|
Windows AD add Self to Group
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation, Medusa Ransomware
|
2026-06-01
|
|
Windows PowerShell Add Module to Global Assembly Cache
|
Powershell Script Block Logging 4104
|
T1505.004
|
TTP
|
IIS Components
|
2026-05-13
|
|
PaperCut NG Suspicious Behavior Debug Log
|
|
T1133
T1190
|
Hunting
|
PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Java Writing JSP File
|
Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
T1133
T1190
|
TTP
|
SysAid On-Prem Software CVE-2023-47246 Vulnerability, Spring4Shell CVE-2022-22965, Atlassian Confluence Server and Data Center CVE-2022-26134, SAP NetWeaver Exploitation
|
2026-05-13
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
T1053.006
|
Anomaly
|
Linux Privilege Escalation, Data Destruction, Scheduled Tasks, AwfulShred, Linux Living Off The Land, Gomir, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
T1037.001
|
TTP
|
Data Destruction, VIP Keylogger, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Anomalous Registry Value Length in Environment Key
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Linux Auditd Add User Account
|
Linux Auditd Proctitle
|
T1136.001
|
Anomaly
|
Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Linux Auditd Unload Module Via Modprobe
|
Linux Auditd Execve
|
T1547.006
|
TTP
|
Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows ESX Admins Group Creation Security Event
|
Windows Event Log Security 4727, Windows Event Log Security 4737, Windows Event Log Security 4730
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows TeamCity Payload Execution from Temp Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
T1190
T1505.003
|
TTP
|
JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Disable Windows App Hotkeys
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
XMRig, Windows Registry Abuse
|
2026-05-13
|
|
Clop Ransomware Known Service Name
|
Windows Event Log System 7045
|
T1543
|
TTP
|
Compromised Windows Host, Clop Ransomware
|
2026-05-13
|
|
Spoolsv Writing a DLL - Sysmon
|
Sysmon EventID 11
|
T1547.012
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
Linux Privilege Escalation, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry Do Not Connect To Win Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Windows DnsAdmins New Member Added
|
Windows Event Log Security 4732
|
T1098
|
TTP
|
Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
T1135
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Entra User Management Via Azure CLI
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1078.004
T1098
T1136
|
Anomaly
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Wscript Or Cscript Suspicious Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1055
T1134.004
T1543
|
Anomaly
|
WhisperGate, MuddyWater, Data Destruction, ShrinkLocker, Axios Supply Chain Post Compromise, FIN7, VIP Keylogger, XWorm, Unusual Processes, Remcos, 0bj3ctivity Stealer, NjRAT
|
2026-05-13
|
|
Windows Outlook Dialogs Disabled from Unusual Process
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Print Spooler Adding A Printer Driver
|
Windows Event Log Printservice 316
|
T1547.012
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows Modify Registry WuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows WSUS Spawning Shell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1190
T1505.003
|
TTP
|
Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
CMD Echo Pipe - Escalation
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.003
T1543.003
|
TTP
|
Cobalt Strike, BlackByte Ransomware, Compromised Windows Host, Graceful Wipe Out Attack
|
2026-05-13
|
|
Suspicious Scheduled Task from Public Directory
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
Anomaly
|
Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Living Off The Land, Lokibot, XWorm, DarkCrystal RAT, Ryuk Ransomware, Windows Persistence Techniques, NetSupport RMM Tool Abuse, CISA AA24-241A, Medusa Ransomware, Azorult, Scattered Spider, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, CISA AA23-347A, Crypto Stealer, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Ransomware, Hermetic Wiper, Malicious PowerShell, Data Destruction
|
2026-05-13
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
Ransomware, ProxyShell, BlackByte Ransomware
|
2026-05-13
|
|
Windows Modify Registry DisAllow Windows App
|
Sysmon EventID 13
|
T1112
|
TTP
|
Azorult
|
2026-05-13
|
|
Impacket Lateral Movement Commandline Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Windows Modify Registry EnableLinkedConnections
|
Sysmon EventID 13
|
T1112
|
TTP
|
BlackByte Ransomware
|
2026-05-13
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
T1547
T1574.001
|
Anomaly
|
Salt Typhoon, Earth Alux, XWorm, Derusbi, China-Nexus Threat Activity, APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
T1546.004
|
Anomaly
|
Linux Privilege Escalation, Linux Persistence Techniques
|
2026-05-13
|
|
Cisco Isovalent - Cron Job Creation
|
Cisco Isovalent Process Exec
|
T1053.003
T1053.007
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows AD Short Lived Domain Account ServicePrincipalName
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Detect New Local Admin account
|
Windows Event Log Security 4732, Windows Event Log Security 4720
|
T1136.001
|
TTP
|
CISA AA24-241A, HAFNIUM Group, DHS Report TA18-074A, Scattered Lapsus$ Hunters, CISA AA22-257A
|
2026-05-13
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
T1053.002
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Scheduled Task with Highest Privileges
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Quasar RAT, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, AsyncRAT, Scheduled Tasks, RedLine Stealer, XWorm, Compromised Windows Host, NetSupport RMM Tool Abuse, Castle RAT
|
2026-05-13
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
T1112
T1566
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4699, Windows Event Log Security 4698
|
T1053.005
|
TTP
|
CISA AA23-347A, Scheduled Tasks, Compromised Windows Host, CISA AA22-257A, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Compatibility Telemetry Suspicious Child Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
T1053.006
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, China-Nexus Threat Activity, Gomir, Linux Persistence Techniques
|
2026-05-13
|
|
Schtasks scheduling job on remote system
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Quasar RAT, Scheduled Tasks, Living Off The Land, RedLine Stealer, Prestige Ransomware, NOBELIUM Group, Compromised Windows Host, Active Directory Lateral Movement, Phemedrone Stealer
|
2026-05-13
|
|
Windows Modify Registry Disable WinDefender Notifications
|
Sysmon EventID 13
|
T1112
|
TTP
|
SolarWinds WHD RCE Post Exploitation, RedLine Stealer, CISA AA23-347A
|
2026-05-13
|
|
Cisco Isovalent - Shell Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
T1133
T1190
|
TTP
|
Log4Shell CVE-2021-44228
|
2026-05-13
|
|
Potential password in username
|
Linux Secure
|
T1078.003
T1552.001
|
Hunting
|
Credential Dumping, Insider Threat
|
2026-05-13
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Gomir, Linux Persistence Techniques
|
2026-05-13
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1053.003
|
Hunting
|
Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows AppCertDLL Modification Via Command Line
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1546.009
|
Anomaly
|
Windows Persistence Techniques, Windows Privilege Escalation
|
2026-05-13
|
|
Print Spooler Failed to Load a Plug-in
|
Windows Event Log Printservice 4909, Windows Event Log Printservice 808
|
T1547.012
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
T1053.005
T1059.001
|
Anomaly
|
Scheduled Tasks, Scattered Spider
|
2026-05-13
|
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 13, Sysmon EventID 14
|
T1112
|
Anomaly
|
ShrinkLocker, NetSupport RMM Tool Abuse, CISA AA24-241A
|
2026-05-13
|
|
BITSAdmin Download File
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1105
T1197
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ingress Tool Transfer, Living Off The Land, Flax Typhoon, DarkSide Ransomware, BITS Jobs, Scattered Spider, Hellcat Ransomware, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Modify Registry DisableSecuritySettings
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware, CISA AA23-347A
|
2026-05-13
|
|
Disable Show Hidden Files
|
Sysmon EventID 13
|
T1112
T1564.001
T1685
|
Anomaly
|
Azorult, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Vulnerable Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
Hunting
|
Void Manticore, Windows Drivers, BlackByte Ransomware
|
2026-05-13
|
|
Linux Add User Account
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1136.001
|
Hunting
|
Linux Privilege Escalation, Cisco Isovalent Suspicious Activity, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Service Creation on Remote Endpoint
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.003
|
TTP
|
Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, Active Directory Lateral Movement, SnappyBee
|
2026-05-13
|
|
Svchost LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows COM Hijacking InprocServer32 Modification
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1546.015
|
TTP
|
Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
Windows SQL Server Startup Procedure
|
Windows Event Log Application 17135
|
T1505.001
|
Anomaly
|
SQL Server Abuse, Hellcat Ransomware
|
2026-05-13
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry ValleyRat PWN Reg Entry
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Detect Exchange Web Shell
|
Sysmon EventID 11
|
T1133
T1190
T1505.003
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, ProxyShell, Seashell Blizzard, Compromised Windows Host, ProxyNotShell, CISA AA22-257A, BlackByte Ransomware
|
2026-05-13
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Salt Typhoon, Medusa Ransomware, Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, SystemBC, China-Nexus Threat Activity, 0bj3ctivity Stealer, CISA AA22-257A, Winter Vivern, Castle RAT
|
2026-05-13
|
|
PowerShell Start-BitsTransfer
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1197
|
TTP
|
BITS Jobs, Gozi Malware
|
2026-05-13
|
|
Windows Scheduled Task Created Via XML
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
Anomaly
|
MoonPeak, CISA AA23-347A, Scheduled Tasks, Lokibot, Malicious Inno Setup Loader, Winter Vivern
|
2026-05-13
|
|
Windows Suspicious Child Process Spawned From WebServer
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1505.003
|
Anomaly
|
Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, WS FTP Server Critical Vulnerabilities, ProxyShell, Microsoft WSUS CVE-2025-59287, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, CISA AA22-264A, Compromised Windows Host, Microsoft SharePoint Vulnerabilities, ProxyNotShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, CISA AA22-257A, BlackByte Ransomware
|
2026-05-13
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Downdate Registry Activity
|
Sysmon EventID 13, Sysmon EventID 12, Sysmon EventID 14
|
T1112
T1689
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Disable Change Password Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows AD Self DACL Assignment
|
Windows Event Log Security 5136
|
T1098
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Level RMM Watchdog Task Created
|
Windows Event Log Security 4698
|
T1053
T1219
|
Anomaly
|
Remote Monitoring and Management Software
|
2026-05-13
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
T1053.003
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
T1053.006
|
Anomaly
|
Linux Privilege Escalation, Data Destruction, Scheduled Tasks, AwfulShred, Linux Living Off The Land, Gomir, Linux Persistence Techniques
|
2026-05-13
|
|
Cisco NVM - Curl Execution With Insecure Flags
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
PromptLock, Microsoft WSUS CVE-2025-59287, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Shell Process from CrushFTP
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059.001
T1059.003
T1190
T1505
|
TTP
|
CrushFTP Vulnerabilities
|
2026-05-13
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
T1053
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Windows AD DSRM Account Changes
|
Sysmon EventID 13
|
T1098
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1505.004
T1685.001
|
Anomaly
|
IIS Components, Compromised Windows Host, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows RDPClient Connection Sequence Events
|
Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
|
T1133
|
Anomaly
|
Spearphishing Attachments, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware, China-Nexus Threat Activity, Linux Rootkit, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Water Gamayun, ValleyRAT
|
2026-05-13
|
|
Windows Modify Registry Regedit Silent Reg Import
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 13
|
T1112
|
TTP
|
NjRAT
|
2026-05-13
|
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
T1546.012
|
Hunting
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Command
|
Windows Event Log Security 4698, Windows Event Log Security 4702, Windows Event Log Security 4700
|
T1053.005
|
TTP
|
Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Seashell Blizzard, Ryuk Ransomware, Windows Persistence Techniques, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
T1098
T1685
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Suspicious File in EFI Volume
|
Sysmon EventID 11
|
T1490
T1542.001
|
TTP
|
Sandworm Tools, Windows BootKits, BlackLotus Campaign
|
2026-05-13
|
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
T1037.004
|
Anomaly
|
Linux Privilege Escalation, Backdoor Pingpong, XorDDos, China-Nexus Threat Activity, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Suspicious Process File Path
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.005
T1543
|
TTP
|
Quasar RAT, Swift Slicer, Qakbot, Lokibot, SesameOp, Prestige Ransomware, Remcos, SystemBC, Brute Ratel C4, BlackByte Ransomware, Phemedrone Stealer, Graceful Wipe Out Attack, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, LockBit Ransomware, Handala Wiper, AsyncRAT, Void Manticore, Water Gamayun, Earth Alux, Rhysida Ransomware, RedLine Stealer, XWorm, DarkGate Malware, DarkCrystal RAT, StealC Stealer, Meduza Stealer, Warzone RAT, Castle RAT, WhisperGate, XMRig, AgentTesla, Trickbot, GhostRedirector IIS Module and Rungan Backdoor, VIP Keylogger, Phantom Stealer, Hermetic Wiper, Azorult, Malicious Inno Setup Loader, Interlock Rat, Chaos Ransomware, Salt Typhoon, PromptLock, MoonPeak, CISA AA23-347A, IcedID, Amadey, RoguePlanet, Volt Typhoon, Double Zero Destructor, PlugX, Industroyer2, China-Nexus Threat Activity, NailaoLocker Ransomware, SnappyBee, ValleyRAT
|
2026-06-25
|
|
Windows Shell or Script Execution From IIS Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1190
T1505.004
|
Anomaly
|
ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Print Processor Registry Autostart
|
Sysmon EventID 13
|
T1547.012
|
TTP
|
Data Destruction, Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Disable Internet Explorer Addons
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1176.001
|
Anomaly
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows Modify Registry No Auto Update
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer, CISA AA23-347A
|
2026-05-13
|
|
Windows Local LLM Framework Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
T1112
|
Hunting
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows SnappyBee Create Test Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
China-Nexus Threat Activity, Salt Typhoon, SnappyBee
|
2026-05-13
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
T1078.002
|
TTP
|
sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
T1112
|
Hunting
|
Hellcat Ransomware, Outlook RCE CVE-2024-21378
|
2026-05-13
|
|
Windows Process Execution in Temp Dir
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1036.005
T1543
|
Anomaly
|
Gh0st RAT, PromptLock, Axios Supply Chain Post Compromise, AgentTesla, Trickbot, Ransomware, Qakbot, Lokibot, XWorm, SesameOp, RoguePlanet, Ryuk Ransomware, Remcos, Salat Stealer, PathWiper, NjRAT
|
2026-06-08
|
|
Windows Remote Create Service
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.003
|
Anomaly
|
CISA AA23-347A, BlackSuit Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Guest Account Enabled Via Net.EXE
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1078.001
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
T1069
T1078.002
|
TTP
|
Active Directory Discovery, Rhysida Ransomware, Active Directory Privilege Escalation
|
2026-05-13
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Privileged Group Modification
|
Windows Event Log Security 4749, Windows Event Log Security 4744, Windows Event Log Security 4783, Windows Event Log Security 4756, Windows Event Log Security 4790, Windows Event Log Security 4754, Windows Event Log Security 4759, Windows Event Log Security 4727, Windows Event Log Security 4731
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Linux Auditd Possible Access Or Modification Of Sshd Config File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1098.004
|
Anomaly
|
Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Change File Association Command To Notepad
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1546.001
|
TTP
|
Prestige Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Modify Registry ProxyServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows IIS Components Add New Module
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1505.004
|
Anomaly
|
IIS Components, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12
|
T1053.005
T1685
|
Anomaly
|
Windows Registry Abuse, Windows Persistence Techniques, Scheduled Tasks
|
2026-05-13
|
|
Windows Bluetooth Service Installed From Uncommon Location
|
Windows Event Log System 7045
|
T1036
T1543.003
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Disable Registry Tool
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Outlook LoadMacroProviderOnBoot Persistence
|
Sysmon EventID 13
|
T1112
T1137
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Schtasks used for forcing a reboot
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Ransomware, Windows Persistence Techniques, Scheduled Tasks
|
2026-05-13
|
|
Windows Outlook Macro Security Modified
|
Sysmon EventID 13
|
T1008
T1137
|
TTP
|
Windows Registry Abuse, NotDoor Malware
|
2026-05-13
|
|
Windows Routing and Remote Access Service Registry Key Change
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Gh0st RAT
|
2026-05-13
|
|
Windows Compatibility Telemetry Tampering Through Registry
|
Sysmon EventID 13
|
T1053.005
T1546
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Exchange PowerShell Abuse via SSRF
|
|
T1133
T1190
|
TTP
|
Seashell Blizzard, ProxyNotShell, ProxyShell, BlackByte Ransomware
|
2026-05-13
|
|
MacOS LoginHook Persistence
|
Osquery Results
|
T1037.002
|
TTP
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Windows Service Create Kernel Mode Driver
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1068
T1543.003
|
TTP
|
Windows Drivers, CISA AA22-320A
|
2026-05-13
|
|
Windows SQL Server Configuration Option Hunt
|
Windows Event Log Application 15457
|
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Linux Auditd Insert Kernel Module Using Insmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
Linux Privilege Escalation, Linux Rootkit, XorDDos, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows SharePoint Spinstall0 Webshell File Creation
|
Sysmon EventID 11
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
T1053.005
|
Hunting
|
0bj3ctivity Stealer, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Privilege Escalation, Data Destruction, Cisco Isovalent Suspicious Activity, Scheduled Tasks, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Industroyer2, Gomir, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry Qakbot Binary Data Registry
|
Sysmon EventID 13, Sysmon EventID 1
|
T1112
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows Scheduled Task Created in a Group Policy Object
|
Windows Event Log Security 5145
|
T1053.005
T1484.001
|
TTP
|
Scheduled Tasks, Windows Persistence Techniques, Living Off The Land
|
2026-05-13
|
|
LLM Model File Creation
|
Sysmon EventID 11
|
T1543
|
Hunting
|
Suspicious Local LLM Frameworks
|
2026-05-13
|
|
Disabling ControlPanel
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Modify Registry AuthenticationLevelOverride
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Schtasks Run Task On Demand
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053
|
Anomaly
|
XMRig, Data Destruction, Medusa Ransomware, Scheduled Tasks, Qakbot, Industroyer2, CISA AA22-257A
|
2026-05-13
|
|
Shim Database File Creation
|
Sysmon EventID 11
|
T1546.011
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Service Initiation on Remote Endpoint
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.003
|
TTP
|
CISA AA23-347A, Active Directory Lateral Movement
|
2026-05-13
|
|
Time Provider Persistence Registry
|
Sysmon EventID 13
|
T1547.003
|
TTP
|
Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 13
|
T1003
T1112
|
TTP
|
Credential Dumping, CISA AA22-320A, Windows Registry Abuse
|
2026-05-13
|
|
Spoolsv Writing a DLL
|
Windows Event Log Security 4688, Sysmon EventID 1, Sysmon EventID 11
|
T1547.012
|
TTP
|
Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
T1053.005
|
Anomaly
|
Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2026-05-13
|
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
T1542.003
|
Hunting
|
BlackLotus Campaign
|
2026-05-13
|
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
T1053.003
|
Hunting
|
Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
Quasar RAT, Emotet Malware DHS Report TA18-201A, Ransomware, Qakbot, Lokibot, Braodo Stealer, Snake Keylogger, Remcos, SystemBC, Salat Stealer, WinDealer RAT, BlackByte Ransomware, NjRAT, MuddyWater, Axios Supply Chain Post Compromise, Interlock Ransomware, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, AsyncRAT, RedLine Stealer, XWorm, Suspicious Windows Registry Activities, DarkGate Malware, DarkCrystal RAT, Windows Persistence Techniques, Derusbi, NetSupport RMM Tool Abuse, Warzone RAT, Castle RAT, Gh0st RAT, BlackSuit Ransomware, Suspicious MSHTA Activity, Phantom Stealer, DHS Report TA18-074A, Sneaky Active Directory Persistence Tricks, Azorult, Cactus Ransomware, Chaos Ransomware, Salt Typhoon, MoonPeak, CISA AA23-347A, IcedID, Amadey, Windows Registry Abuse, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, SnappyBee, ValleyRAT
|
2026-06-25
|
|
Windows New Default File Association Value Set
|
Sysmon EventID 13
|
T1546.001
|
Hunting
|
Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Prestige Ransomware, Windows Persistence Techniques
|
2026-05-13
|
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Path, Linux Auditd Cwd
|
T1546.004
|
TTP
|
Linux Privilege Escalation, Linux Living Off The Land, QuietVault, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Scheduled Task with Suspicious Name
|
Windows Event Log Security 4698, Windows Event Log Security 4702, Windows Event Log Security 4700
|
T1053.005
|
TTP
|
Scheduled Tasks, Ransomware, Ryuk Ransomware, Windows Persistence Techniques, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, Castle RAT
|
2026-05-13
|
|
XMRIG Driver Loaded
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
XMRig, Crypto Stealer, CISA AA22-320A
|
2026-05-13
|
|
Web or Application Server Spawning a Shell
|
Sysmon EventID 1, Sysmon for Linux EventID 1
|
T1133
T1190
|
TTP
|
HAFNIUM Group, Flax Typhoon, Cleo File Transfer Software, WS FTP Server Critical Vulnerabilities, Log4Shell CVE-2021-44228, CISA AA22-257A, BlackByte Ransomware, Data Destruction, ProxyShell, Spring4Shell CVE-2022-22965, PHP-CGI RCE Attack on Japanese Organizations, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, CISA AA22-264A, ProxyNotShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, SAP NetWeaver Exploitation, Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Windows Outlook WebView Registry Modification
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Interlock Ransomware, Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Linux Auditd Kernel Module Using Rmmod Utility
|
Linux Auditd Syscall
|
T1547.006
|
TTP
|
Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows EFI Bootloader File Modification
|
Sysmon EventID 11
|
T1542.003
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Rundll32 Shimcache Flush
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1112
|
TTP
|
Compromised Windows Host, Living Off The Land, Unusual Processes
|
2026-05-13
|
|
Windows BootLoader Inventory
|
|
T1542.001
|
Hunting
|
Windows BootKits, BlackLotus Campaign
|
2026-05-13
|
|
Windows Modify Registry UpdateServiceUrlAlternate
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Services LOLBAS Execution Process Spawn
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.003
|
TTP
|
CISA AA23-347A, Qakbot, Living Off The Land, Hellcat Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Linux Auditd Install Kernel Module Using Modprobe Utility
|
Linux Auditd Syscall
|
T1547.006
|
Anomaly
|
Linux Privilege Escalation, Linux Rootkit, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry Risk Behavior
|
|
T1112
|
Correlation
|
Windows Registry Abuse
|
2026-05-13
|
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
T1547.006
|
Anomaly
|
Linux Privilege Escalation, Linux Rootkit, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Data Destruction, Hellcat Ransomware, Scheduled Tasks, Compromised Windows Host, Industroyer2, Cactus Ransomware, Active Directory Discovery, CISA AA22-257A, Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
T1542
T1688
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows TeamCity Plugin Installed
|
Sysmon EventID 11
|
T1059
T1190
T1505.003
|
Anomaly
|
JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities
|
2026-05-13
|
|
Revil Registry Entry
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
|
TTP
|
Ransomware, Revil Ransomware, Windows Registry Abuse
|
2026-05-13
|
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
T1546.004
|
Anomaly
|
Linux Privilege Escalation, Linux Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry Utilize ProgIDs
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ValleyRAT
|
2026-05-13
|
|
Windows Sqlservr Spawning Shell
|
Windows Event Log Security 4688, Sysmon EventID 1
|
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows NorthStar C2 Agent Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1204.002
T1547.001
T1608
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 13
|
T1546.002
|
TTP
|
Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Security Support Provider Reg Query
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1547.005
|
Anomaly
|
Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation
|
2026-05-13
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 13
|
T1542
T1547.001
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Windows Modify Registry MaxConnectionPerServer
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Warzone RAT
|
2026-05-13
|
|
Windows MsMpEng Writing to System32
|
Sysmon EventID 15, Sysmon EventID 11
|
T1068
T1543.003
|
TTP
|
RedSun, Windows Drivers, BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
T1218.010
|
TTP
|
Remcos, Suspicious Regsvr32 Activity
|
2026-05-13
|
|
GitHub Workflow File Creation or Modification
|
Sysmon for Linux EventID 11, Sysmon EventID 11
|
T1195
T1554
T1574.006
|
Hunting
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Modify Registry USeWuServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
Malicious PowerShell, Data Destruction, CISA AA24-241A, Scheduled Tasks, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Active Directory Lateral Movement
|
2026-05-13
|
|
Active Setup Registry Autostart
|
Sysmon EventID 13
|
T1547.014
|
TTP
|
Data Destruction, Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 13
|
T1547.001
|
TTP
|
Ransomware, Windows Drivers, Windows Registry Abuse
|
2026-05-13
|
|
BITS Job Persistence
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1197
|
TTP
|
BITS Jobs, Living Off The Land
|
2026-05-13
|
|
Windows Modify Registry Tamper Protection
|
Sysmon EventID 13
|
T1112
|
TTP
|
RedLine Stealer, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
T1546.003
|
TTP
|
Suspicious WMI Use
|
2026-05-13
|
|
Windows RunMRU Registry Key or Value Deleted
|
Sysmon EventID 12
|
T1112
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Disable Shutdown Button Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2026-05-13
|
|
Windows Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
T1543.003
|
TTP
|
XMRig, Interlock Ransomware, AgentTesla, CISA AA22-320A, Snake Keylogger, APT37 Rustonotto and FadeStealer, BlackByte Ransomware
|
2026-05-13
|
|
Windows Schtasks Create Run As System
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, Scheduled Tasks, Qakbot, Windows Persistence Techniques, Castle RAT
|
2026-05-13
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 13
|
T1556
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Cisco Isovalent - Nsenter Usage in Kubernetes Pod
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Windows Modify Registry Suppress Win Defender Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Suspicious Reg exe Process
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1112
|
Anomaly
|
DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5137, Windows Event Log Security 5136
|
T1078.002
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows PowerShell IIS Components WebGlobalModule Usage
|
Powershell Script Block Logging 4104
|
T1505.004
|
Anomaly
|
IIS Components, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Modify Registry ProxyEnable
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2026-05-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
T1112
|
TTP
|
Windows Attack Surface Reduction
|
2026-05-13
|
|
Windows AD Privileged Group Modification
|
Windows Event Log Security 4728
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Cisco NVM - Suspicious Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
T1543.003
|
Anomaly
|
Active Directory Discovery
|
2026-05-13
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Compromised Windows Host
|
2026-05-13
|
|
Windows SQL Server xp_cmdshell Config Change
|
Windows Event Log Application 15457
|
T1505.001
|
TTP
|
Seashell Blizzard, SQL Server Abuse, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Modify Registry DisableRemoteDesktopAntiAlias
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Remcos client registry install entry
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
|
TTP
|
Windows Registry Abuse, Remcos
|
2026-05-13
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
T1547.001
|
Anomaly
|
Chaos Ransomware, Quasar RAT, Interlock Ransomware, BlankGrabber Stealer, Phantom Stealer, Gozi Malware, RedLine Stealer, XWorm, PromptFlux, Crypto Stealer, APT37 Rustonotto and FadeStealer, NjRAT
|
2026-06-25
|
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
T1547.006
|
Anomaly
|
Linux Privilege Escalation, XorDDos, Linux Rootkit, Linux Persistence Techniques
|
2026-05-13
|
|
Windows IIS Components Get-WebGlobalModule Module Query
|
Powershell Installed IIS Modules
|
T1505.004
|
Hunting
|
IIS Components, WS FTP Server Critical Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Modify Registry Configure BitLocker
|
Sysmon EventID 13
|
T1112
|
TTP
|
ShrinkLocker
|
2026-05-13
|
|
Suspicious PlistBuddy Usage
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Windows Modify Registry on Smart Card Group Policy
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ShrinkLocker
|
2026-05-13
|
|
Windows Modify Registry Disable Toast Notifications
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult
|
2026-05-13
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
T1546.003
|
TTP
|
Suspicious WMI Use, Hellcat Ransomware
|
2026-05-13
|
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows SQL Server Extended Procedure DLL Loading Hunt
|
Windows Event Log Application 8128
|
T1059.009
T1505.001
|
Hunting
|
SQL Server Abuse
|
2026-05-13
|
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ShrinkLocker, Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Modify Registry Auto Update Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
MacOS Account Created
|
Osquery Results
|
T1136
|
Anomaly
|
MacOS Persistence Techniques
|
2026-05-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Create Local Account
|
Windows Event Log Security 4720
|
T1136.001
|
Anomaly
|
Scattered Lapsus$ Hunters, Active Directory Password Spraying, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
FodHelper UAC Bypass
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1112
T1548.002
|
TTP
|
BlankGrabber Stealer, IcedID, Compromised Windows Host, ValleyRAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
T1505.004
T1685.001
|
TTP
|
IIS Components, Windows Defense Evasion Tactics
|
2026-05-13
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
|
TTP
|
Quasar RAT, Ransomware, Scheduled Tasks, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, XWorm, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, Winter Vivern, Castle RAT, Medusa Ransomware, Malicious Inno Setup Loader, Active Directory Lateral Movement, Salt Typhoon, CISA AA23-347A, IcedID, Industroyer2, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT
|
2026-05-13
|
|
MacOS Kextload Usage
|
Osquery Results
|
T1543
|
TTP
|
MacOS Persistence Techniques, MacOS Privilege Escalation
|
2026-05-13
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Modify Registry Disable Windows Security Center Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Admin Password Changed by Non-Admin
|
Windows Event Log Security 4723
|
T1068
T1543.003
|
TTP
|
BlueHammer, Windows Privilege Escalation
|
2026-04-27
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4726, Windows Event Log System 4720
|
T1078.003
T1136.001
|
TTP
|
Active Directory Lateral Movement, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Scheduled Task Initiation on Remote Endpoint
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
TTP
|
Medusa Ransomware, Scheduled Tasks, Living Off The Land, Seashell Blizzard, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows PaperCut NG Spawn Shell
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1059
T1133
T1190
|
TTP
|
PaperCut MF NG Vulnerability, Compromised Windows Host
|
2026-05-13
|
|
Shim Database Installation With Suspicious Parameters
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1546.011
|
TTP
|
Windows Persistence Techniques, Compromised Windows Host
|
2026-05-13
|
|
Windows Modify Registry No Auto Reboot With Logon User
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2026-05-13
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
T1546.008
|
TTP
|
Flax Typhoon, Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2026-05-13
|
|
Suspicious PlistBuddy Usage via OSquery
|
Osquery Results
|
T1543.001
|
TTP
|
Silver Sparrow
|
2026-05-13
|
|
Windows Create Local Administrator Account Via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1136.001
|
Anomaly
|
CISA AA24-241A, Medusa Ransomware, GhostRedirector IIS Module and Rungan Backdoor, DHS Report TA18-074A, Azorult, DarkGate Malware, Scattered Lapsus$ Hunters, CISA AA22-257A
|
2026-05-13
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Hellcat Ransomware, Winter Vivern
|
2026-05-13
|
|
Windows IIS Components New Module Added
|
Windows IIS 29
|
T1505.004
|
TTP
|
IIS Components, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Modify Registry Auto Minor Updates
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows MOF Event Triggered Execution via WMI
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1546.003
|
TTP
|
Compromised Windows Host, Living Off The Land
|
2026-05-13
|
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
LockBit Ransomware
|
2026-05-13
|
|
Windows Snake Malware Registry Modification wav OpenWithProgIds
|
Sysmon EventID 13
|
T1112
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Disabling CMD Application
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, NjRAT, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
T1078.002
|
TTP
|
sAMAccountName Spoofing and Domain Controller Impersonation, Scattered Lapsus$ Hunters, Compromised Windows Host, Active Directory Privilege Escalation
|
2026-05-13
|
|
Cisco Isovalent - Late Process Execution
|
Cisco Isovalent Process Exec
|
T1543
|
Anomaly
|
Cisco Isovalent Suspicious Activity
|
2026-05-13
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Trickbot, IcedID, Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Castle RAT
|
2026-05-13
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
T1059.001
T1546.015
|
TTP
|
Malicious PowerShell
|
2026-05-13
|
|
Windows Modify Show Compress Color And Info Tip Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
T1078.002
|
Hunting
|
sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 13
|
T1547.010
|
TTP
|
Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Disable Notification Center
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Deleted Registry By A Non Critical Process File Path
|
Sysmon EventID 1, Sysmon EventID 12
|
T1112
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2026-05-13
|
|
Windows ESX Admins Group Creation via PowerShell
|
Powershell Script Block Logging 4104
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Metasploit Confluence Plugin Execution
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1190
T1505.003
T1608
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities
|
2026-05-13
|
|
Windows Cloud Files Filter Loaded by Uncommon Process
|
Sysmon EventID 7
|
T1543.003
|
Anomaly
|
RedSun, BlueHammer
|
2026-05-18
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
T1053.003
|
Anomaly
|
Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Windows AD DSRM Password Reset
|
Windows Event Log Security 4794
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Windows PowerShell MSIX Package Installation
|
Powershell Script Block Logging 4104
|
T1059.001
T1547.001
|
TTP
|
Malicious PowerShell, MSIX Package Abuse
|
2026-05-13
|
|
Scheduled Task Deleted Or Created via CMD
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.005
|
Anomaly
|
Quasar RAT, SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Living Off The Land, Lokibot, Prestige Ransomware, NOBELIUM Group, Remcos, CISA AA22-257A, Phemedrone Stealer, NjRAT, AsyncRAT, Rhysida Ransomware, RedLine Stealer, XWorm, DarkCrystal RAT, Windows Persistence Techniques, NetSupport RMM Tool Abuse, Winter Vivern, ShrinkLocker, AgentTesla, CISA AA24-241A, Trickbot, Medusa Ransomware, DHS Report TA18-074A, Azorult, Scattered Spider, Salt Typhoon, MoonPeak, CISA AA23-347A, Amadey, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT
|
2026-05-13
|
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 13
|
T1546.011
|
TTP
|
Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Persistence Techniques
|
2026-05-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
T1078
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Disable Windows Group Policy Features Through Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, CISA AA23-347A, Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Server Software Component GACUtil Install to GAC
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1505.004
|
TTP
|
IIS Components
|
2026-05-13
|
|
Linux Auditd Add User Account Type
|
Linux Auditd Add User
|
T1136.001
|
Anomaly
|
Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
T1543.003
|
Hunting
|
BlackSuit Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Disabling NoRun Windows App
|
Sysmon EventID 13
|
T1112
T1685
|
TTP
|
Windows Registry Abuse, Windows Defense Evasion Tactics
|
2026-05-13
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200
|
T1053.005
|
Hunting
|
SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, DarkCrystal RAT, Windows Persistence Techniques, Winter Vivern, BlackSuit Ransomware, CISA AA24-241A, Malicious Inno Setup Loader, IcedID, Amadey, Industroyer2, PlugX, ValleyRAT
|
2026-05-13
|
|
Windows Modify Registry Disabling WER Settings
|
Sysmon EventID 13
|
T1112
|
TTP
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
T1547.012
|
TTP
|
Black Basta Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
T1547.006
T1569.002
|
TTP
|
Snake Malware, Compromised Windows Host
|
2026-05-13
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
T1133
T1190
|
TTP
|
MOVEit Transfer Critical Vulnerability, Hellcat Ransomware
|
2026-05-13
|
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
T1547.006
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Windows Modify Registry wuStatusServer
|
Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2026-05-13
|
|
Windows IIS Components Module Failed to Load
|
Windows Event Log Application 2282
|
T1505.004
|
Anomaly
|
IIS Components
|
2026-05-13
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon for Linux EventID 11, Sysmon EventID 11
|
T1195
T1554
T1574.006
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Modify Registry Disable Win Defender Raw Write Notif
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2026-05-13
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
T1053.002
|
Anomaly
|
Linux Privilege Escalation, Cisco Isovalent Suspicious Activity, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
Living Off The Land Detection
|
|
T1059
T1105
T1133
T1190
|
Correlation
|
Hellcat Ransomware, Living Off The Land
|
2026-05-13
|
|
Windows SQL Server Critical Procedures Enabled
|
Windows Event Log Application 15457
|
T1505.001
|
TTP
|
SQL Server Abuse
|
2026-05-13
|
|
Windows Modify Registry DontShowUI
|
Sysmon EventID 13
|
T1112
|
TTP
|
DarkGate Malware
|
2026-05-13
|
|
Windows Vulnerable Driver Installed
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Void Manticore, Windows Drivers
|
2026-05-13
|
|
Scheduled Task Creation on Remote Endpoint using At
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1053.002
|
TTP
|
0bj3ctivity Stealer, Living Off The Land, Scheduled Tasks, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows Audit Policy Auditing Option Modified - Registry
|
Sysmon EventID 13
|
T1547.014
|
Anomaly
|
Windows Audit Policy Tampering
|
2026-05-13
|
|
Windows Outlook Macro Created by Suspicious Process
|
Sysmon EventID 11
|
T1059.005
T1137
|
TTP
|
NotDoor Malware
|
2026-05-13
|
|
Detect Excessive User Account Lockouts
|
|
T1078.003
|
Anomaly
|
Active Directory Password Spraying, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Modify Registry NoChangingWallPaper
|
Sysmon EventID 13
|
T1112
|
TTP
|
Rhysida Ransomware
|
2026-05-13
|
|
Windows Computer Account Changed to Domain Controller
|
Windows Event Log Security 4742
|
T1136.002
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
T1112
|
TTP
|
ShrinkLocker, NetSupport RMM Tool Abuse, CISA AA24-241A
|
2026-05-13
|
|
Windows Service Create with Tscon
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1543.003
T1563.002
|
TTP
|
Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement
|
2026-05-13
|
|
Registry Keys Used For Privilege Escalation
|
Sysmon EventID 13
|
T1546.012
|
TTP
|
Data Destruction, Cloud Federated Credential Abuse, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Suspicious Windows Registry Activities
|
2026-05-13
|
|
Windows ESX Admins Group Creation via Net
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2026-05-13
|
|
Windows AD AdminSDHolder ACL Modified
|
Windows Event Log Security 5136
|
T1546
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Autostart Execution LSASS Driver Registry Modification
|
Sysmon EventID 13
|
T1547.008
|
TTP
|
Windows Registry Abuse
|
2026-05-13
|
|
Spoolsv Spawning Rundll32
|
Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1547.012
|
TTP
|
Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Windows Potential Web Shell Creation For VMware Workspace ONE
|
Sysmon EventID 11
|
T1505.003
|
Anomaly
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085, VMware Aria Operations vRealize CVE-2023-20887, VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
Windows Impair Defenses Disable AV AutoStart via Registry
|
Sysmon EventID 13
|
T1112
|
TTP
|
Scattered Lapsus$ Hunters, ValleyRAT
|
2026-05-13
|
|
Windows Set Network Profile Category to Private via Registry
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Secret Blizzard
|
2026-05-13
|
|
Linux SSH Authorized Keys Modification
|
Sysmon for Linux EventID 1
|
T1098.004
|
Anomaly
|
Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Windows Modify Registry LongPathsEnabled
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
BlackByte Ransomware
|
2026-05-13
|
|
Windows Modify Registry ValleyRAT C2 Config
|
Sysmon EventID 13
|
T1112
|
TTP
|
ValleyRAT
|
2026-05-13
|
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
T1098.004
|
Anomaly
|
Linux Privilege Escalation, Hellcat Ransomware, Linux Living Off The Land, Linux Persistence Techniques
|
2026-05-13
|
|
PaperCut NG Remote Web Access Attempt
|
Suricata
|
T1133
T1190
|
TTP
|
PaperCut MF NG Vulnerability
|
2026-05-13
|
|
Hunting for Log4Shell
|
Nginx Access
|
T1133
T1190
|
Hunting
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Web Spring4Shell HTTP Request Class Module
|
Splunk Stream HTTP
|
T1133
T1190
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Log4Shell JNDI Payload Injection with Outbound Connection
|
|
T1133
T1190
|
Anomaly
|
Log4Shell CVE-2021-44228, CISA AA22-320A
|
2026-05-13
|
|
Tomcat Session Deserialization Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-05-13
|
|
Spring4Shell Payload URL Request
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Supernova Webshell
|
|
T1133
T1505.003
|
TTP
|
Earth Alux, NOBELIUM Group, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Exchange Autodiscover SSRF Abuse
|
Windows IIS
|
T1133
T1190
|
TTP
|
Seashell Blizzard, ProxyNotShell, ProxyShell, BlackByte Ransomware
|
2026-05-13
|
|
ProxyShell ProxyNotShell Behavior Detected
|
|
T1133
T1190
|
Correlation
|
Seashell Blizzard, ProxyNotShell, ProxyShell
|
2026-05-13
|
|
Log4Shell JNDI Payload Injection Attempt
|
Nginx Access
|
T1133
T1190
|
Anomaly
|
Log4Shell CVE-2021-44228, CISA AA22-257A, CISA AA22-320A
|
2026-05-13
|
|
Detect attackers scanning for vulnerable JBoss servers
|
|
T1082
T1133
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2026-05-13
|
|
Windows SharePoint Spinstall0 GET Request
|
Suricata
|
T1190
T1505.003
T1552
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
T1068
T1133
T1190
T1210
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2026-05-13
|
|
Tomcat Session File Upload Attempt
|
Nginx Access
|
T1190
T1505.003
|
Anomaly
|
Apache Tomcat Session Deserialization Attacks
|
2026-05-13
|
|
Fortinet Appliance Auth bypass
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
CVE-2022-40684 Fortinet Appliance Auth bypass
|
2026-05-13
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
|
Suricata
|
T1133
T1190
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-05-13
|
|
Web Spring Cloud Function FunctionRouter
|
Splunk Stream HTTP
|
T1133
T1190
|
TTP
|
Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
Windows SharePoint ToolPane Endpoint Exploitation Attempt
|
Suricata
|
T1190
T1505.003
|
TTP
|
Microsoft SharePoint Vulnerabilities
|
2026-05-13
|
|
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
Fortinet FortiNAC CVE-2022-39952, Hellcat Ransomware
|
2026-05-13
|
|
Exploit Public Facing Application via Apache Commons Text
|
Nginx Access
|
T1133
T1190
T1505.003
|
Anomaly
|
Text4Shell CVE-2022-42889
|
2026-05-13
|
|
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
|
Palo Alto Network Threat
|
T1133
T1190
T1505
|
TTP
|
Confluence Data Center and Confluence Server Vulnerabilities, Atlassian Confluence Server and Data Center CVE-2022-26134
|
2026-05-13
|
|
Web JSP Request via URL
|
Nginx Access
|
T1133
T1190
T1505.003
|
TTP
|
Earth Alux, Spring4Shell CVE-2022-22965
|
2026-05-13
|
|
VMware Workspace ONE Freemarker Server-side Template Injection
|
Palo Alto Network Threat
|
T1133
T1190
|
Anomaly
|
VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
|
Suricata
|
T1133
T1190
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2026-05-13
|
|
VMware Server Side Template Injection Hunt
|
Palo Alto Network Threat
|
T1133
T1190
|
Hunting
|
VMware Server Side Injection and Privilege Escalation
|
2026-05-13
|
|
ESXi Shared or Stolen Root Account
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Splunk User Enumeration Attempt
|
Splunk
|
T1078
|
TTP
|
Splunk Vulnerabilities
|
2026-05-14
|
|
Cisco ASA - New Local User Account Created
|
Cisco ASA Logs
|
T1078.003
T1136.001
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
PingID New MFA Method Registered For User
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
T1556.006
|
TTP
|
Okta Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Duo Policy Allow Old Java
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Os
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco ASA - User Privilege Level Change
|
Cisco ASA Logs
|
T1078.003
T1098
|
Anomaly
|
ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
M365 Copilot Application Usage Pattern Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Cisco Duo Policy Allow Devices Without Screen Lock
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Okta New API Token Created
|
Okta
|
T1078.001
|
TTP
|
Okta Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Duo Policy Allow Old Flash
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Country
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Zoom High Video Latency
|
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
T1078.001
T1556
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi External Root Login Activity
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Cisco ASA - AAA Policy Tampering
|
Cisco ASA Logs
|
T1556.004
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Okta New Device Enrolled on Account
|
Okta
|
T1098.005
|
TTP
|
Okta Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
T1078
T1110
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco Duo Bypass Code Generation
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Policy Skip 2FA for Other Countries
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
ESXi Account Modified
|
VMWare ESXi Syslog
|
T1078
T1098
T1136.001
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
ESXi User Granted Admin Role
|
VMWare ESXi Syslog
|
T1078
T1098
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Okta Suspicious Activity Reported
|
Okta
|
T1078.001
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Okta Risk Threshold Exceeded
|
Okta
|
T1078
T1110
|
Correlation
|
Suspicious Okta Activity, Okta Account Takeover, Okta MFA Exhaustion
|
2026-05-13
|
|
Cisco IOS XE WebUI Programmatic Configuration
|
Cisco IOS Logs
|
T1078
T1190
|
Anomaly
|
Salt Typhoon
|
2026-05-19
|
|
Cisco Duo Bulk Policy Deletion
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco IOS XE WebUI Login From IOSd Local Port
|
Cisco IOS Logs
|
T1078
T1190
|
TTP
|
Salt Typhoon
|
2026-05-19
|
|
Cisco Duo Policy Allow Tampered Devices
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Set User Status to Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Policy Deny Access
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Cisco Duo Policy Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
ESXi Malicious VIB Forced Install
|
VMWare ESXi Syslog
|
T1505.006
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise, China-Nexus Threat Activity
|
2026-05-13
|
|
Okta Successful Single Factor Authentication
|
Okta
|
T1078.004
T1586.003
T1621
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
M365 Copilot Session Origin Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Cisco Duo Policy Allow Network Bypass 2FA
|
Cisco Duo Administrator
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
T1078.004
T1586.003
T1621
|
TTP
|
Okta Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
T1078.004
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
T1098.005
T1556.006
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco Duo Admin Login Unusual Browser
|
Cisco Duo Activity
|
T1556
|
TTP
|
Cisco Duo Suspicious Activity
|
2026-05-13
|
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
T1556
|
Anomaly
|
Cloud Federated Credential Abuse, Office 365 Account Takeover
|
2026-05-13
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace
|
T1078.004
T1586.003
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
ASL AWS IAM Successful Group Deletion
|
ASL AWS CloudTrail
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
GCP Detect gcploit framework
|
|
T1078
|
TTP
|
GCP Cross Account Activity
|
2026-05-13
|
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
T1053.007
|
Anomaly
|
Kubernetes Security
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
O365 Service Principal Privilege Escalation
|
O365 Add app role assignment grant to user.
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Office 365 Account Takeover
|
2026-05-13
|
|
ASL AWS New MFA Method Registered For User
|
ASL AWS CloudTrail
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Multiple Service Principals Created by User
|
O365 Add service principal.
|
T1136.003
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
ASL AWS UpdateLoginProfile
|
ASL AWS CloudTrail
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Privileged Role Assigned
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Scattered Lapsus$ Hunters, Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD External Guest User Invited
|
Azure Active Directory Invite external user
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
ASL AWS Multi-Factor Authentication Disabled
|
ASL AWS CloudTrail
|
T1556.006
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
O365 Add App Role Assignment Grant User
|
O365 Add app role assignment grant to user.
|
T1136.003
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
T1078.004
|
TTP
|
NOBELIUM Group, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD Global Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Azure Active Directory Persistence
|
2026-05-13
|
|
O365 FullAccessAsApp Permission Assigned
|
O365 Update application.
|
T1098.002
T1098.003
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
ASL AWS Create Access Key
|
ASL AWS CloudTrail
|
T1136.003
|
Hunting
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD PIM Role Assigned
|
Azure Active Directory
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD Tenant Wide Admin Consent Granted
|
Azure Active Directory Consent to application
|
T1098.003
|
TTP
|
NOBELIUM Group, Azure Active Directory Persistence
|
2026-05-13
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
T1078.004
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
AWS CreateLoginProfile
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Privileged Role Assigned To Service Principal
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
GCP Multi-Factor Authentication Disabled
|
Google Workspace
|
T1556.006
T1586.003
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD Multiple Service Principals Created by User
|
Azure Active Directory Add service principal
|
T1136.003
|
Anomaly
|
NOBELIUM Group, Azure Active Directory Persistence
|
2026-05-13
|
|
O365 Application Registration Owner Added
|
O365 Add owner to application.
|
T1098
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Security And Compliance Alert Triggered
|
|
T1078.004
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Circle CI Disable Security Job
|
CircleCI
|
T1554
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
T1078.004
T1586.003
T1621
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD Service Principal Privilege Escalation
|
Azure Active Directory Add app role assignment to service principal
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
O365 Service Principal New Client Credentials
|
O365
|
T1098.001
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 New Federated Domain Added
|
O365
|
T1136.003
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Circle CI Disable Security Step
|
CircleCI
|
T1554
|
Anomaly
|
Dev Sec Ops
|
2026-05-13
|
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
T1098.003
T1114.002
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 New MFA Method Registered
|
O365 Update user.
|
T1098.005
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
T1556
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 Added Service Principal
|
O365
|
T1136.003
|
TTP
|
Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
AWS UpdateLoginProfile
|
AWS CloudTrail UpdateLoginProfile
|
T1136.003
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 High Privilege Role Granted
|
O365 Add member to role.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD Service Principal Created
|
Azure Active Directory Add service principal
|
T1136.003
|
TTP
|
NOBELIUM Group, Azure Active Directory Persistence
|
2026-05-13
|
|
Okta Non-Standard VPN Usage
|
Okta
|
T1078
T1090
T1572
|
TTP
|
Suspicious Okta Activity, Remote Employment Fraud
|
2026-05-13
|
|
ASL AWS IAM Delete Policy
|
ASL AWS CloudTrail
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure AD Service Principal Owner Added
|
Azure Active Directory Add owner to application
|
T1098
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group, Azure Active Directory Persistence
|
2026-05-13
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
T1078.004
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
O365 SharePoint Allowed Domains Policy Changed
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD PIM Role Assignment Activated
|
Azure Active Directory
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Azure Active Directory Persistence
|
2026-05-13
|
|
AWS IAM Delete Policy
|
AWS CloudTrail DeletePolicy
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoggedIn, O365 UserLoginFailed
|
T1078
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
T1078
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2026-05-13
|
|
Azure AD Multiple Service Principals Created by SP
|
Azure Active Directory Add service principal
|
T1136.003
|
Anomaly
|
NOBELIUM Group, Azure Active Directory Persistence
|
2026-05-13
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
Azure Automation Account Created
|
Azure Audit Create or Update an Azure Automation account
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
AWS IAM Failure Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Azure AD FullAccessAsApp Permission Assigned
|
Azure Active Directory Update application
|
T1098.002
T1098.003
|
TTP
|
NOBELIUM Group, Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
T1556.006
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 External Guest User Invited
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Mailbox Folder Read Permission Assigned
|
O365 ModifyFolderPermissions
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
Azure AD Service Principal New Client Credentials
|
Azure Active Directory
|
T1098.001
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group, Scattered Lapsus$ Hunters, Azure Active Directory Persistence
|
2026-05-13
|
|
O365 External Identity Policy Changed
|
Office 365 Universal Audit Log
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD Application Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 Application Available To Other Tenants
|
Office 365 Universal Audit Log
|
T1098.003
|
TTP
|
Data Exfiltration, Azure Active Directory Persistence, Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD Privileged Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
NOBELIUM Group, Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Storm-0501 Ransomware
|
2026-05-13
|
|
O365 Multiple Service Principals Created by SP
|
O365 Add service principal.
|
T1136.003
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD New MFA Method Registered
|
Azure Active Directory Update user
|
T1098.005
|
TTP
|
Scattered Lapsus$ Hunters, Azure Active Directory Persistence
|
2026-05-13
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
O365 Admin Consent Bypassed by Service Principal
|
O365 Add app role assignment to service principal.
|
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms
|
2026-05-13
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
T1556.006
|
TTP
|
Compromised User Account, Scattered Lapsus$ Hunters, Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
Azure AD Privileged Role Assigned to Service Principal
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 ApplicationImpersonation Role Assigned
|
O365
|
T1098.002
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1069.003
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Azure AD User ImmutableId Attribute Updated
|
Azure Active Directory Update user
|
T1098
|
TTP
|
Hellcat Ransomware, Azure Active Directory Persistence
|
2026-05-13
|
|
Azure AD Admin Consent Bypassed by Service Principal
|
Azure Active Directory Add app role assignment to service principal
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2026-05-13
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
Azure Automation Runbook Created
|
Azure Audit Create or Update an Azure Automation Runbook
|
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DeactivateMFADevice
|
T1556.006
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Azure AD User Enabled And Password Reset
|
Azure Active Directory Update user, Azure Active Directory Enable account, Azure Active Directory Reset password (by admin)
|
T1098
|
TTP
|
Scattered Lapsus$ Hunters, Azure Active Directory Persistence
|
2026-05-13
|
|
Geographic Improbable Location
|
Okta
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
ASL AWS IAM Failure Group Deletion
|
ASL AWS CloudTrail
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
T1078.004
T1586.003
T1621
|
TTP
|
GCP Account Takeover, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
O365 Tenant Wide Admin Consent Granted
|
O365 Consent to application.
|
T1098.003
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2026-05-13
|
|
O365 Elevated Mailbox Permission Assigned
|
O365 Add-MailboxPermission
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
AWS CreateAccessKey
|
AWS CloudTrail CreateAccessKey
|
T1136.003
|
Hunting
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Mailbox Folder Read Permission Granted
|
O365 ModifyFolderPermissions
|
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2026-05-13
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1078
T1136
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Cisco Secure Firewall - Privileged Command Execution via HTTP
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1505.003
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Detect Software Download To Network Device
|
|
T1542.005
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A
|
2026-05-13
|
|
Cisco Configuration Archive Logging Analysis
|
Cisco IOS Logs
|
T1098
T1505.003
T1685
|
Hunting
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1078
T1136
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco IOS Suspicious Privileged Account Creation
|
Cisco IOS Logs
|
T1078
T1136
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
T1021
T1133
T1556
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Wget or Curl Download
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1053.003
T1059
T1071.001
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|