| Name | Data Source | Technique | Type | Analytic Story | Last Updated |
|---|---|---|---|---|---|
| ESXi Shell Access Enabled | VMWare ESXi Syslog | Remote Services | TTP | Black Basta Ransomware, ESXi Post Compromise | 2025-05-12 |
| ESXi SSH Enabled | VMWare ESXi Syslog | SSH | TTP | Black Basta Ransomware, ESXi Post Compromise, Hellcat Ransomware | 2025-10-14 |
| Okta Multiple Failed Requests to Access Applications | Okta | Web Session Cookie, Cloud Service Dashboard | Hunting | Okta Account Takeover | 2025-05-02 |
| Splunk App for Lookup File Editing RCE via User XSLT | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-05-02 |
| Splunk Code Injection via custom dashboard leading to RCE | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-05-02 |
| Splunk RCE PDFgen Render | Splunk | Exploitation of Remote Services | TTP | Splunk Vulnerabilities | 2025-05-02 |
| Splunk RCE Through Arbitrary File Write to Windows System Root | Splunk | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-05-02 |
| Splunk RCE via User XSLT | | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2025-05-02 |
| AWS Bedrock Invoke Model Access Denied | AWS CloudTrail | Valid Accounts, Use Alternate Authentication Material | TTP | AWS Bedrock Security | 2025-05-02 |
| Microsoft Intune Device Health Scripts | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-05-02 |
| Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | Software Deployment Tools, Domain or Tenant Policy Modification, Cloud Services, Disable or Modify Tools, Disable or Modify System Firewall | Hunting | Azure Active Directory Account Takeover | 2025-05-02 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | Cloud Services, Software Deployment Tools, System Shutdown/Reboot | Hunting | Azure Active Directory Account Takeover | 2025-05-02 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-06-10 |
| Windows Default RDP File Creation | Sysmon EventID 11 | Remote Desktop Protocol | Anomaly | Windows RDP Artifacts and Defense Evasion | 2025-10-27 |
| Active Directory Lateral Movement Identified | | Exploitation of Remote Services | Correlation | Active Directory Lateral Movement | 2025-05-02 |
| Allow Inbound Traffic By Firewall Rule Registry | Sysmon EventID 13 | Remote Desktop Protocol | TTP | Azorult, Medusa Ransomware, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse | 2025-05-02 |
| Allow Inbound Traffic In Firewall Rule | Powershell Script Block Logging 4104 | Remote Desktop Protocol | TTP | Prohibited Traffic Allowed or Protocol Mismatch | 2025-05-02 |
| Detect Computer Changed with Anonymous Account | Windows Event Log Security 4624, Windows Event Log Security 4742 | Exploitation of Remote Services | Hunting | Detect Zerologon Attack | 2025-05-02 |
| Detect PsExec With accepteula Flag | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | SMB/Windows Admin Shares | TTP | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, Cactus Ransomware, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Medusa Ransomware, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Seashell Blizzard, VanHelsing Ransomware, Volt Typhoon | 2025-05-02 |
| Detection of tools built by NirSoft | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Software Deployment Tools | Anomaly | Emotet Malware DHS Report TA18-201A | 2025-05-02 |
| Enable RDP In Other Port Number | Sysmon EventID 13 | Remote Services | TTP | Interlock Ransomware, Prohibited Traffic Allowed or Protocol Mismatch, Windows RDP Artifacts and Defense Evasion, Windows Registry Abuse | 2025-08-07 |
| Executable File Written in Administrative SMB Share | Windows Event Log Security 5145 | SMB/Windows Admin Shares | TTP | Active Directory Lateral Movement, BlackSuit Ransomware, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot, VanHelsing Ransomware | 2025-05-02 |
| Impacket Lateral Movement Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2025-05-02 |
| Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2025-05-02 |
| Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2025-05-02 |
| Interactive Session on Remote Endpoint with PowerShell | Powershell Script Block Logging 4104 | Windows Remote Management | TTP | Active Directory Lateral Movement | 2025-06-24 |
| Kerberos TGT Request Using RC4 Encryption | Windows Event Log Security 4768 | Use Alternate Authentication Material | TTP | Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters | 2025-10-14 |
| Linux SSH Remote Services Script Execute | Sysmon for Linux EventID 1 | SSH | TTP | Hellcat Ransomware, Linux Living Off The Land | 2025-10-14 |
| Mimikatz PassTheTicket CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Pass the Ticket | TTP | Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools, Scattered Lapsus$ Hunters | 2025-10-14 |
| Mmc LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Distributed Component Object Model, MMC | TTP | Active Directory Lateral Movement, Living Off The Land, Water Gamayun | 2025-05-02 |
| Possible Lateral Movement PowerShell Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service | TTP | Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Microsoft WSUS CVE-2025-59287, Scheduled Tasks | 2025-10-24 |
| Powershell Remote Services Add TrustedHost | Powershell Script Block Logging 4104 | Windows Remote Management | TTP | DarkGate Malware | 2025-06-24 |
| Remote Desktop Process Running On System | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Desktop Protocol | Hunting | Active Directory Lateral Movement, Hidden Cobra Malware, Windows RDP Artifacts and Defense Evasion | 2025-08-07 |
| Remote Process Instantiation via DCOM and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Distributed Component Object Model | TTP | Active Directory Lateral Movement, Compromised Windows Host | 2025-05-02 |
| Remote Process Instantiation via DCOM and PowerShell Script Block | Powershell Script Block Logging 4104 | Distributed Component Object Model | TTP | Active Directory Lateral Movement | 2025-06-24 |
| Remote Process Instantiation via WinRM and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Remote Management | TTP | Active Directory Lateral Movement | 2025-05-02 |
| Remote Process Instantiation via WinRM and PowerShell Script Block | Powershell Script Block Logging 4104 | Windows Remote Management | TTP | Active Directory Lateral Movement | 2025-06-24 |
| Remote Process Instantiation via WinRM and Winrs | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Remote Management | TTP | Active Directory Lateral Movement | 2025-05-02 |
| Rubeus Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A, Scattered Lapsus$ Hunters | 2025-10-14 |
| Rubeus Kerberos Ticket Exports Through Winlogon Access | Sysmon EventID 10 | Pass the Ticket | TTP | Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Scattered Lapsus$ Hunters | 2025-10-14 |
| Unknown Process Using The Kerberos Protocol | Sysmon EventID 1, Sysmon EventID 3 | Use Alternate Authentication Material | TTP | Active Directory Kerberos Attacks, BlackSuit Ransomware | 2025-05-02 |
| Windows AD Suspicious Attribute Modification | Windows Event Log Security 5136 | Windows File and Directory Permissions Modification, Use Alternate Authentication Material | TTP | Sneaky Active Directory Persistence Tricks | 2025-05-02 |
| Windows Default RDP File Creation By Non MSTSC Process | Sysmon EventID 1, Sysmon EventID 11 | Remote Desktop Protocol | Anomaly | Windows RDP Artifacts and Defense Evasion | 2025-10-27 |
| Windows Default Rdp File Unhidden | Sysmon EventID 1 | Remote Desktop Protocol | Anomaly | Windows RDP Artifacts and Defense Evasion | 2025-07-30 |
| Windows Excel ActiveMicrosoftApp Child Process | Sysmon EventID 1 | Distributed Component Object Model | Anomaly | PathWiper | 2025-08-20 |
| Windows MSTSC RDP Commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Desktop Protocol | Anomaly | Medusa Ransomware, Windows RDP Artifacts and Defense Evasion | 2025-08-01 |
| Windows Process Executed From Removable Media | Sysmon EventID 1, Sysmon EventID 13 | Hardware Additions, Data from Removable Media, Replication Through Removable Media | Anomaly | APT37 Rustonotto and FadeStealer, Data Protection | 2025-09-18 |
| Windows Process Execution From RDP Share | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Desktop Protocol, Ingress Tool Transfer, Command and Scripting Interpreter | Anomaly | Hidden Cobra Malware | 2025-10-21 |
| Windows Process With NetExec Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation | 2025-05-02 |
| Windows Protocol Tunneling with Plink | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Protocol Tunneling, SSH | TTP | CISA AA22-257A | 2025-05-02 |
| Windows RDP Bitmap Cache File Creation | Sysmon EventID 11 | Remote Desktop Protocol | Anomaly | Windows RDP Artifacts and Defense Evasion | 2025-07-30 |
| Windows RDP Client Launched with Admin Session | Sysmon EventID 1 | Remote Desktop Protocol | Anomaly | Windows RDP Artifacts and Defense Evasion | 2025-08-01 |
| Windows RDP Connection Successful | Windows Event Log RemoteConnectionManager 1149 | RDP Hijacking | Hunting | Active Directory Lateral Movement, BlackByte Ransomware, Interlock Ransomware, Windows RDP Artifacts and Defense Evasion | 2025-08-08 |
| Windows RDP File Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment, Remote Desktop Protocol | TTP | Interlock Ransomware, Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion | 2025-08-07 |
| Windows RDP Login Session Was Established | Windows Event Log Security 4624 | Remote Desktop Protocol | Anomaly | Scattered Lapsus$ Hunters, Windows RDP Artifacts and Defense Evasion | 2025-10-14 |
| Windows RDP Server Registry Entry Created | Sysmon EventID 13 | Remote Desktop Protocol | Anomaly | Windows RDP Artifacts and Defense Evasion | 2025-07-30 |
| Windows Remote Host Computer Management Access | Sysmon EventID 1, Windows Event Log Security 4688 | Windows Remote Management | Anomaly | Medusa Ransomware | 2025-05-02 |
| Windows Remote Management Execute Shell | Sysmon EventID 1, Windows Event Log Security 4688 | Windows Remote Management | Anomaly | Crypto Stealer | 2025-10-07 |
| Windows Remote Service Rdpwinst Tool Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Desktop Protocol | TTP | Azorult, Compromised Windows Host, Scattered Lapsus$ Hunters, Windows RDP Artifacts and Defense Evasion | 2025-10-14 |
| Windows Remote Services Allow Rdp In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Desktop Protocol | Anomaly | Azorult, Windows RDP Artifacts and Defense Evasion | 2025-08-01 |
| Windows Remote Services Allow Remote Assistance | Sysmon EventID 13 | Remote Desktop Protocol | Anomaly | Azorult | 2025-05-02 |
| Windows Remote Services Rdp Enable | Sysmon EventID 13 | Remote Desktop Protocol | TTP | | |
               | 
              
                  Azorult, BlackSuit Ransomware, Medusa Ransomware, Windows RDP Artifacts and Defense Evasion
               | 
              
                  2025-08-01
               | 
        
        
              | 
                  Windows Replication Through Removable Media
               | 
              
                    Sysmon EventID 11
               | 
               
                    Replication Through Removable Media
               | 
              
                  TTP
               | 
              
                  APT37 Rustonotto and FadeStealer, Chaos Ransomware, China-Nexus Threat Activity, Derusbi, NjRAT, PlugX, Salt Typhoon
               | 
              
                  2025-09-18
               | 
        
        
              | 
                  Windows Service Create with Tscon
               | 
              
                    CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
               | 
               
                    Windows Service 
                     RDP Hijacking
               | 
              
                  TTP
               | 
              
                  Active Directory Lateral Movement, Compromised Windows Host, Windows RDP Artifacts and Defense Evasion
               | 
              
                  2025-08-01
               | 
        
        
              | 
                  Windows Special Privileged Logon On Multiple Hosts
               | 
              
                    Windows Event Log Security 4672
               | 
               
                    Account Discovery 
                     SMB/Windows Admin Shares 
                     Network Share Discovery
               | 
              
                  TTP
               | 
              
                  Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host
               | 
              
                  2025-05-02
               | 
        
        
              | 
                  Windows SpeechRuntime COM Hijacking DLL Load
               | 
              
                    Sysmon EventID 7
               | 
               
                    Distributed Component Object Model
               | 
              
                  TTP
               | 
              
                  Active Directory Lateral Movement, Compromised Windows Host, Scattered Lapsus$ Hunters
               | 
              
                  2025-10-14
               | 
        
        
              | 
                  Windows SpeechRuntime Suspicious Child Process
               | 
              
                    CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
               | 
               
                    Distributed Component Object Model
               | 
              
                  TTP
               | 
              
                  Active Directory Lateral Movement, Compromised Windows Host
               | 
              
                  2025-08-22
               | 
        
        
              | 
                  Windows Steal Authentication Certificates - ESC1 Authentication
               | 
              
                    Windows Event Log Security 4768, Windows Event Log Security 4887
               | 
               
                    Steal or Forge Authentication Certificates 
                     Use Alternate Authentication Material
               | 
              
                  TTP
               | 
              
                  Compromised Windows Host, Windows Certificate Services
               | 
              
                  2025-05-02
               | 
        
        
              | 
                  Windows USBSTOR Registry Key Modification
               | 
              
                    Sysmon EventID 12, Sysmon EventID 13
               | 
               
                    Hardware Additions 
                     Data from Removable Media 
                     Replication Through Removable Media
               | 
              
                  Anomaly
               | 
              
                  APT37 Rustonotto and FadeStealer, Data Protection
               | 
              
                  2025-09-18
               | 
        
        
              | 
                  Windows WPDBusEnum Registry Key Modification
               | 
              
                    Sysmon EventID 12, Sysmon EventID 13
               | 
               
                    Hardware Additions 
                     Data from Removable Media 
                     Replication Through Removable Media
               | 
              
                  Anomaly
               | 
              
                  APT37 Rustonotto and FadeStealer, Data Protection
               | 
              
                  2025-09-18
               | 
        
        
              | 
                  Wsmprovhost LOLBAS Execution Process Spawn
               | 
              
                    CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
               | 
               
                    Windows Remote Management
               | 
              
                  TTP
               | 
              
                  Active Directory Lateral Movement, CISA AA24-241A, Hellcat Ransomware
               | 
              
                  2025-10-14
               | 
        
        
              | 
                  Cisco Network Interface Modifications
               | 
              
                    Cisco IOS Logs
               | 
               
                    Modify Authentication Process 
                     Remote Services 
                     External Remote Services
               | 
              
                  Anomaly
               | 
              
                  Cisco Smart Install Remote Code Execution CVE-2018-0171
               | 
              
                  2025-08-21
               | 
        
        
              | 
                  Cisco Secure Firewall - Communication Over Suspicious Ports
               | 
              
                    Cisco Secure Firewall Threat Defense Connection Event
               | 
               
                    Remote Services 
                     Process Injection 
                     PowerShell 
                     Ingress Tool Transfer 
                     Remote Access Tools 
                     Non-Standard Port
               | 
              
                  Anomaly
               | 
              
                  Cisco Secure Firewall Threat Defense Analytics
               | 
              
                  2025-05-02
               | 
        
        
              | 
                  Cisco Secure Firewall - Lumma Stealer Activity
               | 
              
                    Cisco Secure Firewall Threat Defense Intrusion Event
               | 
               
                    Exploit Public-Facing Application 
                     Exploitation of Remote Services 
                     Obfuscated Files or Information 
                     User Execution
               | 
              
                  TTP
               | 
              
                  Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer
               | 
              
                  2025-04-28
               | 
        
        
              | 
                  Cisco Secure Firewall - Static Tundra Smart Install Abuse
               | 
              
                    Cisco Secure Firewall Threat Defense Intrusion Event
               | 
               
                    Exploit Public-Facing Application 
                     Exploitation of Remote Services 
                     Endpoint Denial of Service
               | 
              
                  TTP
               | 
              
                  Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171
               | 
              
                  2025-08-21
               | 
        
        
              | 
                  Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
               | 
              
                    Cisco Secure Firewall Threat Defense Intrusion Event
               | 
               
                    Exploit Public-Facing Application 
                     Exploitation of Remote Services 
                     PowerShell 
                     LSASS Memory
               | 
              
                  TTP
               | 
              
                  Cisco Secure Firewall Threat Defense Analytics
               | 
              
                  2025-04-14
               | 
        
        
              | 
                  Remote Desktop Network Traffic
               | 
              
                    Zeek Conn
               | 
               
                    Remote Desktop Protocol
               | 
              
                  Anomaly
               | 
              
                  Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware, Windows RDP Artifacts and Defense Evasion
               | 
              
                  2025-08-07
               | 
        
        
              | 
                  SMB Traffic Spike
               | 
              
               | 
               
                    SMB/Windows Admin Shares
               | 
              
                  Anomaly
               | 
              
                  DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
               | 
              
                  2025-05-02
               | 
        
        
              | 
                  SMB Traffic Spike - MLTK
               | 
              
               | 
               
                    SMB/Windows Admin Shares
               | 
              
                  Anomaly
               | 
              
                  DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
               | 
              
                  2025-05-02
               | 
        
        
              | 
                  VMWare Aria Operations Exploit Attempt
               | 
              
                    Palo Alto Network Threat
               | 
               
                    External Remote Services 
                     Exploit Public-Facing Application 
                     Exploitation of Remote Services 
                     Exploitation for Privilege Escalation
               | 
              
                  TTP
               | 
              
                  VMware Aria Operations vRealize CVE-2023-20887
               | 
              
                  2025-05-02
               |