Stealth Detections

Name Data Source Technique Type Analytic Story Date
Splunk User Enumeration Attempt Splunk T1078 TTP Splunk Vulnerabilities 2026-05-14
CMLUA Or CMSTPLUA UAC Bypass Sysmon EventID 7 T1218.003 TTP DarkSide Ransomware, ValleyRAT, Ransomware, LockBit Ransomware 2026-05-13
Windows InstallUtil URL in Command Line CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data T1218.004 TTP Living Off The Land, Compromised Windows Host, Cisco Network Visibility Module Analytics, Signed Binary Proxy Execution InstallUtil 2026-05-13
Windows New Service Security Descriptor Set Via Sc.EXE CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1564 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows Rasautou DLL Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055.001 T1218 TTP Compromised Windows Host, Windows Defense Evasion Tactics, Hellcat Ransomware 2026-05-13
USN Journal Deletion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1070 TTP Windows Log Manipulation, Ransomware 2026-05-13
Mshta spawning Rundll32 OR Regsvr32 Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.005 TTP Living Off The Land, IcedID, APT37 Rustonotto and FadeStealer, Trickbot 2026-05-13
Execution of File with Multiple Extensions CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 TTP Masquerading - Rename System Utilities, AsyncRAT, DarkGate Malware, Windows File Extension and Association Abuse 2026-05-13
MSBuild Suspicious Spawned By Script Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1127.001 TTP Trusted Developer Utilities Proxy Execution MSBuild, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Reg exe Manipulating Windows Services Registry Keys CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.011 TTP Windows Service Abuse, Living Off The Land, Windows Persistence Techniques 2026-05-13
Suspicious Copy on System32 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 Anomaly Compromised Windows Host, Volt Typhoon, AsyncRAT, Water Gamayun, Unusual Processes, Qakbot, IcedID, Sandworm Tools 2026-05-13
Detect RTLO In Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.002 TTP Spearphishing Attachments 2026-05-13
Detect RTLO In File Name Sysmon EventID 11 T1036.002 TTP Spearphishing Attachments 2026-05-13
Linux Preload Hijack Library Calls Sysmon for Linux EventID 1 T1574.006 TTP Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity 2026-05-13
Windows MSIExec DLLRegisterServer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.007 TTP Water Gamayun, Windows System Binary Proxy Execution MSIExec 2026-05-13
Linux Obfuscated Files or Information Base64 Decode Sysmon for Linux EventID 1 T1027 Anomaly Linux Living Off The Land 2026-05-13
Windows Rundll32 with Non-Standard File Extension CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 Anomaly Living Off The Land, Gh0st RAT, Suspicious Rundll32 Activity 2026-05-13
Linux Auditd Base64 Decode Files Linux Auditd Execve T1140 Anomaly Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host 2026-05-13
Windows Chromium Process Launched with Logging Disabled CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1497 Anomaly Browser Hijacking 2026-05-13
Suspicious Rundll32 StartW CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 TTP Cobalt Strike, BlackByte Ransomware, Suspicious Rundll32 Activity, Graceful Wipe Out Attack, Hellcat Ransomware, Trickbot 2026-05-13
Windows Odbcconf Load Response File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.008 TTP Living Off The Land 2026-05-13
Windows IOBit Unlocker Extension DLL Registration via Regsvr32 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.010 TTP Compromised Windows Host 2026-05-13
Windows Drivers Loaded by Signature Sysmon EventID 6 T1014 T1068 Hunting Windows Drivers, AgentTesla, BlackByte Ransomware, CISA AA22-320A 2026-05-13
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download Cisco Network Visibility Module Flow Data T1218.005 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows Proxy Execution of .NET Utilities via Scripts CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218 Anomaly VIP Keylogger 2026-05-13
Windows Large Number of Computer Service Tickets Requested Windows Event Log Security 4769 T1078 T1135 Anomaly Active Directory Privilege Escalation, Active Directory Lateral Movement 2026-05-13
Suspicious msbuild path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 T1127.001 TTP Living Off The Land, Cobalt Strike, BlackByte Ransomware, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Windows ConsoleHost History File Deletion Sysmon EventID 23, Sysmon EventID 26 T1070.003 Anomaly Medusa Ransomware 2026-05-13
Detect Regsvr32 Application Control Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.010 TTP Living Off The Land, Compromised Windows Host, Cobalt Strike, PHP-CGI RCE Attack on Japanese Organizations, BlackByte Ransomware, Suspicious Regsvr32 Activity, Graceful Wipe Out Attack 2026-05-13
Windows Entra User Management Via Azure CLI CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1078.004 T1098 T1136 Anomaly Azure Active Directory Persistence 2026-05-13
Wscript Or Cscript Suspicious Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 T1134.004 T1543 Anomaly Remcos, VIP Keylogger, XWorm, NjRAT, 0bj3ctivity Stealer, Unusual Processes, ShrinkLocker, MuddyWater, Data Destruction, WhisperGate, FIN7, Axios Supply Chain Post Compromise 2026-05-13
Rundll32 Control RunDLL Hunt CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 Hunting Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity 2026-05-13
Windows Process Injection into Commonly Abused Processes Sysmon EventID 10 T1055.002 Anomaly SAP NetWeaver Exploitation, APT37 Rustonotto and FadeStealer, Earth Alux, BishopFox Sliver Adversary Emulation Framework 2026-05-13
Windows Remote Assistance Spawning Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 TTP Compromised Windows Host, Unusual Processes 2026-05-13
Windows AD SID History Attribute Modified Windows Event Log Security 5136 T1134.005 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Windows Chromium process Launched with Disable Popup Blocking CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1497 Anomaly Browser Hijacking 2026-05-13
Windows Process With NamedPipe CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 Anomaly Windows Defense Evasion Tactics 2026-05-13
Windows BitLockerToGo with Network Activity Sysmon EventID 22 T1218 Hunting Lumma Stealer, Hellcat Ransomware 2026-05-13
Linux Account Manipulation Of SSH Config and Keys Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly AcidRain, Hellcat Ransomware 2026-05-13
Windows SqlWriter SQLDumper DLL Sideload Sysmon EventID 7 T1574.001 TTP APT29 Diplomatic Deceptions with WINELOADER 2026-05-13
Windows GrimResource - MMC Process Accessing APDS DLL Windows Event Log Security 4663 T1059.007 T1218.014 TTP Compromised Windows Host 2026-05-13
Curl Execution with Percent Encoded URL CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 T1027 T1105 Anomaly Living Off The Land, Compromised Windows Host, Ingress Tool Transfer 2026-05-13
Detect Rundll32 Inline HTA Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.005 TTP Suspicious MSHTA Activity, Living Off The Land, APT37 Rustonotto and FadeStealer, NOBELIUM Group 2026-05-13
Windows Azure PowerShell Module Installation Via PowerShell Script Powershell Script Block Logging 4104 T1021.007 T1069.003 T1078 T1098 T1136.003 Anomaly Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2026-05-13
Powershell Enable SMB1Protocol Feature Powershell Script Block Logging 4104 T1027.005 TTP Hermetic Wiper, Malicious PowerShell, Data Destruction, Ransomware 2026-05-13
Suspicious microsoft workflow compiler usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1127 TTP Living Off The Land, Trusted Developer Utilities Proxy Execution 2026-05-13
Linux Auditd Preload Hijack Library Calls Linux Auditd Execve T1574.006 TTP Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host 2026-05-13
Windows Unsigned MS DLL Side-Loading Sysmon EventID 7 T1547 T1574.001 Anomaly Earth Alux, XWorm, APT29 Diplomatic Deceptions with WINELOADER, Salt Typhoon, Derusbi, China-Nexus Threat Activity 2026-05-13
Windows System Script Proxy Execution Syncappvpublishingserver CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1216 T1218 TTP Living Off The Land 2026-05-13
Windows Obfuscated Files or Information via RAR SFX Sysmon EventID 11 T1027.013 Anomaly GhostRedirector IIS Module and Rungan Backdoor, Crypto Stealer, APT37 Rustonotto and FadeStealer, Salat Stealer 2026-06-08
Trickbot Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1055 TTP Trickbot, Hellcat Ransomware 2026-05-13
Windows Process Execution From ProgramData CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.005 Hunting APT37 Rustonotto and FadeStealer, Axios Supply Chain Post Compromise, XWorm, Salat Stealer, StealC Stealer, GhostRedirector IIS Module and Rungan Backdoor, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, China-Nexus Threat Activity, SnappyBee 2026-06-08
Windows Odbcconf Load DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.008 TTP Living Off The Land 2026-05-13
Detect Regasm Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.009 TTP Suspicious Regsvcs Regasm Activity, Living Off The Land, Compromised Windows Host, Handala Wiper, DarkGate Malware, Snake Keylogger, Void Manticore 2026-05-13
Windows AD Cross Domain SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Windows Diskshadow Proxy Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218 TTP Living Off The Land 2026-05-13
Windows MSIExec Spawn WinDBG CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.007 TTP Compromised Windows Host, DarkGate Malware 2026-05-13
Potential password in username Linux Secure T1078.003 T1552.001 Hunting Insider Threat, Credential Dumping 2026-05-13
BITSAdmin Download File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1105 T1197 TTP DarkSide Ransomware, Living Off The Land, APT37 Rustonotto and FadeStealer, Scattered Spider, Ingress Tool Transfer, Flax Typhoon, Gozi Malware, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, BITS Jobs 2026-05-13
Disable Show Hidden Files Sysmon EventID 13 T1112 T1564.001 T1685 Anomaly Windows Registry Abuse, Windows Defense Evasion Tactics, Azorult 2026-05-13
Windows Rundll32 Apply User Settings Changes CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 Anomaly Rhysida Ransomware 2026-05-13
Windows HTTP Network Communication From MSIExec Sysmon EventID 1, Sysmon EventID 3, Cisco Network Visibility Module Flow Data T1218.007 Anomaly APT37 Rustonotto and FadeStealer, Water Gamayun, GhostRedirector IIS Module and Rungan Backdoor, SolarWinds WHD RCE Post Exploitation, Cisco Network Visibility Module Analytics, Windows System Binary Proxy Execution MSIExec 2026-05-13
Linux Deletion Of Cron Jobs Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly AcidRain, Data Destruction, AcidPour 2026-05-13
Windows RunMRU Command Execution Sysmon EventID 13 T1202 Anomaly Fake CAPTCHA Campaigns, Lumma Stealer 2026-05-13
MacOS Hidden Files and Directories Osquery Results T1564.001 Anomaly MacOS Persistence Techniques 2026-05-13
LOLBAS With Network Traffic Sysmon EventID 3 T1105 T1218 T1567 TTP Malicious Inno Setup Loader, Living Off The Land, APT37 Rustonotto and FadeStealer, Fake CAPTCHA Campaigns, Water Gamayun, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, NetSupport RMM Tool Abuse 2026-05-13
Detect mshta inline hta execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.005 TTP Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious MSHTA Activity, XWorm, Gozi Malware, BlankGrabber Stealer 2026-05-13
Suspicious Process Executed From Container File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.008 T1204.002 TTP APT37 Rustonotto and FadeStealer, Remcos, Water Gamayun, Unusual Processes, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Snake Keylogger 2026-05-13
PowerShell Start-BitsTransfer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1197 TTP Gozi Malware, BITS Jobs 2026-05-13
Notepad with no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 TTP BishopFox Sliver Adversary Emulation Framework 2026-05-13
Sdelete Application Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1070.004 T1485 TTP Masquerading - Rename System Utilities, Void Manticore, Scattered Spider 2026-05-13
Linux Auditd Kernel Module Enumeration Linux Auditd Syscall T1014 T1082 Anomaly Linux Rootkit, XorDDos, Compromised Linux Host 2026-05-13
Cisco NVM - Curl Execution With Insecure Flags Cisco Network Visibility Module Flow Data T1197 Anomaly PromptLock, Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287 2026-05-13
Windows Odbcconf Hunting CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.008 Hunting Living Off The Land 2026-05-13
WMIC XSL Execution via URL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data T1220 TTP Compromised Windows Host, Suspicious WMI Use, Cisco Network Visibility Module Analytics 2026-05-13
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script Powershell Script Block Logging 4104 T1071.001 T1078 T1212 T1482 TTP Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2026-05-13
Linux Decode Base64 to Shell Sysmon for Linux EventID 1, Cisco Isovalent Process Exec T1027 T1059.004 TTP Linux Living Off The Land, Cisco Isovalent Suspicious Activity 2026-05-13
Ping Sleep Batch Command CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497.003 Anomaly Gh0st RAT, Warzone RAT, BlackByte Ransomware, Meduza Stealer, Quasar RAT, Data Destruction, WhisperGate, Void Manticore 2026-05-13
Windows Known Abused DLL Created Sysmon EventID 11 T1574.001 Anomaly Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Malicious PowerShell Process - Encoded Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1027 Hunting Crypto Stealer, CISA AA22-320A, Scattered Spider, Volt Typhoon, Microsoft SharePoint Vulnerabilities, DarkCrystal RAT, Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Qakbot, SolarWinds WHD RCE Post Exploitation, Microsoft WSUS CVE-2025-59287, NOBELIUM Group, Data Destruction, WhisperGate, Lumma Stealer, Sandworm Tools, Malicious PowerShell 2026-05-13
Recursive Delete of Directory In Batch CMD CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1070.004 TTP APT37 Rustonotto and FadeStealer, Ransomware 2026-05-13
UAC Bypass MMC Load Unsigned Dll Sysmon EventID 7 T1218.014 T1548.002 TTP Windows Defense Evasion Tactics 2026-05-13
Windows Advanced Installer MSIX with AI_STUBS Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204.002 T1218 T1553.005 TTP MSIX Package Abuse 2026-05-13
Windows Suspicious File in EFI Volume Sysmon EventID 11 T1490 T1542.001 TTP Windows BootKits, BlackLotus Campaign, Sandworm Tools 2026-05-13
Windows Registry Payload Injection Sysmon EventID 13 T1027.011 TTP Unusual Processes 2026-05-13
Windows NetSupport RMM DLL Loaded By Uncommon Process Sysmon EventID 7 T1036 Anomaly NetSupport RMM Tool Abuse 2026-05-13
Windows Process Writing File to World Writable Path Sysmon EventID 11 T1218.005 Hunting APT29 Diplomatic Deceptions with WINELOADER, PHP-CGI RCE Attack on Japanese Organizations, PathWiper 2026-05-13
Windows DLL Side-Loading In Calc Sysmon EventID 7 T1574.001 TTP Qakbot, Earth Alux 2026-05-13
Linux Deletion Of Services Sysmon for Linux EventID 11 T1070.004 T1485 TTP AcidRain, AwfulShred, Data Destruction, AcidPour 2026-05-13
Windows Suspicious Process File Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.005 T1543 TTP RoguePlanet, Brute Ratel C4, PromptLock, XMRig, Castle RAT, AsyncRAT, Water Gamayun, Hermetic Wiper, MoonPeak, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Graceful Wipe Out Attack, IcedID, Trickbot, RedLine Stealer, Prestige Ransomware, Earth Alux, Warzone RAT, DarkCrystal RAT, PlugX, StealC Stealer, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, Chaos Ransomware, LockBit Ransomware, China-Nexus Threat Activity, SnappyBee, Void Manticore, Malicious Inno Setup Loader, ValleyRAT, Lokibot, VIP Keylogger, Industroyer2, Interlock Rat, XWorm, NailaoLocker Ransomware, Meduza Stealer, AgentTesla, Qakbot, CISA AA23-347A, WhisperGate, Axios Supply Chain Post Compromise, SystemBC, Remcos, Volt Typhoon, BlackByte Ransomware, Interlock Ransomware, Azorult, Quasar RAT, Swift Slicer, Data Destruction, Handala Wiper, Double Zero Destructor, Phemedrone Stealer, SesameOp 2026-06-11
Detect Regsvcs Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.009 TTP Suspicious Regsvcs Regasm Activity, Living Off The Land, Compromised Windows Host 2026-05-13
Winhlp32 Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 TTP Remcos, Compromised Windows Host 2026-05-13
SearchProtocolHost with no Command Line with Network Sysmon EventID 1, Sysmon EventID 3 T1055 TTP Compromised Windows Host, Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware 2026-05-13
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574 Anomaly Windows Persistence Techniques 2026-05-13
Linux Deletion of SSL Certificate Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly AcidRain, AcidPour 2026-05-13
Suspicious Kerberos Service Ticket Request Windows Event Log Security 4769 T1078.002 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2026-05-13
Suspicious Regsvr32 Register Suspicious Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.010 TTP Living Off The Land, Qakbot, Salt Typhoon, Suspicious Regsvr32 Activity, Derusbi, IcedID, China-Nexus Threat Activity 2026-05-13
Detect Path Interception By Creation Of program exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.009 TTP Scattered Lapsus$ Hunters, Windows Persistence Techniques 2026-05-13
Windows Execute Arbitrary Commands with MSDT CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218 TTP Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host 2026-05-13
Windows Process Execution in Temp Dir CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.005 T1543 Anomaly RoguePlanet, Gh0st RAT, Remcos, Lokibot, Axios Supply Chain Post Compromise, PromptLock, Ransomware, XWorm, NjRAT, Salat Stealer, AgentTesla, Qakbot, PathWiper, Ryuk Ransomware, Trickbot, SesameOp 2026-06-08
Windows Guest Account Enabled Via Net.EXE CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1078.001 Anomaly Windows Persistence Techniques 2026-05-13
Windows Known Abused DLL Loaded Suspiciously Sysmon EventID 7 T1574.001 TTP Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics 2026-05-13
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Sysmon EventID 10 T1134.001 Anomaly Brute Ratel C4, PathWiper 2026-05-13
Windows PowerView AD Access Control List Enumeration Powershell Script Block Logging 4104 T1069 T1078.002 TTP Rhysida Ransomware, Active Directory Privilege Escalation, Active Directory Discovery 2026-05-13
Windows AD Same Domain SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host, Windows Persistence Techniques 2026-05-13
Windows Multiple Accounts Deleted Windows Event Log Security 4726 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Windows Time Based Evasion CrowdStrike ProcessRollup2, Sysmon EventID 1 T1497.003 TTP NjRAT, BlankGrabber Stealer 2026-05-13
Windows System Binary Proxy Execution Compiled HTML File Decompile CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.001 TTP Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity 2026-05-13
Cisco NVM - Suspicious Network Connection From Process With No Args Cisco Network Visibility Module Flow Data T1055 T1218 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows Chromium Process with Disabled Extensions CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1497 Anomaly Browser Hijacking 2026-05-13
Create or delete windows shares using net exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1070.005 TTP Prestige Ransomware, Windows Post-Exploitation, Hidden Cobra Malware, DarkGate Malware, CISA AA22-277A 2026-05-13
Windows Bluetooth Service Installed From Uncommon Location Windows Event Log System 7045 T1036 T1543.003 Anomaly Lotus Blossom Chrysalis Backdoor 2026-05-13
Process Deleting Its Process File Path Sysmon EventID 1 T1070 TTP WhisperGate, Data Destruction, Clop Ransomware, Remcos 2026-05-13
Rundll32 Create Remote Thread To A Process Sysmon EventID 8 T1055 TTP Living Off The Land, IcedID 2026-05-13
Windows Rundll32 Load DLL in Temp Dir Sysmon EventID 1 T1218.011 Anomaly Interlock Rat 2026-05-13
Detect mshta renamed CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.005 Hunting Suspicious MSHTA Activity, Living Off The Land, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Suspicious Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 TTP DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Brute Ratel C4, Cobalt Strike, Remote Monitoring and Management Software, BlackByte Ransomware, Gozi Malware, LockBit Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware, Trickbot, Tuoni, Meterpreter 2026-05-13
Mmc LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.003 T1218.014 TTP Living Off The Land, XML Runner Loader, Water Gamayun, Active Directory Lateral Movement 2026-05-13
Wbemprox COM Object Execution Sysmon EventID 7 T1218.003 TTP Revil Ransomware, Ransomware, LockBit Ransomware 2026-05-13
Windows Indirect Command Execution Via pcalua CrowdStrike ProcessRollup2, Sysmon EventID 1 T1202 TTP Living Off The Land 2026-05-13
Linux Indicator Removal Service File Deletion Sysmon for Linux EventID 1 T1070.004 Anomaly AwfulShred, Data Destruction 2026-05-13
RunDLL Loading DLL By Ordinal CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 TTP Living Off The Land, IcedID, Suspicious Rundll32 Activity, Unusual Processes 2026-05-13
Suspicious writes to windows Recycle Bin Sysmon EventID 1, Sysmon EventID 11 T1036 TTP PlugX, Collection and Staging 2026-05-13
Windows Get-Variable.EXE Execution from WindowsApps Folder CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.008 Anomaly Windows Persistence Techniques 2026-05-13
PowerShell WebRequest Using Memory Stream Powershell Script Block Logging 4104 T1027.011 T1059.001 T1105 TTP MoonPeak, Malicious PowerShell, PHP-CGI RCE Attack on Japanese Organizations, Medusa Ransomware 2026-05-13
Windows Mshta Execution In Registry Sysmon EventID 13 T1218.005 TTP Suspicious Windows Registry Activities, Windows Persistence Techniques 2026-05-13
Windows Process Injection into Notepad Sysmon EventID 10 T1055.002 Anomaly APT37 Rustonotto and FadeStealer, Earth Alux, BishopFox Sliver Adversary Emulation Framework 2026-05-13
Powershell Fileless Process Injection via GetProcAddress Powershell Script Block Logging 4104 T1055 T1059.001 TTP Hermetic Wiper, Malicious PowerShell, Data Destruction, Hellcat Ransomware 2026-05-13
Linux Deletion Of Init Daemon Script Sysmon for Linux EventID 11 T1070.004 T1485 TTP AcidRain, Data Destruction, AcidPour 2026-05-13
Windows Unsigned DLL Side-Loading In Same Process Path Sysmon EventID 7 T1574.001 TTP Malicious Inno Setup Loader, Lokibot, NailaoLocker Ransomware, XWorm, PlugX, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, DarkGate Malware, Derusbi, China-Nexus Threat Activity, SnappyBee 2026-05-13
Windows Potential AppDomainManager Hijack Artifacts Creation Sysmon EventID 11 T1574.014 Anomaly SesameOp 2026-05-13
Windows Alternate DataStream - Process Execution Sysmon EventID 1, Windows Event Log Security 4688 T1564.004 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2026-06-04
Suspicious Rundll32 no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 TTP Cobalt Strike, BlackByte Ransomware, Suspicious Rundll32 Activity, Graceful Wipe Out Attack, Hellcat Ransomware, PrintNightmare CVE-2021-34527 2026-05-13
Detect Regsvcs with Network Connection Sysmon EventID 3 T1218.009 TTP Suspicious Regsvcs Regasm Activity, Living Off The Land, Hellcat Ransomware 2026-05-13
Windows Svchost.exe Parent Process Anomaly Sysmon EventID 1, Windows Event Log Security 4688 T1036.009 Anomaly China-Nexus Threat Activity, SnappyBee 2026-05-13
Windows DLL Side-Loading Process Child Of Calc CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.001 Anomaly Qakbot, Earth Alux 2026-05-13
Windows Regsvr32 Renamed Binary CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.010 TTP Qakbot, Compromised Windows Host 2026-05-13
Suspicious Rundll32 PluginInit CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 TTP IcedID 2026-05-13
Linux Auditd Preload Hijack Via Preload File Linux Auditd Cwd, Linux Auditd Path T1574.006 TTP Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host 2026-05-13
Windows List ENV Variables Via SET Command From Uncommon Parent CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 Anomaly Qakbot 2026-05-13
Windows WinLogon with Public Network Connection Sysmon EventID 1, Sysmon EventID 3 T1542.003 Hunting BlackLotus Campaign 2026-05-13
Windows Time Based Evasion via Choice Exec CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1497.003 Anomaly 0bj3ctivity Stealer, Snake Keylogger, VIP Keylogger 2026-05-13
CertUtil With Decode Argument CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1140 TTP Living Off The Land, Forest Blizzard, Deobfuscate-Decode Files or Information, APT29 Diplomatic Deceptions with WINELOADER, GhostRedirector IIS Module and Rungan Backdoor, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Detect HTML Help URL in Command Line CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data T1218.001 TTP Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Cisco Network Visibility Module Analytics, Suspicious Compiled HTML Activity 2026-05-13
Suspicious GPUpdate no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 TTP BlackByte Ransomware, Hellcat Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2026-05-13
Windows AD Privileged Account SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 T1134.005 TTP Sneaky Active Directory Persistence Tricks, Compromised Windows Host 2026-05-13
Uninstall App Using MsiExec CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.007 TTP Ransomware 2026-05-13
Cisco NVM - Non-Network Binary Making Network Connection Cisco Network Visibility Module Flow Data T1036 T1055 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows EFI Bootloader File Modification Sysmon EventID 11 T1542.003 TTP Windows BootKits 2026-05-13
Windows Chromium Browser Launched with Small Window Size CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1497 TTP Browser Hijacking 2026-05-13
Windows BootLoader Inventory T1542.001 Hunting Windows BootKits, BlackLotus Campaign 2026-05-13
Rundll32 with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 T1218.011 TTP PrintNightmare CVE-2021-34527, Compromised Windows Host, BlackSuit Ransomware, Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Suspicious Rundll32 Activity 2026-05-13
Cisco NVM - Suspicious Network Connection Initiated via MsXsl Cisco Network Visibility Module Flow Data T1220 Anomaly Cisco Network Visibility Module Analytics 2026-05-13
Windows LOLBAS Executed As Renamed File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 T1218.011 TTP Masquerading - Rename System Utilities, Living Off The Land, Water Gamayun, Windows Defense Evasion Tactics 2026-05-13
Windows Snake Malware File Modification Crmlog Sysmon EventID 11 T1027 TTP Snake Malware 2026-05-13
Windows Unusual Process Load Mozilla NSS-Mozglue Module Sysmon EventID 7 T1218.003 Anomaly Lokibot, VIP Keylogger, 0bj3ctivity Stealer, StealC Stealer, Quasar RAT 2026-05-13
Detect HTML Help Using InfoTech Storage Handlers CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.001 TTP Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious Compiled HTML Activity 2026-05-13
Windows Njrat Fileless Storage via Registry Sysmon EventID 13 T1027.011 TTP NjRAT 2026-05-13
Windows Binary Proxy Execution Mavinject DLL Injection CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.013 TTP Living Off The Land 2026-05-13
Windows InstallUtil Uninstall Option CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.004 TTP Living Off The Land, Compromised Windows Host, Signed Binary Proxy Execution InstallUtil 2026-05-13
Windows EFI Volume Mount Attempt Via Mountvol CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1204.002 T1542 T1688 Anomaly Compromised Windows Host 2026-05-13
Windows Indirect Command Execution Via forfiles CrowdStrike ProcessRollup2, Sysmon EventID 1 T1202 TTP Living Off The Land, Windows Post-Exploitation 2026-05-13
Windows MSIExec Unregister DLLRegisterServer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2026-05-13
Suspicious DLLHost no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 TTP BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2026-05-13
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI Cisco Network Visibility Module Flow Data T1059.005 T1218.005 Anomaly Cisco Network Visibility Module Analytics, BlankGrabber Stealer 2026-05-13
Windows Mustang Panda USB Tool Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1020 T1204.002 T1574.001 TTP Compromised Windows Host 2026-05-13
Linux Auditd AI CLI Permission Override Activated Linux Auditd Proctitle T1480 Anomaly QuietVault 2026-05-13
Suspicious microsoft workflow compiler rename CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 T1127 Hunting Living Off The Land, Cobalt Strike, BlackByte Ransomware, Trusted Developer Utilities Proxy Execution, Masquerading - Rename System Utilities, Graceful Wipe Out Attack 2026-05-13
Create Remote Thread In Shell Application Sysmon EventID 8 T1055 TTP Qakbot, IcedID, Warzone RAT 2026-05-13
Windows DLL Search Order Hijacking with iscsicpl CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.001 TTP Living Off The Land, Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Windows MSIExec Remote Download CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data T1218.007 Anomaly Water Gamayun, StealC Stealer, SolarWinds WHD RCE Post Exploitation, Cisco Network Visibility Module Analytics, Windows System Binary Proxy Execution MSIExec 2026-05-13
Windows Registry BootExecute Modification Sysmon EventID 13 T1542 T1547.001 TTP Windows BootKits 2026-05-13
Detect Regasm with Network Connection Sysmon EventID 3 T1218.009 TTP Suspicious Regsvcs Regasm Activity, Living Off The Land, Handala Wiper, Hellcat Ransomware, Void Manticore 2026-05-13
System Processes Run From Unexpected Locations CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 Anomaly Windows Error Reporting Service Elevation of Privilege Vulnerability, Ransomware, Unusual Processes, Masquerading - Rename System Utilities, Qakbot, DarkGate Malware, Suspicious Command-Line Executions 2026-05-13
Powershell Remote Thread To Known Windows Process Sysmon EventID 8 T1055 TTP Trickbot 2026-05-13
Malicious InProcServer32 Modification Sysmon EventID 12, Sysmon EventID 13 T1112 T1218.010 TTP Remcos, Suspicious Regsvr32 Activity 2026-05-13
Windows Indicator Removal Via Rmdir CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1070 Anomaly ZOVWiper, APT37 Rustonotto and FadeStealer, DarkGate Malware 2026-05-13
Windows Rundll32 Execution With Log.DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574 Anomaly Lotus Blossom Chrysalis Backdoor 2026-05-13
GitHub Workflow File Creation or Modification Sysmon EventID 11, Sysmon for Linux EventID 11 T1195 T1554 T1574.006 Hunting NPM Supply Chain Compromise 2026-05-13
Executables Or Script Creation In Temp Path Sysmon EventID 11 T1036 Anomaly RoguePlanet, Crypto Stealer, Brute Ratel C4, PromptLock, XMRig, AsyncRAT, Hermetic Wiper, MoonPeak, Amadey, Snake Keylogger, Derusbi, Graceful Wipe Out Attack, IcedID, Trickbot, RedLine Stealer, PromptFlux, Warzone RAT, DarkCrystal RAT, PlugX, NjRAT, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, Chaos Ransomware, LockBit Ransomware, China-Nexus Threat Activity, SnappyBee, Void Manticore, ValleyRAT, Lokibot, VIP Keylogger, Industroyer2, WinDealer RAT, Interlock Rat, Salat Stealer, Meduza Stealer, Qakbot, AgentTesla, CISA AA23-347A, WhisperGate, Axios Supply Chain Post Compromise, XML Runner Loader, Remcos, APT37 Rustonotto and FadeStealer, Volt Typhoon, BlackByte Ransomware, AcidPour, Azorult, Swift Slicer, Data Destruction, Double Zero Destructor, Handala Wiper, SesameOp 2026-06-11
Windows Process Injection Wermgr Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 Anomaly Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability 2026-05-13
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1 T1021.003 T1021.006 T1047 T1053.005 T1059.001 T1218.014 T1543.003 Anomaly Scheduled Tasks, CISA AA24-241A, Hermetic Wiper, Data Destruction, Microsoft WSUS CVE-2025-59287, Malicious PowerShell, Active Directory Lateral Movement 2026-05-13
Suspicious SearchProtocolHost no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 TTP Cobalt Strike, Cactus Ransomware, BlackByte Ransomware, Hellcat Ransomware, Graceful Wipe Out Attack 2026-05-13
Runas Execution in CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1134.001 Hunting Hermetic Wiper, Windows Privilege Escalation, Quasar RAT, Data Destruction 2026-05-13
Suspicious MSBuild Rename CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 T1127.001 Hunting Living Off The Land, Cobalt Strike, BlackByte Ransomware, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Windows PowerShell Process Implementing Manual Base64 Decoder CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1027.010 T1059.001 Anomaly Compromised Windows Host, Deobfuscate-Decode Files or Information 2026-05-13
Suspicious mshta child process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.005 TTP Suspicious MSHTA Activity, Living Off The Land, Lumma Stealer, MuddyWater 2026-05-13
BITS Job Persistence CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1197 TTP Living Off The Land, BITS Jobs 2026-05-13
Windows Wermgr Alternate Data Stream in Temp Dir Sysmon EventID 15 T1564.004 Anomaly RoguePlanet 2026-06-11
Detect HTML Help Renamed CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.001 Hunting Living Off The Land, APT37 Rustonotto and FadeStealer, Suspicious Compiled HTML Activity 2026-05-13
Control Loading from World Writable Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.002 TTP Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host 2026-05-13
Suspicious Rundll32 dllregisterserver CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 TTP Living Off The Land, IcedID, Suspicious Rundll32 Activity 2026-05-13
Windows Executable Masquerading as Benign File Types Sysmon EventID 29 T1036.008 Anomaly NetSupport RMM Tool Abuse 2026-05-13
Windows Renamed Powershell Execution Sysmon EventID 1 T1036.003 TTP XWorm, Axios Supply Chain Post Compromise, Hellcat Ransomware 2026-05-13
Wermgr Process Create Executable File Sysmon EventID 11 T1027 TTP Trickbot 2026-05-13
Windows Group Policy Object Created Windows Event Log Security 5137, Windows Event Log Security 5136 T1078.002 T1484.001 TTP Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation 2026-05-13
Windows Multiple Account Passwords Changed Windows Event Log Security 4724 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Windows MSHTA Writing to World Writable Path Sysmon EventID 11 T1218.005 TTP APT29 Diplomatic Deceptions with WINELOADER, XWorm, Suspicious MSHTA Activity 2026-05-13
Rundll32 Control RunDLL World Writable Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 TTP Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, Suspicious Rundll32 Activity 2026-05-13
Cisco NVM - Suspicious Download From File Sharing Website Cisco Network Visibility Module Flow Data T1197 Anomaly APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, BlankGrabber Stealer 2026-05-13
Windows Privilege Escalation System Process Without System Parent Sysmon EventID 1 T1068 T1134 T1548 TTP Windows Privilege Escalation, BlackSuit Ransomware 2026-05-13
Windows Process Injection In Non-Service SearchIndexer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1055 TTP Qakbot 2026-05-13
Windows MSIExec Spawn Discovery Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.007 Anomaly Water Gamayun, Windows System Binary Proxy Execution MSIExec, Medusa Ransomware, StealC Stealer 2026-05-13
Linux Indicator Removal Clear Cache Sysmon for Linux EventID 1 T1070 TTP AwfulShred, Data Destruction 2026-05-13
Windows BitLockerToGo Process Execution Sysmon EventID 1, Windows Event Log Security 4688 T1218 Hunting Lumma Stealer 2026-05-13
Suspicious mshta spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.005 TTP Suspicious MSHTA Activity, Living Off The Land, APT37 Rustonotto and FadeStealer 2026-05-13
Windows Process Injection Remote Thread Sysmon EventID 8 T1055.002 TTP Earth Alux, Warzone RAT, Water Gamayun, Qakbot, Graceful Wipe Out Attack 2026-05-13
Windows New Deny Permission Set On Service SD Via Sc.EXE CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1564 Anomaly Defense Evasion or Unauthorized Access Via SDDL Tampering 2026-05-13
Windows MSC EvilTwin Directory Path Manipulation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.005 T1203 T1218 TTP Living Off The Land, Water Gamayun, Windows Defense Evasion Tactics 2026-05-13
Windows InstallUtil in Non Standard Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 T1218.004 TTP Living Off The Land, Signed Binary Proxy Execution InstallUtil, Ransomware, Unusual Processes, Masquerading - Rename System Utilities, Data Destruction, WhisperGate 2026-05-13
Windows Process Injection Of Wermgr to Known Browser Sysmon EventID 8 T1055.001 TTP Qakbot 2026-05-13
Windows Execution of Microsoft MSC File In Suspicious Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.014 Anomaly XML Runner Loader 2026-05-13
Windows RDP Server Registry Deletion Sysmon EventID 12, Sysmon EventID 13 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Unusual SysWOW64 Process Run System32 Executable Sysmon EventID 1, Windows Event Log Security 4688 T1036.009 Anomaly Salt Typhoon, China-Nexus Threat Activity, DarkGate Malware 2026-05-13
Windows RDP Cache File Deletion Sysmon EventID 23, Sysmon EventID 26 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Detect Regsvcs with No Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.009 TTP Suspicious Regsvcs Regasm Activity, Living Off The Land 2026-05-13
XSL Script Execution With WMIC CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1220 TTP FIN7, Suspicious WMI Use 2026-05-13
Windows Multiple Accounts Disabled Windows Event Log Security 4725 T1078 T1098 TTP Azure Active Directory Persistence 2026-05-13
Windows SymbolicLink-Testing-Tools Utility Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1222 T1564.004 TTP Windows Privilege Escalation, Windows Post-Exploitation, Windows Persistence Techniques 2026-05-13
Windows Indirect Command Execution Via Series Of Forfiles CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1202 Anomaly Prestige Ransomware, Windows Post-Exploitation 2026-05-13
Windows Privilege Escalation Suspicious Process Elevation Sysmon EventID 1 T1068 T1134 T1548 TTP GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, BlackSuit Ransomware 2026-05-13
Windows Command Obfuscation with Environment Variable Substrings CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1027.010 Anomaly Malicious PowerShell 2026-05-13
Windows Alternate DataStream - Base64 Content Sysmon EventID 15 T1564.004 TTP APT37 Rustonotto and FadeStealer, Windows Defense Evasion Tactics 2026-05-13
Rundll32 LockWorkStation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 Anomaly Ransomware 2026-05-13
Unusual Number of Computer Service Tickets Requested Windows Event Log Security 4769 T1078 Hunting Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, Active Directory Lateral Movement 2026-05-13
Windows Suspicious C2 Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 TTP DarkSide Ransomware, APT37 Rustonotto and FadeStealer, Brute Ratel C4, Cobalt Strike, Remote Monitoring and Management Software, BlackByte Ransomware, Gozi Malware, LockBit Ransomware, Storm-0501 Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware, Trickbot, Tuoni, Meterpreter 2026-05-13
Windows Process Injection With Public Source Path Sysmon EventID 8 T1055.002 Hunting Brute Ratel C4, Earth Alux 2026-05-13
Windows Suspicious QEMU Execution Sysmon EventID 1 T1001 T1036 T1204.002 T1564.006 TTP Linux Rootkit, Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host 2026-05-13
Short Lived Windows Accounts Windows Event Log System 4720, Windows Event Log System 4726 T1078.003 T1136.001 TTP GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement 2026-05-13
Windows MSI Rollback Script Deleted By Non-Msiexec Process Sysmon EventID 23 T1068 T1218.007 TTP Windows Privilege Escalation 2026-05-13
Windows Hijack Execution Flow Version Dll Side Load Sysmon EventID 7 T1574.001 Anomaly Brute Ratel C4, XWorm, SolarWinds WHD RCE Post Exploitation, Malicious Inno Setup Loader 2026-05-13
PowerShell PInvoke Process Injection API Chain Powershell Script Block Logging 4104 T1055.001 T1055.003 T1055.004 T1055.012 T1055.013 T1059.001 T1620 TTP VIP Keylogger 2026-05-13
Loading Of Dynwrapx Module Sysmon EventID 7 T1055.001 TTP Remcos, AsyncRAT 2026-05-13
Windows ConHost with Headless Argument CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1564.003 T1564.006 TTP Compromised Windows Host, Spearphishing Attachments 2026-05-13
Windows Alternate DataStream - Executable Content Sysmon EventID 15 T1564.004 TTP Windows Defense Evasion Tactics 2026-05-13
Rundll32 Process Creating Exe Dll Files Sysmon EventID 11 T1218.011 TTP Gh0st RAT, Living Off The Land, IcedID 2026-05-13
Windows Masquerading Msdtc Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036 TTP Compromised Windows Host, PlugX 2026-05-13
Windows Access Token Manipulation Winlogon Duplicate Token Handle Sysmon EventID 10 T1134.001 Hunting Brute Ratel C4 2026-05-13
Windows RMM Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 Anomaly Command And Control, Cactus Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Spider, Gozi Malware, Seashell Blizzard, CISA AA24-241A, GhostRedirector IIS Module and Rungan Backdoor, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters 2026-05-13
Windows SoftEther VPN Masquerading as Legitimate Binary Sysmon EventID 1 T1036 T1572 TTP Linux Persistence Techniques, Flax Typhoon, Linux Privilege Escalation 2026-05-13
Windows TinyCC Shellcode Execution Sysmon EventID 1, Windows Event Log Security 4688 T1027 T1036 T1059.003 TTP Lotus Blossom Chrysalis Backdoor 2026-05-13
Suspicious Computer Account Name Change Windows Event Log Security 4781 T1078.002 TTP Compromised Windows Host, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters, sAMAccountName Spoofing and Domain Controller Impersonation 2026-05-13
Windows InstallUtil Credential Theft Sysmon EventID 7 T1218.004 TTP Signed Binary Proxy Execution InstallUtil 2026-05-13
Executables Or Script Creation In Suspicious Path Sysmon EventID 11 T1036 Anomaly Crypto Stealer, Brute Ratel C4, PromptLock, XMRig, Castle RAT, AsyncRAT, DynoWiper, Hermetic Wiper, MoonPeak, GhostRedirector IIS Module and Rungan Backdoor, Amadey, Snake Keylogger, Graceful Wipe Out Attack, Derusbi, IcedID, Trickbot, RedLine Stealer, Earth Alux, Warzone RAT, Cactus Ransomware, DarkCrystal RAT, PlugX, NjRAT, Rhysida Ransomware, Salt Typhoon, DarkGate Malware, Chaos Ransomware, LockBit Ransomware, China-Nexus Threat Activity, SnappyBee, Void Manticore, ValleyRAT, Lokibot, VIP Keylogger, Industroyer2, WinDealer RAT, Interlock Rat, NailaoLocker Ransomware, Meduza Stealer, AgentTesla, Qakbot, CISA AA23-347A, WhisperGate, Axios Supply Chain Post Compromise, SystemBC, XML Runner Loader, Remcos, Volt Typhoon, BlackByte Ransomware, Interlock Ransomware, Azorult, Quasar RAT, Swift Slicer, Data Destruction, Handala Wiper, Double Zero Destructor, AcidPour, SesameOp 2026-05-13
Suspicious Ticket Granting Ticket Request Windows Event Log Security 4768, Windows Event Log Security 4781 T1078.002 Hunting Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2026-05-13
CSC Net On The Fly Compilation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1027.004 Hunting Windows Defense Evasion Tactics 2026-05-13
Windows DotNet Binary in Non Standard Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036.003 T1218.004 TTP Signed Binary Proxy Execution InstallUtil, Ransomware, Unusual Processes, Masquerading - Rename System Utilities, Data Destruction, WhisperGate 2026-05-13
Windows BitDefender Submission Wizard DLL Sideloading Sysmon EventID 7 T1574 TTP Lotus Blossom Chrysalis Backdoor 2026-05-13
Windows Application Whitelisting Bypass Attempt via Rundll32 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 TTP Living Off The Land, Compromised Windows Host, Suspicious Rundll32 Activity 2026-05-13
Windows LOLBAS Executed Outside Expected Path Sysmon EventID 1, Windows Event Log Security 4688 T1036.005 T1218.011 Anomaly Masquerading - Rename System Utilities, Living Off The Land, Windows Defense Evasion Tactics 2026-05-13
Linux High Frequency Of File Deletion In Etc Folder Sysmon for Linux EventID 11 T1070.004 T1485 Anomaly AcidRain, Data Destruction 2026-05-13
Windows Powershell History File Deletion Powershell Script Block Logging 4104 T1059.003 T1070.003 Anomaly Medusa Ransomware 2026-05-13
Attacker Tools On Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data T1003 T1036.005 T1595 TTP Compromised Windows Host, Scattered Spider, XMRig, PHP-CGI RCE Attack on Japanese Organizations, Unusual Processes, CISA AA22-264A, Cisco Network Visibility Module Analytics, SamSam Ransomware 2026-05-13
Msmpeng Application DLL Side Loading Sysmon EventID 11 T1574.001 TTP Revil Ransomware, Ransomware 2026-05-13
Windows Privilege Escalation User Process Spawn System Process Sysmon EventID 1 T1068 T1134 T1548 TTP GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation, BlackSuit Ransomware, Compromised Windows Host 2026-05-13
Windows MsiExec HideWindow Rundll32 Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.007 TTP Qakbot, Water Gamayun 2026-05-13
Detect Excessive Account Lockouts From Endpoint T1078.002 Anomaly Active Directory Password Spraying 2026-05-13
Suspicious IcedID Rundll32 Cmdline CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.011 TTP Living Off The Land, IcedID 2026-05-13
Windows Parent PID Spoofing with Explorer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1134.004 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2026-05-13
Windows Debugger Tool Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1036 Hunting PlugX, DarkGate Malware 2026-05-13
Windows AppLocker Block Events T1218 Anomaly Windows AppLocker 2026-05-13
Windows Access Token Manipulation SeDebugPrivilege Windows Event Log Security 4703 T1134.002 Anomaly Gh0st RAT, Brute Ratel C4, AsyncRAT, GhostRedirector IIS Module and Rungan Backdoor, Derusbi, PlugX, Salt Typhoon, DarkGate Malware, PathWiper, China-Nexus Threat Activity, Scattered Lapsus$ Hunters, SnappyBee, ValleyRAT, Lokibot, WinDealer RAT, Salat Stealer, Meduza Stealer, CISA AA23-347A, Tuoni 2026-06-08
Unusual Number of Remote Endpoint Authentication Events Windows Event Log Security 4624 T1078 Hunting Active Directory Privilege Escalation, Active Directory Lateral Movement 2026-05-13
Windows Unsigned DLL Side-Loading Sysmon EventID 7 T1574.001 Anomaly Earth Alux, Warzone RAT, NjRAT, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Derusbi, China-Nexus Threat Activity 2026-05-13
DLLHost with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 T1055 TTP Cobalt Strike, Earth Alux, Cactus Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Windows Masquerading Explorer As Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1574.001 TTP Water Gamayun, Qakbot, Compromised Windows Host 2026-05-13
Linux High Frequency Of File Deletion In Boot Folder Sysmon for Linux EventID 11 T1070.004 T1485 TTP AcidPour, Data Destruction, Industroyer2 2026-05-13
UAC Bypass With Colorui COM Object Sysmon EventID 7 T1218.003 TTP Ransomware, LockBit Ransomware 2026-05-13
MSI Module Loaded by Non-System Binary Sysmon EventID 7 T1574.001 Hunting Hermetic Wiper, Windows Privilege Escalation, Data Destruction 2026-05-13
GPUpdate with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 T1055 TTP Compromised Windows Host, Cobalt Strike, BlackByte Ransomware, Graceful Wipe Out Attack, Hellcat Ransomware 2026-05-13
Headless Browser Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1497 T1564.003 Anomaly Forest Blizzard, Browser Hijacking 2026-05-13
Detect Regasm with no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.009 TTP Suspicious Regsvcs Regasm Activity, Living Off The Land, Void Manticore, Handala Wiper 2026-05-13
Windows AppLocker Rare Application Launch Detection T1218 Hunting Windows AppLocker 2026-05-13
Windows PUA Named Pipe Sysmon EventID 17, Sysmon EventID 18 T1021.002 T1055 T1559 Anomaly DarkSide Ransomware, CISA AA22-320A, Cactus Ransomware, Medusa Ransomware, SamSam Ransomware, BlackByte Ransomware, DHS Report TA18-074A, Volt Typhoon, HAFNIUM Group, Seashell Blizzard, Rhysida Ransomware, VanHelsing Ransomware, DarkGate Malware, IcedID, Sandworm Tools, Active Directory Lateral Movement 2026-05-13
Windows Mock Trusted Directory MSC File Creation Sysmon EventID 11 T1218.014 T1548.002 T1574 TTP Windows Privilege Escalation, Windows Persistence Techniques 2026-05-13
Windows MMC Loaded Script Engine DLL Sysmon EventID 7 T1620 Anomaly XML Runner Loader 2026-05-13
Clear Unallocated Sector Using Cipher App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1070.004 TTP Scattered Spider, Compromised Windows Host, Ransomware 2026-05-13
Shai-Hulud Workflow File Creation or Modification Sysmon EventID 11, Sysmon for Linux EventID 11 T1195 T1554 T1574.006 TTP NPM Supply Chain Compromise 2026-05-13
Windows Chromium Browser No Security Sandbox Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1497 TTP Malicious Inno Setup Loader 2026-05-13
Windows Known GraphicalProton Loaded Modules Sysmon EventID 7 T1574.001 Anomaly Water Gamayun, CISA AA23-347A, Hellcat Ransomware 2026-05-13
Headless Browser Mockbin or Mocky Request CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1564.003 TTP GhostRedirector IIS Module and Rungan Backdoor, Forest Blizzard 2026-05-13
Suspicious MSBuild Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1127.001 TTP Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild, Storm-2460 CLFS Zero Day Exploitation 2026-05-13
Regsvr32 Silent and Install Param Dll Loading CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.010 Anomaly Living Off The Land, Remcos, AsyncRAT, Hermetic Wiper, Suspicious Regsvr32 Activity, Data Destruction 2026-06-09
Windows InstallUtil Remote Network Connection Sysmon EventID 1, Sysmon EventID 3, Cisco Network Visibility Module Flow Data T1218.004 Anomaly Living Off The Land, Compromised Windows Host, Cisco Network Visibility Module Analytics, Signed Binary Proxy Execution InstallUtil 2026-05-13
Windows PowerShell Module File Created Sysmon EventID 11 T1059.001 T1129 T1574 Anomaly Malicious PowerShell, Windows Persistence Techniques 2026-05-13
Linux Kworker Process In Writable Process Path Sysmon for Linux EventID 1 T1036.004 Hunting Cyclops Blink, Sandworm Tools 2026-05-13
ETW Registry Disabled Sysmon EventID 13 T1127 T1685 TTP Windows Registry Abuse, Hermetic Wiper, CISA AA23-347A, Data Destruction, Windows Persistence Techniques, Windows Privilege Escalation 2026-05-13
Detect Excessive User Account Lockouts T1078.003 Anomaly Active Directory Password Spraying, Scattered Lapsus$ Hunters 2026-05-13
Detect MSHTA Url in Command Line CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data T1218.005 TTP Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious MSHTA Activity, XWorm, Cisco Network Visibility Module Analytics, NetSupport RMM Tool Abuse, Lumma Stealer 2026-05-13
Rundll32 CreateRemoteThread In Browser Sysmon EventID 8 T1055 TTP Living Off The Land, IcedID 2026-05-13
Windows Service Creation Using Registry Entry Sysmon EventID 13 T1574.011 Anomaly Gh0st RAT, Crypto Stealer, Windows Registry Abuse, Brute Ratel C4, PlugX, Suspicious Windows Registry Activities, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, CISA AA23-347A, Derusbi, Windows Persistence Techniques, China-Nexus Threat Activity, SnappyBee, Active Directory Lateral Movement 2026-05-13
Fsutil Zeroing File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1070 TTP Ransomware, LockBit Ransomware 2026-05-13
Powershell Fileless Script Contains Base64 Encoded Content Powershell Script Block Logging 4104 T1027 T1059.001 TTP AsyncRAT, Hermetic Wiper, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Microsoft WSUS CVE-2025-59287, NetSupport RMM Tool Abuse, IcedID, Medusa Ransomware, Winter Vivern, NjRAT, MuddyWater, VIP Keylogger, XWorm, Salat Stealer, 0bj3ctivity Stealer, Axios Supply Chain Post Compromise, Malicious PowerShell, APT37 Rustonotto and FadeStealer, Data Destruction 2026-06-08
Windows AppLocker Privilege Escalation via Unauthorized Bypass T1218 TTP Windows AppLocker 2026-05-13
MacOS Log Removal Osquery Results T1070 TTP MacOS Post-Exploitation 2026-05-13
Windows Default Rdp File Deletion Sysmon EventID 23, Sysmon EventID 26 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Powershell Creating Thread Mutex Powershell Script Block Logging 4104 T1027.005 T1059.001 TTP Water Gamayun, Malicious PowerShell 2026-05-13
Windows Handle Duplication in Known UAC-Bypass Binaries Sysmon EventID 10 T1134.001 Anomaly Castle RAT 2026-05-13
Linux Kernel Module Enumeration Sysmon for Linux EventID 1 T1014 T1082 Anomaly Linux Rootkit, XorDDos 2026-05-13
Windows DLL Search Order Hijacking Hunt with Sysmon Sysmon EventID 7 T1574.001 Hunting Malicious Inno Setup Loader, Living Off The Land, Qakbot, Windows Defense Evasion Tactics 2026-05-13
Windows Rdp AutomaticDestinations Deletion Sysmon EventID 23, Sysmon EventID 26 T1070.004 Anomaly Windows RDP Artifacts and Defense Evasion 2026-05-13
Windows Chromium Browser with Custom User Data Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1497 Anomaly Malicious Inno Setup Loader, Lokibot, StealC Stealer 2026-05-13
Windows AppLocker Execution from Uncommon Locations T1218 Hunting Windows AppLocker 2026-05-13
Windows Driver Load Non-Standard Path Windows Event Log System 7045 T1014 T1068 TTP CISA AA22-320A, BlackSuit Ransomware, BlackByte Ransomware, Windows Drivers, AgentTesla 2026-05-13
Verclsid CLSID Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.012 Hunting Unusual Processes 2026-05-13
Linux Medusa Rootkit Sysmon for Linux EventID 11 T1014 T1589.001 TTP Medusa Rootkit, China-Nexus Threat Activity, VoidLink Cloud-Native Linux Malware, Hellcat Ransomware 2026-05-13
ESXi Shared or Stolen Root Account VMWare ESXi Syslog T1078 Anomaly ESXi Post Compromise, Black Basta Ransomware 2026-05-13
Cisco ASA - New Local User Account Created Cisco ASA Logs T1078.003 T1136.001 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Cisco ASA - User Privilege Level Change Cisco ASA Logs T1078.003 T1098 Anomaly ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
M365 Copilot Application Usage Pattern Anomalies M365 Copilot Graph API T1078 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Okta New API Token Created Okta T1078.001 TTP Scattered Lapsus$ Hunters, Okta Account Takeover 2026-05-13
Zoom High Video Latency T1078 Anomaly Remote Employment Fraud 2026-05-13
Okta Phishing Detection with FastPass Origin Check Okta T1078.001 T1556 TTP Okta Account Takeover 2026-05-13
ESXi External Root Login Activity VMWare ESXi Syslog T1078 Anomaly ESXi Post Compromise, Black Basta Ransomware 2026-05-13
Cisco ASA - User Account Deleted From Local Database Cisco ASA Logs T1070.008 T1531 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
PingID Multiple Failed MFA Requests For User PingID T1078 T1110 T1621 TTP Compromised User Account 2026-05-13
Cisco ASA - Logging Message Suppression Cisco ASA Logs T1070 T1685.001 Anomaly ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
ESXi Account Modified VMWare ESXi Syslog T1078 T1098 T1136.001 Anomaly ESXi Post Compromise, Black Basta Ransomware 2026-05-13
ESXi User Granted Admin Role VMWare ESXi Syslog T1078 T1098 TTP ESXi Post Compromise, Black Basta Ransomware 2026-05-13
Email Attachments With Lots Of Spaces T1036.008 T1566.001 Anomaly Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails, Data Destruction 2026-05-13
Detect HTML Help Spawn Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.001 TTP Living Off The Land, APT37 Rustonotto and FadeStealer, Compromised Windows Host, AgentTesla, Suspicious Compiled HTML Activity 2026-05-13
Okta Suspicious Activity Reported Okta T1078.001 TTP Okta Account Takeover 2026-05-13
ESXi System Clock Manipulation VMWare ESXi Syslog T1070.006 TTP ESXi Post Compromise, Black Basta Ransomware 2026-05-13
Okta Risk Threshold Exceeded Okta T1078 T1110 Correlation Okta MFA Exhaustion, Suspicious Okta Activity, Okta Account Takeover 2026-05-13
Cisco IOS XE WebUI Programmatic Configuration Cisco IOS Logs T1078 T1190 Anomaly Salt Typhoon 2026-05-19
Cisco IOS XE WebUI Login From IOSd Local Port Cisco IOS Logs T1078 T1190 TTP Salt Typhoon 2026-05-19
Okta Successful Single Factor Authentication Okta T1078.004 T1586.003 T1621 Anomaly Okta Account Takeover 2026-05-13
ESXi Audit Tampering VMWare ESXi Syslog T1070 T1690 TTP ESXi Post Compromise, Black Basta Ransomware 2026-05-13
M365 Copilot Session Origin Anomalies M365 Copilot Graph API T1078 Anomaly Suspicious Microsoft 365 Copilot Activities 2026-05-13
Cisco IOS XE VTY Access Class Tampering Cisco IOS Logs T1021 T1562 Anomaly Salt Typhoon 2026-05-20
Okta Authentication Failed During MFA Challenge Okta T1078.004 T1586.003 T1621 TTP Scattered Lapsus$ Hunters, Okta Account Takeover 2026-05-13
Okta ThreatInsight Threat Detected Okta T1078.004 Anomaly Okta Account Takeover 2026-05-13
Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal Cisco IOS Logs T1070.001 T1562 Anomaly Salt Typhoon 2026-05-20
GCP Successful Single-Factor Authentication Google Workspace T1078.004 T1586.003 TTP GCP Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
O365 Email Transport Rule Changed Office 365 Universal Audit Log T1114.003 T1564.008 Anomaly Data Exfiltration, Office 365 Account Takeover 2026-05-13
AWS SAML Update identity provider AWS CloudTrail UpdateSAMLProvider T1078 TTP Cloud Federated Credential Abuse 2026-05-13
GCP Detect gcploit framework T1078 TTP GCP Cross Account Activity 2026-05-13
Cloud Provisioning Activity From Previously Unseen IP Address AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
Microsoft Intune Device Health Scripts Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Azure AD Successful PowerShell Authentication Azure Active Directory T1078.004 T1586.003 TTP Azure Active Directory Account Takeover 2026-05-13
Cloud Provisioning Activity From Previously Unseen City AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
Microsoft Intune Mobile Apps Azure Monitor Activity T1021.007 T1072 T1105 T1202 Hunting Azure Active Directory Account Takeover 2026-05-13
Cloud Compute Instance Created By Previously Unseen User AWS CloudTrail T1078.004 Anomaly Cloud Cryptomining 2026-05-13
Azure AD Service Principal Authentication Azure Active Directory Sign-in activity T1078.004 TTP Azure Active Directory Account Takeover, NOBELIUM Group 2026-05-13
AWS Successful Single-Factor Authentication AWS CloudTrail ConsoleLogin T1078.004 T1586.003 TTP AWS Identity and Access Management Account Takeover 2026-05-13
O365 Email Send Attachments Excessive Volume Office 365 Universal Audit Log T1070.008 T1485 Anomaly Office 365 Account Takeover, Suspicious Emails 2026-05-13
AWS SetDefaultPolicyVersion AWS CloudTrail SetDefaultPolicyVersion T1078.004 TTP AWS IAM Privilege Escalation 2026-05-13
O365 Security And Compliance Alert Triggered T1078.004 TTP Office 365 Account Takeover 2026-05-13
AWS Successful Console Authentication From Multiple IPs AWS CloudTrail ConsoleLogin T1535 T1586 Anomaly Suspicious AWS Login Activities, Compromised User Account 2026-05-13
GCP Authentication Failed During MFA Challenge Google Workspace login_failure T1078.004 T1586.003 T1621 TTP GCP Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
O365 Email Password and Payroll Compromise Behavior Office 365 Reporting Message Trace, Office 365 Universal Audit Log T1070.008 T1114.001 T1485 TTP Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques 2026-05-13
Azure AD Multiple Failed MFA Requests For User Azure Active Directory Sign-in activity T1078.004 T1586.003 T1621 TTP Azure Active Directory Account Takeover 2026-05-13
O365 Email Receive and Hard Delete Takeover Behavior Office 365 Reporting Message Trace, Office 365 Universal Audit Log T1070.008 T1114.001 T1485 Anomaly Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques 2026-05-13
Detect AWS Console Login by User from New Region AWS CloudTrail T1535 T1586.003 Hunting Suspicious AWS Login Activities, Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover 2026-05-13
Cloud Compute Instance Created In Previously Unused Region AWS CloudTrail T1535 Anomaly Cloud Cryptomining 2026-05-13
O365 Email Hard Delete Excessive Volume Office 365 Universal Audit Log T1070.008 T1485 Anomaly Office 365 Account Takeover, Suspicious Emails, Data Destruction 2026-05-13
Okta Non-Standard VPN Usage Okta T1078 T1090 T1572 TTP Remote Employment Fraud, Suspicious Okta Activity 2026-05-13
Cloud Provisioning Activity From Previously Unseen Country AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
Azure Runbook Webhook Created Azure Audit Create or Update an Azure Automation webhook T1078.004 TTP Azure Active Directory Persistence 2026-05-13
Detect AWS Console Login by User from New City AWS CloudTrail T1535 T1586.003 Hunting Suspicious AWS Login Activities, Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover 2026-05-13
O365 Email New Inbox Rule Created Office 365 Universal Audit Log T1114.003 T1564.008 Anomaly Office 365 Collection Techniques 2026-05-13
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoginFailed, O365 UserLoggedIn T1078 Anomaly Office 365 Account Takeover 2026-05-13
Azure AD Multiple AppIDs and UserAgents Authentication Spike Azure Active Directory Sign-in activity T1078 Anomaly Azure Active Directory Account Takeover 2026-05-13
AWS Create Policy Version to allow all resources AWS CloudTrail CreatePolicyVersion T1078.004 TTP AWS IAM Privilege Escalation 2026-05-13
Cloud Instance Modified By Previously Unseen User AWS CloudTrail T1078.004 Anomaly Suspicious Cloud Instance Activities 2026-05-13
Azure AD Successful Single-Factor Authentication Azure Active Directory T1078.004 T1586.003 TTP Azure Active Directory Account Takeover 2026-05-13
O365 Email Send and Hard Delete Exfiltration Behavior Office 365 Reporting Message Trace, Office 365 Universal Audit Log T1070.008 T1114.001 T1485 Anomaly Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques 2026-05-13
Detect AWS Console Login by User from New Country AWS CloudTrail T1535 T1586.003 Hunting Suspicious AWS Login Activities, Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover 2026-05-13
ASL AWS Create Policy Version to allow all resources ASL AWS CloudTrail T1078.004 TTP AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters 2026-05-13
Cloud API Calls From Previously Unseen User Roles AWS CloudTrail T1078 Anomaly Suspicious Cloud User Activities 2026-05-13
AWS Bedrock Invoke Model Access Denied AWS CloudTrail T1078 T1550 TTP AWS Bedrock Security 2026-05-13
ASL AWS SAML Update identity provider ASL AWS CloudTrail T1078 TTP Cloud Federated Credential Abuse 2026-05-13
Geographic Improbable Location Okta T1078 Anomaly Remote Employment Fraud 2026-05-13
Cloud Provisioning Activity From Previously Unseen Region AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2026-05-13
Azure AD Authentication Failed During MFA Challenge Azure Active Directory T1078.004 T1586.003 T1621 TTP Azure Active Directory Account Takeover 2026-05-13
GCP Multiple Failed MFA Requests For User Google Workspace T1078.004 T1586.003 T1621 TTP GCP Account Takeover, Scattered Lapsus$ Hunters 2026-05-13
O365 Email Send and Hard Delete Suspicious Behavior Office 365 Universal Audit Log T1070.008 T1114.001 T1485 Anomaly Office 365 Account Takeover, Data Destruction, Suspicious Emails, Office 365 Collection Techniques 2026-05-13
O365 BEC Email Hiding Rule Created T1564.008 TTP Office 365 Account Takeover 2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution T1021.004 T1078 T1136 Correlation Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Software Download To Network Device T1542.005 TTP Router and Infrastructure Security 2026-05-13
Rundll32 DNSQuery Sysmon EventID 22 T1218.011 TTP Living Off The Land, IcedID 2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity T1021.004 T1078 T1136 Correlation Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco IOS Suspicious Privileged Account Creation Cisco IOS Logs T1078 T1136 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads Cisco Secure Firewall Threat Defense File Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware 2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1190 T1204 T1210 TTP Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Regsvr32 with Known Silent Switch Cmdline CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1218.010 Anomaly Living Off The Land, Remcos, AsyncRAT, Qakbot, Suspicious Regsvr32 Activity, IcedID 2026-06-09