Privilege Escalation Detections

Name Data Source Technique Type Analytic Story Date
Windows AD add Self to Group Windows Event Log Security 4728 T1098 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation, Medusa Ransomware 2026-06-01
Windows Potato Privilege Escalation Tool Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 TTP Windows Privilege Escalation 2026-05-13
Windows Rasautou DLL Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055.001 T1218 TTP Hellcat Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Linux Auditd Service Restarted Linux Auditd Proctitle T1053.006 Anomaly Linux Privilege Escalation, Data Destruction, Scheduled Tasks, AwfulShred, Linux Living Off The Land, Gomir, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Logon Script Event Trigger Execution Sysmon EventID 13 T1037.001 TTP Data Destruction, VIP Keylogger, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Linux Auditd Unload Module Via Modprobe Linux Auditd Execve T1547.006 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Sudo OR Su Execution Sysmon for Linux EventID 1 T1548.003 Hunting Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware, Linux Persistence Techniques 2026-05-13
Linux RPM Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Visudo Utility Execution Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Clop Ransomware Known Service Name Windows Event Log System 7045 T1543 TTP Compromised Windows Host, Clop Ransomware 2026-05-13
Spoolsv Writing a DLL - Sysmon Sysmon EventID 11 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Linux Possible Access Or Modification Of sshd Config File Sysmon for Linux EventID 1 T1098.004 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows DnsAdmins New Member Added Windows Event Log Security 4732 T1098 TTP Active Directory Privilege Escalation 2026-05-13
Windows Drivers Loaded by Signature Sysmon EventID 6 T1014 T1068 Hunting Windows Drivers, AgentTesla, BlackByte Ransomware, CISA AA22-320A 2026-05-13
Windows Large Number of Computer Service Tickets Requested Windows Event Log Security 4769 T1078 T1135 Anomaly Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Windows Entra User Management Via Azure CLI Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1078.004 T1098 T1136 Anomaly Azure Active Directory Persistence 2026-05-13
Wscript Or Cscript Suspicious Child Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 T1134.004 T1543 Anomaly WhisperGate, MuddyWater, Data Destruction, ShrinkLocker, Axios Supply Chain Post Compromise, FIN7, VIP Keylogger, XWorm, Unusual Processes, Remcos, 0bj3ctivity Stealer, NjRAT 2026-05-13
Print Spooler Adding A Printer Driver Windows Event Log Printservice 316 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Windows Process Injection into Commonly Abused Processes Sysmon EventID 10 T1055.002 Anomaly BishopFox Sliver Adversary Emulation Framework, Earth Alux, SAP NetWeaver Exploitation, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Remote Assistance Spawning Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Compromised Windows Host, Unusual Processes 2026-05-13
Windows AD SID History Attribute Modified Windows Event Log Security 5136 T1134.005 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Process With NamedPipe CommandLine Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 Anomaly Windows Defense Evasion Tactics 2026-05-13
CMD Echo Pipe - Escalation Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1059.003 T1543.003 TTP Cobalt Strike, BlackByte Ransomware, Compromised Windows Host, Graceful Wipe Out Attack 2026-05-13
Linux PHP Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Suspicious Scheduled Task from Public Directory Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 Anomaly Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Living Off The Land, Lokibot, XWorm, DarkCrystal RAT, Ryuk Ransomware, Windows Persistence Techniques, NetSupport RMM Tool Abuse, CISA AA24-241A, Medusa Ransomware, Azorult, Scattered Spider, Malicious Inno Setup Loader, Salt Typhoon, MoonPeak, CISA AA23-347A, Crypto Stealer, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer 2026-05-13
Powershell Execute COM Object Powershell Script Block Logging 4104 T1059.001 T1546.015 TTP Ransomware, Hermetic Wiper, Malicious PowerShell, Data Destruction 2026-05-13
WSReset UAC Bypass Sysmon EventID 13, Sysmon EventID 12 T1548.002 TTP Windows Registry Abuse, MoonPeak, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Linux Doas Tool Execution Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Spoolsv Suspicious Process Access Sysmon EventID 10 T1068 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Impacket Lateral Movement Commandline Parameters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.002 T1021.003 T1047 T1543.003 TTP WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement 2026-05-13
Windows Azure PowerShell Module Installation Via PowerShell Script Powershell Script Block Logging 4104 T1021.007 T1069.003 T1078 T1098 T1136.003 Anomaly Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover 2026-05-13
Windows Suspicious Child Process of TieringEngineService.exe Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 TTP RedSun, Windows Privilege Escalation 2026-05-01
Windows Unsigned MS DLL Side-Loading Sysmon EventID 7 T1547 T1574.001 Anomaly Salt Typhoon, Earth Alux, XWorm, Derusbi, China-Nexus Threat Activity, APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Linux Possible Append Command To Profile Config File Sysmon for Linux EventID 1 T1546.004 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Cisco Isovalent - Cron Job Creation Cisco Isovalent Process Exec T1053.003 T1053.007 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Child Processes of Spoolsv exe Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 TTP Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Trickbot Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1055 TTP Hellcat Ransomware, Trickbot 2026-05-13
Linux Busybox Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows AD Short Lived Domain Account ServicePrincipalName Windows Event Log Security 5136 T1098 TTP Interlock Ransomware, Sneaky Active Directory Persistence Tricks 2026-05-13
Linux Auditd At Application Execution Linux Auditd Syscall T1053.002 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Scheduled Task with Highest Privileges Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP Quasar RAT, CISA AA23-347A, SolarWinds WHD RCE Post Exploitation, AsyncRAT, Scheduled Tasks, RedLine Stealer, XWorm, Compromised Windows Host, NetSupport RMM Tool Abuse, Castle RAT 2026-05-13
Short Lived Scheduled Task Windows Event Log Security 4699, Windows Event Log Security 4698 T1053.005 TTP CISA AA23-347A, Scheduled Tasks, Compromised Windows Host, CISA AA22-257A, Active Directory Lateral Movement 2026-05-13
Windows AD Cross Domain SID History Addition Windows Event Log Security 4742, Windows Event Log Security 4738 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Linux Cpulimit Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Compatibility Telemetry Suspicious Child Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 T1546 TTP Windows Persistence Techniques 2026-05-13
Linux Service File Created In Systemd Directory Sysmon for Linux EventID 11 T1053.006 Anomaly Linux Privilege Escalation, Scheduled Tasks, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, China-Nexus Threat Activity, Gomir, Linux Persistence Techniques 2026-05-13
Windows Admon Default Group Policy Object Modified Windows Active Directory Admon T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Schtasks scheduling job on remote system Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP Quasar RAT, Scheduled Tasks, Living Off The Land, RedLine Stealer, Prestige Ransomware, NOBELIUM Group, Compromised Windows Host, Active Directory Lateral Movement, Phemedrone Stealer 2026-05-13
Cisco Isovalent - Shell Execution Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Potential password in username Linux Secure T1078.003 T1552.001 Hunting Credential Dumping, Insider Threat 2026-05-13
Linux Service Started Or Enabled Sysmon for Linux EventID 1 T1053.006 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Gomir, Linux Persistence Techniques 2026-05-13
SLUI Spawning a Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1548.002 TTP DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Linux Docker Root Directory Mount Sysmon for Linux EventID 1 T1611 TTP Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows AD Object Owner Updated Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Services Escalate Exe Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1548 TTP Cobalt Strike, CISA AA23-347A, Graceful Wipe Out Attack, Compromised Windows Host, BlackByte Ransomware 2026-05-13
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File Linux Auditd Path, Linux Auditd Cwd T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux Edit Cron Table Parameter Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows AppCertDLL Modification Via Command Line Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1546.009 Anomaly Windows Persistence Techniques, Windows Privilege Escalation 2026-05-13
Print Spooler Failed to Load a Plug-in Windows Event Log Printservice 4909, Windows Event Log Printservice 808 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Windows PowerShell ScheduleTask Powershell Script Block Logging 4104 T1053.005 T1059.001 Anomaly Scheduled Tasks, Scattered Spider 2026-05-13
Windows System File on Disk Sysmon EventID 11 T1068 Hunting CISA AA22-264A, Windows Drivers, Crypto Stealer 2026-05-13
Windows AD Domain Root ACL Deletion Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Vulnerable Driver Loaded Sysmon EventID 6 T1543.003 Hunting Void Manticore, Windows Drivers, BlackByte Ransomware 2026-05-13
Linux Telnet Authentication Bypass Sysmon for Linux EventID 1 T1548 TTP Telnetd CVE-2026-24061 2026-05-13
Linux Doas Conf File Creation Sysmon for Linux EventID 11 T1548.003 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Windows Suspicious Burst of Password Changes Windows Event Log Security 4723, Windows Event Log Security 4724 T1068 TTP BlueHammer, Windows Privilege Escalation 2026-04-29
Linux Auditd Doas Conf File Creation Linux Auditd Path, Linux Auditd Cwd T1548.003 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Service Creation on Remote Endpoint Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.003 TTP Salt Typhoon, CISA AA23-347A, China-Nexus Threat Activity, Active Directory Lateral Movement, SnappyBee 2026-05-13
Linux OpenVPN Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Sdclt UAC Bypass Sysmon EventID 13, Sysmon EventID 12 T1548.002 TTP Windows Registry Abuse, Windows Defense Evasion Tactics 2026-05-13
Linux Suspicious Namespace Creation Linux Auditd Syscall, Sysmon for Linux EventID 1 T1068 TTP Linux Privilege Escalation 2026-05-12
Svchost LOLBAS Execution Process Spawn Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP Living Off The Land, Scheduled Tasks, Hellcat Ransomware, Active Directory Lateral Movement 2026-05-13
Windows COM Hijacking InprocServer32 Modification Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1546.015 TTP Compromised Windows Host, Living Off The Land 2026-05-13
Linux Possible Append Command To At Allow Config File Sysmon for Linux EventID 1 T1053.002 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Persistence Techniques 2026-05-13
Linux Possible Append Cronjob Entry on Existing Cronjob File Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Node Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Driver Inventory T1068 Hunting Windows Drivers 2026-05-13
WinEvent Scheduled Task Created to Spawn Shell Windows Event Log Security 4698 T1053.005 TTP Salt Typhoon, Medusa Ransomware, Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, SystemBC, China-Nexus Threat Activity, 0bj3ctivity Stealer, CISA AA22-257A, Winter Vivern, Castle RAT 2026-05-13
Windows Scheduled Task Created Via XML Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 Anomaly MoonPeak, CISA AA23-347A, Scheduled Tasks, Lokibot, Malicious Inno Setup Loader, Winter Vivern 2026-05-13
Notepad with no Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP BishopFox Sliver Adversary Emulation Framework 2026-05-13
Active Directory Privilege Escalation Identified T1484 Correlation Active Directory Privilege Escalation 2026-05-13
Linux Setuid Using Chmod Utility Sysmon for Linux EventID 1 T1548.001 Anomaly Linux Privilege Escalation, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Composer Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Increase in User Modification Activity Windows Event Log Security 4720 T1098 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows AD Self DACL Assignment Windows Event Log Security 5136 T1098 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Level RMM Watchdog Task Created Windows Event Log Security 4698 T1053 T1219 Anomaly Remote Monitoring and Management Software 2026-05-13
Linux Auditd Edit Cron Table Parameter Linux Auditd Syscall T1053.003 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux Service Restarted Sysmon for Linux EventID 1 T1053.006 Anomaly Linux Privilege Escalation, Data Destruction, Scheduled Tasks, AwfulShred, Linux Living Off The Land, Gomir, Linux Persistence Techniques 2026-05-13
NET Profiler UAC bypass Sysmon EventID 13 T1548.002 TTP Windows Defense Evasion Tactics 2026-05-13
Disable UAC Remote Restriction Sysmon EventID 13 T1548.002 TTP Suspicious Windows Registry Activities, Windows Registry Abuse, CISA AA23-347A, Windows Defense Evasion Tactics 2026-05-13
Windows Scheduled Task DLL Module Loaded Sysmon EventID 7 T1053 TTP ValleyRAT 2026-05-13
Windows Default Group Policy Object Modified with GPME Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows AD Dangerous User ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows AD DSRM Account Changes Sysmon EventID 13 T1098 TTP Windows Persistence Techniques, Windows Registry Abuse, Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters 2026-05-13
Linux Install Kernel Module Using Modprobe Utility Sysmon for Linux EventID 1 T1547.006 Anomaly Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware, China-Nexus Threat Activity, Linux Rootkit, Linux Persistence Techniques 2026-05-13
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr Windows Event Log Security 4698 T1053 TTP Water Gamayun, ValleyRAT 2026-05-13
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script Powershell Script Block Logging 4104 T1071.001 T1078 T1212 T1482 TTP Azure Active Directory Privilege Escalation, Azure Active Directory Persistence, Azure Active Directory Account Takeover 2026-05-13
Windows Event Triggered Image File Execution Options Injection Windows Event Log Application 3000 T1546.012 Hunting Windows Persistence Techniques 2026-05-13
Windows AD Domain Replication ACL Addition Windows Event Log Security 5136 T1484 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Scheduled Task with Suspicious Command Windows Event Log Security 4698, Windows Event Log Security 4702, Windows Event Log Security 4700 T1053.005 TTP Quasar RAT, SolarWinds WHD RCE Post Exploitation, Scheduled Tasks, Ransomware, Seashell Blizzard, Ryuk Ransomware, Windows Persistence Techniques, APT37 Rustonotto and FadeStealer 2026-05-13
UAC Bypass MMC Load Unsigned Dll Sysmon EventID 7 T1218.014 T1548.002 TTP Windows Defense Evasion Tactics 2026-05-13
Windows Increase in Group or Object Modification Activity Windows Event Log Security 4663 T1098 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Linux Auditd Doas Tool Execution Linux Auditd Syscall T1548.003 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux Csvtool Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux NOPASSWD Entry In Sudoers File Sysmon for Linux EventID 1 T1548.003 Anomaly China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Detect Baron Samedit CVE-2021-3156 Segfault T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Eventvwr UAC Bypass Sysmon EventID 13 T1548.002 TTP IcedID, Windows Registry Abuse, Living Off The Land, Windows Defense Evasion Tactics, ValleyRAT 2026-05-13
Windows Suspicious Defender Engine or Signature Files Created Sysmon EventID 11 T1068 Anomaly BlueHammer, Windows Privilege Escalation 2026-04-27
Windows AD GPO Deleted Windows Event Log Security 5136 T1484.001 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Linux File Creation In Init Boot Directory Sysmon for Linux EventID 11 T1037.004 Anomaly Linux Privilege Escalation, Backdoor Pingpong, XorDDos, China-Nexus Threat Activity, Linux Persistence Techniques 2026-05-13
Windows Suspicious Process File Path Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.005 T1543 TTP Quasar RAT, Swift Slicer, Qakbot, Lokibot, SesameOp, Prestige Ransomware, Remcos, SystemBC, Brute Ratel C4, BlackByte Ransomware, Phemedrone Stealer, Graceful Wipe Out Attack, Axios Supply Chain Post Compromise, Data Destruction, Interlock Ransomware, LockBit Ransomware, Handala Wiper, AsyncRAT, Void Manticore, Water Gamayun, Earth Alux, Rhysida Ransomware, RedLine Stealer, XWorm, DarkGate Malware, DarkCrystal RAT, StealC Stealer, Meduza Stealer, Warzone RAT, Castle RAT, WhisperGate, XMRig, AgentTesla, Trickbot, GhostRedirector IIS Module and Rungan Backdoor, VIP Keylogger, Phantom Stealer, Hermetic Wiper, Azorult, Malicious Inno Setup Loader, Interlock Rat, Chaos Ransomware, Salt Typhoon, PromptLock, MoonPeak, CISA AA23-347A, IcedID, Amadey, RoguePlanet, Volt Typhoon, Double Zero Destructor, PlugX, Industroyer2, China-Nexus Threat Activity, NailaoLocker Ransomware, SnappyBee, ValleyRAT 2026-06-25
Linux Persistence and Privilege Escalation Risk Behavior T1548 Correlation Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Print Processor Registry Autostart Sysmon EventID 13 T1547.012 TTP Data Destruction, Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Linux Octave Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Winhlp32 Spawning a Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Compromised Windows Host, Remcos 2026-05-13
SearchProtocolHost with no Command Line with Network Sysmon EventID 1, Sysmon EventID 3 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, Compromised Windows Host, Cactus Ransomware, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Windows Local LLM Framework Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543 Hunting Suspicious Local LLM Frameworks 2026-05-13
Suspicious Kerberos Service Ticket Request Windows Event Log Security 4769 T1078.002 TTP sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2026-05-13
Linux Emacs Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows AD Dangerous Group ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows UAC Bypass Suspicious Child Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1548.002 TTP Living Off The Land, Castle RAT, Windows Defense Evasion Tactics 2026-05-13
Windows Process Execution in Temp Dir Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1036.005 T1543 Anomaly Gh0st RAT, PromptLock, Axios Supply Chain Post Compromise, AgentTesla, Trickbot, Ransomware, Qakbot, Lokibot, XWorm, SesameOp, RoguePlanet, Ryuk Ransomware, Remcos, Salat Stealer, PathWiper, NjRAT 2026-06-08
Linux Auditd Setuid Using Setcap Utility Linux Auditd Execve T1548.001 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Remote Create Service Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.003 Anomaly CISA AA23-347A, BlackSuit Ransomware, Active Directory Lateral Movement 2026-05-13
Windows Guest Account Enabled Via Net.EXE Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1078.001 Anomaly Windows Persistence Techniques 2026-05-13
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Sysmon EventID 10 T1134.001 Anomaly Brute Ratel C4, PathWiper 2026-05-13
Linux Make Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows PowerView AD Access Control List Enumeration Powershell Script Block Logging 4104 T1069 T1078.002 TTP Active Directory Discovery, Rhysida Ransomware, Active Directory Privilege Escalation 2026-05-13
Impacket Lateral Movement smbexec CommandLine Parameters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.002 T1021.003 T1047 T1543.003 TTP WhisperGate, Data Destruction, CISA AA22-277A, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement 2026-05-13
Detect Baron Samedit CVE-2021-3156 via OSQuery T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Windows AD Same Domain SID History Addition Windows Event Log Security 4742, Windows Event Log Security 4738 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Compromised Windows Host 2026-05-13
Linux Auditd Possible Access Or Modification Of Sshd Config File Linux Auditd Path, Linux Auditd Cwd T1098.004 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Change File Association Command To Notepad Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1546.001 TTP Prestige Ransomware, Compromised Windows Host 2026-05-13
Windows Multiple Accounts Deleted Windows Event Log Security 4726 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Windows Suspicious Defender Update Activity in INetCache Sysmon EventID 11, Sysmon EventID 23 T1068 T1105 Anomaly Windows Persistence Techniques, BlueHammer 2026-04-27
Cisco NVM - Suspicious Network Connection From Process With No Args Cisco Network Visibility Module Flow Data T1055 T1218 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Linux Find Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Registry Delete Task SD Sysmon EventID 12 T1053.005 T1685 Anomaly Windows Registry Abuse, Windows Persistence Techniques, Scheduled Tasks 2026-05-13
Windows Bluetooth Service Installed From Uncommon Location Windows Event Log System 7045 T1036 T1543.003 Anomaly Lotus Blossom Chrysalis Backdoor 2026-05-13
Impacket Lateral Movement WMIExec Commandline Parameters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.002 T1021.003 T1047 T1543.003 TTP WhisperGate, Data Destruction, CISA AA22-277A, Gozi Malware, Storm-0501 Ransomware, Prestige Ransomware, Graceful Wipe Out Attack, Volt Typhoon, Compromised Windows Host, Industroyer2, Active Directory Lateral Movement 2026-05-13
Schtasks used for forcing a reboot Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP Ransomware, Windows Persistence Techniques, Scheduled Tasks 2026-05-13
Windows Compatibility Telemetry Tampering Through Registry Sysmon EventID 13 T1053.005 T1546 TTP Windows Persistence Techniques 2026-05-13
Rundll32 Create Remote Thread To A Process Sysmon EventID 8 T1055 TTP IcedID, Living Off The Land 2026-06-29
Linux Auditd Sudo Or Su Execution Linux Auditd Proctitle T1548.003 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
MacOS LoginHook Persistence Osquery Results T1037.002 TTP MacOS Post-Exploitation 2026-05-13
Linux pkexec Privilege Escalation Sysmon for Linux EventID 1 T1068 TTP Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Service Create Kernel Mode Driver Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 T1543.003 TTP Windows Drivers, CISA AA22-320A 2026-05-13
Windows Remote Image Load Sysmon EventID 7 T1059 T1068 T1129 T1203 Anomaly Ransomware, LockBit Ransomware, BlackByte Ransomware 2026-05-13
Windows Uncommon Remote Thread Creation In Browser Process Sysmon EventID 8 T1055.001 Anomaly IcedID, Qakbot, Living Off The Land 2026-06-29
Windows Suspicious Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 TTP Cobalt Strike, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, APT37 Rustonotto and FadeStealer, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Linux Auditd Insert Kernel Module Using Insmod Utility Linux Auditd Syscall T1547.006 Anomaly Linux Privilege Escalation, Linux Rootkit, XorDDos, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux Dirty Frag Kernel Privilege Escalation Linux Auditd Syscall T1068 T1548.001 TTP Linux Privilege Escalation 2026-07-06
Linux Common Process For Elevation Control Sysmon for Linux EventID 1 T1548.001 Hunting Linux Privilege Escalation, Salt Typhoon, Axios Supply Chain Post Compromise, Linux Living Off The Land, China-Nexus Threat Activity, Linux Persistence Techniques 2026-05-13
Linux Auditd Copy Fail Privilege Escalation Linux Auditd Syscall T1068 TTP Linux Privilege Escalation 2026-05-13
Randomly Generated Scheduled Task Name Windows Event Log Security 4698 T1053.005 Hunting 0bj3ctivity Stealer, Scheduled Tasks, CISA AA22-257A, Active Directory Lateral Movement 2026-05-13
Linux Sudoers Tmp File Creation Sysmon for Linux EventID 11 T1548.003 Anomaly China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Linux Adding Crontab Using List Parameter Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Data Destruction, Cisco Isovalent Suspicious Activity, Scheduled Tasks, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Industroyer2, Gomir, Linux Persistence Techniques 2026-05-13
Windows VSSVC Process Accessing Defender Engine Sysmon EventID 10 T1068 TTP RedSun, Windows Privilege Escalation 2026-05-01
Windows Scheduled Task Created in a Group Policy Object Windows Event Log Security 5145 T1053.005 T1484.001 TTP Scheduled Tasks, Windows Persistence Techniques, Living Off The Land 2026-05-13
LLM Model File Creation Sysmon EventID 11 T1543 Hunting Suspicious Local LLM Frameworks 2026-05-13
Windows Process Injection into Notepad Sysmon EventID 10 T1055.002 Anomaly BishopFox Sliver Adversary Emulation Framework, Earth Alux, APT37 Rustonotto and FadeStealer 2026-05-13
Powershell Fileless Process Injection via GetProcAddress Powershell Script Block Logging 4104 T1055 T1059.001 TTP Malicious PowerShell, Hellcat Ransomware, Hermetic Wiper, Data Destruction 2026-05-13
Schtasks Run Task On Demand Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053 Anomaly XMRig, Data Destruction, Medusa Ransomware, Scheduled Tasks, Qakbot, Industroyer2, CISA AA22-257A 2026-05-13
Shim Database File Creation Sysmon EventID 11 T1546.011 TTP Windows Persistence Techniques 2026-05-13
Linux Puppet Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Auditd Setuid Using Chmod Utility Linux Auditd Proctitle T1548.001 Anomaly Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux Possible Access To Sudoers File Sysmon for Linux EventID 1 T1548.003 Anomaly China-Nexus Threat Activity, Salt Typhoon, Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Windows Service Initiation on Remote Endpoint Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.003 TTP CISA AA23-347A, Active Directory Lateral Movement 2026-05-13
Time Provider Persistence Registry Sysmon EventID 13 T1547.003 TTP Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Spoolsv Writing a DLL Windows Event Log Security 4688, Sysmon EventID 1, Sysmon EventID 11 T1547.012 TTP Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527 2026-05-13
Windows Enable Win32 ScheduledJob via Registry Sysmon EventID 13 T1053.005 Anomaly Scheduled Tasks, Active Directory Lateral Movement 2026-05-13
Windows List ENV Variables Via SET Command From Uncommon Parent Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 Anomaly Qakbot 2026-05-13
Windows AD Hidden OU Creation Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Linux Possible Cronjob Modification With Editor Sysmon for Linux EventID 1 T1053.003 Hunting Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Registry Keys Used For Persistence Sysmon EventID 13 T1547.001 TTP Quasar RAT, Emotet Malware DHS Report TA18-201A, Ransomware, Qakbot, Lokibot, Braodo Stealer, Snake Keylogger, Remcos, SystemBC, Salat Stealer, WinDealer RAT, BlackByte Ransomware, NjRAT, MuddyWater, Axios Supply Chain Post Compromise, Interlock Ransomware, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, AsyncRAT, RedLine Stealer, XWorm, Suspicious Windows Registry Activities, DarkGate Malware, DarkCrystal RAT, Windows Persistence Techniques, Derusbi, NetSupport RMM Tool Abuse, Warzone RAT, Castle RAT, Gh0st RAT, BlackSuit Ransomware, Suspicious MSHTA Activity, Phantom Stealer, DHS Report TA18-074A, Sneaky Active Directory Persistence Tricks, Azorult, Cactus Ransomware, Chaos Ransomware, Salt Typhoon, MoonPeak, CISA AA23-347A, IcedID, Amadey, Windows Registry Abuse, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, SnappyBee, ValleyRAT 2026-06-25
Windows New Default File Association Value Set Sysmon EventID 13 T1546.001 Hunting Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Prestige Ransomware, Windows Persistence Techniques 2026-05-13
Linux Auditd Unix Shell Configuration Modification Linux Auditd Path, Linux Auditd Cwd T1546.004 TTP Linux Privilege Escalation, Linux Living Off The Land, QuietVault, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Scheduled Task with Suspicious Name Windows Event Log Security 4698, Windows Event Log Security 4702, Windows Event Log Security 4700 T1053.005 TTP Scheduled Tasks, Ransomware, Ryuk Ransomware, Windows Persistence Techniques, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, Castle RAT 2026-05-13
Suspicious GPUpdate no Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Windows AD Privileged Account SID History Addition Windows Event Log Security 4742, Windows Event Log Security 4738 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
XMRIG Driver Loaded Sysmon EventID 6 T1543.003 TTP XMRig, Crypto Stealer, CISA AA22-320A 2026-05-13
Cisco NVM - Non-Network Binary Making Network Connection Cisco Network Visibility Module Flow Data T1036 T1055 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows AD ServicePrincipalName Added To Domain Account Windows Event Log Security 5136 T1098 TTP Interlock Ransomware, Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Privilege Escalation Attempt Via MSI Rollback Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 TTP Windows Privilege Escalation 2026-05-13
Linux Auditd Kernel Module Using Rmmod Utility Linux Auditd Syscall T1547.006 TTP Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Disabling Remote User Account Control Sysmon EventID 13 T1548.002 TTP AgentTesla, Windows Registry Abuse, Suspicious Windows Registry Activities, Azorult, Remcos, Windows Defense Evasion Tactics 2026-05-13
Windows DISM Install PowerShell Web Access Windows Event Log Security 4688, Sysmon EventID 1 T1548.002 TTP CISA AA24-241A 2026-05-13
Windows AD DCShadow Privileges ACL Addition Windows Event Log Security 5136 T1207 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows AD GPO Disabled Windows Event Log Security 5136 T1484.001 T1685 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Services LOLBAS Execution Process Spawn Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.003 TTP CISA AA23-347A, Qakbot, Living Off The Land, Hellcat Ransomware, Active Directory Lateral Movement 2026-05-13
Linux Auditd Install Kernel Module Using Modprobe Utility Linux Auditd Syscall T1547.006 Anomaly Linux Privilege Escalation, Linux Rootkit, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux AWK Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux File Created In Kernel Driver Directory Sysmon for Linux EventID 11 T1547.006 Anomaly Linux Privilege Escalation, Linux Rootkit, Linux Persistence Techniques 2026-05-13
Windows Hidden Schedule Task Settings Windows Event Log Security 4698 T1053 TTP Data Destruction, Hellcat Ransomware, Scheduled Tasks, Compromised Windows Host, Industroyer2, Cactus Ransomware, Active Directory Discovery, CISA AA22-257A, Malicious Inno Setup Loader 2026-05-13
Linux Binary Launched Process with Null Argv Linux Messages Syslog T1068 TTP Linux Privilege Escalation 2026-05-12
Suspicious DLLHost no Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, BlackByte Ransomware, Cactus Ransomware 2026-05-13
Linux File Creation In Profile Directory Sysmon for Linux EventID 11 T1546.004 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Linux Add Files In Known Crontab Directories Sysmon for Linux EventID 11 T1053.003 Anomaly Linux Privilege Escalation, Scheduled Tasks, XorDDos, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Create Remote Thread In Shell Application Sysmon EventID 8 T1055 TTP IcedID, Warzone RAT, Qakbot 2026-06-29
Linux GNU Awk Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows NorthStar C2 Agent Execution Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1204.002 T1547.001 T1608 TTP Compromised Windows Host 2026-05-13
Windows ComputerDefaults Spawning a Process Sysmon EventID 1 T1548.002 TTP BlankGrabber Stealer, Castle RAT 2026-05-13
Screensaver Event Trigger Execution Sysmon EventID 13 T1546.002 TTP Data Destruction, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Windows Security Support Provider Reg Query Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1547.005 Anomaly Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation 2026-05-13
Windows Registry BootExecute Modification Sysmon EventID 13 T1542 T1547.001 TTP Windows BootKits 2026-05-13
Powershell Remote Thread To Known Windows Process Sysmon EventID 8 T1055 TTP Trickbot 2026-07-01
Windows MsMpEng Writing to System32 Sysmon EventID 15, Sysmon EventID 11 T1068 T1543.003 TTP RedSun, Windows Drivers, BlueHammer, Windows Privilege Escalation 2026-04-27
Linux Ruby Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Detect Baron Samedit CVE-2021-3156 T1068 TTP Baron Samedit CVE-2021-3156 2026-05-13
Linux PF_ALG Registration Outside of Boot Window Linux Messages Syslog T1068 TTP Linux Privilege Escalation 2026-05-11
Windows AD Domain Root ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Process Injection Wermgr Child Process Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 Anomaly Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability 2026-05-13
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.003 T1021.006 T1047 T1053.005 T1059.001 T1218.014 T1543.003 Anomaly Malicious PowerShell, Data Destruction, CISA AA24-241A, Scheduled Tasks, Microsoft WSUS CVE-2025-59287, Hermetic Wiper, Active Directory Lateral Movement 2026-05-13
Suspicious SearchProtocolHost no Command Line Arguments Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Cobalt Strike, BlackByte Ransomware, Cactus Ransomware, Hellcat Ransomware, Graceful Wipe Out Attack 2026-05-13
Active Setup Registry Autostart Sysmon EventID 13 T1547.014 TTP Data Destruction, Windows Persistence Techniques, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Windows Registry Modification for Safe Mode Persistence Sysmon EventID 13 T1547.001 TTP Ransomware, Windows Drivers, Windows Registry Abuse 2026-05-13
Runas Execution in CommandLine Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1134.001 Hunting Quasar RAT, Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Windows UAC Bypass Suspicious Escalation Behavior Sysmon EventID 1 T1548.002 TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
WMI Permanent Event Subscription - Sysmon Sysmon EventID 21 T1546.003 TTP Suspicious WMI Use 2026-05-13
Linux Auditd Possible Access To Sudoers File Linux Auditd Path, Linux Auditd Cwd T1548.003 Anomaly Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Windows Suspicious Driver Loaded Path Sysmon EventID 6 T1543.003 TTP XMRig, Interlock Ransomware, AgentTesla, CISA AA22-320A, Snake Keylogger, APT37 Rustonotto and FadeStealer, BlackByte Ransomware 2026-05-13
Windows Schtasks Create Run As System Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP SolarWinds WHD RCE Post Exploitation, Medusa Ransomware, Scheduled Tasks, Qakbot, Windows Persistence Techniques, Castle RAT 2026-05-13
Cisco Isovalent - Nsenter Usage in Kubernetes Pod Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Windows Group Policy Object Created Windows Event Log Security 5137, Windows Event Log Security 5136 T1078.002 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows Admon Group Policy Object Created Windows Active Directory Admon T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows Multiple Account Passwords Changed Windows Event Log Security 4724 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Windows AD Privileged Group Modification Windows Event Log Security 4728 T1098 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows Privilege Escalation System Process Without System Parent Sysmon EventID 1 T1068 T1134 T1548 TTP BlackSuit Ransomware, Windows Privilege Escalation 2026-05-13
Windows Service Create RemComSvc Windows Event Log System 7045 T1543.003 Anomaly Active Directory Discovery 2026-05-13
Windows KrbRelayUp Service Creation Windows Event Log System 7045 T1543.003 TTP Local Privilege Escalation With KrbRelayUp, Compromised Windows Host 2026-05-13
Windows Process Injection In Non-Service SearchIndexer Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1055 TTP Qakbot 2026-05-13
Windows Boot or Logon Autostart Execution In Startup Folder Sysmon EventID 11 T1547.001 Anomaly Chaos Ransomware, Quasar RAT, Interlock Ransomware, BlankGrabber Stealer, Phantom Stealer, Gozi Malware, RedLine Stealer, XWorm, PromptFlux, Crypto Stealer, APT37 Rustonotto and FadeStealer, NjRAT 2026-06-25
Linux Gem Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux c89 Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux Insert Kernel Module Using Insmod Utility Sysmon for Linux EventID 1 T1547.006 Anomaly Linux Privilege Escalation, XorDDos, Linux Rootkit, Linux Persistence Techniques 2026-05-13
Suspicious PlistBuddy Usage Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.001 TTP Silver Sparrow 2026-05-13
Detect WMI Event Subscription Persistence Sysmon EventID 20 T1546.003 TTP Suspicious WMI Use, Hellcat Ransomware 2026-05-13
Windows Process Injection Remote Thread Sysmon EventID 8 T1055.002 TTP Phantom Stealer, Water Gamayun, Earth Alux, Qakbot, Warzone RAT, Graceful Wipe Out Attack 2026-06-29
Windows Multiple Accounts Disabled Windows Event Log Security 4725 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Windows Privilege Escalation Suspicious Process Elevation Sysmon EventID 1 T1068 T1134 T1548 TTP BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation 2026-05-13
FodHelper UAC Bypass Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1112 T1548.002 TTP BlankGrabber Stealer, IcedID, Compromised Windows Host, ValleyRAT, Windows Defense Evasion Tactics 2026-05-13
WinEvent Scheduled Task Created Within Public Path Windows Event Log Security 4698 T1053.005 TTP Quasar RAT, Ransomware, Scheduled Tasks, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, XWorm, Ryuk Ransomware, Windows Persistence Techniques, Compromised Windows Host, Winter Vivern, Castle RAT, Medusa Ransomware, Malicious Inno Setup Loader, Active Directory Lateral Movement, Salt Typhoon, CISA AA23-347A, IcedID, Industroyer2, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT 2026-05-13
MacOS Kextload Usage Osquery Results T1543 TTP MacOS Persistence Techniques, MacOS Privilege Escalation 2026-05-13
Windows Scheduled Task Service Spawned Shell CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 T1059 TTP Windows Persistence Techniques 2026-05-13
Unusual Number of Computer Service Tickets Requested Windows Event Log Security 4769 T1078 Hunting Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters, Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
Windows Suspicious C2 Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 TTP Cobalt Strike, BlackByte Ransomware, LockBit Ransomware, Trickbot, Gozi Malware, Remote Monitoring and Management Software, Storm-0501 Ransomware, DarkSide Ransomware, Graceful Wipe Out Attack, Tuoni, Brute Ratel C4, Meterpreter, Hellcat Ransomware, APT37 Rustonotto and FadeStealer 2026-05-13
Cisco Isovalent - Kprobe Spike Cisco Isovalent Process Kprobe T1068 Hunting Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows Admin Password Changed by Non-Admin Windows Event Log Security 4723 T1068 T1543.003 TTP BlueHammer, Windows Privilege Escalation 2026-04-27
Short Lived Windows Accounts Windows Event Log System 4726, Windows Event Log System 4720 T1078.003 T1136.001 TTP Active Directory Lateral Movement, GhostRedirector IIS Module and Rungan Backdoor 2026-05-13
Windows MSI Rollback Script Deleted By Non-Msiexec Process Sysmon EventID 23 T1068 T1218.007 TTP Windows Privilege Escalation 2026-05-13
Scheduled Task Initiation on Remote Endpoint Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 TTP Medusa Ransomware, Scheduled Tasks, Living Off The Land, Seashell Blizzard, Active Directory Lateral Movement 2026-05-13
PowerShell PInvoke Process Injection API Chain Powershell Script Block Logging 4104 T1055.001 T1055.003 T1055.004 T1055.012 T1055.013 T1059.001 T1620 TTP Phantom Stealer, VIP Keylogger 2026-06-25
Loading Of Dynwrapx Module Sysmon EventID 7 T1055.001 TTP Remcos, AsyncRAT 2026-05-13
Shim Database Installation With Suspicious Parameters Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1546.011 TTP Windows Persistence Techniques, Compromised Windows Host 2026-05-13
Overwriting Accessibility Binaries Sysmon EventID 11 T1546.008 TTP Flax Typhoon, Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2026-05-13
Suspicious PlistBuddy Usage via OSquery Osquery Results T1543.001 TTP Silver Sparrow 2026-05-13
Schedule Task with HTTP Command Arguments Windows Event Log Security 4698 T1053 TTP Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Hellcat Ransomware, Winter Vivern 2026-05-13
Windows Access Token Manipulation Winlogon Duplicate Token Handle Sysmon EventID 10 T1134.001 Hunting Brute Ratel C4 2026-05-13
Windows MOF Event Triggered Execution via WMI Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1546.003 TTP Compromised Windows Host, Living Off The Land 2026-05-13
Windows RMM Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 Anomaly Command And Control, Interlock Ransomware, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Ransomware, Remote Monitoring and Management Software, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Scattered Spider, Insider Threat 2026-05-13
Suspicious Computer Account Name Change Windows Event Log Security 4781 T1078.002 TTP sAMAccountName Spoofing and Domain Controller Impersonation, Scattered Lapsus$ Hunters, Compromised Windows Host, Active Directory Privilege Escalation 2026-05-13
Cisco Isovalent - Late Process Execution Cisco Isovalent Process Exec T1543 Anomaly Cisco Isovalent Suspicious Activity 2026-05-13
Schedule Task with Rundll32 Command Trigger Windows Event Log Security 4698 T1053 TTP Trickbot, IcedID, Scheduled Tasks, Living Off The Land, Windows Persistence Techniques, Compromised Windows Host, Castle RAT 2026-05-13
Windows AD Dangerous Deny ACL Modification Windows Event Log Security 5136 T1222.001 T1484 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Powershell COM Hijacking InprocServer32 Modification Powershell Script Block Logging 4104 T1059.001 T1546.015 TTP Malicious PowerShell 2026-05-13
Linux APT Privilege Escalation Cisco Isovalent Process Exec, Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Suspicious Ticket Granting Ticket Request Windows Event Log Security 4768, Windows Event Log Security 4781 T1078.002 Hunting sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2026-05-13
Monitor Registry Keys for Print Monitors Sysmon EventID 13 T1547.010 TTP Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Persistence Techniques 2026-05-13
Windows Cloud Files Filter Loaded by Uncommon Process Sysmon EventID 7 T1543.003 Anomaly RedSun, BlueHammer 2026-05-18
Linux At Allow Config File Creation Sysmon for Linux EventID 11 T1053.003 Anomaly Linux Privilege Escalation, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Windows Privilege Escalation User Process Spawn System Process Sysmon EventID 1 T1068 T1134 T1548 TTP BlackSuit Ransomware, Compromised Windows Host, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation 2026-05-13
Windows AD DSRM Password Reset Windows Event Log Security 4794 T1098 TTP Sneaky Active Directory Persistence Tricks, Scattered Lapsus$ Hunters 2026-05-13
Windows AD GPO New CSE Addition Windows Event Log Security 5136 T1222.001 T1484.001 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Detect Excessive Account Lockouts From Endpoint T1078.002 Anomaly Active Directory Password Spraying 2026-05-13
Linux GDB Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Parent PID Spoofing with Explorer Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1134.004 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Windows PowerShell MSIX Package Installation Powershell Script Block Logging 4104 T1059.001 T1547.001 TTP Malicious PowerShell, MSIX Package Abuse 2026-05-13
First Time Seen Child Process of Zoom Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1068 Anomaly Suspicious Zoom Child Processes 2026-05-13
Scheduled Task Deleted Or Created via CMD Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.005 Anomaly Quasar RAT, SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Living Off The Land, Lokibot, Prestige Ransomware, NOBELIUM Group, Remcos, CISA AA22-257A, Phemedrone Stealer, NjRAT, AsyncRAT, Rhysida Ransomware, RedLine Stealer, XWorm, DarkCrystal RAT, Windows Persistence Techniques, NetSupport RMM Tool Abuse, Winter Vivern, ShrinkLocker, AgentTesla, CISA AA24-241A, Trickbot, Medusa Ransomware, DHS Report TA18-074A, Azorult, Scattered Spider, Salt Typhoon, MoonPeak, CISA AA23-347A, Amadey, PlugX, China-Nexus Threat Activity, 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, ValleyRAT 2026-05-13
Windows Access Token Manipulation SeDebugPrivilege Windows Event Log Security 4703 T1134.002 Anomaly Lokibot, Salat Stealer, Brute Ratel C4, WinDealer RAT, AsyncRAT, DarkGate Malware, Derusbi, Scattered Lapsus$ Hunters, Meduza Stealer, Gh0st RAT, GhostRedirector IIS Module and Rungan Backdoor, PathWiper, Salt Typhoon, CISA AA23-347A, Tuoni, PlugX, China-Nexus Threat Activity, SnappyBee, ValleyRAT 2026-06-08
Registry Keys for Creating SHIM Databases Sysmon EventID 13 T1546.011 TTP Suspicious Windows Registry Activities, Windows Registry Abuse, Windows Persistence Techniques 2026-05-13
Unusual Number of Remote Endpoint Authentication Events Windows Event Log Security 4624 T1078 Hunting Active Directory Lateral Movement, Active Directory Privilege Escalation 2026-05-13
DLLHost with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 T1055 TTP Cobalt Strike, BlackByte Ransomware, Storm-2460 CLFS Zero Day Exploitation, Earth Alux, Cactus Ransomware, Graceful Wipe Out Attack 2026-05-13
Windows Non-System Process Querying Definition Update Sysmon EventID 22 T1068 T1071.001 Anomaly RedSun, BlueHammer, Windows Privilege Escalation 2026-04-27
Randomly Generated Windows Service Name Windows Event Log System 7045 T1543.003 Hunting BlackSuit Ransomware, Active Directory Lateral Movement 2026-05-13
Windows Default Group Policy Object Modified Windows Event Log Security 5136 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
WinEvent Windows Task Scheduler Event Action Started Windows Event Log TaskScheduler 201, Windows Event Log TaskScheduler 200 T1053.005 Hunting SolarWinds WHD RCE Post Exploitation, Sandworm Tools, Scheduled Tasks, Qakbot, Prestige Ransomware, Remcos, SystemBC, CISA AA22-257A, Data Destruction, AsyncRAT, DarkCrystal RAT, Windows Persistence Techniques, Winter Vivern, BlackSuit Ransomware, CISA AA24-241A, Malicious Inno Setup Loader, IcedID, Amadey, Industroyer2, PlugX, ValleyRAT 2026-05-13
Linux Sqlite3 Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
GPUpdate with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 T1055 TTP Cobalt Strike, Graceful Wipe Out Attack, Compromised Windows Host, Hellcat Ransomware, BlackByte Ransomware 2026-05-13
Spoolsv Suspicious Loaded Modules Sysmon EventID 7 T1547.012 TTP Black Basta Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Windows Snake Malware Service Create Windows Event Log System 7045 T1547.006 T1569.002 TTP Snake Malware, Compromised Windows Host 2026-05-13
Windows Snake Malware Kernel Driver Comadmin Sysmon EventID 11 T1547.006 TTP Snake Malware 2026-05-13
Allow Operation with Consent Admin Sysmon EventID 13 T1548 TTP Azorult, Ransomware, MoonPeak, Windows Registry Abuse 2026-05-13
Windows PUA Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 Anomaly SamSam Ransomware, CISA AA22-320A, Medusa Ransomware, IcedID, HAFNIUM Group, DHS Report TA18-074A, Sandworm Tools, Rhysida Ransomware, Seashell Blizzard, DarkGate Malware, DarkSide Ransomware, VanHelsing Ransomware, Active Directory Lateral Movement, Volt Typhoon, Cactus Ransomware, BlackByte Ransomware 2026-05-13
Windows Mock Trusted Directory MSC File Creation Sysmon EventID 11 T1218.014 T1548.002 T1574 TTP Windows Persistence Techniques, Windows Privilege Escalation 2026-05-13
Linux At Application Execution Sysmon for Linux EventID 1 T1053.002 Anomaly Linux Privilege Escalation, Cisco Isovalent Suspicious Activity, Scheduled Tasks, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
SLUI RunAs Elevated Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1548.002 TTP DarkSide Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Windows Vulnerable Driver Installed Windows Event Log System 7045 T1543.003 TTP Void Manticore, Windows Drivers 2026-05-13
Scheduled Task Creation on Remote Endpoint using At Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1053.002 TTP 0bj3ctivity Stealer, Living Off The Land, Scheduled Tasks, Active Directory Lateral Movement 2026-05-13
Windows Bypass UAC via Pkgmgr Tool Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1548.002 Anomaly Warzone RAT 2026-05-13
Windows Audit Policy Auditing Option Modified - Registry Sysmon EventID 13 T1547.014 Anomaly Windows Audit Policy Tampering 2026-05-13
Linux Malformed Auth Entry Linux Secure T1068 Anomaly Linux Privilege Escalation 2026-05-06
Detect Excessive User Account Lockouts T1078.003 Anomaly Active Directory Password Spraying, Scattered Lapsus$ Hunters 2026-05-13
SilentCleanup UAC Bypass Sysmon EventID 13 T1548.002 TTP Windows Registry Abuse, MoonPeak, Windows Defense Evasion Tactics 2026-05-13
Linux Auditd Nopasswd Entry In Sudoers File Linux Auditd Proctitle T1548.003 Anomaly Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques 2026-05-13
Linux Setuid Using Setcap Utility Sysmon for Linux EventID 1 T1548.001 Anomaly Linux Privilege Escalation, Linux Persistence Techniques 2026-05-13
Windows Service Create with Tscon Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1543.003 T1563.002 TTP Windows RDP Artifacts and Defense Evasion, Compromised Windows Host, Active Directory Lateral Movement 2026-05-13
Registry Keys Used For Privilege Escalation Sysmon EventID 13 T1546.012 TTP Data Destruction, Cloud Federated Credential Abuse, Windows Registry Abuse, Hermetic Wiper, Windows Privilege Escalation, Suspicious Windows Registry Activities 2026-05-13
Windows AD AdminSDHolder ACL Modified Windows Event Log Security 5136 T1546 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Autostart Execution LSASS Driver Registry Modification Sysmon EventID 13 T1547.008 TTP Windows Registry Abuse 2026-05-13
Spoolsv Spawning Rundll32 Windows Event Log Security 4688, CrowdStrike ProcessRollup2, Sysmon EventID 1 T1547.012 TTP Black Basta Ransomware, Compromised Windows Host, PrintNightmare CVE-2021-34527 2026-05-13
Windows Handle Duplication in Known UAC-Bypass Binaries Sysmon EventID 10 T1134.001 Anomaly Castle RAT 2026-05-13
Windows Driver Load Non-Standard Path Windows Event Log System 7045 T1014 T1068 TTP BlackSuit Ransomware, AgentTesla, CISA AA22-320A, Windows Drivers, BlackByte Ransomware 2026-05-13
Linux c99 Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Linux SSH Authorized Keys Modification Sysmon for Linux EventID 1 T1098.004 Anomaly Hellcat Ransomware, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware 2026-05-13
Cisco Isovalent - Potential Escape to Host Cisco Isovalent Process Exec T1611 Anomaly Cisco Isovalent Suspicious Activity, VoidLink Cloud-Native Linux Malware 2026-05-13
Windows Cloud Files Filter Log Created by Non-System Process Sysmon EventID 11 T1068 TTP RedSun, Windows Privilege Escalation 2026-05-01
Linux Possible Ssh Key File Creation Sysmon for Linux EventID 11 T1098.004 Anomaly Linux Privilege Escalation, Hellcat Ransomware, Linux Living Off The Land, Linux Persistence Techniques 2026-05-13
Linux MySQL Privilege Escalation Sysmon for Linux EventID 1 T1548.003 Anomaly Linux Privilege Escalation, Linux Living Off The Land 2026-05-13
Windows Process Injection With Public Source Path Sysmon EventID 8 T1055.002 Hunting Brute Ratel C4, Earth Alux, Phantom Stealer 2026-06-29
Splunk Enterprise KV Store Incorrect Authorization Splunk T1548 Hunting Splunk Vulnerabilities 2026-06-24
VMWare Aria Operations Exploit Attempt Palo Alto Network Threat T1068 T1133 T1190 T1210 TTP VMware Aria Operations vRealize CVE-2023-20887 2026-05-13
Microsoft SharePoint Server Elevation of Privilege Suricata T1068 Anomaly Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 2026-05-13
Cisco IOS XE Guestshell Activation and Destroy Cisco IOS Logs T1059 T1611 Anomaly Salt Typhoon 2026-05-20
ESXi Shared or Stolen Root Account VMWare ESXi Syslog T1078 Anomaly Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Splunk User Enumeration Attempt Splunk T1078 TTP Splunk Vulnerabilities 2026-05-14
Cisco ASA - New Local User Account Created Cisco ASA Logs T1078.003 T1136.001 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
PingID New MFA Method Registered For User PingID T1098.005 T1556.006 T1621 TTP Compromised User Account 2026-05-13
Cisco ASA - User Privilege Level Change Cisco ASA Logs T1078.003 T1098 Anomaly ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
M365 Copilot Application Usage Pattern Anomalies M365 Copilot Graph API T1078 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Okta New API Token Created Okta T1078.001 TTP Okta Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
Zoom High Video Latency T1078 Anomaly Remote Employment Fraud 2026-05-13
Okta Phishing Detection with FastPass Origin Check Okta T1078.001 T1556 TTP Okta Account Takeover 2026-05-13
ESXi External Root Login Activity VMWare ESXi Syslog T1078 Anomaly Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta New Device Enrolled on Account Okta T1098.005 TTP Okta Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
PingID Multiple Failed MFA Requests For User PingID T1078 T1110 T1621 TTP Compromised User Account 2026-05-13
AWS Bedrock Claude High Risk Filesystem and Exec Tool Invocation AWS Bedrock Claude T1055 Anomaly Suspicious AWS Bedrock Claude Activities 2026-07-06
ESXi Account Modified VMWare ESXi Syslog T1078 T1098 T1136.001 Anomaly Black Basta Ransomware, ESXi Post Compromise 2026-05-13
AWS Bedrock Claude Unusually Large Prompts AWS Bedrock Claude T1055 Anomaly Suspicious AWS Bedrock Claude Activities 2026-07-06
ESXi User Granted Admin Role VMWare ESXi Syslog T1078 T1098 TTP Black Basta Ransomware, ESXi Post Compromise 2026-05-13
Okta Suspicious Activity Reported Okta T1078.001 TTP Okta Account Takeover 2026-05-13
AWS Bedrock Claude Hostile Prompt Sentiment AWS Bedrock Claude T1055 Anomaly Suspicious AWS Bedrock Claude Activities 2026-07-06
PingID New MFA Method After Credential Reset PingID T1098.005 T1556.006 T1621 TTP Compromised User Account, Scattered Lapsus$ Hunters 2026-05-13
Okta Risk Threshold Exceeded Okta T1078 T1110 Correlation Suspicious Okta Activity, Okta Account Takeover, Okta MFA Exhaustion 2026-05-13
Cisco IOS XE WebUI Programmatic Configuration Cisco IOS Logs T1078 T1190 Anomaly Salt Typhoon 2026-05-19
Cisco IOS XE WebUI Login From IOSd Local Port Cisco IOS Logs T1078 T1190 TTP Salt Typhoon 2026-05-19
AWS Bedrock Claude Sensitive Data in Prompts AWS Bedrock Claude T1055 Anomaly Suspicious AWS Bedrock Claude Activities 2026-07-06
Okta Successful Single Factor Authentication Okta T1078.004 T1586.003 T1621 Anomaly Okta Account Takeover 2026-05-13
M365 Copilot Session Origin Anomalies M365 Copilot Graph API T1078 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
AWS Bedrock Claude Possible Prompt Injection AWS Bedrock Claude T1055 Hunting Suspicious AWS Bedrock Claude Activities 2026-07-06
AWS Bedrock Claude excessive use of tokens AWS Bedrock Claude T1055 Anomaly Suspicious AWS Bedrock Claude Activities 2026-07-06
Okta Authentication Failed During MFA Challenge Okta T1078.004 T1586.003 T1621 TTP Okta Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
Okta ThreatInsight Threat Detected Okta T1078.004 Anomaly Okta Account Takeover 2026-05-13
PingID Mismatch Auth Source and Verification Response PingID T1098.005 T1556.006 T1621 TTP Compromised User Account 2026-05-13
GCP Successful Single-Factor Authentication Google Workspace T1078.004 T1586.003 TTP GCP Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
ASL AWS IAM Successful Group Deletion ASL AWS CloudTrail T1069.003 T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
AWS SAML Update identity provider AWS CloudTrail UpdateSAMLProvider T1078 TTP Cloud Federated Credential Abuse 2026-05-13
O365 Cross-Tenant Access Change Office 365 Universal Audit Log T1484.002 TTP Azure Active Directory Persistence 2026-05-13
GCP Detect gcploit framework T1078 TTP GCP Cross Account Activity 2026-05-13
Kubernetes Cron Job Creation Kubernetes Audit T1053.007 Anomaly Kubernetes Security 2026-05-13
Cloud Provisioning Activity From Previously Unseen IP Address AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
O365 Service Principal Privilege Escalation O365 Add app role assignment grant to user. T1098.003 TTP Azure Active Directory Privilege Escalation, Office 365 Account Takeover 2026-05-13
Azure AD Successful PowerShell Authentication Azure Active Directory T1078.004 T1586.003 TTP Azure Active Directory Account Takeover 2026-05-13
Azure AD New Federated Domain Added Azure Active Directory Set domain authentication T1484.002 TTP Scattered Lapsus$ Hunters, Hellcat Ransomware, Azure Active Directory Persistence, Storm-0501 Ransomware 2026-05-13
Cloud Provisioning Activity From Previously Unseen City AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
O365 Privileged Role Assigned Office 365 Universal Audit Log T1098.003 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Cloud Compute Instance Created By Previously Unseen User AWS CloudTrail T1078.004 Anomaly Cloud Cryptomining 2026-05-13
Azure AD Service Principal Authentication Azure Active Directory Sign-in activity T1078.004 TTP NOBELIUM Group, Azure Active Directory Account Takeover 2026-05-13
Azure AD Global Administrator Role Assigned Azure Active Directory Add member to role T1098.003 TTP Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
O365 FullAccessAsApp Permission Assigned O365 Update application. T1098.002 T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
Azure AD PIM Role Assigned Azure Active Directory T1098.003 TTP Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Azure AD Tenant Wide Admin Consent Granted Azure Active Directory Consent to application T1098.003 TTP NOBELIUM Group, Azure Active Directory Persistence 2026-05-13
AWS Successful Single-Factor Authentication AWS CloudTrail ConsoleLogin T1078.004 T1586.003 TTP AWS Identity and Access Management Account Takeover 2026-05-13
O365 Privileged Role Assigned To Service Principal Office 365 Universal Audit Log T1098.003 TTP Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters 2026-05-13
O365 Application Registration Owner Added O365 Add owner to application. T1098 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
AWS SetDefaultPolicyVersion AWS CloudTrail SetDefaultPolicyVersion T1078.004 TTP AWS IAM Privilege Escalation 2026-05-13
O365 Security And Compliance Alert Triggered T1078.004 TTP Office 365 Account Takeover 2026-05-13
GCP Authentication Failed During MFA Challenge Google Workspace login_failure T1078.004 T1586.003 T1621 TTP GCP Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
Azure AD Service Principal Privilege Escalation Azure Active Directory Add app role assignment to service principal T1098.003 TTP Azure Active Directory Privilege Escalation 2026-05-13
O365 Service Principal New Client Credentials O365 T1098.001 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
Azure AD Multiple Failed MFA Requests For User Azure Active Directory Sign-in activity T1078.004 T1586.003 T1621 TTP Azure Active Directory Account Takeover 2026-05-13
O365 Mailbox Read Access Granted to Application O365 Update application. T1098.003 T1114.002 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 New MFA Method Registered O365 Update user. T1098.005 TTP Office 365 Persistence Mechanisms 2026-05-13
O365 High Privilege Role Granted O365 Add member to role. T1098.003 TTP Office 365 Persistence Mechanisms 2026-05-13
Okta Non-Standard VPN Usage Okta T1078 T1090 T1572 TTP Suspicious Okta Activity, Remote Employment Fraud 2026-05-13
ASL AWS IAM Delete Policy ASL AWS CloudTrail T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
Cloud Provisioning Activity From Previously Unseen Country AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
Azure AD Service Principal Owner Added Azure Active Directory Add owner to application T1098 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group, Azure Active Directory Persistence 2026-05-13
Azure Runbook Webhook Created Azure Audit Create or Update an Azure Automation webhook T1078.004 TTP Azure Active Directory Persistence 2026-05-13
Azure AD PIM Role Assignment Activated Azure Active Directory T1098.003 TTP Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
AWS IAM Delete Policy AWS CloudTrail DeletePolicy T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoggedIn, O365 UserLoginFailed T1078 Anomaly Office 365 Account Takeover 2026-05-13
Azure AD Multiple AppIDs and UserAgents Authentication Spike Azure Active Directory Sign-in activity T1078 Anomaly Azure Active Directory Account Takeover 2026-05-13
AWS Create Policy Version to allow all resources AWS CloudTrail CreatePolicyVersion T1078.004 TTP AWS IAM Privilege Escalation 2026-05-13
Cloud Instance Modified By Previously Unseen User AWS CloudTrail T1078.004 Anomaly Suspicious Cloud Instance Activities 2026-05-13
Azure AD New Custom Domain Added Azure Active Directory Add unverified domain T1484.002 TTP Azure Active Directory Persistence 2026-05-13
AWS IAM Failure Group Deletion AWS CloudTrail DeleteGroup T1098 Anomaly AWS IAM Privilege Escalation 2026-05-13
Azure AD FullAccessAsApp Permission Assigned Azure Active Directory Update application T1098.002 T1098.003 TTP NOBELIUM Group, Azure Active Directory Persistence 2026-05-13
Azure AD Successful Single-Factor Authentication Azure Active Directory T1078.004 T1586.003 TTP Azure Active Directory Account Takeover 2026-05-13
O365 Mailbox Folder Read Permission Assigned O365 ModifyFolderPermissions T1098.002 TTP Office 365 Collection Techniques 2026-05-13
Azure AD Service Principal New Client Credentials Azure Active Directory T1098.001 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group, Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
ASL AWS Create Policy Version to allow all resources ASL AWS CloudTrail T1078.004 TTP AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters 2026-05-13
Azure AD Application Administrator Role Assigned Azure Active Directory Add member to role T1098.003 TTP Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters 2026-05-13
O365 Application Available To Other Tenants Office 365 Universal Audit Log T1098.003 TTP Data Exfiltration, Azure Active Directory Persistence, Azure Active Directory Account Takeover 2026-05-13
Azure AD Privileged Role Assigned Azure Active Directory Add member to role T1098.003 TTP NOBELIUM Group, Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Storm-0501 Ransomware 2026-05-13
Azure AD New MFA Method Registered Azure Active Directory Update user T1098.005 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Cloud API Calls From Previously Unseen User Roles AWS CloudTrail T1078 Anomaly Suspicious Cloud User Activities 2026-05-13
O365 Admin Consent Bypassed by Service Principal O365 Add app role assignment to service principal. T1098.003 TTP Office 365 Persistence Mechanisms 2026-05-13
AWS Bedrock Invoke Model Access Denied AWS CloudTrail T1078 T1550 TTP AWS Bedrock Security 2026-05-13
Azure AD Privileged Role Assigned to Service Principal Azure Active Directory Add member to role T1098.003 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group, Scattered Lapsus$ Hunters 2026-05-13
O365 ApplicationImpersonation Role Assigned O365 T1098.002 TTP NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms 2026-05-13
AWS IAM Successful Group Deletion AWS CloudTrail DeleteGroup T1069.003 T1098 Hunting AWS IAM Privilege Escalation 2026-05-13
Azure AD User ImmutableId Attribute Updated Azure Active Directory Update user T1098 TTP Hellcat Ransomware, Azure Active Directory Persistence 2026-05-13
Azure AD Admin Consent Bypassed by Service Principal Azure Active Directory Add app role assignment to service principal T1098.003 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2026-05-13
ASL AWS SAML Update identity provider ASL AWS CloudTrail T1078 TTP Cloud Federated Credential Abuse 2026-05-13
Microsoft Intune DeviceManagementConfigurationPolicies Azure Monitor Activity T1021.007 T1072 T1484 T1685 T1686 Hunting Azure Active Directory Account Takeover 2026-05-13
Azure AD User Enabled And Password Reset Azure Active Directory Update user, Azure Active Directory Enable account, Azure Active Directory Reset password (by admin) T1098 TTP Scattered Lapsus$ Hunters, Azure Active Directory Persistence 2026-05-13
Geographic Improbable Location Okta T1078 Anomaly Remote Employment Fraud 2026-05-13
ASL AWS IAM Failure Group Deletion ASL AWS CloudTrail T1098 Anomaly AWS IAM Privilege Escalation 2026-05-13
Cloud Provisioning Activity From Previously Unseen Region AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
Azure AD Authentication Failed During MFA Challenge Azure Active Directory T1078.004 T1586.003 T1621 TTP Azure Active Directory Account Takeover 2026-05-13
GCP Multiple Failed MFA Requests For User Google Workspace T1078.004 T1586.003 T1621 TTP GCP Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
O365 Tenant Wide Admin Consent Granted O365 Consent to application. T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2026-05-13
O365 Elevated Mailbox Permission Assigned O365 Add-MailboxPermission T1098.002 TTP Office 365 Collection Techniques 2026-05-13
O365 Mailbox Folder Read Permission Granted O365 ModifyFolderPermissions T1098.002 TTP Office 365 Collection Techniques 2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Configuration Archive Logging Analysis Cisco IOS Logs T1098 T1505.003 T1685 Hunting Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco IOS Suspicious Privileged Account Creation Cisco IOS Logs T1078 T1136 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event T1053.003 T1059 T1071.001 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Process Injection Of Wermgr to Known Browser Sysmon EventID 8 T1055.001 TTP Qakbot 2026-06-29
Rundll32 CreateRemoteThread In Browser Sysmon EventID 8 T1055 TTP IcedID, Living Off The Land 2026-06-29