|
Splunk User Enumeration Attempt
|
Splunk
|
T1078
|
TTP
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Splunk XSS Privilege Escalation via Custom Urls in Dashboard
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
PaperCut NG Suspicious Behavior Debug Log
|
|
T1133
T1190
|
Hunting
|
PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Java Writing JSP File
|
Sysmon for Linux EventID 1, Sysmon for Linux EventID 11
|
T1133
T1190
|
TTP
|
SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, Atlassian Confluence Server and Data Center CVE-2022-26134, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2026-05-13
|
|
Windows TeamCity Payload Execution from Temp Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1190
T1505.003
|
TTP
|
JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE
|
2026-05-13
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
T1135
|
Anomaly
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Entra User Management Via Azure CLI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1078.004
T1098
T1136
|
Anomaly
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows WSUS Spawning Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
T1505.003
|
TTP
|
Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
MOVEit Empty Key Fingerprint Authentication Attempt
|
|
T1190
|
Hunting
|
MOVEit Transfer Authentication Bypass, Hellcat Ransomware
|
2026-05-13
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
BlackByte Ransomware, ProxyShell, Ransomware
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Office Product Spawned Child Process For Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
APT37 Rustonotto and FadeStealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, NjRAT, PlugX
|
2026-05-13
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
T1112
T1566
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Windows Office Product Spawned Rundll32 With No DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Crypto Stealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Graceful Wipe Out Attack
|
2026-05-13
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
T1133
T1190
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Potential password in username
|
Linux Secure
|
T1078.003
T1552.001
|
Hunting
|
Insider Threat, Credential Dumping
|
2026-05-13
|
|
Linux Auditd Hardware Addition Swapoff
|
Linux Auditd Execve
|
T1200
|
Anomaly
|
Scattered Lapsus$ Hunters, AwfulShred, Data Destruction, Compromised Linux Host
|
2026-05-13
|
|
Windows Office Product Spawned Control
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Spearphishing Attachments
|
2026-05-13
|
|
Windows Office Product Loading VBE7 DLL
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Remcos, Spearphishing Attachments, DarkCrystal RAT, PlugX, NjRAT, AgentTesla, Qakbot, Azorult, MuddyWater, IcedID, Trickbot
|
2026-05-13
|
|
Windows Office Product Loading Taskschd DLL
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Suspicious React or Next.js Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1059.003
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Detect Exchange Web Shell
|
Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
Compromised Windows Host, CISA AA22-257A, BlackByte Ransomware, HAFNIUM Group, Seashell Blizzard, GhostRedirector IIS Module and Rungan Backdoor, ProxyNotShell, ProxyShell
|
2026-05-13
|
|
ConnectWise ScreenConnect Path Traversal Windows SACL
|
Windows Event Log Security 4663
|
T1190
|
TTP
|
Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard
|
2026-05-13
|
|
Windows Shell Process from CrushFTP
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1059.003
T1190
T1505
|
TTP
|
CrushFTP Vulnerabilities
|
2026-05-13
|
|
Detect Outlook exe writing a zip file
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566.001
|
Anomaly
|
Remcos, APT37 Rustonotto and FadeStealer, Spearphishing Attachments, Meduza Stealer, PXA Stealer, Amadey
|
2026-05-13
|
|
Windows RDPClient Connection Sequence Events
|
Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
|
T1133
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Spearphishing Attachments
|
2026-05-13
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
T1091
|
TTP
|
APT37 Rustonotto and FadeStealer, PlugX, NjRAT, Salt Typhoon, Chaos Ransomware, Derusbi, China-Nexus Threat Activity
|
2026-05-13
|
|
Process Creating LNK file in Suspicious Location
|
Sysmon EventID 11
|
T1566.002
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Spearphishing Attachments, Gozi Malware, Qakbot, Amadey, BlankGrabber Stealer, IcedID
|
2026-05-13
|
|
Windows Vulnerable 3CX Software
|
Sysmon EventID 1
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1134, Windows Event Log Defender 1132, Windows Event Log Defender 1122, Windows Event Log Defender 1126, Windows Event Log Defender 1125
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Shell or Script Execution From IIS Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1190
T1505.004
|
Anomaly
|
ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Windows Office Product Dropped Cab or Inf File
|
Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
APT37 Rustonotto and FadeStealer, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Spearphishing Attachments
|
2026-05-13
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
T1078.002
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Windows Guest Account Enabled Via Net.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1078.001
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
T1069
T1078.002
|
TTP
|
Rhysida Ransomware, Active Directory Privilege Escalation, Active Directory Discovery
|
2026-05-13
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Exchange PowerShell Abuse via SSRF
|
|
T1133
T1190
|
TTP
|
ProxyNotShell, BlackByte Ransomware, ProxyShell, Seashell Blizzard
|
2026-05-13
|
|
Windows Process Executed From Removable Media
|
Sysmon EventID 1, Sysmon EventID 13
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Phishing Recent ISO Exec Registry
|
Sysmon EventID 13
|
T1566.001
|
Hunting
|
Remcos, Brute Ratel C4, Warzone RAT, Gozi Malware, Qakbot, AgentTesla, Azorult, IcedID
|
2026-05-13
|
|
Windows SharePoint Spinstall0 Webshell File Creation
|
Sysmon EventID 11
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Linux Suspicious React or Next.js Child Process
|
Sysmon for Linux EventID 1
|
T1059.004
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Web or Application Server Spawning a Shell
|
Sysmon EventID 1, Sysmon for Linux EventID 1
|
T1133
T1190
|
TTP
|
WS FTP Server Critical Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Microsoft WSUS CVE-2025-59287, Log4Shell CVE-2021-44228, SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, HAFNIUM Group, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Microsoft SharePoint Vulnerabilities, CISA AA22-257A, Flax Typhoon, CISA AA22-264A, ProxyNotShell, ProxyShell, Cleo File Transfer Software, PHP-CGI RCE Attack on Japanese Organizations, BlackByte Ransomware, Data Destruction
|
2026-05-13
|
|
MOVEit Certificate Store Access Failure
|
|
T1190
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2026-05-13
|
|
Windows Office Product Spawned Uncommon Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Trickbot, Remcos, Compromised Windows Host, APT37 Rustonotto and FadeStealer, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Warzone RAT, DarkCrystal RAT, NjRAT, PlugX, AgentTesla, Azorult, Qakbot, CVE-2023-21716 Word RTF Heap Corruption, MuddyWater, IcedID, FIN7
|
2026-05-13
|
|
Windows Identify PowerShell Web Access IIS Pool
|
Windows Event Log Security 4648
|
T1190
|
Hunting
|
CISA AA24-241A
|
2026-05-13
|
|
ConnectWise ScreenConnect Path Traversal
|
Sysmon EventID 11
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard
|
2026-05-13
|
|
Windows WPDBusEnum Registry Key Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows TeamCity Plugin Installed
|
Sysmon EventID 11
|
T1059
T1190
T1505.003
|
Anomaly
|
JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE
|
2026-05-13
|
|
GitHub Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
Hunting
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1078.002
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
WinRM Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
|
TTP
|
Rhysida Ransomware, CISA AA23-347A, Unusual Processes, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Windows Office Product Spawned MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host, Spearphishing Attachments
|
2026-05-13
|
|
Windows Office Product Loaded MSHTML Module
|
Sysmon EventID 7
|
T1566.001
|
Anomaly
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, MuddyWater, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments
|
2026-05-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Universal Data Link File Creation
|
Sysmon EventID 11
|
T1204.002
T1566.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1129, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1121, Windows Event Log Defender 1126
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows Spearphishing Attachment Onenote Spawn Mshta
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
TTP
|
APT37 Rustonotto and FadeStealer, AsyncRAT, Compromised Windows Host, Spearphishing Attachments
|
2026-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Hunting 3CXDesktopApp Software
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1195.002
|
Hunting
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
T1078.003
T1136.001
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows CAB File on Disk
|
Sysmon EventID 11
|
T1566.001
|
Anomaly
|
APT37 Rustonotto and FadeStealer, DarkGate Malware
|
2026-05-13
|
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1133
T1190
|
TTP
|
Compromised Windows Host, PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Windows Phishing PDF File Executes URL Link
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
|
Anomaly
|
MuddyWater, Snake Keylogger, Spearphishing Attachments
|
2026-05-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
T1078.002
|
TTP
|
Compromised Windows Host, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Windows USBSTOR Registry Key Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
T1078.002
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Windows Phishing Outlook Drop Dll In FORM Dir
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566
|
TTP
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Windows Metasploit Confluence Plugin Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
T1505.003
T1608
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Windows Office Product Dropped Uncommon File
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566.001
|
Anomaly
|
Compromised Windows Host, Warzone RAT, PlugX, AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, FIN7
|
2026-05-13
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Linux Hardware Addition SwapOff
|
Sysmon for Linux EventID 1
|
T1200
|
Anomaly
|
Scattered Lapsus$ Hunters, AwfulShred, Data Destruction
|
2026-05-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
T1078
|
Hunting
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
T1133
T1190
|
TTP
|
MOVEit Transfer Critical Vulnerability, Hellcat Ransomware
|
2026-05-13
|
|
Shai-Hulud 2 Exfiltration Artifact Files
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1074.001
T1195.002
T1552.001
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Living Off The Land Detection
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
T1204.001
T1566.001
|
Hunting
|
Remcos, Brute Ratel C4, APT37 Rustonotto and FadeStealer, Warzone RAT, Spearphishing Attachments, Gozi Malware, Qakbot, AgentTesla, Azorult, Amadey, IcedID
|
2026-05-13
|
|
Detect Excessive User Account Lockouts
|
|
T1078.003
|
Anomaly
|
Active Directory Password Spraying, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Unusual File Creation in Confluence Directory
|
Sysmon EventID 11
|
T1190
T1608.001
T1608.002
|
Anomaly
|
Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1129, Windows Event Log Defender 5007, Windows Event Log Defender 1134, Windows Event Log Defender 1131, Windows Event Log Defender 1133, Windows Event Log Defender 1122, Windows Event Log Defender 1121, Windows Event Log Defender 1126, Windows Event Log Defender 1125
|
T1059
T1566.001
T1566.002
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Cisco NVM - Webserver Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1105
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
PaperCut NG Remote Web Access Attempt
|
Suricata
|
T1133
T1190
|
TTP
|
PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Hunting for Log4Shell
|
Nginx Access
|
T1133
T1190
|
Hunting
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Windows IIS Server PSWA Console Access
|
Windows IIS
|
T1190
|
Hunting
|
CISA AA24-241A
|
2026-05-13
|
|
Zscaler Exploit Threat Blocked
|
|
T1566
|
TTP
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Zscaler Malware Activity Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Web Remote ShellServlet Access
|
Nginx Access
|
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Web Spring4Shell HTTP Request Class Module
|
Splunk Stream HTTP
|
T1133
T1190
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Zscaler Behavior Analysis Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
SAP NetWeaver Visual Composer Exploitation Attempt
|
Suricata
|
T1190
|
Hunting
|
SAP NetWeaver Exploitation
|
2026-05-13
|
|
Log4Shell JNDI Payload Injection with Outbound Connection
|
|
T1133
T1190
|
Anomaly
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
JetBrains TeamCity Authentication Bypass CVE-2024-27198
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Zscaler Phishing Activity Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats, Hellcat Ransomware
|
2026-05-13
|
|
Tomcat Session Deserialization Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-05-13
|
|
Zscaler Scam Destinations Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Cisco IOS XE Implant Access
|
Suricata
|
T1190
|
TTP
|
Cisco IOS XE Software Web Management User Interface vulnerability
|
2026-05-13
|
|
Zscaler Virus Download threat blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Zscaler Potentially Abused File Download
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Adobe ColdFusion Access Control Bypass
|
Suricata
|
T1190
|
Anomaly
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2026-05-13
|
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
T1059
T1105
T1190
|
TTP
|
Juniper JunOS Remote Code Execution
|
2026-05-13
|
|
Adobe ColdFusion Unauthenticated Arbitrary File Read
|
Suricata
|
T1190
|
Anomaly
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
2026-05-13
|
|
Zscaler Employment Search Web Activity
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
HTTP Duplicated Header
|
Suricata
|
T1071.001
T1190
|
Anomaly
|
HTTP Request Smuggling
|
2026-05-13
|
|
Ivanti EPM SQL Injection Remote Code Execution
|
Suricata
|
T1190
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Ivanti EPM Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
Spring4Shell Payload URL Request
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Ivanti Connect Secure Command Injection Attempts
|
Suricata
|
T1190
|
TTP
|
Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A
|
2026-05-13
|
|
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
|
Suricata
|
T1190
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Ivanti Connect Secure SSRF in SAML Component
|
Suricata
|
T1190
|
TTP
|
Ivanti Connect Secure VPN Vulnerabilities
|
2026-05-13
|
|
Supernova Webshell
|
|
T1133
T1505.003
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Earth Alux, NOBELIUM Group
|
2026-05-13
|
|
Windows Exchange Autodiscover SSRF Abuse
|
Windows IIS
|
T1133
T1190
|
TTP
|
ProxyNotShell, BlackByte Ransomware, ProxyShell, Seashell Blizzard
|
2026-05-13
|
|
JetBrains TeamCity RCE Attempt
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities, CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE
|
2026-05-13
|
|
ProxyShell ProxyNotShell Behavior Detected
|
|
T1133
T1190
|
Correlation
|
ProxyNotShell, ProxyShell, Seashell Blizzard
|
2026-05-13
|
|
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Log4Shell JNDI Payload Injection Attempt
|
Nginx Access
|
T1133
T1190
|
Anomaly
|
CISA AA22-257A, Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Detect attackers scanning for vulnerable JBoss servers
|
|
T1082
T1133
|
TTP
|
SamSam Ransomware, JBoss Vulnerability
|
2026-05-13
|
|
Windows SharePoint Spinstall0 GET Request
|
Suricata
|
T1190
T1505.003
T1552
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
WS FTP Remote Code Execution
|
Suricata
|
T1190
|
TTP
|
WS FTP Server Critical Vulnerabilities
|
2026-05-13
|
|
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
|
Suricata
|
T1190
|
TTP
|
Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A
|
2026-05-13
|
|
Zscaler Privacy Risk Destinations Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
T1068
T1133
T1190
T1210
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2026-05-13
|
|
Nginx ConnectWise ScreenConnect Authentication Bypass
|
Nginx Access
|
T1190
|
TTP
|
Hellcat Ransomware, Scattered Lapsus$ Hunters, ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard
|
2026-05-13
|
|
Tomcat Session File Upload Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-05-13
|
|
Detect F5 TMUI RCE CVE-2020-5902
|
|
T1190
|
TTP
|
F5 TMUI RCE CVE-2020-5902
|
2026-05-13
|
|
Fortinet Appliance Auth bypass
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
CVE-2022-40684 Fortinet Appliance Auth bypass
|
2026-05-13
|
|
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
|
Suricata
|
T1190
|
Anomaly
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
|
2026-05-13
|
|
SQL Injection with Long URLs
|
|
T1190
|
TTP
|
SQL Injection, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
|
Suricata
|
T1133
T1190
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-05-13
|
|
Web Spring Cloud Function FunctionRouter
|
Splunk Stream HTTP
|
T1133
T1190
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Zscaler CryptoMiner Downloaded Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Windows SharePoint ToolPane Endpoint Exploitation Attempt
|
Suricata
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
HTTP Request to Reserved Name on IIS Server
|
Suricata
|
T1071.001
T1190
|
TTP
|
HTTP Request Smuggling
|
2026-05-13
|
|
Confluence CVE-2023-22515 Trigger Vulnerability
|
Suricata
|
T1190
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Jenkins Arbitrary File Read CVE-2024-23897
|
Nginx Access
|
T1190
|
TTP
|
Jenkins Server Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
Citrix ADC Exploitation CVE-2023-3519
|
Palo Alto Network Threat
|
T1190
|
Hunting
|
Citrix Netscaler ADC CVE-2023-3519, CISA AA24-241A
|
2026-05-13
|
|
Confluence Data Center and Server Privilege Escalation
|
Nginx Access
|
T1190
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities, CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2026-05-13
|
|
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
Hellcat Ransomware, Fortinet FortiNAC CVE-2022-39952
|
2026-05-13
|
|
Ivanti Connect Secure System Information Access via Auth Bypass
|
Suricata
|
T1190
|
Anomaly
|
Ivanti Connect Secure VPN Vulnerabilities, CISA AA24-241A
|
2026-05-13
|
|
Citrix ShareFile Exploitation CVE-2023-24489
|
Suricata
|
T1190
|
Hunting
|
Citrix ShareFile RCE CVE-2023-24489
|
2026-05-13
|
|
Java Class File download by Java User Agent
|
Splunk Stream HTTP
|
T1190
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Exploit Public Facing Application via Apache Commons Text
|
Nginx Access
|
T1133
T1190
T1505.003
|
Anomaly
|
Text4Shell CVE-2022-42889
|
2026-05-13
|
|
Citrix ADC and Gateway Unauthorized Data Disclosure
|
Suricata
|
T1190
|
TTP
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
|
Palo Alto Network Threat
|
T1133
T1190
T1505
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
CrushFTP Authentication Bypass Exploitation
|
CrushFTP
|
T1059.001
T1059.003
T1190
|
TTP
|
CrushFTP Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
Zscaler Adware Activities Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
HTTP Rapid POST with Mixed Status Codes
|
Nginx Access
|
T1071.001
T1190
T1595
|
Anomaly
|
HTTP Request Smuggling
|
2026-05-13
|
|
Web JSP Request via URL
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Spring4Shell CVE-2022-22965, Earth Alux
|
2026-05-13
|
|
ConnectWise ScreenConnect Authentication Bypass
|
Suricata
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard
|
2026-05-13
|
|
WordPress Bricks Builder plugin RCE
|
Nginx Access
|
T1190
|
TTP
|
WordPress Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
VMware Workspace ONE Freemarker Server-side Template Injection
|
Palo Alto Network Threat
|
T1133
T1190
|
Anomaly
|
VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
Zscaler Legal Liability Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2026-05-13
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
|
Suricata
|
T1133
T1190
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-05-13
|
|
VMware Server Side Template Injection Hunt
|
Palo Alto Network Threat
|
T1133
T1190
|
Hunting
|
VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
ESXi Shared or Stolen Root Account
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - New Local User Account Created
|
Cisco ASA Logs
|
T1078.003
T1136.001
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Cisco ASA - User Privilege Level Change
|
Cisco ASA Logs
|
T1078.003
T1098
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
M365 Copilot Application Usage Pattern Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta New API Token Created
|
Okta
|
T1078.001
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Ivanti VTM New Account Creation
|
Ivanti VTM Audit
|
T1190
|
TTP
|
Ivanti Virtual Traffic Manager CVE-2024-7593, Scattered Lapsus$ Hunters, Hellcat Ransomware
|
2026-05-13
|
|
Zoom High Video Latency
|
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
T1078.001
T1556
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
Cisco IOS XE Request Platform Package Describe Shell Pattern
|
Cisco IOS Logs
|
T1059
T1190
|
TTP
|
Salt Typhoon
|
2026-05-20
|
|
ESXi External Root Login Activity
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
T1078
T1110
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
ESXi Account Modified
|
VMWare ESXi Syslog
|
T1078
T1098
T1136.001
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
ESXi User Granted Admin Role
|
VMWare ESXi Syslog
|
T1078
T1098
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Email Attachments With Lots Of Spaces
|
|
T1036.008
T1566.001
|
Anomaly
|
Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails, Data Destruction
|
2026-05-13
|
|
Ollama Possible RCE via Model Loading
|
Ollama Server
|
T1190
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
Okta Suspicious Activity Reported
|
Okta
|
T1078.001
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
Okta Risk Threshold Exceeded
|
Okta
|
T1078
T1110
|
Correlation
|
Okta MFA Exhaustion, Suspicious Okta Activity, Okta Account Takeover
|
2026-05-13
|
|
Cisco IOS XE WebUI Programmatic Configuration
|
Cisco IOS Logs
|
T1078
T1190
|
Anomaly
|
Salt Typhoon
|
2026-05-19
|
|
Suspicious Java Classes
|
|
T1190
|
Anomaly
|
Apache Struts Vulnerability
|
2026-05-13
|
|
PTC Windchill Gateway Command Execution
|
Windchill Log4j
|
T1005
T1059
T1190
|
Anomaly
|
PTC Windchill Exploitation
|
2026-06-14
|
|
Ollama Suspicious Prompt Injection Jailbreak
|
Ollama Server
|
T1059
T1190
|
Anomaly
|
Suspicious Ollama Activities
|
2026-05-13
|
|
Cisco IOS XE WebUI Login From IOSd Local Port
|
Cisco IOS Logs
|
T1078
T1190
|
TTP
|
Salt Typhoon
|
2026-05-19
|
|
Suspicious Email Attachment Extensions
|
|
T1566.001
|
Anomaly
|
Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails, Data Destruction
|
2026-05-13
|
|
CrushFTP Server Side Template Injection
|
CrushFTP
|
T1190
|
TTP
|
CrushFTP Vulnerabilities, Hellcat Ransomware
|
2026-05-13
|
|
PTC Windchill GW READY OK Probe
|
Windchill Log4j
|
T1059
T1190
|
Anomaly
|
PTC Windchill Exploitation
|
2026-06-14
|
|
Okta Successful Single Factor Authentication
|
Okta
|
T1078.004
T1586.003
T1621
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
M365 Copilot Session Origin Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
T1078.004
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
O365 ZAP Activity Detection
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
Anomaly
|
Suspicious Emails, Spearphishing Attachments
|
2026-05-13
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace
|
T1078.004
T1586.003
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
GCP Detect gcploit framework
|
|
T1078
|
TTP
|
GCP Cross Account Activity
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
O365 Email Reported By User Found Malicious
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
TTP
|
Suspicious Emails, Spearphishing Attachments
|
2026-05-13
|
|
GitHub Organizations Disable Dependabot
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Gsuite Suspicious Shared File Name
|
G Suite Drive
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
GitHub Enterprise Disable IP Allow List
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
GitHub Organizations Repository Archived
|
GitHub Organizations Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
T1078.004
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2026-05-13
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
T1078.004
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
GitHub Organizations Delete Branch Ruleset
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
GitHub Enterprise Register Self Hosted Runner
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
Azure AD Device Code Authentication
|
Azure Active Directory
|
T1528
T1566.002
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Repository Deleted
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
O365 Safe Links Detection
|
Office 365 Universal Audit Log
|
T1566.001
|
TTP
|
Office 365 Account Takeover, Spearphishing Attachments
|
2026-05-13
|
|
GitHub Enterprise Delete Branch Ruleset
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Security And Compliance Alert Triggered
|
|
T1078.004
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Gdrive suspicious file sharing
|
|
T1566
|
Hunting
|
Data Exfiltration, Scattered Lapsus$ Hunters, Spearphishing Attachments
|
2026-05-13
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
T1078.004
T1586.003
T1621
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
GitHub Organizations Disable 2FA Requirement
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Gsuite Email Suspicious Subject With Attachment
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
Okta Non-Standard VPN Usage
|
Okta
|
T1078
T1090
T1572
|
TTP
|
Remote Employment Fraud, Suspicious Okta Activity
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
T1078.004
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
GitHub Organizations Disable Classic Branch Protection Rule
|
GitHub Organizations Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoginFailed, O365 UserLoggedIn
|
T1078
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Modify Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
T1078
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Dependabot
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Gsuite Email With Known Abuse Web Service Link
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2026-05-13
|
|
GitHub Enterprise Pause Audit Log Event Stream
|
GitHub Enterprise Audit Logs
|
T1195
T1685.002
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GitHub Enterprise Disable Classic Branch Protection Rule
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
GSuite Email Suspicious Attachment
|
G Suite Gmail
|
T1566.001
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 Threat Intelligence Suspicious Email Delivered
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
Anomaly
|
Suspicious Emails, Spearphishing Attachments
|
2026-05-13
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
GitHub Organizations Repository Deleted
|
GitHub Organizations Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
O365 Email Reported By Admin Found Malicious
|
Office 365 Universal Audit Log
|
T1566.001
T1566.002
|
TTP
|
Suspicious Emails, Spearphishing Attachments
|
2026-05-13
|
|
GitHub Enterprise Remove Organization
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
Gsuite suspicious calendar invite
|
|
T1566
|
Hunting
|
Spearphishing Attachments
|
2026-05-13
|
|
GitHub Enterprise Disable 2FA Requirement
|
GitHub Enterprise Audit Logs
|
T1195
T1685
|
Anomaly
|
GitHub Malicious Activity
|
2026-05-13
|
|
Geographic Improbable Location
|
Okta
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
GitHub Enterprise Repository Archived
|
GitHub Enterprise Audit Logs
|
T1195
T1485
|
Anomaly
|
GitHub Malicious Activity, NPM Supply Chain Compromise
|
2026-05-13
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
T1078.004
T1586.003
T1621
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
3CX Supply Chain Attack Network Indicators
|
Sysmon EventID 22
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Cisco Secure Firewall - Oracle E-Business Suite Correlation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco SD-WAN - Peering Activity
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Hunting
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - React Server Components RCE Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Detect ARP Poisoning
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Cisco Smart Install Oversized Packet Detection
|
Splunk Stream TCP
|
T1190
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Smart Install Port Discovery and Status
|
Splunk Stream TCP
|
T1190
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
|
Cisco SD-WAN Service Proxy Access Logs
|
T1190
|
TTP
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Cisco SD-WAN - Low Frequency Rogue Peer
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Anomaly
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Detect Zerologon via Zeek
|
|
T1190
|
TTP
|
Detect Zerologon Attack, Rhysida Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A
|
2026-05-13
|
|
Cisco Secure Firewall - Static Tundra Smart Install Abuse
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
T1210
T1499
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Rogue DHCP Server
|
Cisco IOS Logs
|
T1200
T1498
T1557
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco IOS Suspicious Privileged Account Creation
|
Cisco IOS Logs
|
T1078
T1136
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
T1021
T1133
T1556
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Detect Port Security Violation
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Detect hosts connecting to dynamic domain providers
|
Sysmon EventID 22
|
T1189
|
TTP
|
Command And Control, Data Protection, DNS Hijacking, Suspicious DNS Traffic, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003.001
T1059.001
T1190
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Oracle E-Business Suite Exploitation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Traffic Mirroring
|
Cisco IOS Logs
|
T1020.001
T1200
T1498
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1190
T1204
T1210
|
TTP
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows Spearphishing Attachment Connect To None MS Office Domain
|
Sysmon EventID 22
|
T1566.001
|
Hunting
|
AsyncRAT, MuddyWater, Spearphishing Attachments
|
2026-05-13
|
|
Detect IPv6 Network Infrastructure Threats
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect Outbound LDAP Traffic
|
Palo Alto Network Traffic, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event
|
T1059
T1190
|
Hunting
|
Log4Shell CVE-2021-44228, Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics
|
2026-05-13
|
