|
Splunk User Enumeration Attempt
|
Splunk
|
T1078
|
TTP
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Windows AD add Self to Group
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation, Medusa Ransomware
|
2026-06-01
|
|
Windows PowerShell Add Module to Global Assembly Cache
|
Powershell Script Block Logging 4104
|
T1505.004
|
TTP
|
IIS Components
|
2026-05-13
|
|
PaperCut NG Suspicious Behavior Debug Log
|
|
T1133
T1190
|
Hunting
|
PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Java Writing JSP File
|
Sysmon for Linux EventID 1, Sysmon for Linux EventID 11
|
T1133
T1190
|
TTP
|
SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, Atlassian Confluence Server and Data Center CVE-2022-26134, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2026-05-13
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
T1053.006
|
Anomaly
|
Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir
|
2026-05-13
|
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
T1037.001
|
TTP
|
VIP Keylogger, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Anomalous Registry Value Length in Environment Key
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Linux Auditd Add User Account
|
Linux Auditd Proctitle
|
T1136.001
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux Auditd Unload Module Via Modprobe
|
Linux Auditd Execve
|
T1547.006
|
TTP
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows ESX Admins Group Creation Security Event
|
Windows Event Log Security 4727, Windows Event Log Security 4730, Windows Event Log Security 4737
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows TeamCity Payload Execution from Temp Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1190
T1505.003
|
TTP
|
JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE
|
2026-05-13
|
|
Disable Windows App Hotkeys
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
XMRig, Windows Registry Abuse
|
2026-05-13
|
|
Clop Ransomware Known Service Name
|
Windows Event Log System 7045
|
T1543
|
TTP
|
Compromised Windows Host, Clop Ransomware
|
2026-05-13
|
|
Spoolsv Writing a DLL - Sysmon
|
Sysmon EventID 11
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Do Not Connect To Win Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows DnsAdmins New Member Added
|
Windows Event Log Security 4732
|
T1098
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
T1135
|
Anomaly
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Entra User Management Via Azure CLI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1078.004
T1098
T1136
|
Anomaly
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Wscript Or Cscript Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
T1134.004
T1543
|
Anomaly
|
Remcos, VIP Keylogger, XWorm, NjRAT, 0bj3ctivity Stealer, Unusual Processes, ShrinkLocker, MuddyWater, Data Destruction, WhisperGate, FIN7, Axios Supply Chain Post Compromise
|
2026-05-13
|
|
Windows Outlook Dialogs Disabled from Unusual Process
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Print Spooler Adding A Printer Driver
|
Windows Event Log Printservice 316
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Modify Registry WuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows WSUS Spawning Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
T1505.003
|
TTP
|
Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
CMD Echo Pipe - Escalation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
T1543.003
|
TTP
|
BlackByte Ransomware, Compromised Windows Host, Cobalt Strike, Graceful Wipe Out Attack
|
2026-05-13
|
|
Suspicious Scheduled Task from Public Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
Anomaly
|
Crypto Stealer, Ransomware, MoonPeak, Ryuk Ransomware, NetSupport RMM Tool Abuse, Scheduled Tasks, Medusa Ransomware, DarkCrystal RAT, Salt Typhoon, Windows Persistence Techniques, China-Nexus Threat Activity, Malicious Inno Setup Loader, Lokibot, XWorm, CISA AA23-347A, Living Off The Land, APT37 Rustonotto and FadeStealer, Scattered Spider, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Azorult, Quasar RAT
|
2026-05-13
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Hermetic Wiper, Malicious PowerShell, Data Destruction, Ransomware
|
2026-05-13
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
BlackByte Ransomware, ProxyShell, Ransomware
|
2026-05-13
|
|
Windows Modify Registry DisAllow Windows App
|
Sysmon EventID 13
|
T1112
|
TTP
|
Azorult
|
2026-05-13
|
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, Gozi Malware, CISA AA22-277A, Storm-0501 Ransomware, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry EnableLinkedConnections
|
Sysmon EventID 13
|
T1112
|
TTP
|
BlackByte Ransomware
|
2026-05-13
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
T1547
T1574.001
|
Anomaly
|
Earth Alux, XWorm, APT29 Diplomatic Deceptions with WINELOADER, Salt Typhoon, Derusbi, China-Nexus Threat Activity
|
2026-05-13
|
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
T1546.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Cisco Isovalent - Cron Job Creation
|
Cisco Isovalent Process Exec
|
T1053.003
T1053.007
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows AD Short Lived Domain Account ServicePrincipalName
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Detect New Local Admin account
|
Windows Event Log Security 4720, Windows Event Log Security 4732
|
T1136.001
|
TTP
|
CISA AA22-257A, DHS Report TA18-074A, HAFNIUM Group, CISA AA24-241A, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
T1053.002
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Scheduled Task with Highest Privileges
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Scheduled Tasks, Compromised Windows Host, XWorm, AsyncRAT, Castle RAT, SolarWinds WHD RCE Post Exploitation, Quasar RAT, CISA AA23-347A, NetSupport RMM Tool Abuse, RedLine Stealer
|
2026-05-13
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
T1112
T1566
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4699, Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Scheduled Tasks, Compromised Windows Host, CISA AA22-257A, CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Compatibility Telemetry Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
T1053.006
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, China-Nexus Threat Activity, Gomir
|
2026-05-13
|
|
Schtasks scheduling job on remote system
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Prestige Ransomware, Compromised Windows Host, Quasar RAT, NOBELIUM Group, Phemedrone Stealer, RedLine Stealer, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Modify Registry Disable WinDefender Notifications
|
Sysmon EventID 13
|
T1112
|
TTP
|
SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, RedLine Stealer
|
2026-05-13
|
|
Cisco Isovalent - Shell Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
T1133
T1190
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Potential password in username
|
Linux Secure
|
T1078.003
T1552.001
|
Hunting
|
Insider Threat, Credential Dumping
|
2026-05-13
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Gomir
|
2026-05-13
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Persistence Techniques, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows AppCertDLL Modification Via Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.009
|
Anomaly
|
Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Print Spooler Failed to Load a Plug-in
|
Windows Event Log Printservice 4909, Windows Event Log Printservice 808
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
T1053.005
T1059.001
|
Anomaly
|
Scheduled Tasks, Scattered Spider
|
2026-05-13
|
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 14, Sysmon EventID 13
|
T1112
|
Anomaly
|
NetSupport RMM Tool Abuse, ShrinkLocker, CISA AA24-241A
|
2026-05-13
|
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
T1197
|
TTP
|
DarkSide Ransomware, Living Off The Land, APT37 Rustonotto and FadeStealer, Scattered Spider, Ingress Tool Transfer, Flax Typhoon, Gozi Malware, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, BITS Jobs
|
2026-05-13
|
|
Windows Modify Registry DisableSecuritySettings
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, DarkGate Malware
|
2026-05-13
|
|
Disable Show Hidden Files
|
Sysmon EventID 13
|
T1112
T1564.001
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics, Azorult
|
2026-05-13
|
|
Windows Vulnerable Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
Hunting
|
Windows Drivers, BlackByte Ransomware, Void Manticore
|
2026-05-13
|
|
Linux Add User Account
|
Sysmon for Linux EventID 1, Cisco Isovalent Process Exec
|
T1136.001
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Service Creation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
|
TTP
|
Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, SnappyBee, Active Directory Lateral Movement
|
2026-05-13
|
|
Svchost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows COM Hijacking InprocServer32 Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.015
|
TTP
|
Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Windows SQL Server Startup Procedure
|
Windows Event Log Application 17135
|
T1505.001
|
Anomaly
|
SQL Server Abuse, Hellcat Ransomware
|
2026-05-13
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Linux Persistence Techniques, Scheduled Tasks, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 13
|
T1112
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, CISA AA23-347A, Medusa Ransomware
|
2026-05-13
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry ValleyRat PWN Reg Entry
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Detect Exchange Web Shell
|
Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
Compromised Windows Host, CISA AA22-257A, BlackByte Ransomware, HAFNIUM Group, Seashell Blizzard, GhostRedirector IIS Module and Rungan Backdoor, ProxyNotShell, ProxyShell
|
2026-05-13
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Scheduled Tasks, Compromised Windows Host, Windows Error Reporting Service Elevation of Privilege Vulnerability, Medusa Ransomware, Ransomware, CISA AA22-257A, Castle RAT, Winter Vivern, 0bj3ctivity Stealer, Salt Typhoon, Ryuk Ransomware, Windows Persistence Techniques, China-Nexus Threat Activity, SystemBC
|
2026-05-13
|
|
PowerShell Start-BitsTransfer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1197
|
TTP
|
Gozi Malware, BITS Jobs
|
2026-05-13
|
|
Windows Scheduled Task Created Via XML
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
Anomaly
|
Malicious Inno Setup Loader, Scheduled Tasks, Lokibot, Winter Vivern, MoonPeak, CISA AA23-347A
|
2026-05-13
|
|
Windows Suspicious Child Process Spawned From WebServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.003
|
Anomaly
|
SysAid On-Prem Software CVE-2023-47246 Vulnerability, Compromised Windows Host, WS FTP Server Critical Vulnerabilities, Medusa Ransomware, Citrix ShareFile RCE CVE-2023-24489, CISA AA22-257A, BlackByte Ransomware, Flax Typhoon, Microsoft SharePoint Vulnerabilities, HAFNIUM Group, GhostRedirector IIS Module and Rungan Backdoor, CISA AA22-264A, Microsoft WSUS CVE-2025-59287, ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Downdate Registry Activity
|
Sysmon EventID 14, Sysmon EventID 12, Sysmon EventID 13
|
T1112
T1689
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Disable Change Password Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Defense Evasion Tactics, Ransomware
|
2026-05-13
|
|
Windows AD Self DACL Assignment
|
Windows Event Log Security 5136
|
T1098
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Level RMM Watchdog Task Created
|
Windows Event Log Security 4698
|
T1053
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
T1053.003
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir
|
2026-05-13
|
|
Cisco NVM - Curl Execution With Insecure Flags
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
PromptLock, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Windows Shell Process from CrushFTP
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.001
T1059.003
T1190
T1505
|
TTP
|
CrushFTP Vulnerabilities
|
2026-05-13
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
T1053
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Windows AD DSRM Account Changes
|
Sysmon EventID 13
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Windows Registry Abuse, Scattered Lapsus$ Hunters, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.004
T1685.001
|
Anomaly
|
Windows Defense Evasion Tactics, Compromised Windows Host, CISA AA23-347A, IIS Components
|
2026-05-13
|
|
Windows RDPClient Connection Sequence Events
|
Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
|
T1133
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, Spearphishing Attachments
|
2026-05-13
|
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
Linux Rootkit, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, China-Nexus Threat Activity
|
2026-05-13
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
ValleyRAT, Water Gamayun
|
2026-05-13
|
|
Windows Modify Registry Regedit Silent Reg Import
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 13
|
T1112
|
TTP
|
NjRAT
|
2026-05-13
|
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
T1546.012
|
Hunting
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Command
|
Windows Event Log Security 4700, Windows Event Log Security 4698, Windows Event Log Security 4702
|
T1053.005
|
TTP
|
Scheduled Tasks, APT37 Rustonotto and FadeStealer, Ransomware, Seashell Blizzard, SolarWinds WHD RCE Post Exploitation, Quasar RAT, Ryuk Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Suspicious File in EFI Volume
|
Sysmon EventID 11
|
T1490
T1542.001
|
TTP
|
Windows BootKits, BlackLotus Campaign, Sandworm Tools
|
2026-05-13
|
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
T1037.004
|
Anomaly
|
Backdoor Pingpong, Linux Persistence Techniques, XorDDos, Linux Privilege Escalation, China-Nexus Threat Activity
|
2026-05-13
|
|
Windows Suspicious Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1543
|
TTP
|
RoguePlanet, Brute Ratel C4, PromptLock, XMRig, Castle RAT, AsyncRAT, Water Gamayun, Hermetic Wiper, MoonPeak, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Graceful Wipe Out Attack, IcedID, Trickbot, RedLine Stealer, Prestige Ransomware, Earth Alux, Warzone RAT, DarkCrystal RAT, PlugX, StealC Stealer, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, Chaos Ransomware, LockBit Ransomware, China-Nexus Threat Activity, SnappyBee, Void Manticore, Malicious Inno Setup Loader, ValleyRAT, Lokibot, VIP Keylogger, Industroyer2, Interlock Rat, XWorm, NailaoLocker Ransomware, Meduza Stealer, AgentTesla, Qakbot, CISA AA23-347A, WhisperGate, Axios Supply Chain Post Compromise, SystemBC, Remcos, Volt Typhoon, BlackByte Ransomware, Interlock Ransomware, Azorult, Quasar RAT, Swift Slicer, Data Destruction, Handala Wiper, Double Zero Destructor, Phemedrone Stealer, SesameOp
|
2026-06-11
|
|
Windows Shell or Script Execution From IIS Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1190
T1505.004
|
Anomaly
|
ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Print Processor Registry Autostart
|
Sysmon EventID 13
|
T1547.012
|
TTP
|
Hermetic Wiper, Windows Privilege Escalation, Data Destruction, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Disable Internet Explorer Addons
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1176.001
|
Anomaly
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows Modify Registry No Auto Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2026-05-13
|
|
Windows Local LLM Framework Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
T1112
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows SnappyBee Create Test Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Salt Typhoon, China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
T1078.002
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
T1112
|
Hunting
|
Outlook RCE CVE-2024-21378, Hellcat Ransomware
|
2026-05-13
|
|
Windows Process Execution in Temp Dir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1543
|
Anomaly
|
RoguePlanet, Gh0st RAT, Remcos, Lokibot, Axios Supply Chain Post Compromise, PromptLock, Ransomware, XWorm, NjRAT, Salat Stealer, AgentTesla, Qakbot, PathWiper, Ryuk Ransomware, Trickbot, SesameOp
|
2026-06-08
|
|
Windows Remote Create Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
|
Anomaly
|
BlackSuit Ransomware, CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Guest Account Enabled Via Net.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1078.001
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
T1069
T1078.002
|
TTP
|
Rhysida Ransomware, Active Directory Privilege Escalation, Active Directory Discovery
|
2026-05-13
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Privileged Group Modification
|
Windows Event Log Security 4744, Windows Event Log Security 4790, Windows Event Log Security 4731, Windows Event Log Security 4727, Windows Event Log Security 4754, Windows Event Log Security 4759, Windows Event Log Security 4749, Windows Event Log Security 4756, Windows Event Log Security 4783
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Auditd Possible Access Or Modification Of Sshd Config File
|
Linux Auditd Cwd, Linux Auditd Path
|
T1098.004
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Change File Association Command To Notepad
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.001
|
TTP
|
Prestige Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Modify Registry ProxyServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows IIS Components Add New Module
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.004
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components
|
2026-05-13
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12
|
T1053.005
T1685
|
Anomaly
|
Scheduled Tasks, Windows Registry Abuse, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Bluetooth Service Installed From Uncommon Location
|
Windows Event Log System 7045
|
T1036
T1543.003
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Disable Registry Tool
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Prestige Ransomware, Compromised Windows Host, Volt Typhoon, Industroyer2, Gozi Malware, CISA AA22-277A, Storm-0501 Ransomware, Data Destruction, Graceful Wipe Out Attack, WhisperGate, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Outlook LoadMacroProviderOnBoot Persistence
|
Sysmon EventID 13
|
T1112
T1137
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Schtasks used for forcing a reboot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Scheduled Tasks, Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Outlook Macro Security Modified
|
Sysmon EventID 13
|
T1008
T1137
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Windows Routing and Remote Access Service Registry Key Change
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Gh0st RAT
|
2026-05-13
|
|
Windows Compatibility Telemetry Tampering Through Registry
|
Sysmon EventID 13
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Exchange PowerShell Abuse via SSRF
|
|
T1133
T1190
|
TTP
|
ProxyNotShell, BlackByte Ransomware, ProxyShell, Seashell Blizzard
|
2026-05-13
|
|
MacOS LoginHook Persistence
|
Osquery Results
|
T1037.002
|
TTP
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Windows Service Create Kernel Mode Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
T1543.003
|
TTP
|
Windows Drivers, CISA AA22-320A
|
2026-05-13
|
|
Windows SQL Server Configuration Option Hunt
|
Windows Event Log Application 15457
|
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Linux Auditd Insert Kernel Module Using Insmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
Linux Rootkit, Linux Persistence Techniques, XorDDos, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows SharePoint Spinstall0 Webshell File Creation
|
Sysmon EventID 11
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
T1053.005
|
Hunting
|
CISA AA22-257A, Scheduled Tasks, 0bj3ctivity Stealer, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Industroyer2, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Cisco Isovalent Suspicious Activity, Gomir
|
2026-05-13
|
|
Windows Modify Registry Qakbot Binary Data Registry
|
Sysmon EventID 1, Sysmon EventID 13
|
T1112
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows Scheduled Task Created in a Group Policy Object
|
Windows Event Log Security 5145
|
T1053.005
T1484.001
|
TTP
|
Living Off The Land, Scheduled Tasks, Windows Persistence Techniques
|
2026-05-13
|
|
LLM Model File Creation
|
Sysmon EventID 11
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Disabling ControlPanel
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry AuthenticationLevelOverride
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Schtasks Run Task On Demand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053
|
Anomaly
|
Scheduled Tasks, Medusa Ransomware, Industroyer2, CISA AA22-257A, XMRig, Qakbot, Data Destruction
|
2026-05-13
|
|
Shim Database File Creation
|
Sysmon EventID 11
|
T1546.011
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Service Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
|
TTP
|
CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Time Provider Persistence Registry
|
Sysmon EventID 13
|
T1547.003
|
TTP
|
Windows Registry Abuse, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 13
|
T1003
T1112
|
TTP
|
Credential Dumping, Windows Registry Abuse, CISA AA22-320A
|
2026-05-13
|
|
Spoolsv Writing a DLL
|
Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
T1547.012
|
TTP
|
Compromised Windows Host, PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
T1053.005
|
Anomaly
|
Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
T1542.003
|
Hunting
|
BlackLotus Campaign
|
2026-05-13
|
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics, Ransomware
|
2026-05-13
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation
|
2026-05-13
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Gh0st RAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, BlackSuit Ransomware, Ransomware, DHS Report TA18-074A, Braodo Stealer, AsyncRAT, Suspicious Windows Registry Activities, Castle RAT, MoonPeak, Amadey, Snake Keylogger, Derusbi, NetSupport RMM Tool Abuse, IcedID, RedLine Stealer, Warzone RAT, Cactus Ransomware, Suspicious MSHTA Activity, DarkCrystal RAT, NjRAT, Salt Typhoon, Chaos Ransomware, DarkGate Malware, Windows Persistence Techniques, MuddyWater, China-Nexus Threat Activity, SnappyBee, ValleyRAT, Lokibot, Windows Registry Abuse, WinDealer RAT, XWorm, Salat Stealer, 0bj3ctivity Stealer, Qakbot, CISA AA23-347A, Axios Supply Chain Post Compromise, SystemBC, Remcos, APT37 Rustonotto and FadeStealer, BlackByte Ransomware, Interlock Ransomware, Azorult, Quasar RAT, Emotet Malware DHS Report TA18-201A
|
2026-06-08
|
|
Windows New Default File Association Value Set
|
Sysmon EventID 13
|
T1546.001
|
Hunting
|
Prestige Ransomware, Windows Registry Abuse, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Cwd, Linux Auditd Path
|
T1546.004
|
TTP
|
Linux Persistence Techniques, QuietVault, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Name
|
Windows Event Log Security 4700, Windows Event Log Security 4698, Windows Event Log Security 4702
|
T1053.005
|
TTP
|
Scheduled Tasks, APT37 Rustonotto and FadeStealer, Ransomware, Castle RAT, 0bj3ctivity Stealer, Ryuk Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
XMRIG Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
XMRig, Crypto Stealer, CISA AA22-320A
|
2026-05-13
|
|
Web or Application Server Spawning a Shell
|
Sysmon EventID 1, Sysmon for Linux EventID 1
|
T1133
T1190
|
TTP
|
WS FTP Server Critical Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Microsoft WSUS CVE-2025-59287, Log4Shell CVE-2021-44228, SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, HAFNIUM Group, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Microsoft SharePoint Vulnerabilities, CISA AA22-257A, Flax Typhoon, CISA AA22-264A, ProxyNotShell, ProxyShell, Cleo File Transfer Software, PHP-CGI RCE Attack on Japanese Organizations, BlackByte Ransomware, Data Destruction
|
2026-05-13
|
|
Windows Outlook WebView Registry Modification
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Linux Auditd Kernel Module Using Rmmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
TTP
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Windows EFI Bootloader File Modification
|
Sysmon EventID 11
|
T1542.003
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Rundll32 Shimcache Flush
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
TTP
|
Living Off The Land, Compromised Windows Host, Unusual Processes
|
2026-05-13
|
|
Windows BootLoader Inventory
|
|
T1542.001
|
Hunting
|
Windows BootKits, BlackLotus Campaign
|
2026-05-13
|
|
Windows Modify Registry UpdateServiceUrlAlternate
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Services LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
|
TTP
|
Living Off The Land, Qakbot, CISA AA23-347A, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Auditd Install Kernel Module Using Modprobe Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity, Compromised Linux Host
|
2026-05-13
|
|
Windows Modify Registry Risk Behavior
|
|
T1112
|
Correlation
|
Windows Registry Abuse
|
2026-05-13
|
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
T1547.006
|
Anomaly
|
Linux Persistence Techniques, Linux Rootkit, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Malicious Inno Setup Loader, Scheduled Tasks, Compromised Windows Host, Cactus Ransomware, Industroyer2, CISA AA22-257A, Active Directory Discovery, Data Destruction, Hellcat Ransomware
|
2026-05-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1542
T1688
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows TeamCity Plugin Installed
|
Sysmon EventID 11
|
T1059
T1190
T1505.003
|
Anomaly
|
JetBrains TeamCity Vulnerabilities, JetBrains TeamCity Unauthenticated RCE
|
2026-05-13
|
|
Revil Registry Entry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
TTP
|
Revil Ransomware, Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
T1546.004
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Utilize ProgIDs
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ValleyRAT
|
2026-05-13
|
|
Windows Sqlservr Spawning Shell
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation
|
2026-05-13
|
|
Windows NorthStar C2 Agent Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1547.001
T1608
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 13
|
T1546.002
|
TTP
|
Windows Registry Abuse, Hermetic Wiper, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Security Support Provider Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1547.005
|
Anomaly
|
Sneaky Active Directory Persistence Tricks, Prestige Ransomware, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 13
|
T1542
T1547.001
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Windows Modify Registry MaxConnectionPerServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Warzone RAT
|
2026-05-13
|
|
Windows MsMpEng Writing to System32
|
Sysmon EventID 11, Sysmon EventID 15
|
T1068
T1543.003
|
TTP
|
BlueHammer, Windows Drivers, Windows Privilege Escalation, RedSun
|
2026-04-27
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
T1218.010
|
TTP
|
Remcos, Suspicious Regsvr32 Activity
|
2026-05-13
|
|
GitHub Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
Hunting
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Modify Registry USeWuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
Scheduled Tasks, CISA AA24-241A, Hermetic Wiper, Data Destruction, Microsoft WSUS CVE-2025-59287, Malicious PowerShell, Active Directory Lateral Movement
|
2026-05-13
|
|
Active Setup Registry Autostart
|
Sysmon EventID 13
|
T1547.014
|
TTP
|
Hermetic Wiper, Windows Privilege Escalation, Data Destruction, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
Windows Drivers, Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
BITS Job Persistence
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1197
|
TTP
|
Living Off The Land, BITS Jobs
|
2026-05-13
|
|
Windows Modify Registry Tamper Protection
|
Sysmon EventID 13
|
T1112
|
TTP
|
Scattered Lapsus$ Hunters, RedLine Stealer
|
2026-05-13
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
T1546.003
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows RunMRU Registry Key or Value Deleted
|
Sysmon EventID 12
|
T1112
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Disable Shutdown Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Ransomware
|
2026-05-13
|
|
Windows Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
APT37 Rustonotto and FadeStealer, CISA AA22-320A, XMRig, BlackByte Ransomware, Interlock Ransomware, AgentTesla, Snake Keylogger
|
2026-05-13
|
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Scheduled Tasks, Medusa Ransomware, Castle RAT, Qakbot, SolarWinds WHD RCE Post Exploitation, Windows Persistence Techniques
|
2026-05-13
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 13
|
T1556
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Cisco Isovalent - Nsenter Usage in Kubernetes Pod
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Modify Registry Suppress Win Defender Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Suspicious Reg exe Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
Anomaly
|
DHS Report TA18-074A, Windows Defense Evasion Tactics, Disabling Security Tools
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1078.002
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows PowerShell IIS Components WebGlobalModule Usage
|
Powershell Script Block Logging 4104
|
T1505.004
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components
|
2026-05-13
|
|
Windows Modify Registry ProxyEnable
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
T1112
|
TTP
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows AD Privileged Group Modification
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Cisco NVM - Suspicious Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, BlankGrabber Stealer
|
2026-05-13
|
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
T1543.003
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Compromised Windows Host
|
2026-05-13
|
|
Windows SQL Server xp_cmdshell Config Change
|
Windows Event Log Application 15457
|
T1505.001
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, SQL Server Abuse, Seashell Blizzard
|
2026-05-13
|
|
Windows Modify Registry DisableRemoteDesktopAntiAlias
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Remcos client registry install entry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
TTP
|
Remcos, Windows Registry Abuse
|
2026-05-13
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
T1547.001
|
Anomaly
|
Crypto Stealer, APT37 Rustonotto and FadeStealer, PromptFlux, XWorm, Gozi Malware, NjRAT, Interlock Ransomware, Quasar RAT, Chaos Ransomware, BlankGrabber Stealer, RedLine Stealer
|
2026-05-13
|
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, XorDDos, Linux Rootkit
|
2026-05-13
|
|
Windows IIS Components Get-WebGlobalModule Module Query
|
Powershell Installed IIS Modules
|
T1505.004
|
Hunting
|
GhostRedirector IIS Module and Rungan Backdoor, WS FTP Server Critical Vulnerabilities, IIS Components
|
2026-05-13
|
|
Windows Modify Registry Configure BitLocker
|
Sysmon EventID 13
|
T1112
|
TTP
|
ShrinkLocker
|
2026-05-13
|
|
Suspicious PlistBuddy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Windows Modify Registry on Smart Card Group Policy
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ShrinkLocker
|
2026-05-13
|
|
Windows Modify Registry Disable Toast Notifications
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
T1546.003
|
TTP
|
Suspicious WMI Use, Hellcat Ransomware
|
2026-05-13
|
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-13
|
|
Windows SQL Server Extended Procedure DLL Loading Hunt
|
Windows Event Log Application 8128
|
T1059.009
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion, ShrinkLocker
|
2026-05-13
|
|
Windows Modify Registry Auto Update Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
MacOS Account Created
|
Osquery Results
|
T1136
|
Anomaly
|
MacOS Persistence Techniques
|
2026-05-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Create Local Account
|
Windows Event Log Security 4720
|
T1136.001
|
Anomaly
|
Active Directory Password Spraying, Scattered Lapsus$ Hunters, GhostRedirector IIS Module and Rungan Backdoor, CISA AA24-241A
|
2026-05-13
|
|
FodHelper UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
T1548.002
|
TTP
|
ValleyRAT, Compromised Windows Host, Windows Defense Evasion Tactics, BlankGrabber Stealer, IcedID
|
2026-05-13
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
T1505.004
T1685.001
|
TTP
|
Windows Defense Evasion Tactics, IIS Components
|
2026-05-13
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Ransomware, Castle RAT, AsyncRAT, Ryuk Ransomware, IcedID, Active Directory Lateral Movement, Scheduled Tasks, Prestige Ransomware, Medusa Ransomware, Winter Vivern, PlugX, Salt Typhoon, Windows Persistence Techniques, China-Nexus Threat Activity, Malicious Inno Setup Loader, ValleyRAT, Compromised Windows Host, Industroyer2, CISA AA22-257A, XWorm, 0bj3ctivity Stealer, CISA AA23-347A, SystemBC, APT37 Rustonotto and FadeStealer, Remcos, Quasar RAT, Data Destruction
|
2026-05-13
|
|
MacOS Kextload Usage
|
Osquery Results
|
T1543
|
TTP
|
MacOS Privilege Escalation, MacOS Persistence Techniques
|
2026-05-13
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry Disable Windows Security Center Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Admin Password Changed by Non-Admin
|
Windows Event Log Security 4723
|
T1068
T1543.003
|
TTP
|
BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
T1078.003
T1136.001
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement
|
2026-05-13
|
|
Scheduled Task Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Medusa Ransomware, Seashell Blizzard, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1133
T1190
|
TTP
|
Compromised Windows Host, PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Shim Database Installation With Suspicious Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.011
|
TTP
|
Compromised Windows Host, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry No Auto Reboot With Logon User
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
T1546.008
|
TTP
|
Hermetic Wiper, Flax Typhoon, Windows Privilege Escalation, Data Destruction
|
2026-05-13
|
|
Suspicious PlistBuddy Usage via OSquery
|
Osquery Results
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Windows Create Local Administrator Account Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1136.001
|
Anomaly
|
Medusa Ransomware, CISA AA22-257A, DHS Report TA18-074A, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Azorult, DarkGate Malware, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Living Off The Land, Scheduled Tasks, Compromised Windows Host, Winter Vivern, Hellcat Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Windows IIS Components New Module Added
|
Windows IIS 29
|
T1505.004
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, IIS Components
|
2026-05-13
|
|
Windows Modify Registry Auto Minor Updates
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows MOF Event Triggered Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.003
|
TTP
|
Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
LockBit Ransomware
|
2026-05-13
|
|
Windows Snake Malware Registry Modification wav OpenWithProgIds
|
Sysmon EventID 13
|
T1112
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Disabling CMD Application
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
NjRAT, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
T1078.002
|
TTP
|
Compromised Windows Host, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Cisco Isovalent - Late Process Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Living Off The Land, Scheduled Tasks, Compromised Windows Host, Castle RAT, Windows Persistence Techniques, IcedID, Trickbot
|
2026-05-13
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Windows Modify Show Compress Color And Info Tip Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Hermetic Wiper, Windows Registry Abuse, Windows Defense Evasion Tactics, Data Destruction
|
2026-05-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
T1078.002
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-05-13
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 13
|
T1547.010
|
TTP
|
Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Disable Notification Center
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2026-05-13
|
|
Windows Deleted Registry By A Non Critical Process File Path
|
Sysmon EventID 1, Sysmon EventID 12
|
T1112
|
Anomaly
|
Double Zero Destructor, Data Destruction
|
2026-05-13
|
|
Windows ESX Admins Group Creation via PowerShell
|
Powershell Script Block Logging 4104
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, Windows Defense Evasion Tactics, Ransomware
|
2026-05-13
|
|
Windows Metasploit Confluence Plugin Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
T1505.003
T1608
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Windows Cloud Files Filter Loaded by Uncommon Process
|
Sysmon EventID 7
|
T1543.003
|
Anomaly
|
BlueHammer, RedSun
|
2026-05-18
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Linux Persistence Techniques, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
Windows AD DSRM Password Reset
|
Windows Event Log Security 4794
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Windows PowerShell MSIX Package Installation
|
Powershell Script Block Logging 4104
|
T1059.001
T1547.001
|
TTP
|
MSIX Package Abuse, Malicious PowerShell
|
2026-05-13
|
|
Scheduled Task Deleted Or Created via CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
|
Anomaly
|
DHS Report TA18-074A, AsyncRAT, MoonPeak, Amadey, NetSupport RMM Tool Abuse, Trickbot, RedLine Stealer, Scheduled Tasks, Prestige Ransomware, Medusa Ransomware, DarkCrystal RAT, Winter Vivern, NjRAT, PlugX, Rhysida Ransomware, Salt Typhoon, NOBELIUM Group, Windows Persistence Techniques, China-Nexus Threat Activity, ValleyRAT, Lokibot, CISA AA22-257A, XWorm, 0bj3ctivity Stealer, AgentTesla, Qakbot, CISA AA23-347A, Sandworm Tools, Living Off The Land, APT37 Rustonotto and FadeStealer, Remcos, Scattered Spider, ShrinkLocker, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Quasar RAT, Azorult, Phemedrone Stealer
|
2026-05-13
|
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 13
|
T1546.011
|
TTP
|
Windows Registry Abuse, Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2026-05-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
T1078
|
Hunting
|
Active Directory Privilege Escalation, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Disable Windows Group Policy Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Defense Evasion Tactics, Windows Registry Abuse, CISA AA23-347A, Ransomware
|
2026-05-13
|
|
Windows Server Software Component GACUtil Install to GAC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505.004
|
TTP
|
IIS Components
|
2026-05-13
|
|
Linux Auditd Add User Account Type
|
Linux Auditd Add User
|
T1136.001
|
Anomaly
|
Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host
|
2026-05-13
|
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
T1543.003
|
Hunting
|
BlackSuit Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Disabling NoRun Windows App
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200
|
T1053.005
|
Hunting
|
BlackSuit Ransomware, AsyncRAT, Amadey, IcedID, Prestige Ransomware, Scheduled Tasks, DarkCrystal RAT, Winter Vivern, PlugX, Windows Persistence Techniques, Malicious Inno Setup Loader, ValleyRAT, Industroyer2, CISA AA22-257A, Qakbot, Sandworm Tools, SystemBC, Remcos, CISA AA24-241A, SolarWinds WHD RCE Post Exploitation, Data Destruction
|
2026-05-13
|
|
Windows Modify Registry Disabling WER Settings
|
Sysmon EventID 13
|
T1112
|
TTP
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
T1547.012
|
TTP
|
PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
T1547.006
T1569.002
|
TTP
|
Compromised Windows Host, Snake Malware
|
2026-05-13
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
T1133
T1190
|
TTP
|
MOVEit Transfer Critical Vulnerability, Hellcat Ransomware
|
2026-05-13
|
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
T1547.006
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Windows Modify Registry wuStatusServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows IIS Components Module Failed to Load
|
Windows Event Log Application 2282
|
T1505.004
|
Anomaly
|
IIS Components
|
2026-05-13
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
T1195
T1554
T1574.006
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Modify Registry Disable Win Defender Raw Write Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Living Off The Land Detection
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows SQL Server Critical Procedures Enabled
|
Windows Event Log Application 15457
|
T1505.001
|
TTP
|
SQL Server Abuse
|
2026-05-13
|
|
Windows Modify Registry DontShowUI
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Windows Vulnerable Driver Installed
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Windows Drivers, Void Manticore
|
2026-05-13
|
|
Scheduled Task Creation on Remote Endpoint using At
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.002
|
TTP
|
Living Off The Land, Scheduled Tasks, 0bj3ctivity Stealer, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Audit Policy Auditing Option Modified - Registry
|
Sysmon EventID 13
|
T1547.014
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Outlook Macro Created by Suspicious Process
|
Sysmon EventID 11
|
T1059.005
T1137
|
TTP
|
NotDoor Malware
|
2026-05-13
|
|
Detect Excessive User Account Lockouts
|
|
T1078.003
|
Anomaly
|
Active Directory Password Spraying, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Modify Registry NoChangingWallPaper
|
Sysmon EventID 13
|
T1112
|
TTP
|
Rhysida Ransomware
|
2026-05-13
|
|
Windows Computer Account Changed to Domain Controller
|
Windows Event Log Security 4742
|
T1136.002
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
T1112
|
TTP
|
NetSupport RMM Tool Abuse, ShrinkLocker, CISA AA24-241A
|
2026-05-13
|
|
Windows Service Create with Tscon
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
T1563.002
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Registry Keys Used For Privilege Escalation
|
Sysmon EventID 13
|
T1546.012
|
TTP
|
Cloud Federated Credential Abuse, Windows Registry Abuse, Suspicious Windows Registry Activities, Hermetic Wiper, Data Destruction, Windows Privilege Escalation
|
2026-05-13
|
|
Windows ESX Admins Group Creation via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows AD AdminSDHolder ACL Modified
|
Windows Event Log Security 5136
|
T1546
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Autostart Execution LSASS Driver Registry Modification
|
Sysmon EventID 13
|
T1547.008
|
TTP
|
Windows Registry Abuse
|
2026-05-13
|
|
Spoolsv Spawning Rundll32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1547.012
|
TTP
|
Compromised Windows Host, PrintNightmare CVE-2021-34527, Black Basta Ransomware
|
2026-05-13
|
|
Windows Potential Web Shell Creation For VMware Workspace ONE
|
Sysmon EventID 11
|
T1505.003
|
Anomaly
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, VMware Aria Operations vRealize CVE-2023-20887, VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
Windows Impair Defenses Disable AV AutoStart via Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Set Network Profile Category to Private via Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Secret Blizzard
|
2026-05-13
|
|
Linux SSH Authorized Keys Modification
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Hellcat Ransomware
|
2026-05-13
|
|
Windows Modify Registry LongPathsEnabled
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
BlackByte Ransomware
|
2026-05-13
|
|
Windows Modify Registry ValleyRAT C2 Config
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
T1098.004
|
Anomaly
|
Linux Persistence Techniques, Hellcat Ransomware, Linux Living Off The Land, Linux Privilege Escalation
|
2026-05-13
|
|
PaperCut NG Remote Web Access Attempt
|
Suricata
|
T1133
T1190
|
TTP
|
PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Hunting for Log4Shell
|
Nginx Access
|
T1133
T1190
|
Hunting
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Web Spring4Shell HTTP Request Class Module
|
Splunk Stream HTTP
|
T1133
T1190
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Log4Shell JNDI Payload Injection with Outbound Connection
|
|
T1133
T1190
|
Anomaly
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Tomcat Session Deserialization Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-05-13
|
|
Spring4Shell Payload URL Request
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Supernova Webshell
|
|
T1133
T1505.003
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Earth Alux, NOBELIUM Group
|
2026-05-13
|
|
Windows Exchange Autodiscover SSRF Abuse
|
Windows IIS
|
T1133
T1190
|
TTP
|
ProxyNotShell, BlackByte Ransomware, ProxyShell, Seashell Blizzard
|
2026-05-13
|
|
ProxyShell ProxyNotShell Behavior Detected
|
|
T1133
T1190
|
Correlation
|
ProxyNotShell, ProxyShell, Seashell Blizzard
|
2026-05-13
|
|
Log4Shell JNDI Payload Injection Attempt
|
Nginx Access
|
T1133
T1190
|
Anomaly
|
CISA AA22-257A, Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Detect attackers scanning for vulnerable JBoss servers
|
|
T1082
T1133
|
TTP
|
SamSam Ransomware, JBoss Vulnerability
|
2026-05-13
|
|
Windows SharePoint Spinstall0 GET Request
|
Suricata
|
T1190
T1505.003
T1552
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
T1068
T1133
T1190
T1210
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2026-05-13
|
|
Tomcat Session File Upload Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-05-13
|
|
Fortinet Appliance Auth bypass
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
CVE-2022-40684 Fortinet Appliance Auth bypass
|
2026-05-13
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
|
Suricata
|
T1133
T1190
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-05-13
|
|
Web Spring Cloud Function FunctionRouter
|
Splunk Stream HTTP
|
T1133
T1190
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Windows SharePoint ToolPane Endpoint Exploitation Attempt
|
Suricata
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
Hellcat Ransomware, Fortinet FortiNAC CVE-2022-39952
|
2026-05-13
|
|
Exploit Public Facing Application via Apache Commons Text
|
Nginx Access
|
T1133
T1190
T1505.003
|
Anomaly
|
Text4Shell CVE-2022-42889
|
2026-05-13
|
|
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
|
Palo Alto Network Threat
|
T1133
T1190
T1505
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Web JSP Request via URL
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Spring4Shell CVE-2022-22965, Earth Alux
|
2026-05-13
|
|
VMware Workspace ONE Freemarker Server-side Template Injection
|
Palo Alto Network Threat
|
T1133
T1190
|
Anomaly
|
VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
|
Suricata
|
T1133
T1190
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-05-13
|
|
VMware Server Side Template Injection Hunt
|
Palo Alto Network Threat
|
T1133
T1190
|
Hunting
|
VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
ESXi Shared or Stolen Root Account
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - New Local User Account Created
|
Cisco ASA Logs
|
T1078.003
T1136.001
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
PingID New MFA Method Registered For User
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
T1556.006
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Cisco Duo Policy Allow Old Java
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Os
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco ASA - User Privilege Level Change
|
Cisco ASA Logs
|
T1078.003
T1098
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
M365 Copilot Application Usage Pattern Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Cisco Duo Policy Allow Devices Without Screen Lock
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Okta New API Token Created
|
Okta
|
T1078.001
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Cisco Duo Policy Allow Old Flash
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Country
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Zoom High Video Latency
|
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
T1078.001
T1556
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi External Root Login Activity
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Cisco ASA - AAA Policy Tampering
|
Cisco ASA Logs
|
T1556.004
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Okta New Device Enrolled on Account
|
Okta
|
T1098.005
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
T1078
T1110
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco Duo Bypass Code Generation
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Policy Skip 2FA for Other Countries
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
ESXi Account Modified
|
VMWare ESXi Syslog
|
T1078
T1098
T1136.001
|
Anomaly
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
ESXi User Granted Admin Role
|
VMWare ESXi Syslog
|
T1078
T1098
|
TTP
|
ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Okta Suspicious Activity Reported
|
Okta
|
T1078.001
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Scattered Lapsus$ Hunters, Compromised User Account
|
2026-05-13
|
|
Okta Risk Threshold Exceeded
|
Okta
|
T1078
T1110
|
Correlation
|
Okta MFA Exhaustion, Suspicious Okta Activity, Okta Account Takeover
|
2026-05-13
|
|
Cisco IOS XE WebUI Programmatic Configuration
|
Cisco IOS Logs
|
T1078
T1190
|
Anomaly
|
Salt Typhoon
|
2026-05-19
|
|
Cisco Duo Bulk Policy Deletion
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco IOS XE WebUI Login From IOSd Local Port
|
Cisco IOS Logs
|
T1078
T1190
|
TTP
|
Salt Typhoon
|
2026-05-19
|
|
Cisco Duo Policy Allow Tampered Devices
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Set User Status to Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Policy Deny Access
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Policy Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
ESXi Malicious VIB Forced Install
|
VMWare ESXi Syslog
|
T1505.006
|
TTP
|
China-Nexus Threat Activity, ESXi Post Compromise, Black Basta Ransomware
|
2026-05-13
|
|
Okta Successful Single Factor Authentication
|
Okta
|
T1078.004
T1586.003
T1621
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
M365 Copilot Session Origin Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Cisco Duo Policy Allow Network Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
T1078.004
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Browser
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
T1556
|
Anomaly
|
Cloud Federated Credential Abuse, Office 365 Account Takeover
|
2026-05-13
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace
|
T1078.004
T1586.003
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
ASL AWS IAM Successful Group Deletion
|
ASL AWS CloudTrail
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
GCP Detect gcploit framework
|
|
T1078
|
TTP
|
GCP Cross Account Activity
|
2026-05-13
|
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
T1053.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
O365 Service Principal Privilege Escalation
|
O365 Add app role assignment grant to user.
|
T1098.003
|
TTP
|
Office 365 Account Takeover, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
ASL AWS New MFA Method Registered For User
|
ASL AWS CloudTrail
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Multiple Service Principals Created by User
|
O365 Add service principal.
|
T1136.003
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
ASL AWS UpdateLoginProfile
|
ASL AWS CloudTrail
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Privileged Role Assigned
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD External Guest User Invited
|
Azure Active Directory Invite external user
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
ASL AWS Multi-Factor Authentication Disabled
|
ASL AWS CloudTrail
|
T1556.006
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
O365 Add App Role Assignment Grant User
|
O365 Add app role assignment grant to user.
|
T1136.003
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
T1078.004
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2026-05-13
|
|
Azure AD Global Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
O365 FullAccessAsApp Permission Assigned
|
O365 Update application.
|
T1098.002
T1098.003
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
ASL AWS Create Access Key
|
ASL AWS CloudTrail
|
T1136.003
|
Hunting
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD PIM Role Assigned
|
Azure Active Directory
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Azure AD Tenant Wide Admin Consent Granted
|
Azure Active Directory Consent to application
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
T1078.004
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS CreateLoginProfile
|
AWS CloudTrail CreateLoginProfile, AWS CloudTrail ConsoleLogin
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Privileged Role Assigned To Service Principal
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
GCP Multi-Factor Authentication Disabled
|
Google Workspace
|
T1556.006
T1586.003
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD Multiple Service Principals Created by User
|
Azure Active Directory Add service principal
|
T1136.003
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
O365 Application Registration Owner Added
|
O365 Add owner to application.
|
T1098
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Security And Compliance Alert Triggered
|
|
T1078.004
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Circle CI Disable Security Job
|
CircleCI
|
T1554
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
T1078.004
T1586.003
T1621
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD Service Principal Privilege Escalation
|
Azure Active Directory Add app role assignment to service principal
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
O365 Service Principal New Client Credentials
|
O365
|
T1098.001
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 New Federated Domain Added
|
O365
|
T1136.003
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Circle CI Disable Security Step
|
CircleCI
|
T1554
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
T1098.003
T1114.002
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 New MFA Method Registered
|
O365 Update user.
|
T1098.005
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
T1556
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 Added Service Principal
|
O365
|
T1136.003
|
TTP
|
Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
AWS UpdateLoginProfile
|
AWS CloudTrail UpdateLoginProfile
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 High Privilege Role Granted
|
O365 Add member to role.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD Service Principal Created
|
Azure Active Directory Add service principal
|
T1136.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
Okta Non-Standard VPN Usage
|
Okta
|
T1078
T1090
T1572
|
TTP
|
Remote Employment Fraud, Suspicious Okta Activity
|
2026-05-13
|
|
ASL AWS IAM Delete Policy
|
ASL AWS CloudTrail
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure AD Service Principal Owner Added
|
Azure Active Directory Add owner to application
|
T1098
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2026-05-13
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
T1078.004
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
O365 SharePoint Allowed Domains Policy Changed
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD PIM Role Assignment Activated
|
Azure Active Directory
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
AWS IAM Delete Policy
|
AWS CloudTrail DeletePolicy
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoginFailed, O365 UserLoggedIn
|
T1078
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
T1078
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2026-05-13
|
|
Azure AD Multiple Service Principals Created by SP
|
Azure Active Directory Add service principal
|
T1136.003
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure Automation Account Created
|
Azure Audit Create or Update an Azure Automation account
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
AWS IAM Failure Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Azure AD FullAccessAsApp Permission Assigned
|
Azure Active Directory Update application
|
T1098.002
T1098.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2026-05-13
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
T1556.006
T1586.003
|
TTP
|
Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 External Guest User Invited
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Mailbox Folder Read Permission Assigned
|
O365 ModifyFolderPermissions
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
Azure AD Service Principal New Client Credentials
|
Azure Active Directory
|
T1098.001
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2026-05-13
|
|
O365 External Identity Policy Changed
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD Application Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
O365 Application Available To Other Tenants
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration
|
2026-05-13
|
|
Azure AD Privileged Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters, Storm-0501 Ransomware, NOBELIUM Group
|
2026-05-13
|
|
O365 Multiple Service Principals Created by SP
|
O365 Add service principal.
|
T1136.003
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD New MFA Method Registered
|
Azure Active Directory Update user
|
T1098.005
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
O365 Admin Consent Bypassed by Service Principal
|
O365 Add app role assignment to service principal.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
T1556.006
|
TTP
|
Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters, Compromised User Account
|
2026-05-13
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
Azure AD Privileged Role Assigned to Service Principal
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2026-05-13
|
|
O365 ApplicationImpersonation Role Assigned
|
O365
|
T1098.002
|
TTP
|
Office 365 Collection Techniques, NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Azure AD User ImmutableId Attribute Updated
|
Azure Active Directory Update user
|
T1098
|
TTP
|
Azure Active Directory Persistence, Hellcat Ransomware
|
2026-05-13
|
|
Azure AD Admin Consent Bypassed by Service Principal
|
Azure Active Directory Add app role assignment to service principal
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2026-05-13
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
Azure Automation Runbook Created
|
Azure Audit Create or Update an Azure Automation Runbook
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice
|
T1556.006
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure AD User Enabled And Password Reset
|
Azure Active Directory Enable account, Azure Active Directory Update user, Azure Active Directory Reset password (by admin)
|
T1098
|
TTP
|
Azure Active Directory Persistence, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Geographic Improbable Location
|
Okta
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
ASL AWS IAM Failure Group Deletion
|
ASL AWS CloudTrail
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
T1078.004
T1586.003
T1621
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 Tenant Wide Admin Consent Granted
|
O365 Consent to application.
|
T1098.003
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 Elevated Mailbox Permission Assigned
|
O365 Add-MailboxPermission
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
AWS CreateAccessKey
|
AWS CloudTrail CreateAccessKey
|
T1136.003
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Mailbox Folder Read Permission Granted
|
O365 ModifyFolderPermissions
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Privileged Command Execution via HTTP
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1505.003
|
Anomaly
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Software Download To Network Device
|
|
T1542.005
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A
|
2026-05-13
|
|
Cisco Configuration Archive Logging Analysis
|
Cisco IOS Logs
|
T1098
T1505.003
T1685
|
Hunting
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco IOS Suspicious Privileged Account Creation
|
Cisco IOS Logs
|
T1078
T1136
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
T1021
T1133
T1556
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Wget or Curl Download
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1053.003
T1059
T1071.001
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
