|
Windows Excel Spawning Microsoft Project Application
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
|
Anomaly
|
PathWiper
|
2026-05-13
|
|
Windows AD Suspicious Attribute Modification
|
Windows Event Log Security 5136
|
T1222.001
T1550
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows RDP Bitmap Cache File Creation
|
Sysmon EventID 11
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Remote Management Execute Shell
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1021.006
|
Anomaly
|
Crypto Stealer
|
2026-05-13
|
|
Impacket Lateral Movement Commandline Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Remote Process Instantiation via WinRM and Winrs
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Default RDP File Creation By Non MSTSC Process
|
Sysmon EventID 1, Sysmon EventID 11
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Enable RDP In Other Port Number
|
Sysmon EventID 13
|
T1021
|
TTP
|
Interlock Ransomware, Windows Registry Abuse, Prohibited Traffic Allowed or Protocol Mismatch, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows SpeechRuntime COM Hijacking DLL Load
|
Sysmon EventID 7
|
T1021.003
|
TTP
|
Scattered Lapsus$ Hunters, Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Process Execution From RDP Share
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
T1059
T1105
|
Anomaly
|
Hidden Cobra Malware
|
2026-05-13
|
|
Linux SSH Remote Services Script Execute
|
Sysmon for Linux EventID 1
|
T1021.004
|
TTP
|
Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
T1091
|
TTP
|
Chaos Ransomware, Salt Typhoon, Derusbi, PlugX, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer, NjRAT
|
2026-05-13
|
|
Rubeus Kerberos Ticket Exports Through Winlogon Access
|
Sysmon EventID 10
|
T1550.003
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Scattered Lapsus$ Hunters, ZOVWiper
|
2026-05-13
|
|
Windows Default Rdp File Unhidden
|
Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows RDP Server Registry Entry Created
|
Sysmon EventID 13
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows RDP Client Launched with Admin Session
|
Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Rubeus Command Line Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1550.003
T1558.003
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, ZOVWiper
|
2026-05-13
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Remote Services Allow Rdp In Firewall
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Azorult, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4768, Windows Event Log Security 4887
|
T1550
T1649
|
TTP
|
Windows Certificate Services, Compromised Windows Host
|
2026-05-13
|
|
Remote Process Instantiation via DCOM and PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Process Executed From Removable Media
|
Sysmon EventID 13, Sysmon EventID 1
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Suspicious Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
TTP
|
Cobalt Strike, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, APT37 Rustonotto and FadeStealer, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Mmc LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
T1218.014
|
TTP
|
Water Gamayun, Living Off The Land, XML Runner Loader, Active Directory Lateral Movement
|
2026-05-13
|
|
Detect Computer Changed with Anonymous Account
|
Windows Event Log Security 4742
|
T1210
|
Hunting
|
Detect Zerologon Attack
|
2026-05-13
|
|
Windows RDP Login Session Was Established
|
Windows Event Log Security 4624
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Allow Inbound Traffic By Firewall Rule Registry
|
Sysmon EventID 13
|
T1021.001
|
TTP
|
Medusa Ransomware, Windows Registry Abuse, Azorult, Prohibited Traffic Allowed or Protocol Mismatch, PlugX, NjRAT
|
2026-05-13
|
|
Windows Special Privileged Logon On Multiple Hosts
|
Windows Event Log Security 4672
|
T1021.002
T1087
T1135
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows SpeechRuntime Suspicious Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
|
TTP
|
Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Mimikatz PassTheTicket CommandLine Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1550.003
|
TTP
|
Active Directory Kerberos Attacks, CISA AA23-347A, CISA AA22-320A, Sandworm Tools, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows WPDBusEnum Registry Key Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Detect PsExec With accepteula Flag
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
|
TTP
|
SamSam Ransomware, BlackByte Ransomware, Medusa Ransomware, CISA AA22-320A, IcedID, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, Storm-0501 Ransomware, Seashell Blizzard, DarkSide Ransomware, DarkGate Malware, Volt Typhoon, VanHelsing Ransomware, Cactus Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Remote Services Allow Remote Assistance
|
Sysmon EventID 13
|
T1021.001
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Windows Remote Host Computer Management Access
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1021.006
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Windows Remote Services Rdp Enable
|
Sysmon EventID 13
|
T1021.001
|
TTP
|
Azorult, Windows RDP Artifacts and Defense Evasion, BlackSuit Ransomware, Medusa Ransomware
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
Malicious PowerShell, Data Destruction, CISA AA24-241A, Scheduled Tasks, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Active Directory Lateral Movement
|
2026-05-13
|
|
Active Directory Lateral Movement Identified
|
|
T1210
|
Correlation
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Process With NetExec Command Line Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1550.003
T1558.003
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Detection of tools built by NirSoft
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1072
|
Anomaly
|
Emotet Malware DHS Report TA18-201A
|
2026-05-13
|
|
Interactive Session on Remote Endpoint with PowerShell
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows RDP Connection Successful
|
Windows Event Log RemoteConnectionManager 1149
|
T1563.002
|
Hunting
|
Interlock Ransomware, Windows RDP Artifacts and Defense Evasion, NetSupport RMM Tool Abuse, Active Directory Lateral Movement, BlackByte Ransomware
|
2026-05-13
|
|
Allow Inbound Traffic In Firewall Rule
|
Powershell Script Block Logging 4104
|
T1021.001
|
TTP
|
NetSupport RMM Tool Abuse, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Kerberos TGT Request Using RC4 Encryption
|
Windows Event Log Security 4768
|
T1550
|
TTP
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Remote Desktop Process Running On System
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
|
Hunting
|
Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement, Hidden Cobra Malware
|
2026-05-13
|
|
Windows Suspicious C2 Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
TTP
|
Cobalt Strike, BlackByte Ransomware, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, Storm-0501 Ransomware, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Remote Process Instantiation via DCOM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1021.003
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows RMM Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat
|
2026-05-13
|
|
Windows USBSTOR Registry Key Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1025
T1091
T1200
|
Anomaly
|
Data Protection, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows PuTTY Suite Utility Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.004
|
Anomaly
|
Command And Control, Active Directory Lateral Movement
|
2026-05-13
|
|
Remote Process Instantiation via WinRM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Protocol Tunneling with Plink
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.004
T1572
|
TTP
|
CISA AA22-257A
|
2026-05-13
|
|
Windows Theme File Creation in Unusual Location
|
Sysmon EventID 11
|
T1021.002
T1187
T1557.001
|
Anomaly
|
Spearphishing Attachments
|
2026-05-13
|
|
Windows PUA Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1021.002
T1055
T1559
|
Anomaly
|
SamSam Ransomware, CISA AA22-320A, Medusa Ransomware, IcedID, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, Seashell Blizzard, DarkGate Malware, DarkSide Ransomware, VanHelsing Ransomware, Active Directory Lateral Movement, Volt Typhoon, Cactus Ransomware, BlackByte Ransomware
|
2026-05-13
|
|
Powershell Remote Services Add TrustedHost
|
Powershell Script Block Logging 4104
|
T1021.006
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Windows MSTSC RDP Commandline
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Medusa Ransomware
|
2026-05-13
|
|
Windows Remote Service Rdpwinst Tool Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
|
TTP
|
Azorult, Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Executable File Written in Administrative SMB Share
|
Windows Event Log Security 5145
|
T1021.002
|
TTP
|
Data Destruction, BlackSuit Ransomware, Trickbot, IcedID, Hermetic Wiper, Prestige Ransomware, Graceful Wipe Out Attack, VanHelsing Ransomware, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Service Create with Tscon
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.003
T1563.002
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Remote Process Instantiation via WinRM and PowerShell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2026-05-13
|
|
Unknown Process Using The Kerberos Protocol
|
Sysmon EventID 1, Sysmon EventID 3
|
T1550
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2026-05-13
|
|
Wsmprovhost LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.006
|
TTP
|
CISA AA24-241A, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows RDP File Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.001
T1598.002
|
TTP
|
Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion, Interlock Ransomware
|
2026-05-13
|
|
Splunk Code Injection via custom dashboard leading to RCE
|
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2026-06-24
|
|
Splunk RCE PDFgen Render
|
Splunk
|
T1210
|
TTP
|
Splunk Vulnerabilities
|
2026-06-24
|
|
Splunk App for Lookup File Editing RCE via User XSLT
|
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2026-06-24
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
T1068
T1133
T1190
T1210
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2026-05-13
|
|
Cisco IOS XE Remote Access Probe Burst
|
Cisco IOS Logs
|
T1018
T1021.004
T1046
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
ESXi Shell Access Enabled
|
VMWare ESXi Syslog
|
T1021
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
ESXi SSH Enabled
|
VMWare ESXi Syslog
|
T1021.004
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise, Hellcat Ransomware
|
2026-05-13
|
|
Splunk RCE Through Arbitrary File Write to Windows System Root
|
Splunk
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2026-06-23
|
|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
T1538
T1550.004
|
Hunting
|
Okta Account Takeover
|
2026-05-13
|
|
Splunk RCE via User XSLT
|
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Cisco IOS XE VTY Access Class Tampering
|
Cisco IOS Logs
|
T1021
T1562
|
Anomaly
|
Salt Typhoon
|
2026-05-20
|
|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Microsoft Intune Mobile Apps
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Microsoft Intune Manual Device Management
|
Azure Monitor Activity
|
T1021.007
T1072
T1529
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
Microsoft Intune DeviceManagementConfigurationPolicies
|
Azure Monitor Activity
|
T1021.007
T1072
T1484
T1685
T1686
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Remote Desktop Network Traffic
|
Zeek Conn
|
T1021.001
|
Anomaly
|
SamSam Ransomware, Hidden Cobra Malware, Ryuk Ransomware, Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement
|
2026-05-13
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1078
T1136
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Cisco Secure Firewall - Communication Over Suspicious Ports
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1021
T1055
T1059.001
T1105
T1219
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Static Tundra Smart Install Abuse
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
T1210
T1499
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1078
T1136
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Cisco Secure Firewall - SSH Connection to Non-Standard Port
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1021.004
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
T1021
T1133
T1556
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003.001
T1059.001
T1190
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1190
T1204
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer
|
2026-05-13
|
|
SMB Traffic Spike
|
|
T1021.002
|
Anomaly
|
Emotet Malware DHS Report TA18-201A, DHS Report TA18-074A, Ransomware, Hidden Cobra Malware
|
2026-05-13
|
|
Cisco Secure Firewall - SSH Connection to sshd_operns
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1021.004
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|