|
Splunk User Enumeration Attempt
|
Splunk
|
T1078
|
TTP
|
Splunk Vulnerabilities
|
2026-05-14
|
|
CMLUA Or CMSTPLUA UAC Bypass
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
DarkSide Ransomware, ValleyRAT, LockBit Ransomware, Ransomware
|
2026-05-13
|
|
Windows InstallUtil URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1218.004
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows New Service Security Descriptor Set Via Sc.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1564
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows Rasautou DLL Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055.001
T1218
|
TTP
|
Hellcat Ransomware, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
USN Journal Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070
|
TTP
|
Ransomware, Windows Log Manipulation
|
2026-05-13
|
|
Mshta spawning Rundll32 OR Regsvr32 Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
IcedID, APT37 Rustonotto and FadeStealer, Living Off The Land, Trickbot
|
2026-05-13
|
|
Execution of File with Multiple Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
|
TTP
|
DarkGate Malware, Windows File Extension and Association Abuse, Masquerading - Rename System Utilities, AsyncRAT
|
2026-05-13
|
|
MSBuild Suspicious Spawned By Script Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127.001
|
TTP
|
Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-05-13
|
|
Reg exe Manipulating Windows Services Registry Keys
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.011
|
TTP
|
Windows Service Abuse, Living Off The Land, Windows Persistence Techniques
|
2026-05-13
|
|
Suspicious Copy on System32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
|
Anomaly
|
Sandworm Tools, Compromised Windows Host, AsyncRAT, IcedID, Volt Typhoon, Unusual Processes, Qakbot, Water Gamayun
|
2026-05-13
|
|
Detect RTLO In Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.002
|
TTP
|
Spearphishing Attachments
|
2026-05-13
|
|
Detect RTLO In File Name
|
Sysmon EventID 11
|
T1036.002
|
TTP
|
Spearphishing Attachments
|
2026-05-13
|
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
T1574.006
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity, VoidLink Cloud-Native Linux Malware, Salt Typhoon
|
2026-05-13
|
|
Windows MSIExec DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Water Gamayun, Windows System Binary Proxy Execution MSIExec
|
2026-05-13
|
|
Linux Obfuscated Files or Information Base64 Decode
|
Sysmon for Linux EventID 1
|
T1027
|
Anomaly
|
Linux Living Off The Land
|
2026-05-13
|
|
Windows Rundll32 with Non-Standard File Extension
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
Anomaly
|
Living Off The Land, Gh0st RAT, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Linux Auditd Base64 Decode Files
|
Linux Auditd Execve
|
T1140
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Living Off The Land, Compromised Linux Host
|
2026-05-13
|
|
Windows Chromium Process Launched with Logging Disabled
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Suspicious Rundll32 StartW
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Hellcat Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Cobalt Strike, Trickbot, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Windows Odbcconf Load Response File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.008
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows IOBit Unlocker Extension DLL Registration via Regsvr32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Drivers Loaded by Signature
|
Sysmon EventID 6
|
T1014
T1068
|
Hunting
|
BlackByte Ransomware, CISA AA22-320A, AgentTesla, Windows Drivers
|
2026-05-13
|
|
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
|
Cisco Network Visibility Module Flow Data
|
T1218.005
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Proxy Execution of .NET Utilities via Scripts
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
|
Anomaly
|
VIP Keylogger
|
2026-05-13
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
T1135
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Suspicious msbuild path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1127.001
|
TTP
|
Living Off The Land, BlackByte Ransomware, Trusted Developer Utilities Proxy Execution MSBuild, Cobalt Strike, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows ConsoleHost History File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Detect Regsvr32 Application Control Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
TTP
|
Living Off The Land, Suspicious Regsvr32 Activity, BlackByte Ransomware, PHP-CGI RCE Attack on Japanese Organizations, Graceful Wipe Out Attack, Cobalt Strike, Compromised Windows Host
|
2026-05-13
|
|
Windows Entra User Management Via Azure CLI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1078.004
T1098
T1136
|
Anomaly
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Wscript Or Cscript Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
T1134.004
T1543
|
Anomaly
|
Axios Supply Chain Post Compromise, XWorm, FIN7, Data Destruction, MuddyWater, WhisperGate, Unusual Processes, VIP Keylogger, Remcos, 0bj3ctivity Stealer, NjRAT, ShrinkLocker
|
2026-05-13
|
|
Rundll32 Control RunDLL Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
Hunting
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Windows Process Injection into Commonly Abused Processes
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
Earth Alux, SAP NetWeaver Exploitation, APT37 Rustonotto and FadeStealer, BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Windows Remote Assistance Spawning Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Unusual Processes, Compromised Windows Host
|
2026-05-13
|
|
Windows AD SID History Attribute Modified
|
Windows Event Log Security 5136
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Windows Chromium process Launched with Disable Popup Blocking
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Windows Process With NamedPipe CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
Anomaly
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows BitLockerToGo with Network Activity
|
Sysmon EventID 22
|
T1218
|
Hunting
|
Hellcat Ransomware, Lumma Stealer
|
2026-05-13
|
|
Linux Account Manipulation Of SSH Config and Keys
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
Hellcat Ransomware, AcidRain
|
2026-05-13
|
|
Windows SqlWriter SQLDumper DLL Sideload
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Windows GrimResource - MMC Process Accessing APDS DLL
|
Windows Event Log Security 4663
|
T1059.007
T1218.014
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Curl Execution with Percent Encoded URL
|
CrowdStrike ProcessRollup2, Sysmon for Linux EventID 1, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027
T1105
|
Anomaly
|
Living Off The Land, Ingress Tool Transfer, Compromised Windows Host
|
2026-05-13
|
|
Detect Rundll32 Inline HTA Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
NOBELIUM Group, APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious MSHTA Activity
|
2026-05-13
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1021.007
T1069.003
T1078
T1098
T1136.003
|
Anomaly
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Powershell Enable SMB1Protocol Feature
|
Powershell Script Block Logging 4104
|
T1027.005
|
TTP
|
Data Destruction, Hermetic Wiper, Ransomware, Malicious PowerShell
|
2026-05-13
|
|
Suspicious microsoft workflow compiler usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution
|
2026-05-13
|
|
Linux Auditd Preload Hijack Library Calls
|
Linux Auditd Execve
|
T1574.006
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host, China-Nexus Threat Activity, Salt Typhoon
|
2026-05-13
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
T1547
T1574.001
|
Anomaly
|
Earth Alux, XWorm, China-Nexus Threat Activity, Derusbi, Salt Typhoon, APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Windows System Script Proxy Execution Syncappvpublishingserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1216
T1218
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows Obfuscated Files or Information via RAR SFX
|
Sysmon EventID 11
|
T1027.013
|
Anomaly
|
GhostRedirector IIS Module and Rungan Backdoor, Crypto Stealer, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Trickbot Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1055
|
TTP
|
Hellcat Ransomware, Trickbot
|
2026-05-13
|
|
Windows Process Execution From ProgramData
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
|
Hunting
|
StealC Stealer, SolarWinds WHD RCE Post Exploitation, Axios Supply Chain Post Compromise, XWorm, China-Nexus Threat Activity, APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, Salt Typhoon, SnappyBee
|
2026-05-13
|
|
Windows Odbcconf Load DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.008
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Detect Regasm Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Living Off The Land, Void Manticore, Compromised Windows Host, DarkGate Malware, Snake Keylogger, Suspicious Regsvcs Regasm Activity, Handala Wiper
|
2026-05-13
|
|
Windows AD Cross Domain SID History Addition
|
Windows Event Log Security 4742, Windows Event Log Security 4738
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Windows Diskshadow Proxy Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows MSIExec Spawn WinDBG
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
DarkGate Malware, Compromised Windows Host
|
2026-05-13
|
|
Potential password in username
|
Linux Secure
|
T1078.003
T1552.001
|
Hunting
|
Credential Dumping, Insider Threat
|
2026-05-13
|
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
T1197
|
TTP
|
Living Off The Land, Scattered Spider, Hellcat Ransomware, Ingress Tool Transfer, APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, DarkSide Ransomware, Flax Typhoon, BITS Jobs, Gozi Malware
|
2026-05-13
|
|
Disable Show Hidden Files
|
Sysmon EventID 13
|
T1112
T1564.001
T1685
|
Anomaly
|
Windows Registry Abuse, Azorult, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Rundll32 Apply User Settings Changes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
Anomaly
|
Rhysida Ransomware
|
2026-05-13
|
|
Windows HTTP Network Communication From MSIExec
|
Sysmon EventID 1, Sysmon EventID 3, Cisco Network Visibility Module Flow Data
|
T1218.007
|
Anomaly
|
SolarWinds WHD RCE Post Exploitation, Windows System Binary Proxy Execution MSIExec, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, Water Gamayun
|
2026-05-13
|
|
Linux Deletion Of Cron Jobs
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidRain, Data Destruction, AcidPour
|
2026-05-13
|
|
Windows RunMRU Command Execution
|
Sysmon EventID 13
|
T1202
|
Anomaly
|
Fake CAPTCHA Campaigns, Lumma Stealer
|
2026-05-13
|
|
MacOS Hidden Files and Directories
|
Osquery Results
|
T1564.001
|
Anomaly
|
MacOS Persistence Techniques
|
2026-05-13
|
|
LOLBAS With Network Traffic
|
Sysmon EventID 3
|
T1105
T1218
T1567
|
TTP
|
Living Off The Land, Hellcat Ransomware, Malicious Inno Setup Loader, APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, NetSupport RMM Tool Abuse, Fake CAPTCHA Campaigns, Water Gamayun
|
2026-05-13
|
|
Detect mshta inline hta execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
Living Off The Land, XWorm, BlankGrabber Stealer, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious MSHTA Activity, Gozi Malware
|
2026-05-13
|
|
Suspicious Process Executed From Container File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.008
T1204.002
|
TTP
|
APT37 Rustonotto and FadeStealer, GhostRedirector IIS Module and Rungan Backdoor, Unusual Processes, Snake Keylogger, Remcos, Amadey, Water Gamayun
|
2026-05-13
|
|
PowerShell Start-BitsTransfer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1197
|
TTP
|
Gozi Malware, BITS Jobs
|
2026-05-13
|
|
Notepad with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Sdelete Application Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070.004
T1485
|
TTP
|
Void Manticore, Scattered Spider, Masquerading - Rename System Utilities
|
2026-05-13
|
|
Linux Auditd Kernel Module Enumeration
|
Linux Auditd Syscall
|
T1014
T1082
|
Anomaly
|
Linux Rootkit, XorDDos, Compromised Linux Host
|
2026-05-13
|
|
Cisco NVM - Curl Execution With Insecure Flags
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, PromptLock
|
2026-05-13
|
|
Windows Odbcconf Hunting
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.008
|
Hunting
|
Living Off The Land
|
2026-05-13
|
|
WMIC XSL Execution via URL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1220
|
TTP
|
Suspicious WMI Use, Compromised Windows Host, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
T1071.001
T1078
T1212
T1482
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-05-13
|
|
Linux Decode Base64 to Shell
|
Cisco Isovalent Process Exec, Sysmon for Linux EventID 1
|
T1027
T1059.004
|
TTP
|
Cisco Isovalent Suspicious Activity, Linux Living Off The Land
|
2026-05-13
|
|
Ping Sleep Batch Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
Anomaly
|
Warzone RAT, Void Manticore, Quasar RAT, BlackByte Ransomware, Gh0st RAT, Data Destruction, WhisperGate, Meduza Stealer
|
2026-05-13
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 11
|
T1574.001
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Malicious PowerShell Process - Encoded Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027
|
Hunting
|
Scattered Spider, SolarWinds WHD RCE Post Exploitation, Microsoft SharePoint Vulnerabilities, Sandworm Tools, Lumma Stealer, NOBELIUM Group, Hermetic Wiper, CISA AA22-320A, Data Destruction, Malicious PowerShell, GhostRedirector IIS Module and Rungan Backdoor, DarkCrystal RAT, Volt Typhoon, WhisperGate, Crypto Stealer, Qakbot, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Recursive Delete of Directory In Batch CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070.004
|
TTP
|
APT37 Rustonotto and FadeStealer, Ransomware
|
2026-05-13
|
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
T1218.014
T1548.002
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Advanced Installer MSIX with AI_STUBS Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1218
T1553.005
|
TTP
|
MSIX Package Abuse
|
2026-05-13
|
|
Windows Suspicious File in EFI Volume
|
Sysmon EventID 11
|
T1490
T1542.001
|
TTP
|
Sandworm Tools, Windows BootKits, BlackLotus Campaign
|
2026-05-13
|
|
Windows Registry Payload Injection
|
Sysmon EventID 13
|
T1027.011
|
TTP
|
Unusual Processes
|
2026-05-13
|
|
Windows NetSupport RMM DLL Loaded By Uncommon Process
|
Sysmon EventID 7
|
T1036
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Process Writing File to World Writable Path
|
Sysmon EventID 11
|
T1218.005
|
Hunting
|
PHP-CGI RCE Attack on Japanese Organizations, PathWiper, APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Earth Alux, Qakbot
|
2026-05-13
|
|
Linux Deletion Of Services
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
AcidRain, Data Destruction, AcidPour, AwfulShred
|
2026-05-13
|
|
Windows Suspicious Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1543
|
TTP
|
Rhysida Ransomware, Warzone RAT, Phemedrone Stealer, Quasar RAT, Lokibot, Chaos Ransomware, PlugX, Graceful Wipe Out Attack, Volt Typhoon, VIP Keylogger, DarkCrystal RAT, Qakbot, SnappyBee, Interlock Ransomware, StealC Stealer, NailaoLocker Ransomware, XWorm, Data Destruction, Industroyer2, IcedID, AgentTesla, Salt Typhoon, Meduza Stealer, MoonPeak, BlackByte Ransomware, Brute Ratel C4, Double Zero Destructor, Hermetic Wiper, Swift Slicer, ValleyRAT, Trickbot, Prestige Ransomware, RedLine Stealer, PromptLock, Interlock Rat, CISA AA23-347A, Amadey, Earth Alux, Void Manticore, Axios Supply Chain Post Compromise, China-Nexus Threat Activity, Malicious Inno Setup Loader, XMRig, LockBit Ransomware, Azorult, AsyncRAT, GhostRedirector IIS Module and Rungan Backdoor, DarkGate Malware, SesameOp, Castle RAT, WhisperGate, Remcos, Water Gamayun, Handala Wiper, SystemBC
|
2026-05-13
|
|
Detect Regsvcs Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity, Compromised Windows Host
|
2026-05-13
|
|
Winhlp32 Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Compromised Windows Host, Remcos
|
2026-05-13
|
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Hellcat Ransomware, BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Compromised Windows Host, Cactus Ransomware
|
2026-05-13
|
|
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Linux Deletion of SSL Certificate
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidRain, AcidPour
|
2026-05-13
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
T1078.002
|
TTP
|
sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Privilege Escalation, Active Directory Kerberos Attacks
|
2026-05-13
|
|
Suspicious Regsvr32 Register Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
TTP
|
Living Off The Land, Suspicious Regsvr32 Activity, China-Nexus Threat Activity, IcedID, Salt Typhoon, Derusbi, Qakbot
|
2026-05-13
|
|
Detect Path Interception By Creation Of program exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.009
|
TTP
|
Scattered Lapsus$ Hunters, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Execute Arbitrary Commands with MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Compromised Windows Host
|
2026-05-13
|
|
Windows Process Execution in Temp Dir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1543
|
Anomaly
|
PathWiper, Axios Supply Chain Post Compromise, Ransomware, XWorm, Lokibot, Gh0st RAT, Trickbot, SesameOp, AgentTesla, PromptLock, Remcos, Qakbot, NjRAT, Ryuk Ransomware
|
2026-05-13
|
|
Windows Guest Account Enabled Via Net.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1078.001
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
PathWiper, Brute Ratel C4
|
2026-05-13
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
T1069
T1078.002
|
TTP
|
Rhysida Ransomware, Active Directory Privilege Escalation, Active Directory Discovery
|
2026-05-13
|
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4742, Windows Event Log Security 4738
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows Time Based Evasion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1497.003
|
TTP
|
BlankGrabber Stealer, NjRAT
|
2026-05-13
|
|
Windows System Binary Proxy Execution Compiled HTML File Decompile
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
|
TTP
|
Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer, Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Cisco NVM - Suspicious Network Connection From Process With No Args
|
Cisco Network Visibility Module Flow Data
|
T1055
T1218
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Chromium Process with Disabled Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
Browser Hijacking
|
2026-05-13
|
|
Create or delete windows shares using net exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070.005
|
TTP
|
Windows Post-Exploitation, Prestige Ransomware, Hidden Cobra Malware, CISA AA22-277A, DarkGate Malware
|
2026-05-13
|
|
Windows Bluetooth Service Installed From Uncommon Location
|
Windows Event Log System 7045
|
T1036
T1543.003
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Process Deleting Its Process File Path
|
Sysmon EventID 1
|
T1070
|
TTP
|
Remcos, WhisperGate, Data Destruction, Clop Ransomware
|
2026-05-13
|
|
Rundll32 Create Remote Thread To A Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
IcedID, Living Off The Land
|
2026-05-13
|
|
Windows Rundll32 Load DLL in Temp Dir
|
Sysmon EventID 1
|
T1218.011
|
Anomaly
|
Interlock Rat
|
2026-05-13
|
|
Detect mshta renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
Hunting
|
Living Off The Land, APT37 Rustonotto and FadeStealer, Suspicious MSHTA Activity
|
2026-05-13
|
|
Windows Suspicious Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
TTP
|
Hellcat Ransomware, BlackByte Ransomware, Brute Ratel C4, Meterpreter, Cobalt Strike, APT37 Rustonotto and FadeStealer, Graceful Wipe Out Attack, LockBit Ransomware, Remote Monitoring and Management Software, DarkSide Ransomware, Trickbot, Tuoni, Gozi Malware
|
2026-05-13
|
|
Mmc LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.003
T1218.014
|
TTP
|
Living Off The Land, Active Directory Lateral Movement, Water Gamayun, XML Runner Loader
|
2026-05-13
|
|
Regsvr32 with Known Silent Switch Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
Anomaly
|
Living Off The Land, Suspicious Regsvr32 Activity, AsyncRAT, IcedID, Remcos, Qakbot
|
2026-05-13
|
|
Wbemprox COM Object Execution
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
Revil Ransomware, LockBit Ransomware, Ransomware
|
2026-05-13
|
|
Windows Indirect Command Execution Via pcalua
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1202
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Linux Indicator Removal Service File Deletion
|
Sysmon for Linux EventID 1
|
T1070.004
|
Anomaly
|
Data Destruction, AwfulShred
|
2026-05-13
|
|
RunDLL Loading DLL By Ordinal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Living Off The Land, IcedID, Unusual Processes, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Suspicious writes to windows Recycle Bin
|
Sysmon EventID 1, Sysmon EventID 11
|
T1036
|
TTP
|
PlugX, Collection and Staging
|
2026-05-13
|
|
Windows Get-Variable.EXE Execution from WindowsApps Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.008
|
Anomaly
|
Windows Persistence Techniques
|
2026-05-13
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
T1027.011
T1059.001
T1105
|
TTP
|
PHP-CGI RCE Attack on Japanese Organizations, MoonPeak, Medusa Ransomware, Malicious PowerShell
|
2026-05-13
|
|
Windows Mshta Execution In Registry
|
Sysmon EventID 13
|
T1218.005
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Process Injection into Notepad
|
Sysmon EventID 10
|
T1055.002
|
Anomaly
|
Earth Alux, APT37 Rustonotto and FadeStealer, BishopFox Sliver Adversary Emulation Framework
|
2026-05-13
|
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
T1055
T1059.001
|
TTP
|
Hellcat Ransomware, Hermetic Wiper, Data Destruction, Malicious PowerShell
|
2026-05-13
|
|
Linux Deletion Of Init Daemon Script
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
AcidRain, Data Destruction, AcidPour
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
T1574.001
|
TTP
|
NailaoLocker Ransomware, SolarWinds WHD RCE Post Exploitation, Lokibot, XWorm, China-Nexus Threat Activity, Malicious Inno Setup Loader, PlugX, DarkGate Malware, Derusbi, Salt Typhoon, SnappyBee
|
2026-05-13
|
|
Windows Potential AppDomainManager Hijack Artifacts Creation
|
Sysmon EventID 11
|
T1574.014
|
Anomaly
|
SesameOp
|
2026-05-13
|
|
Windows Alternate DataStream - Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1564.004
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Suspicious Rundll32 no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Hellcat Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Cobalt Strike, Suspicious Rundll32 Activity, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Detect Regsvcs with Network Connection
|
Sysmon EventID 3
|
T1218.009
|
TTP
|
Living Off The Land, Hellcat Ransomware, Suspicious Regsvcs Regasm Activity
|
2026-05-13
|
|
Windows Svchost.exe Parent Process Anomaly
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.009
|
Anomaly
|
China-Nexus Threat Activity, SnappyBee
|
2026-05-13
|
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
Anomaly
|
Earth Alux, Qakbot
|
2026-05-13
|
|
Windows Regsvr32 Renamed Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
TTP
|
Qakbot, Compromised Windows Host
|
2026-05-13
|
|
Suspicious Rundll32 PluginInit
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
IcedID
|
2026-05-13
|
|
Linux Auditd Preload Hijack Via Preload File
|
Linux Auditd Path, Linux Auditd Cwd
|
T1574.006
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host, Linux Living Off The Land, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Windows List ENV Variables Via SET Command From Uncommon Parent
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
Anomaly
|
Qakbot
|
2026-05-13
|
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
T1542.003
|
Hunting
|
BlackLotus Campaign
|
2026-05-13
|
|
Windows Time Based Evasion via Choice Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497.003
|
Anomaly
|
0bj3ctivity Stealer, Snake Keylogger, VIP Keylogger
|
2026-05-13
|
|
CertUtil With Decode Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1140
|
TTP
|
Living Off The Land, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, Deobfuscate-Decode Files or Information, Storm-2460 CLFS Zero Day Exploitation, APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Detect HTML Help URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1218.001
|
TTP
|
Living Off The Land, Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Suspicious GPUpdate no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Hellcat Ransomware, Graceful Wipe Out Attack, Cobalt Strike, BlackByte Ransomware
|
2026-05-13
|
|
Windows AD Privileged Account SID History Addition
|
Windows Event Log Security 4742, Windows Event Log Security 4738
|
T1134.005
|
TTP
|
Sneaky Active Directory Persistence Tricks, Compromised Windows Host
|
2026-05-13
|
|
Uninstall App Using MsiExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Ransomware
|
2026-05-13
|
|
Cisco NVM - Non-Network Binary Making Network Connection
|
Cisco Network Visibility Module Flow Data
|
T1036
T1055
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows EFI Bootloader File Modification
|
Sysmon EventID 11
|
T1542.003
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Windows Chromium Browser Launched with Small Window Size
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
TTP
|
Browser Hijacking
|
2026-05-13
|
|
Windows BootLoader Inventory
|
|
T1542.001
|
Hunting
|
Windows BootKits, BlackLotus Campaign
|
2026-05-13
|
|
Rundll32 with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1218.011
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Compromised Windows Host, BlackSuit Ransomware, Suspicious Rundll32 Activity, Cactus Ransomware, PrintNightmare CVE-2021-34527
|
2026-05-13
|
|
Cisco NVM - Suspicious Network Connection Initiated via MsXsl
|
Cisco Network Visibility Module Flow Data
|
T1220
|
Anomaly
|
Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows LOLBAS Executed As Renamed File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1218.011
|
TTP
|
Living Off The Land, Water Gamayun, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Snake Malware File Modification Crmlog
|
Sysmon EventID 11
|
T1027
|
TTP
|
Snake Malware
|
2026-05-13
|
|
Windows Unusual Process Load Mozilla NSS-Mozglue Module
|
Sysmon EventID 7
|
T1218.003
|
Anomaly
|
StealC Stealer, Quasar RAT, Lokibot, VIP Keylogger, 0bj3ctivity Stealer
|
2026-05-13
|
|
Detect HTML Help Using InfoTech Storage Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
|
TTP
|
Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer, Living Off The Land, Compromised Windows Host
|
2026-05-13
|
|
Windows Njrat Fileless Storage via Registry
|
Sysmon EventID 13
|
T1027.011
|
TTP
|
NjRAT
|
2026-05-13
|
|
Windows Binary Proxy Execution Mavinject DLL Injection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.013
|
TTP
|
Living Off The Land
|
2026-05-13
|
|
Windows InstallUtil Uninstall Option
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.004
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil, Compromised Windows Host
|
2026-05-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204.002
T1542
T1688
|
Anomaly
|
Compromised Windows Host
|
2026-05-13
|
|
Windows Indirect Command Execution Via forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1202
|
TTP
|
Living Off The Land, Windows Post-Exploitation
|
2026-05-13
|
|
Windows MSIExec Unregister DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2026-05-13
|
|
Suspicious DLLHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Graceful Wipe Out Attack, Cactus Ransomware, Cobalt Strike, BlackByte Ransomware
|
2026-05-13
|
|
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
|
Cisco Network Visibility Module Flow Data
|
T1059.005
T1218.005
|
Anomaly
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows Mustang Panda USB Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1020
T1204.002
T1574.001
|
TTP
|
Compromised Windows Host
|
2026-05-13
|
|
Linux Auditd AI CLI Permission Override Activated
|
Linux Auditd Proctitle
|
T1480
|
Anomaly
|
QuietVault
|
2026-05-13
|
|
Suspicious microsoft workflow compiler rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1127
|
Hunting
|
Living Off The Land, BlackByte Ransomware, Trusted Developer Utilities Proxy Execution, Cobalt Strike, Masquerading - Rename System Utilities, Graceful Wipe Out Attack
|
2026-05-13
|
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
T1055
|
TTP
|
IcedID, Qakbot, Warzone RAT
|
2026-05-13
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
TTP
|
Living Off The Land, Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows MSIExec Remote Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1218.007
|
Anomaly
|
StealC Stealer, SolarWinds WHD RCE Post Exploitation, Windows System Binary Proxy Execution MSIExec, Cisco Network Visibility Module Analytics, Water Gamayun
|
2026-05-13
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 13
|
T1542
T1547.001
|
TTP
|
Windows BootKits
|
2026-05-13
|
|
Detect Regasm with Network Connection
|
Sysmon EventID 3
|
T1218.009
|
TTP
|
Living Off The Land, Void Manticore, Hellcat Ransomware, Suspicious Regsvcs Regasm Activity, Handala Wiper
|
2026-05-13
|
|
System Processes Run From Unexpected Locations
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
|
Anomaly
|
Ransomware, Masquerading - Rename System Utilities, Suspicious Command-Line Executions, DarkGate Malware, Unusual Processes, Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2026-05-13
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Trickbot
|
2026-05-13
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 13, Sysmon EventID 12
|
T1112
T1218.010
|
TTP
|
Suspicious Regsvr32 Activity, Remcos
|
2026-05-13
|
|
Windows Indicator Removal Via Rmdir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070
|
Anomaly
|
DarkGate Malware, APT37 Rustonotto and FadeStealer, ZOVWiper
|
2026-05-13
|
|
Windows Rundll32 Execution With Log.DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
GitHub Workflow File Creation or Modification
|
Sysmon for Linux EventID 11, Sysmon EventID 11
|
T1195
T1554
T1574.006
|
Hunting
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Executables Or Script Creation In Temp Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
Rhysida Ransomware, Warzone RAT, Lokibot, Chaos Ransomware, PlugX, Graceful Wipe Out Attack, Volt Typhoon, Derusbi, VIP Keylogger, Qakbot, DarkCrystal RAT, SnappyBee, Data Destruction, Industroyer2, IcedID, AgentTesla, Salt Typhoon, Meduza Stealer, PromptFlux, MoonPeak, BlackByte Ransomware, Brute Ratel C4, Double Zero Destructor, ValleyRAT, Hermetic Wiper, Swift Slicer, Trickbot, RedLine Stealer, Crypto Stealer, PromptLock, Snake Keylogger, Interlock Rat, CISA AA23-347A, Amadey, NjRAT, WinDealer RAT, Void Manticore, Axios Supply Chain Post Compromise, XML Runner Loader, China-Nexus Threat Activity, Azorult, LockBit Ransomware, XMRig, APT37 Rustonotto and FadeStealer, AsyncRAT, DarkGate Malware, SesameOp, WhisperGate, AcidPour, Remcos, Handala Wiper
|
2026-05-13
|
|
Windows Process Injection Wermgr Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
Anomaly
|
Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2026-05-13
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
T1021.003
T1021.006
T1047
T1053.005
T1059.001
T1218.014
T1543.003
|
Anomaly
|
CISA AA24-241A, Scheduled Tasks, Hermetic Wiper, Data Destruction, Malicious PowerShell, Active Directory Lateral Movement, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Suspicious SearchProtocolHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Hellcat Ransomware, BlackByte Ransomware, Graceful Wipe Out Attack, Cobalt Strike, Cactus Ransomware
|
2026-05-13
|
|
Runas Execution in CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1134.001
|
Hunting
|
Windows Privilege Escalation, Quasar RAT, Data Destruction, Hermetic Wiper
|
2026-05-13
|
|
Suspicious MSBuild Rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1127.001
|
Hunting
|
Living Off The Land, BlackByte Ransomware, Trusted Developer Utilities Proxy Execution MSBuild, Cobalt Strike, Masquerading - Rename System Utilities, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation
|
2026-05-13
|
|
Windows PowerShell Process Implementing Manual Base64 Decoder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027.010
T1059.001
|
Anomaly
|
Deobfuscate-Decode Files or Information, Compromised Windows Host
|
2026-05-13
|
|
Suspicious mshta child process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
Living Off The Land, MuddyWater, Suspicious MSHTA Activity, Lumma Stealer
|
2026-05-13
|
|
BITS Job Persistence
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1197
|
TTP
|
Living Off The Land, BITS Jobs
|
2026-05-13
|
|
Detect HTML Help Renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
|
Hunting
|
Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer, Living Off The Land
|
2026-05-13
|
|
Control Loading from World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.002
|
TTP
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host
|
2026-05-13
|
|
Suspicious Rundll32 dllregisterserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Living Off The Land, IcedID, Suspicious Rundll32 Activity
|
2026-05-13
|
|
Windows Executable Masquerading as Benign File Types
|
Sysmon EventID 29
|
T1036.008
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-05-13
|
|
Windows Renamed Powershell Execution
|
Sysmon EventID 1
|
T1036.003
|
TTP
|
Hellcat Ransomware, Axios Supply Chain Post Compromise, XWorm
|
2026-05-13
|
|
Wermgr Process Create Executable File
|
Sysmon EventID 11
|
T1027
|
TTP
|
Trickbot
|
2026-05-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
T1078.002
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows MSHTA Writing to World Writable Path
|
Sysmon EventID 11
|
T1218.005
|
TTP
|
Suspicious MSHTA Activity, XWorm, APT29 Diplomatic Deceptions with WINELOADER
|
2026-05-13
|
|
Rundll32 Control RunDLL World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity, Compromised Windows Host
|
2026-05-13
|
|
Cisco NVM - Suspicious Download From File Sharing Website
|
Cisco Network Visibility Module Flow Data
|
T1197
|
Anomaly
|
BlankGrabber Stealer, Cisco Network Visibility Module Analytics, APT37 Rustonotto and FadeStealer
|
2026-05-13
|
|
Windows Privilege Escalation System Process Without System Parent
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2026-05-13
|
|
Windows Process Injection In Non-Service SearchIndexer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows MSIExec Spawn Discovery Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
Anomaly
|
StealC Stealer, Water Gamayun, Windows System Binary Proxy Execution MSIExec, Medusa Ransomware
|
2026-05-13
|
|
Linux Indicator Removal Clear Cache
|
Sysmon for Linux EventID 1
|
T1070
|
TTP
|
Data Destruction, AwfulShred
|
2026-05-13
|
|
Windows BitLockerToGo Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
|
Hunting
|
Lumma Stealer
|
2026-05-13
|
|
Suspicious mshta spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.005
|
TTP
|
Living Off The Land, APT37 Rustonotto and FadeStealer, Suspicious MSHTA Activity
|
2026-05-13
|
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
T1055.002
|
TTP
|
Earth Alux, Warzone RAT, Graceful Wipe Out Attack, Qakbot, Water Gamayun
|
2026-05-13
|
|
Windows New Deny Permission Set On Service SD Via Sc.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1564
|
Anomaly
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2026-05-13
|
|
Windows MSC EvilTwin Directory Path Manipulation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1203
T1218
|
TTP
|
Living Off The Land, Water Gamayun, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows InstallUtil in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1218.004
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil, Ransomware, Masquerading - Rename System Utilities, Data Destruction, WhisperGate, Unusual Processes
|
2026-05-13
|
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
T1055.001
|
TTP
|
Qakbot
|
2026-05-13
|
|
Windows Execution of Microsoft MSC File In Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.014
|
Anomaly
|
XML Runner Loader
|
2026-05-13
|
|
Windows RDP Server Registry Deletion
|
Sysmon EventID 13, Sysmon EventID 12
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Unusual SysWOW64 Process Run System32 Executable
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.009
|
Anomaly
|
China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon
|
2026-05-13
|
|
Windows RDP Cache File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Detect Regsvcs with No Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2026-05-13
|
|
XSL Script Execution With WMIC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1220
|
TTP
|
Suspicious WMI Use, FIN7
|
2026-05-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
T1078
T1098
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Windows SymbolicLink-Testing-Tools Utility Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
T1564.004
|
TTP
|
Windows Post-Exploitation, Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Windows Indirect Command Execution Via Series Of Forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1202
|
Anomaly
|
Windows Post-Exploitation, Prestige Ransomware
|
2026-05-13
|
|
Windows Privilege Escalation Suspicious Process Elevation
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Windows Command Obfuscation with Environment Variable Substrings
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027.010
|
Anomaly
|
Malicious PowerShell
|
2026-05-13
|
|
Windows Alternate DataStream - Base64 Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
APT37 Rustonotto and FadeStealer, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Rundll32 LockWorkStation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
Anomaly
|
Ransomware
|
2026-05-13
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation, Active Directory Kerberos Attacks, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Windows Suspicious C2 Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
TTP
|
Hellcat Ransomware, BlackByte Ransomware, Brute Ratel C4, Meterpreter, APT37 Rustonotto and FadeStealer, Cobalt Strike, Graceful Wipe Out Attack, LockBit Ransomware, Remote Monitoring and Management Software, DarkSide Ransomware, Trickbot, Tuoni, Storm-0501 Ransomware, Gozi Malware
|
2026-05-13
|
|
Windows Process Injection With Public Source Path
|
Sysmon EventID 8
|
T1055.002
|
Hunting
|
Earth Alux, Brute Ratel C4
|
2026-05-13
|
|
Windows Suspicious QEMU Execution
|
Sysmon EventID 1
|
T1001
T1036
T1204.002
T1564.006
|
TTP
|
Linux Privilege Escalation, Linux Rootkit, Compromised Linux Host, Linux Living Off The Land, Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware
|
2026-05-13
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4726, Windows Event Log System 4720
|
T1078.003
T1136.001
|
TTP
|
GhostRedirector IIS Module and Rungan Backdoor, Active Directory Lateral Movement
|
2026-05-13
|
|
Windows MSI Rollback Script Deleted By Non-Msiexec Process
|
Sysmon EventID 23
|
T1068
T1218.007
|
TTP
|
Windows Privilege Escalation
|
2026-05-13
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation, XWorm, Brute Ratel C4
|
2026-05-13
|
|
PowerShell PInvoke Process Injection API Chain
|
Powershell Script Block Logging 4104
|
T1055.001
T1055.003
T1055.004
T1055.012
T1055.013
T1059.001
T1620
|
TTP
|
VIP Keylogger
|
2026-05-13
|
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
T1055.001
|
TTP
|
AsyncRAT, Remcos
|
2026-05-13
|
|
Windows ConHost with Headless Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1564.003
T1564.006
|
TTP
|
Spearphishing Attachments, Compromised Windows Host
|
2026-05-13
|
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
T1564.004
|
TTP
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Rundll32 Process Creating Exe Dll Files
|
Sysmon EventID 11
|
T1218.011
|
TTP
|
IcedID, Living Off The Land, Gh0st RAT
|
2026-05-13
|
|
Windows Masquerading Msdtc Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
|
TTP
|
PlugX, Compromised Windows Host
|
2026-05-13
|
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
T1134.001
|
Hunting
|
Brute Ratel C4
|
2026-05-13
|
|
Windows RMM Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
Anomaly
|
Scattered Spider, CISA AA24-241A, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Gozi Malware, GhostRedirector IIS Module and Rungan Backdoor, Seashell Blizzard, Scattered Lapsus$ Hunters, Cactus Ransomware, Interlock Ransomware
|
2026-05-13
|
|
Windows SoftEther VPN Masquerading as Legitimate Binary
|
Sysmon EventID 1
|
T1036
T1572
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation, Flax Typhoon
|
2026-05-13
|
|
Windows TinyCC Shellcode Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1027
T1036
T1059.003
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
T1078.002
|
TTP
|
sAMAccountName Spoofing and Domain Controller Impersonation, Scattered Lapsus$ Hunters, Active Directory Privilege Escalation, Compromised Windows Host
|
2026-05-13
|
|
Windows InstallUtil Credential Theft
|
Sysmon EventID 7
|
T1218.004
|
TTP
|
Signed Binary Proxy Execution InstallUtil
|
2026-05-13
|
|
Executables Or Script Creation In Suspicious Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
Rhysida Ransomware, Warzone RAT, Quasar RAT, Lokibot, Chaos Ransomware, PlugX, Graceful Wipe Out Attack, Volt Typhoon, Derusbi, VIP Keylogger, DarkCrystal RAT, Qakbot, SnappyBee, Interlock Ransomware, NailaoLocker Ransomware, Data Destruction, Industroyer2, IcedID, AgentTesla, Salt Typhoon, Meduza Stealer, DynoWiper, MoonPeak, BlackByte Ransomware, Brute Ratel C4, Double Zero Destructor, Hermetic Wiper, Swift Slicer, ValleyRAT, Trickbot, RedLine Stealer, Crypto Stealer, PromptLock, Snake Keylogger, Interlock Rat, CISA AA23-347A, Amadey, NjRAT, Cactus Ransomware, Earth Alux, WinDealer RAT, Void Manticore, Axios Supply Chain Post Compromise, XML Runner Loader, China-Nexus Threat Activity, XMRig, LockBit Ransomware, Azorult, AsyncRAT, GhostRedirector IIS Module and Rungan Backdoor, DarkGate Malware, SesameOp, Castle RAT, WhisperGate, AcidPour, Remcos, SystemBC, Handala Wiper
|
2026-05-13
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4781, Windows Event Log Security 4768
|
T1078.002
|
Hunting
|
sAMAccountName Spoofing and Domain Controller Impersonation, Active Directory Privilege Escalation, Active Directory Kerberos Attacks
|
2026-05-13
|
|
CSC Net On The Fly Compilation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027.004
|
Hunting
|
Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows DotNet Binary in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.003
T1218.004
|
TTP
|
Signed Binary Proxy Execution InstallUtil, Ransomware, Masquerading - Rename System Utilities, Data Destruction, WhisperGate, Unusual Processes
|
2026-05-13
|
|
Windows BitDefender Submission Wizard DLL Sideloading
|
Sysmon EventID 7
|
T1574
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-05-13
|
|
Windows Application Whitelisting Bypass Attempt via Rundll32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
Living Off The Land, Suspicious Rundll32 Activity, Compromised Windows Host
|
2026-05-13
|
|
Windows LOLBAS Executed Outside Expected Path
|
Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1218.011
|
Anomaly
|
Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Linux High Frequency Of File Deletion In Etc Folder
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
Anomaly
|
AcidRain, Data Destruction
|
2026-05-13
|
|
Windows Powershell History File Deletion
|
Powershell Script Block Logging 4104
|
T1059.003
T1070.003
|
Anomaly
|
Medusa Ransomware
|
2026-05-13
|
|
Attacker Tools On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1003
T1036.005
T1595
|
TTP
|
Scattered Spider, PHP-CGI RCE Attack on Japanese Organizations, XMRig, CISA AA22-264A, Compromised Windows Host, Unusual Processes, SamSam Ransomware, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Msmpeng Application DLL Side Loading
|
Sysmon EventID 11
|
T1574.001
|
TTP
|
Revil Ransomware, Ransomware
|
2026-05-13
|
|
Windows Privilege Escalation User Process Spawn System Process
|
Sysmon EventID 1
|
T1068
T1134
T1548
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation, GhostRedirector IIS Module and Rungan Backdoor, Compromised Windows Host
|
2026-05-13
|
|
Windows MsiExec HideWindow Rundll32 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Qakbot, Water Gamayun
|
2026-05-13
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2026-05-13
|
|
Suspicious IcedID Rundll32 Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.011
|
TTP
|
IcedID, Living Off The Land
|
2026-05-13
|
|
Windows Parent PID Spoofing with Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1134.004
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Debugger Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
|
Hunting
|
DarkGate Malware, PlugX
|
2026-05-13
|
|
Windows AppLocker Block Events
|
|
T1218
|
Anomaly
|
Windows AppLocker
|
2026-05-13
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
T1134.002
|
Anomaly
|
WinDealer RAT, PathWiper, Lokibot, Brute Ratel C4, Gh0st RAT, China-Nexus Threat Activity, PlugX, ValleyRAT, AsyncRAT, GhostRedirector IIS Module and Rungan Backdoor, DarkGate Malware, Scattered Lapsus$ Hunters, Tuoni, Derusbi, Salt Typhoon, Meduza Stealer, CISA AA23-347A, SnappyBee
|
2026-05-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
T1078
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-05-13
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Earth Alux, Warzone RAT, SolarWinds WHD RCE Post Exploitation, China-Nexus Threat Activity, Derusbi, Salt Typhoon, NjRAT
|
2026-05-13
|
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Earth Alux, BlackByte Ransomware, Graceful Wipe Out Attack, Cobalt Strike, Storm-2460 CLFS Zero Day Exploitation, Cactus Ransomware
|
2026-05-13
|
|
Windows Masquerading Explorer As Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
TTP
|
Qakbot, Water Gamayun, Compromised Windows Host
|
2026-05-13
|
|
Linux High Frequency Of File Deletion In Boot Folder
|
Sysmon for Linux EventID 11
|
T1070.004
T1485
|
TTP
|
AcidPour, Data Destruction, Industroyer2
|
2026-05-13
|
|
UAC Bypass With Colorui COM Object
|
Sysmon EventID 7
|
T1218.003
|
TTP
|
LockBit Ransomware, Ransomware
|
2026-05-13
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Windows Privilege Escalation, Hermetic Wiper, Data Destruction
|
2026-05-13
|
|
GPUpdate with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
Hellcat Ransomware, BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Compromised Windows Host
|
2026-05-13
|
|
Headless Browser Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
T1564.003
|
Anomaly
|
Forest Blizzard, Browser Hijacking
|
2026-05-13
|
|
Detect Regasm with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.009
|
TTP
|
Living Off The Land, Void Manticore, Suspicious Regsvcs Regasm Activity, Handala Wiper
|
2026-05-13
|
|
Windows AppLocker Rare Application Launch Detection
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2026-05-13
|
|
Windows PUA Named Pipe
|
Sysmon EventID 18, Sysmon EventID 17
|
T1021.002
T1055
T1559
|
Anomaly
|
Rhysida Ransomware, BlackByte Ransomware, Sandworm Tools, VanHelsing Ransomware, CISA AA22-320A, Seashell Blizzard, IcedID, DarkGate Malware, DarkSide Ransomware, Volt Typhoon, HAFNIUM Group, Medusa Ransomware, Active Directory Lateral Movement, Cactus Ransomware, DHS Report TA18-074A, SamSam Ransomware
|
2026-05-13
|
|
Windows Mock Trusted Directory MSC File Creation
|
Sysmon EventID 11
|
T1218.014
T1548.002
T1574
|
TTP
|
Windows Privilege Escalation, Windows Persistence Techniques
|
2026-05-13
|
|
Windows MMC Loaded Script Engine DLL
|
Sysmon EventID 7
|
T1620
|
Anomaly
|
XML Runner Loader
|
2026-05-13
|
|
Clear Unallocated Sector Using Cipher App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070.004
|
TTP
|
Scattered Spider, Ransomware, Compromised Windows Host
|
2026-05-13
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon for Linux EventID 11, Sysmon EventID 11
|
T1195
T1554
T1574.006
|
TTP
|
NPM Supply Chain Compromise
|
2026-05-13
|
|
Windows Chromium Browser No Security Sandbox Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
TTP
|
Malicious Inno Setup Loader
|
2026-05-13
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
T1574.001
|
Anomaly
|
Hellcat Ransomware, Water Gamayun, CISA AA23-347A
|
2026-05-13
|
|
Headless Browser Mockbin or Mocky Request
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1564.003
|
TTP
|
Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor
|
2026-05-13
|
|
Suspicious MSBuild Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127.001
|
TTP
|
Living Off The Land, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-05-13
|
|
Regsvr32 Silent and Install Param Dll Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
|
Anomaly
|
Living Off The Land, Suspicious Regsvr32 Activity, Hermetic Wiper, Data Destruction, AsyncRAT, Remcos
|
2026-05-13
|
|
Windows InstallUtil Remote Network Connection
|
Sysmon EventID 1, Sysmon EventID 3, Cisco Network Visibility Module Flow Data
|
T1218.004
|
Anomaly
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil, Compromised Windows Host, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Windows PowerShell Module File Created
|
Sysmon EventID 11
|
T1059.001
T1129
T1574
|
Anomaly
|
Malicious PowerShell, Windows Persistence Techniques
|
2026-05-13
|
|
Linux Kworker Process In Writable Process Path
|
Sysmon for Linux EventID 1
|
T1036.004
|
Hunting
|
Cyclops Blink, Sandworm Tools
|
2026-05-13
|
|
ETW Registry Disabled
|
Sysmon EventID 13
|
T1127
T1685
|
TTP
|
Windows Persistence Techniques, Windows Registry Abuse, Hermetic Wiper, Data Destruction, CISA AA23-347A, Windows Privilege Escalation
|
2026-05-13
|
|
Detect Excessive User Account Lockouts
|
|
T1078.003
|
Anomaly
|
Scattered Lapsus$ Hunters, Active Directory Password Spraying
|
2026-05-13
|
|
Detect MSHTA Url in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data
|
T1218.005
|
TTP
|
Living Off The Land, XWorm, Lumma Stealer, APT37 Rustonotto and FadeStealer, Compromised Windows Host, Suspicious MSHTA Activity, NetSupport RMM Tool Abuse, Cisco Network Visibility Module Analytics
|
2026-05-13
|
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
T1055
|
TTP
|
IcedID, Living Off The Land
|
2026-05-13
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 13
|
T1574.011
|
Anomaly
|
SolarWinds WHD RCE Post Exploitation, Gh0st RAT, Brute Ratel C4, Windows Persistence Techniques, China-Nexus Threat Activity, Windows Registry Abuse, PlugX, Suspicious Windows Registry Activities, Crypto Stealer, Derusbi, Salt Typhoon, CISA AA23-347A, Active Directory Lateral Movement, SnappyBee
|
2026-05-13
|
|
Fsutil Zeroing File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070
|
TTP
|
LockBit Ransomware, Ransomware
|
2026-05-13
|
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
T1027
T1059.001
|
TTP
|
Hellcat Ransomware, Axios Supply Chain Post Compromise, XWorm, NetSupport RMM Tool Abuse, Hermetic Wiper, APT37 Rustonotto and FadeStealer, Data Destruction, Malicious PowerShell, AsyncRAT, IcedID, GhostRedirector IIS Module and Rungan Backdoor, MuddyWater, Medusa Ransomware, VIP Keylogger, Winter Vivern, 0bj3ctivity Stealer, NjRAT, Microsoft WSUS CVE-2025-59287
|
2026-05-13
|
|
Windows AppLocker Privilege Escalation via Unauthorized Bypass
|
|
T1218
|
TTP
|
Windows AppLocker
|
2026-05-13
|
|
MacOS Log Removal
|
Osquery Results
|
T1070
|
TTP
|
MacOS Post-Exploitation
|
2026-05-13
|
|
Windows Default Rdp File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
T1027.005
T1059.001
|
TTP
|
Water Gamayun, Malicious PowerShell
|
2026-05-13
|
|
Windows Handle Duplication in Known UAC-Bypass Binaries
|
Sysmon EventID 10
|
T1134.001
|
Anomaly
|
Castle RAT
|
2026-05-13
|
|
Linux Kernel Module Enumeration
|
Sysmon for Linux EventID 1
|
T1014
T1082
|
Anomaly
|
Linux Rootkit, XorDDos
|
2026-05-13
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
T1574.001
|
Hunting
|
Living Off The Land, Qakbot, Malicious Inno Setup Loader, Windows Defense Evasion Tactics
|
2026-05-13
|
|
Windows Rdp AutomaticDestinations Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
T1070.004
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-05-13
|
|
Windows Chromium Browser with Custom User Data Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
|
Anomaly
|
StealC Stealer, Malicious Inno Setup Loader, Lokibot
|
2026-05-13
|
|
Windows AppLocker Execution from Uncommon Locations
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2026-05-13
|
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
T1014
T1068
|
TTP
|
BlackByte Ransomware, Windows Drivers, CISA AA22-320A, BlackSuit Ransomware, AgentTesla
|
2026-05-13
|
|
Verclsid CLSID Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.012
|
Hunting
|
Unusual Processes
|
2026-05-13
|
|
Linux Medusa Rootkit
|
Sysmon for Linux EventID 11
|
T1014
T1589.001
|
TTP
|
China-Nexus Threat Activity, VoidLink Cloud-Native Linux Malware, Hellcat Ransomware, Medusa Rootkit
|
2026-05-13
|
|
ESXi Shared or Stolen Root Account
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Cisco ASA - New Local User Account Created
|
Cisco ASA Logs
|
T1078.003
T1136.001
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
Cisco ASA - User Privilege Level Change
|
Cisco ASA Logs
|
T1078.003
T1098
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor
|
2026-05-13
|
|
M365 Copilot Application Usage Pattern Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta New API Token Created
|
Okta
|
T1078.001
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Zoom High Video Latency
|
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
T1078.001
T1556
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi External Root Login Activity
|
VMWare ESXi Syslog
|
T1078
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Cisco ASA - User Account Deleted From Local Database
|
Cisco ASA Logs
|
T1070.008
T1531
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity
|
2026-05-13
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
T1078
T1110
T1621
|
TTP
|
Compromised User Account
|
2026-05-13
|
|
Cisco ASA - Logging Message Suppression
|
Cisco ASA Logs
|
T1070
T1685.001
|
Anomaly
|
Suspicious Cisco Adaptive Security Appliance Activity, ArcaneDoor
|
2026-05-13
|
|
ESXi Account Modified
|
VMWare ESXi Syslog
|
T1078
T1098
T1136.001
|
Anomaly
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
ESXi User Granted Admin Role
|
VMWare ESXi Syslog
|
T1078
T1098
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Email Attachments With Lots Of Spaces
|
|
T1036.008
T1566.001
|
Anomaly
|
Hermetic Wiper, Data Destruction, Suspicious Emails, Emotet Malware DHS Report TA18-201A
|
2026-05-13
|
|
Detect HTML Help Spawn Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
|
TTP
|
Living Off The Land, Suspicious Compiled HTML Activity, APT37 Rustonotto and FadeStealer, Compromised Windows Host, AgentTesla
|
2026-05-13
|
|
Okta Suspicious Activity Reported
|
Okta
|
T1078.001
|
TTP
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi System Clock Manipulation
|
VMWare ESXi Syslog
|
T1070.006
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
Okta Risk Threshold Exceeded
|
Okta
|
T1078
T1110
|
Correlation
|
Suspicious Okta Activity, Okta Account Takeover, Okta MFA Exhaustion
|
2026-05-13
|
|
Okta Successful Single Factor Authentication
|
Okta
|
T1078.004
T1586.003
T1621
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
ESXi Audit Tampering
|
VMWare ESXi Syslog
|
T1070
T1690
|
TTP
|
Black Basta Ransomware, ESXi Post Compromise
|
2026-05-13
|
|
M365 Copilot Session Origin Anomalies
|
M365 Copilot Graph API
|
T1078
|
Anomaly
|
Suspicious Microsoft 365 Copilot Activities
|
2026-05-13
|
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, Okta Account Takeover
|
2026-05-13
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
T1078.004
|
Anomaly
|
Okta Account Takeover
|
2026-05-13
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace
|
T1078.004
T1586.003
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
O365 Email Transport Rule Changed
|
Office 365 Universal Audit Log
|
T1114.003
T1564.008
|
Anomaly
|
Office 365 Account Takeover, Data Exfiltration
|
2026-05-13
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
GCP Detect gcploit framework
|
|
T1078
|
TTP
|
GCP Cross Account Activity
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Microsoft Intune Device Health Scripts
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Microsoft Intune Mobile Apps
|
Azure Monitor Activity
|
T1021.007
T1072
T1105
T1202
|
Hunting
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
T1078.004
|
TTP
|
NOBELIUM Group, Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
T1078.004
T1586.003
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2026-05-13
|
|
O365 Email Send Attachments Excessive Volume
|
Office 365 Universal Audit Log
|
T1070.008
T1485
|
Anomaly
|
Office 365 Account Takeover, Suspicious Emails
|
2026-05-13
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
O365 Security And Compliance Alert Triggered
|
|
T1078.004
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
AWS Successful Console Authentication From Multiple IPs
|
AWS CloudTrail ConsoleLogin
|
T1535
T1586
|
Anomaly
|
Compromised User Account, Suspicious AWS Login Activities
|
2026-05-13
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
O365 Email Password and Payroll Compromise Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
TTP
|
Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails
|
2026-05-13
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Email Receive and Hard Delete Takeover Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
Anomaly
|
Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails
|
2026-05-13
|
|
Detect AWS Console Login by User from New Region
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities
|
2026-05-13
|
|
Cloud Compute Instance Created In Previously Unused Region
|
AWS CloudTrail
|
T1535
|
Anomaly
|
Cloud Cryptomining
|
2026-05-13
|
|
O365 Email Hard Delete Excessive Volume
|
Office 365 Universal Audit Log
|
T1070.008
T1485
|
Anomaly
|
Office 365 Account Takeover, Data Destruction, Suspicious Emails
|
2026-05-13
|
|
Okta Non-Standard VPN Usage
|
Okta
|
T1078
T1090
T1572
|
TTP
|
Remote Employment Fraud, Suspicious Okta Activity
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
T1078.004
|
TTP
|
Azure Active Directory Persistence
|
2026-05-13
|
|
Detect AWS Console Login by User from New City
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities
|
2026-05-13
|
|
O365 Email New Inbox Rule Created
|
Office 365 Universal Audit Log
|
T1114.003
T1564.008
|
Anomaly
|
Office 365 Collection Techniques
|
2026-05-13
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoginFailed, O365 UserLoggedIn
|
T1078
|
Anomaly
|
Office 365 Account Takeover
|
2026-05-13
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
T1078
|
Anomaly
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation
|
2026-05-13
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
T1078.004
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2026-05-13
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
T1078.004
T1586.003
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
O365 Email Send and Hard Delete Exfiltration Behavior
|
Office 365 Reporting Message Trace, Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
Anomaly
|
Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails
|
2026-05-13
|
|
Detect AWS Console Login by User from New Country
|
AWS CloudTrail
|
T1535
T1586.003
|
Hunting
|
Compromised User Account, Suspicious Cloud Authentication Activities, AWS Identity and Access Management Account Takeover, Suspicious AWS Login Activities
|
2026-05-13
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
T1078.004
|
TTP
|
AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud User Activities
|
2026-05-13
|
|
AWS Bedrock Invoke Model Access Denied
|
AWS CloudTrail
|
T1078
T1550
|
TTP
|
AWS Bedrock Security
|
2026-05-13
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
T1078
|
TTP
|
Cloud Federated Credential Abuse
|
2026-05-13
|
|
Geographic Improbable Location
|
Okta
|
T1078
|
Anomaly
|
Remote Employment Fraud
|
2026-05-13
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2026-05-13
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
T1078.004
T1586.003
T1621
|
TTP
|
Azure Active Directory Account Takeover
|
2026-05-13
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace
|
T1078.004
T1586.003
T1621
|
TTP
|
Scattered Lapsus$ Hunters, GCP Account Takeover
|
2026-05-13
|
|
O365 Email Send and Hard Delete Suspicious Behavior
|
Office 365 Universal Audit Log
|
T1070.008
T1114.001
T1485
|
Anomaly
|
Office 365 Account Takeover, Data Destruction, Office 365 Collection Techniques, Suspicious Emails
|
2026-05-13
|
|
O365 BEC Email Hiding Rule Created
|
|
T1564.008
|
TTP
|
Office 365 Account Takeover
|
2026-05-13
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1078
T1136
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Communication Over Suspicious Ports
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1021
T1055
T1059.001
T1105
T1219
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Software Download To Network Device
|
|
T1542.005
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Rundll32 DNSQuery
|
Sysmon EventID 22
|
T1218.011
|
TTP
|
IcedID, Living Off The Land
|
2026-05-13
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1078
T1136
|
Correlation
|
Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco IOS Suspicious Privileged Account Creation
|
Cisco IOS Logs
|
T1078
T1136
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Malware Downloads
|
Cisco Secure Firewall Threat Defense File Event
|
T1027
T1105
|
Anomaly
|
Hellcat Ransomware, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1190
T1204
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer
|
2026-05-13
|
