByte Ransomware, VanHelsing Ransomware, Clop Ransomware | 2026-05-13 |
| Linux Magic SysRq Key Abuse | Linux Auditd Cwd, Linux Auditd Path | T1059.004, T1489, T1499, T1529 | TTP | Compromised Linux Host | 2026-05-13 |
| Windows BitLocker Suspicious Command Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1486, T1490 | TTP | ShrinkLocker | 2026-05-13 |
| Linux Data Destruction Command | Sysmon for Linux EventID 1 | T1485 | TTP | AwfulShred, Data Destruction | 2026-05-13 |
| Windows Service Stop Win Updates | Windows Event Log System 7040 | T1489 | Anomaly | CISA AA23-347A, RedLine Stealer | 2026-05-13 |
| Windows WBAdmin File Recovery From Backup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490, T1565.001 | Anomaly | Credential Dumping | 2026-05-13 |
| Windows Processes Killed By Industroyer2 Malware | Sysmon EventID 5 | T1489 | Anomaly | Data Destruction, Industroyer2 | 2026-05-13 |
| Windows Raw Access To Master Boot Record Drive | Sysmon EventID 9 | T1561.002 | TTP | Disk Wiper, BlackByte Ransomware, NjRAT, Hermetic Wiper, CISA AA22-264A, PathWiper, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Caddy Wiper, Void Manticore | 2026-05-13 |
| Bcdedit Command Back To Normal Mode Boot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | BlackMatter Ransomware, Black Basta Ransomware | 2026-05-13 |
| Linux Auditd Dd File Overwrite | Linux Auditd Proctitle | T1485 | TTP | Compromised Linux Host, Data Destruction, Industroyer2 | 2026-05-13 |
| Windows User Deletion Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | Anomaly | XMRig, DarkGate Malware, Graceful Wipe Out Attack | 2026-05-13 |
| Windows Powershell Logoff User via Quser | Powershell Script Block Logging 4104 | T1059.001, T1531 | Anomaly | Crypto Stealer | 2026-05-13 |
| Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, Data Destruction | 2026-05-13 |
| Windows Raw Access To Disk Volume Partition | Sysmon EventID 9 | T1561.002 | Anomaly | Disk Wiper, BlackByte Ransomware, NjRAT, Hermetic Wiper, CISA AA22-264A, PathWiper, Data Destruction, Graceful Wipe Out Attack, Caddy Wiper, Void Manticore | 2026-05-13 |
| Prevent Automatic Repair Mode using Bcdedit | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Void Manticore, Chaos Ransomware, Ransomware | 2026-05-13 |
| Windows Set Account Password Policy To Unlimited Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Anomaly | XMRig, BlackByte Ransomware, Crypto Stealer, Ransomware | 2026-05-13 |
| Linux High Frequency Of File Deletion In Boot Folder | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | AcidPour, Data Destruction, Industroyer2 | 2026-05-13 |
| Windows High File Deletion Frequency | Sysmon EventID 23, Sysmon EventID 26 | T1485 | Anomaly | APT37 Rustonotto and FadeStealer, Medusa Ransomware, Black Basta Ransomware, NailaoLocker Ransomware, DarkCrystal RAT, Void Manticore, DynoWiper, Interlock Ransomware, Swift Slicer, Handala Wiper, Data Destruction, WhisperGate, Clop Ransomware, Sandworm Tools, ZOVWiper | 2026-05-13 |
| Common Ransomware Extensions | Sysmon EventID 11 | T1485 | TTP | Prestige Ransomware, Medusa Ransomware, Ransomware, Ryuk Ransomware, Black Basta Ransomware, NailaoLocker Ransomware, Rhysida Ransomware, Interlock Ransomware, Clop Ransomware, LockBit Ransomware, Termite Ransomware, SamSam Ransomware | 2026-05-13 |
| Samsam Test File Write | Sysmon EventID 11 | T1486 | TTP | SamSam Ransomware | 2026-05-13 |
| Linux Auditd Stop Services | Linux Auditd Service Stop | T1489 | Hunting | Compromised Linux Host, AwfulShred, Data Destruction, Industroyer2 | 2026-05-13 |
| Windows Common Abused Cmd Shell Risk Behavior | | T1016, T1033, T1049, T1059, T1222, T1529 | Correlation | Windows Post-Exploitation, Volt Typhoon, DarkCrystal RAT, Windows Defense Evasion Tactics, FIN7, Qakbot, Azorult, CISA AA23-347A, Netsh Abuse, Microsoft WSUS CVE-2025-59287, Sandworm Tools, Disabling Security Tools | 2026-05-13 |
| Windows Account Access Removal via Logoff Exec | Sysmon EventID 1 | T1059.001, T1531 | Anomaly | Crypto Stealer | 2026-05-13 |
| Change To Safe Mode With Network Config | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | BlackMatter Ransomware, Black Basta Ransomware | 2026-05-13 |
| High Process Termination Frequency | Sysmon EventID 5 | T1486 | Anomaly | Crypto Stealer, Medusa Ransomware, NailaoLocker Ransomware, BlackByte Ransomware, Rhysida Ransomware, Interlock Ransomware, Snake Keylogger, Clop Ransomware, LockBit Ransomware, Hellcat Ransomware, Termite Ransomware | 2026-05-13 |
| Windows DiskCryptor Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1486 | Hunting | Ransomware | 2026-05-13 |
| Windows Service Stop By Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Hunting | Crypto Stealer, Azorult, Graceful Wipe Out Attack | 2026-05-13 |
| Windows WMIC Shadowcopy Delete | Sysmon EventID 1 | T1490 | Anomaly | Suspicious WMI Use, Cactus Ransomware, Volt Typhoon | 2026-05-13 |
| Ryuk Test Files Detected | Sysmon EventID 11 | T1486 | TTP | Ryuk Ransomware | 2026-05-13 |
| Linux Stop Services | Sysmon for Linux EventID 1 | T1489 | TTP | AwfulShred, Data Destruction, Industroyer2 | 2026-05-13 |
| Detect Web Access to Decommissioned S3 Bucket | AWS Cloudfront | T1485 | Anomaly | AWS S3 Bucket Security Monitoring, Data Destruction | 2026-05-13 |
| ESXi Bulk VM Termination | VMWare ESXi Syslog | T1499, T1529, T1673 | TTP | ESXi Post Compromise, Black Basta Ransomware | 2026-05-13 |
| Cisco ASA - User Account Deleted From Local Database | Cisco ASA Logs | T1070.008, T1531 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Ollama Abnormal Service Crash Availability Attack | Ollama Server | T1489 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Ollama Possible Memory Exhaustion Resource Abuse | Ollama Server | T1499 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Ollama Excessive API Requests | Ollama Server | T1498 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| ASL AWS Disable Bucket Versioning | ASL AWS CloudTrail | T1490 | Anomaly | Data Exfiltration, Suspicious AWS S3 Activities | 2026-05-13 |
| ASL AWS Detect Users creating keys with encrypt policy without MFA | ASL AWS CloudTrail | T1486 | TTP | Ransomware Cloud | 2026-05-13 |
| GitHub Organizations Repository Archived | GitHub Organizations Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-13 |
| AWS Bedrock Delete Knowledge Base | AWS CloudTrail DeleteKnowledgeBase | T1485 | TTP | AWS Bedrock Security | 2026-05-13 |
| AWS Detect Users with KMS keys performing encryption S3 | AWS CloudTrail | T1486 | Anomaly | Ransomware Cloud | 2026-05-13 |
| O365 Email Send Attachments Excessive Volume | Office 365 Universal Audit Log | T1070.008, T1485 | Anomaly | Office 365 Account Takeover, Suspicious Emails | 2026-05-13 |
| GitHub Enterprise Repository Deleted | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-13 |
| AWS Disable Bucket Versioning | AWS CloudTrail PutBucketVersioning | T1490 | Anomaly | Data Exfiltration, Suspicious AWS S3 Activities | 2026-05-13 |
| AWS Detect Users creating keys with encrypt policy without MFA | AWS CloudTrail PutKeyPolicy, AWS CloudTrail CreateKey | T1486 | TTP | Ransomware Cloud | 2026-05-13 |
| Microsoft Intune Bulk Wipe | Azure Monitor Activity | T1561.001 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| O365 Email Password and Payroll Compromise Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | TTP | Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques | 2026-05-13 |
| O365 Email Receive and Hard Delete Takeover Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques | 2026-05-13 |
| O365 Email Hard Delete Excessive Volume | Office 365 Universal Audit Log | T1070.008, T1485 | Anomaly | Office 365 Account Takeover, Suspicious Emails, Data Destruction | 2026-05-13 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | T1021.007, T1072, T1529 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| AWS Defense Evasion PutBucketLifecycle | AWS CloudTrail PutBucketLifecycle | T1485.001, T1685.002 | Hunting | AWS Defense Evasion | 2026-05-13 |
| O365 Email Send and Hard Delete Exfiltration Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques | 2026-05-13 |
| ASL AWS Defense Evasion PutBucketLifecycle | ASL AWS CloudTrail | T1485.001, T1685.002 | Hunting | AWS Defense Evasion | 2026-05-13 |
| GitHub Organizations Repository Deleted | GitHub Organizations Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-13 |
| GitHub Enterprise Remove Organization | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity | 2026-05-13 |
| GitHub Enterprise Repository Archived | GitHub Enterprise Audit Logs | T1195, T1485 | Anomaly | GitHub Malicious Activity, NPM Supply Chain Compromise | 2026-05-13 |
| O365 Email Send and Hard Delete Suspicious Behavior | Office 365 Universal Audit Log | T1070.008, T1114.001, T1485 | Anomaly | Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques | 2026-05-13 |
| Detect DNS Query to Decommissioned S3 Bucket | Sysmon EventID 22 | T1485 | Anomaly | AWS S3 Bucket Security Monitoring, Data Destruction | 2026-05-13 |
| Detect ARP Poisoning | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Cisco Secure Firewall - Static Tundra Smart Install Abuse | Cisco Secure Firewall Threat Defense Intrusion Event | T1190, T1210, T1499 | TTP | Cisco Smart Install Remote Code Execution CVE-2018-0171, Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Detect Rogue DHCP Server | Cisco IOS Logs | T1200, T1498, T1557 | TTP | Router and Infrastructure Security, Scattered Lapsus$ Hunters | 2026-05-13 |
| Detect Port Security Violation | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Large Volume of DNS ANY Queries | | T1498.002 | Anomaly | DNS Amplification Attacks | 2026-05-13 |
| Detect Traffic Mirroring | Cisco IOS Logs | T1020.001, T1200, T1498 | TTP | Router and Infrastructure Security | 2026-05-13 |
| Detect IPv6 Network Infrastructure Threats | Cisco IOS Logs | T1200, T1498, T1557.002 | TTP | Router and Infrastructure Security, Scattered Lapsus$ Hunters | 2026-05-13 |