| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Cisco ASA - Logging Message Suppression | Cisco ASA Logs | Disable or Modify Windows Event Log, Indicator Removal | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-04 |
| Cisco ASA - New Local User Account Created | Cisco ASA Logs | Local Account, Local Accounts | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-04-15 |
| Cisco ASA - User Account Deleted From Local Database | Cisco ASA Logs | Account Access Removal, Clear Mailbox Data | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-04-15 |
| Cisco ASA - User Privilege Level Change | Cisco ASA Logs | Local Accounts, Account Manipulation | Anomaly | ArcaneDoor, Suspicious Cisco Adaptive Security Appliance Activity | 2026-04-15 |
| Detect HTML Help Spawn Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compiled HTML File | TTP | APT37 Rustonotto and FadeStealer, AgentTesla, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity | 2026-04-15 |
| Email Attachments With Lots Of Spaces | | Spearphishing Attachment, Masquerade File Type | Anomaly | Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails | 2026-03-25 |
| ESXi Account Modified | VMWare ESXi Syslog | Local Account, Valid Accounts, Account Manipulation | Anomaly | Black Basta Ransomware, ESXi Post Compromise | 2026-04-15 |
| ESXi Audit Tampering | VMWare ESXi Syslog | Prevent Command History Logging, Indicator Removal | TTP | Black Basta Ransomware, ESXi Post Compromise | 2026-05-04 |
| ESXi External Root Login Activity | VMWare ESXi Syslog | Valid Accounts | Anomaly | Black Basta Ransomware, ESXi Post Compromise | 2026-04-15 |
| ESXi Shared or Stolen Root Account | VMWare ESXi Syslog | Valid Accounts | Anomaly | Black Basta Ransomware, ESXi Post Compromise | 2026-04-15 |
| ESXi System Clock Manipulation | VMWare ESXi Syslog | Timestomp | TTP | Black Basta Ransomware, ESXi Post Compromise | 2026-04-15 |
| ESXi User Granted Admin Role | VMWare ESXi Syslog | Account Manipulation, Valid Accounts | TTP | Black Basta Ransomware, ESXi Post Compromise | 2026-04-15 |
| M365 Copilot Application Usage Pattern Anomalies | M365 Copilot Graph API | Valid Accounts | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-04-15 |
| M365 Copilot Session Origin Anomalies | M365 Copilot Graph API | Valid Accounts | Anomaly | Suspicious Microsoft 365 Copilot Activities | 2026-03-10 |
| Okta Authentication Failed During MFA Challenge | Okta | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover, Scattered Lapsus$ Hunters | 2026-04-15 |
| Okta New API Token Created | Okta | Default Accounts | TTP | Okta Account Takeover, Scattered Lapsus$ Hunters | 2026-04-15 |
| Okta Phishing Detection with FastPass Origin Check | Okta | Default Accounts, Modify Authentication Process | TTP | Okta Account Takeover | 2026-03-10 |
| Okta Risk Threshold Exceeded | Okta | Valid Accounts, Brute Force | Correlation | Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity | 2026-04-15 |
| Okta Successful Single Factor Authentication | Okta | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2026-04-15 |
| Okta Suspicious Activity Reported | Okta | Default Accounts | TTP | Okta Account Takeover | 2026-04-15 |
| Okta ThreatInsight Threat Detected | Okta | Cloud Accounts | Anomaly | Okta Account Takeover | 2026-04-15 |
| PingID Multiple Failed MFA Requests For User | PingID | Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force | TTP | Compromised User Account | 2026-04-15 |
| Splunk User Enumeration Attempt | Splunk | Valid Accounts | TTP | Splunk Vulnerabilities | 2025-05-02 |
| Zoom High Video Latency | | Valid Accounts | Anomaly | Remote Employment Fraud | 2026-04-15 |
| ASL AWS Create Policy Version to allow all resources | ASL AWS CloudTrail | Cloud Accounts | TTP | AWS IAM Privilege Escalation, Scattered Lapsus$ Hunters | 2026-04-15 |
| ASL AWS SAML Update identity provider | ASL AWS CloudTrail | Valid Accounts | TTP | Cloud Federated Credential Abuse | 2026-04-15 |
| AWS Bedrock Invoke Model Access Denied | AWS CloudTrail | Valid Accounts, Use Alternate Authentication Material | TTP | AWS Bedrock Security | 2026-04-15 |
| AWS Create Policy Version to allow all resources | AWS CloudTrail CreatePolicyVersion | Cloud Accounts | TTP | AWS IAM Privilege Escalation | 2026-04-15 |
| AWS SAML Update identity provider | AWS CloudTrail UpdateSAMLProvider | Valid Accounts | TTP | Cloud Federated Credential Abuse | 2026-04-15 |
| AWS SetDefaultPolicyVersion | AWS CloudTrail SetDefaultPolicyVersion | Cloud Accounts | TTP | AWS IAM Privilege Escalation | 2026-04-15 |
| AWS Successful Console Authentication From Multiple IPs | AWS CloudTrail ConsoleLogin | Compromise Accounts, Unused/Unsupported Cloud Regions | Anomaly | Compromised User Account, Suspicious AWS Login Activities | 2026-04-15 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | Cloud Accounts, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover | 2026-04-15 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2026-04-15 |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Azure Active Directory Sign-in activity | Valid Accounts | Anomaly | Azure Active Directory Account Takeover | 2026-04-15 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2026-04-15 |
| Azure AD Service Principal Authentication | Azure Active Directory Sign-in activity | Cloud Accounts | TTP | Azure Active Directory Account Takeover, NOBELIUM Group | 2026-04-15 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | Cloud Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2026-04-15 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | Cloud Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2026-04-15 |
| Azure Runbook Webhook Created | Azure Audit Create or Update an Azure Automation webhook | Cloud Accounts | TTP | Azure Active Directory Persistence | 2026-04-15 |
| Cloud API Calls From Previously Unseen User Roles | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2026-04-15 |
| Cloud Compute Instance Created By Previously Unseen User | AWS CloudTrail | Cloud Accounts | Anomaly | Cloud Cryptomining | 2026-04-15 |
| Cloud Compute Instance Created In Previously Unused Region | AWS CloudTrail | Unused/Unsupported Cloud Regions | Anomaly | Cloud Cryptomining | 2026-04-15 |
| Cloud Instance Modified By Previously Unseen User | AWS CloudTrail | Cloud Accounts | Anomaly | Suspicious Cloud Instance Activities | 2026-04-15 |
| Cloud Provisioning Activity From Previously Unseen City | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2026-04-15 |
| Cloud Provisioning Activity From Previously Unseen Country | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2026-04-15 |
| Cloud Provisioning Activity From Previously Unseen IP Address | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2026-04-15 |
| Cloud Provisioning Activity From Previously Unseen Region | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2026-04-15 |
| Detect AWS Console Login by User from New City | AWS CloudTrail | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2026-02-25 |
| Detect AWS Console Login by User from New Country | AWS CloudTrail | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2026-02-25 |
| Detect AWS Console Login by User from New Region | AWS CloudTrail | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2026-02-25 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2026-04-15 |
| GCP Detect gcploit framework | | Valid Accounts | TTP | GCP Cross Account Activity | 2026-03-12 |
| GCP Multiple Failed MFA Requests For User | Google Workspace | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2026-04-15 |
| GCP Successful Single-Factor Authentication | Google Workspace | Cloud Accounts, Cloud Accounts | TTP | GCP Account Takeover, Scattered Lapsus$ Hunters | 2026-04-15 |
| Geographic Improbable Location | Okta | Valid Accounts | Anomaly | Remote Employment Fraud | 2026-04-15 |
| Microsoft Intune Device Health Scripts | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2026-02-25 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2026-02-25 |
| O365 BEC Email Hiding Rule Created | | Email Hiding Rules | TTP | Office 365 Account Takeover | 2026-04-15 |
| O365 Email Hard Delete Excessive Volume | Office 365 Universal Audit Log | Clear Mailbox Data, Data Destruction | Anomaly | Data Destruction, Office 365 Account Takeover, Suspicious Emails | 2026-04-15 |
| O365 Email New Inbox Rule Created | Office 365 Universal Audit Log | Email Forwarding Rule, Email Hiding Rules | Anomaly | Office 365 Collection Techniques | 2026-04-15 |
| O365 Email Password and Payroll Compromise Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | Clear Mailbox Data, Data Destruction, Local Email Collection | TTP | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-04-15 |
| O365 Email Receive and Hard Delete Takeover Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | Clear Mailbox Data, Data Destruction, Local Email Collection | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-04-15 |
| O365 Email Send and Hard Delete Exfiltration Behavior | Office 365 Reporting Message Trace, Office 365 Universal Audit Log | Local Email Collection, Clear Mailbox Data, Data Destruction | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-04-15 |
| O365 Email Send and Hard Delete Suspicious Behavior | Office 365 Universal Audit Log | Local Email Collection, Clear Mailbox Data, Data Destruction | Anomaly | Data Destruction, Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2026-04-15 |
| O365 Email Send Attachments Excessive Volume | Office 365 Universal Audit Log | Clear Mailbox Data, Data Destruction | Anomaly | Office 365 Account Takeover, Suspicious Emails | 2026-04-15 |
| O365 Email Transport Rule Changed | Office 365 Universal Audit Log | Email Forwarding Rule, Email Hiding Rules | Anomaly | Data Exfiltration, Office 365 Account Takeover | 2026-04-15 |
| O365 Multiple AppIDs and UserAgents Authentication Spike | O365 UserLoggedIn, O365 UserLoginFailed | Valid Accounts | Anomaly | Office 365 Account Takeover | 2026-04-15 |
| O365 Security And Compliance Alert Triggered | | Cloud Accounts | TTP | Office 365 Account Takeover | 2026-04-15 |
| Okta Non-Standard VPN Usage | Okta | Valid Accounts, Protocol Tunneling, Proxy | TTP | Remote Employment Fraud, Suspicious Okta Activity | 2026-04-15 |
| Attacker Tools On Endpoint | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | OS Credential Dumping, Match Legitimate Resource Name or Location, Active Scanning | TTP | CISA AA22-264A, Cisco Network Visibility Module Analytics, Compromised Windows Host, PHP-CGI RCE Attack on Japanese Organizations, SamSam Ransomware, Scattered Spider, Unusual Processes, XMRig | 2026-04-15 |
| BITS Job Persistence | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs | TTP | BITS Jobs, Living Off The Land | 2026-04-15 |
| BITSAdmin Download File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs, Ingress Tool Transfer | TTP | APT37 Rustonotto and FadeStealer, BITS Jobs, DarkSide Ransomware, Flax Typhoon, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Hellcat Ransomware, Ingress Tool Transfer, Living Off The Land, Scattered Spider | 2026-04-15 |
| CertUtil With Decode Argument | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Deobfuscate/Decode Files or Information | TTP | APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor, Living Off The Land, Storm-2460 CLFS Zero Day Exploitation | 2026-04-15 |
| Cisco NVM - Curl Execution With Insecure Flags | Cisco Network Visibility Module Flow Data | BITS Jobs | Anomaly | Cisco Network Visibility Module Analytics, Microsoft WSUS CVE-2025-59287, PromptLock | 2026-04-15 |
| Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI | Cisco Network Visibility Module Flow Data | Mshta, Visual Basic | Anomaly | BlankGrabber Stealer, Cisco Network Visibility Module Analytics | 2026-04-15 |
| Cisco NVM - Non-Network Binary Making Network Connection | Cisco Network Visibility Module Flow Data | Process Injection, Masquerading | Anomaly | Cisco Network Visibility Module Analytics | 2026-04-15 |
| Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download | Cisco Network Visibility Module Flow Data | Mshta | Anomaly | Cisco Network Visibility Module Analytics | 2026-04-15 |
| Cisco NVM - Suspicious Download From File Sharing Website | Cisco Network Visibility Module Flow Data | BITS Jobs | Anomaly | APT37 Rustonotto and FadeStealer, BlankGrabber Stealer, Cisco Network Visibility Module Analytics | 2026-04-15 |
| Cisco NVM - Suspicious Network Connection From Process With No Args | Cisco Network Visibility Module Flow Data | Process Injection, System Binary Proxy Execution | Anomaly | Cisco Network Visibility Module Analytics | 2026-04-15 |
| Cisco NVM - Suspicious Network Connection Initiated via MsXsl | Cisco Network Visibility Module Flow Data | XSL Script Processing | Anomaly | Cisco Network Visibility Module Analytics | 2026-04-15 |
| Clear Unallocated Sector Using Cipher App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File Deletion | TTP | Compromised Windows Host, Ransomware, Scattered Spider | 2026-04-15 |
| CMLUA Or CMSTPLUA UAC Bypass | Sysmon EventID 7 | CMSTP | TTP | DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT | 2026-04-15 |
| Control Loading from World Writable Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Control Panel | TTP | Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444 | 2026-04-15 |
| Create or delete windows shares using net exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Network Share Connection Removal | TTP | CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation | 2026-04-15 |
| Create Remote Thread In Shell Application | Sysmon EventID 8 | Process Injection | TTP | IcedID, Qakbot, Warzone RAT | 2026-04-15 |
| CSC Net On The Fly Compilation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compile After Delivery | Hunting | Windows Defense Evasion Tactics | 2026-02-25 |
| Curl Execution with Percent Encoded URL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 | Obfuscated Files or Information, Ingress Tool Transfer | Anomaly | Compromised Windows Host, Ingress Tool Transfer, Living Off The Land | 2026-04-28 |
| Detect Excessive Account Lockouts From Endpoint | | Domain Accounts | Anomaly | Active Directory Password Spraying | 2026-04-15 |
| Detect Excessive User Account Lockouts | | Local Accounts | Anomaly | Active Directory Password Spraying, Scattered Lapsus$ Hunters | 2026-04-15 |
| Detect HTML Help Renamed | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compiled HTML File | Hunting | APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious Compiled HTML Activity | 2026-02-25 |
| Detect HTML Help URL in Command Line | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compiled HTML File | TTP | APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity | 2026-04-15 |
| Detect HTML Help Using InfoTech Storage Handlers | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compiled HTML File | TTP | APT37 Rustonotto and FadeStealer, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity | 2026-04-15 |
| Detect mshta inline hta execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Mshta | TTP | APT37 Rustonotto and FadeStealer, BlankGrabber Stealer, Compromised Windows Host, Gozi Malware, Living Off The Land, Suspicious MSHTA Activity, XWorm | 2026-04-15 |
| Detect mshta renamed | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Mshta | Hunting | APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious MSHTA Activity | 2026-02-25 |
| Detect MSHTA Url in Command Line | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Mshta | TTP | APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, Compromised Windows Host, Living Off The Land, Lumma Stealer, NetSupport RMM Tool Abuse, Suspicious MSHTA Activity, XWorm | 2026-04-15 |
| Detect Path Interception By Creation Of program exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Path Interception by Unquoted Path | TTP | Scattered Lapsus$ Hunters, Windows Persistence Techniques | 2026-04-15 |
| Detect Regasm Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvcs/Regasm | TTP | Compromised Windows Host, DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity, Void Manticore | 2026-04-15 |
| Detect Regasm with Network Connection | Sysmon EventID 3 | Regsvcs/Regasm | TTP | Handala Wiper, Hellcat Ransomware, Living Off The Land, Suspicious Regsvcs Regasm Activity, Void Manticore | 2026-04-15 |
| Detect Regasm with no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvcs/Regasm | TTP | Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity, Void Manticore | 2026-04-15 |
| Detect Regsvcs Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvcs/Regasm | TTP | Compromised Windows Host, Living Off The Land, Suspicious Regsvcs Regasm Activity | 2026-04-15 |
| Detect Regsvcs with Network Connection | Sysmon EventID 3 | Regsvcs/Regasm | TTP | Hellcat Ransomware, Living Off The Land, Suspicious Regsvcs Regasm Activity | 2026-04-15 |
| Detect Regsvcs with No Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvcs/Regasm | TTP | Living Off The Land, Suspicious Regsvcs Regasm Activity | 2026-04-15 |
| Detect Regsvr32 Application Control Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvr32 | TTP | BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Living Off The Land, PHP-CGI RCE Attack on Japanese Organizations, Suspicious Regsvr32 Activity | 2026-04-15 |
| Detect RTLO In File Name | Sysmon EventID 11 | Right-to-Left Override | TTP | Spearphishing Attachments | 2026-04-15 |
| Detect RTLO In Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Right-to-Left Override | TTP | Spearphishing Attachments | 2026-04-15 |
| Detect Rundll32 Inline HTA Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Mshta | TTP | APT37 Rustonotto and FadeStealer, Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity | 2026-04-15 |
| Disable Show Hidden Files | Sysmon EventID 13 | Modify Registry, Disable or Modify Tools, Hidden Files and Directories | Anomaly | Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse | 2026-05-04 |
| DLLHost with no Command Line Arguments with Network | Sysmon EventID 1, Sysmon EventID 3 | Process Injection | TTP | BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Earth Alux, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation | 2026-04-15 |
| ETW Registry Disabled | Sysmon EventID 13 | Trusted Developer Utilities Proxy Execution, Disable or Modify Tools | TTP | CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2026-05-04 |
| Executables Or Script Creation In Suspicious Path | Sysmon EventID 11 | Masquerading | Anomaly | AcidPour, AgentTesla, Amadey, AsyncRAT, Axios Supply Chain Post Compromise, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Cactus Ransomware, Castle RAT, Chaos Ransomware, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Derusbi, Double Zero Destructor, DynoWiper, Earth Alux, GhostRedirector IIS Module and Rungan Backdoor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, Interlock Ransomware, Interlock Rat, LockBit Ransomware, Lokibot, Meduza Stealer, MoonPeak, NailaoLocker Ransomware, NjRAT, PlugX, PromptLock, Qakbot, Quasar RAT, RedLine Stealer, Remcos, Rhysida Ransomware, Salt Typhoon, SesameOp, Snake Keylogger, SnappyBee, Swift Slicer, SystemBC, Trickbot, VIP Keylogger, ValleyRAT, Void Manticore, Volt Typhoon, Warzone RAT, WhisperGate, WinDealer RAT, XML Runner Loader, XMRig | 2026-04-21 |
| Executables Or Script Creation In Temp Path | Sysmon EventID 11 | Masquerading | Anomaly | APT37 Rustonotto and FadeStealer, AcidPour, AgentTesla, Amadey, AsyncRAT, Axios Supply Chain Post Compromise, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, China-Nexus Threat Activity, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Derusbi, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, Interlock Rat, LockBit Ransomware, Lokibot, Meduza Stealer, MoonPeak, NjRAT, PlugX, PromptFlux, PromptLock, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Salt Typhoon, SesameOp, Snake Keylogger, SnappyBee, Swift Slicer, Trickbot, VIP Keylogger, ValleyRAT, Void Manticore, Volt Typhoon, Warzone RAT, WhisperGate, WinDealer RAT, XML Runner Loader, XMRig | 2026-04-21 |
| Execution of File with Multiple Extensions | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rename Legitimate Utilities | TTP | AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse | 2026-04-15 |
| Fsutil Zeroing File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Indicator Removal | TTP | LockBit Ransomware, Ransomware | 2026-04-15 |
| GitHub Workflow File Creation or Modification | Sysmon EventID 11, Sysmon for Linux EventID 11 | Dynamic Linker Hijacking, Compromise Host Software Binary, Supply Chain Compromise | Hunting | NPM Supply Chain Compromise | 2025-11-25 |
| GPUpdate with no Command Line Arguments with Network | Sysmon EventID 1, Sysmon EventID 3 | Process Injection | TTP | BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Hellcat Ransomware | 2026-04-09 |
| Headless Browser Mockbin or Mocky Request | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Hidden Window | TTP | Forest Blizzard, GhostRedirector IIS Module and Rungan Backdoor | 2026-04-15 |
| Headless Browser Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Virtualization/Sandbox Evasion, Hidden Window | Anomaly | Browser Hijacking, Forest Blizzard | 2026-04-15 |
| Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | Anomaly | AcidRain, Hellcat Ransomware | 2026-04-15 |
| Linux Auditd AI CLI Permission Override Activated | Linux Auditd Proctitle | Execution Guardrails | Anomaly | QuietVault | 2026-04-15 |
| Linux Auditd Base64 Decode Files | Linux Auditd Execve | Deobfuscate/Decode Files or Information | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2026-04-15 |
| Linux Auditd Kernel Module Enumeration | Linux Auditd Syscall | System Information Discovery, Rootkit | Anomaly | Compromised Linux Host, Linux Rootkit, XorDDos | 2026-04-15 |
| Linux Auditd Preload Hijack Library Calls | Linux Auditd Execve | Dynamic Linker Hijacking | TTP | China-Nexus Threat Activity, Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon | 2026-04-15 |
| Linux Auditd Preload Hijack Via Preload File | Linux Auditd Cwd, Linux Auditd Path | Dynamic Linker Hijacking | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, VoidLink Cloud-Native Linux Malware | 2026-04-15 |
| Linux Decode Base64 to Shell | Cisco Isovalent Process Exec, Sysmon for Linux EventID 1 | Obfuscated Files or Information, Unix Shell | TTP | Cisco Isovalent Suspicious Activity, Linux Living Off The Land | 2026-04-15 |
| Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | Anomaly | AcidPour, AcidRain, Data Destruction | 2026-04-15 |
| Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | TTP | AcidPour, AcidRain, Data Destruction | 2026-04-15 |
| Linux Deletion Of Services | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | TTP | AcidPour, AcidRain, AwfulShred, Data Destruction | 2026-04-15 |
| Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | Anomaly | AcidPour, AcidRain | 2026-04-15 |
| Linux High Frequency Of File Deletion In Boot Folder | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | TTP | AcidPour, Data Destruction, Industroyer2 | 2026-04-15 |
| Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | File Deletion, Data Destruction | Anomaly | AcidRain, Data Destruction | 2026-04-15 |
| Linux Indicator Removal Clear Cache | Sysmon for Linux EventID 1 | Indicator Removal | TTP | AwfulShred, Data Destruction | 2026-04-15 |
| Linux Indicator Removal Service File Deletion | Sysmon for Linux EventID 1 | File Deletion | Anomaly | AwfulShred, Data Destruction | 2026-04-15 |
| Linux Kernel Module Enumeration | Sysmon for Linux EventID 1 | System Information Discovery, Rootkit | Anomaly | Linux Rootkit, XorDDos | 2026-04-15 |
| Linux Kworker Process In Writable Process Path | Sysmon for Linux EventID 1 | Masquerade Task or Service | Hunting | Cyclops Blink, Sandworm Tools | 2026-02-25 |
| Linux Medusa Rootkit | Sysmon for Linux EventID 11 | Rootkit, Credentials | TTP | China-Nexus Threat Activity, Hellcat Ransomware, Medusa Rootkit, VoidLink Cloud-Native Linux Malware | 2026-04-15 |
| Linux Obfuscated Files or Information Base64 Decode | Sysmon for Linux EventID 1 | Obfuscated Files or Information | Anomaly | Linux Living Off The Land | 2026-04-15 |
| Linux Preload Hijack Library Calls | Sysmon for Linux EventID 1 | Dynamic Linker Hijacking | TTP | China-Nexus Threat Activity, Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, VoidLink Cloud-Native Linux Malware | 2026-04-15 |
| Loading Of Dynwrapx Module | Sysmon EventID 7 | Dynamic-link Library Injection | TTP | AsyncRAT, Remcos | 2026-04-15 |
| LOLBAS With Network Traffic | Sysmon EventID 3 | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP | APT37 Rustonotto and FadeStealer, Fake CAPTCHA Campaigns, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Living Off The Land, Malicious Inno Setup Loader, NetSupport RMM Tool Abuse, Water Gamayun | 2026-04-15 |
| MacOS Hidden Files and Directories | Osquery Results | Hidden Files and Directories | Anomaly | MacOS Persistence Techniques | 2026-04-15 |
| MacOS Log Removal | Osquery Results | Indicator Removal | TTP | MacOS Post-Exploitation | 2026-04-15 |
| Malicious InProcServer32 Modification | Sysmon EventID 12, Sysmon EventID 13 | Regsvr32, Modify Registry | TTP | Remcos, Suspicious Regsvr32 Activity | 2026-04-15 |
| Malicious PowerShell Process - Encoded Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Obfuscated Files or Information | Hunting | CISA AA22-320A, Crypto Stealer, DarkCrystal RAT, Data Destruction, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, Microsoft SharePoint Vulnerabilities, Microsoft WSUS CVE-2025-59287, NOBELIUM Group, Qakbot, Sandworm Tools, Scattered Spider, SolarWinds WHD RCE Post Exploitation, Volt Typhoon, WhisperGate | 2026-03-25 |
| Mmc LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Distributed Component Object Model, MMC | TTP | Active Directory Lateral Movement, Living Off The Land, Water Gamayun, XML Runner Loader | 2026-04-15 |
| MSBuild Suspicious Spawned By Script Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | MSBuild | TTP | Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild | 2026-05-04 |
| Mshta spawning Rundll32 OR Regsvr32 Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Mshta | TTP | APT37 Rustonotto and FadeStealer, IcedID, Living Off The Land, Trickbot | 2026-04-15 |
| MSI Module Loaded by Non-System Binary | Sysmon EventID 7 | DLL | Hunting | Data Destruction, Hermetic Wiper, Windows Privilege Escalation | 2025-05-02 |
| Msmpeng Application DLL Side Loading | Sysmon EventID 11 | DLL | TTP | Ransomware, Revil Ransomware | 2026-04-15 |
| Notepad with no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | BishopFox Sliver Adversary Emulation Framework | 2026-04-15 |
| Ping Sleep Batch Command | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Time Based Checks | Anomaly | BlackByte Ransomware, Data Destruction, Gh0st RAT, Meduza Stealer, Quasar RAT, Void Manticore, Warzone RAT, WhisperGate | 2026-04-15 |
| Possible Lateral Movement PowerShell Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service | Anomaly | Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Microsoft WSUS CVE-2025-59287, Scheduled Tasks | 2026-04-15 |
| Potential password in username | Linux Secure | Local Accounts, Credentials In Files | Hunting | Credential Dumping, Insider Threat | 2026-02-25 |
| Powershell Creating Thread Mutex | Powershell Script Block Logging 4104 | Indicator Removal from Tools, PowerShell | TTP | Malicious PowerShell, Water Gamayun | 2026-04-15 |
| Powershell Enable SMB1Protocol Feature | Powershell Script Block Logging 4104 | Indicator Removal from Tools | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware | 2026-04-15 |
| Powershell Fileless Process Injection via GetProcAddress | Powershell Script Block Logging 4104 | Process Injection, PowerShell | TTP | Data Destruction, Hellcat Ransomware, Hermetic Wiper, Malicious PowerShell | 2026-04-15 |
| Powershell Fileless Script Contains Base64 Encoded Content | Powershell Script Block Logging 4104 | Obfuscated Files or Information, PowerShell | TTP | 0bj3ctivity Stealer, APT37 Rustonotto and FadeStealer, AsyncRAT, Axios Supply Chain Post Compromise, Data Destruction, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware, Hermetic Wiper, IcedID, Malicious PowerShell, Medusa Ransomware, Microsoft WSUS CVE-2025-59287, MuddyWater, NetSupport RMM Tool Abuse, NjRAT, VIP Keylogger, Winter Vivern, XWorm | 2026-04-21 |
| PowerShell PInvoke Process Injection API Chain | Powershell Script Block Logging 4104 | Dynamic-link Library Injection, Thread Execution Hijacking | | | |
Asynchronous Procedure Call
Process Hollowing
Process Doppelgänging
PowerShell
Reflective Code Loading
|
TTP
|
VIP Keylogger
|
2026-04-22
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
Trickbot
|
2026-04-15
|
|
PowerShell Start-BitsTransfer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Gozi Malware
|
2026-04-15
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
PowerShell
Ingress Tool Transfer
Fileless Storage
|
TTP
|
Malicious PowerShell, Medusa Ransomware, MoonPeak, PHP-CGI RCE Attack on Japanese Organizations
|
2026-04-15
|
|
Process Deleting Its Process File Path
|
Sysmon EventID 1
|
Indicator Removal
|
TTP
|
Clop Ransomware, Data Destruction, Remcos, WhisperGate
|
2026-04-15
|
|
Recursive Delete of Directory In Batch CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File Deletion
|
TTP
|
APT37 Rustonotto and FadeStealer, Ransomware
|
2026-04-15
|
|
Reg exe Manipulating Windows Services Registry Keys
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Services Registry Permissions Weakness
|
TTP
|
Living Off The Land, Windows Persistence Techniques, Windows Service Abuse
|
2026-04-15
|
|
Regsvr32 Silent and Install Param Dll Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
|
Anomaly
|
AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity
|
2026-04-15
|
|
Regsvr32 with Known Silent Switch Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
|
Anomaly
|
AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity
|
2026-04-15
|
|
Runas Execution in CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Token Impersonation/Theft
|
Hunting
|
Data Destruction, Hermetic Wiper, Quasar RAT, Windows Privilege Escalation
|
2025-12-15
|
|
Rundll32 Control RunDLL Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
Hunting
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity
|
2026-02-25
|
|
Rundll32 Control RunDLL World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity
|
2026-04-15
|
|
Rundll32 Create Remote Thread To A Process
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Living Off The Land
|
2026-04-15
|
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Living Off The Land
|
2026-04-15
|
|
Rundll32 LockWorkStation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
Anomaly
|
Ransomware
|
2026-04-15
|
|
Rundll32 Process Creating Exe Dll Files
|
Sysmon EventID 11
|
Rundll32
|
TTP
|
Gh0st RAT, IcedID, Living Off The Land
|
2026-04-15
|
|
Rundll32 with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Rundll32
|
TTP
|
BlackByte Ransomware, BlackSuit Ransomware, Cactus Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2026-04-15
|
|
RunDLL Loading DLL By Ordinal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity, Unusual Processes
|
2026-04-15
|
|
Sdelete Application Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File Deletion
Data Destruction
|
TTP
|
Masquerading - Rename System Utilities, Scattered Spider, Void Manticore
|
2026-04-15
|
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Hellcat Ransomware
|
2026-04-09
|
|
Shai-Hulud Workflow File Creation or Modification
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
Dynamic Linker Hijacking
Compromise Host Software Binary
Supply Chain Compromise
|
TTP
|
NPM Supply Chain Compromise
|
2026-04-15
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
Local Accounts
Local Account
|
TTP
|
Active Directory Lateral Movement, GhostRedirector IIS Module and Rungan Backdoor
|
2026-04-15
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, Compromised Windows Host, Scattered Lapsus$ Hunters, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-04-15
|
|
Suspicious Copy on System32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename Legitimate Utilities
|
Anomaly
|
AsyncRAT, Compromised Windows Host, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon, Water Gamayun
|
2026-04-15
|
|
Suspicious DLLHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2026-04-15
|
|
Suspicious GPUpdate no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware
|
2026-04-15
|
|
Suspicious IcedID Rundll32 Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2026-04-15
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
Domain Accounts
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-04-15
|
|
Suspicious microsoft workflow compiler rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename Legitimate Utilities
Trusted Developer Utilities Proxy Execution
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution
|
2026-05-04
|
|
Suspicious microsoft workflow compiler usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Trusted Developer Utilities Proxy Execution
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution
|
2026-05-04
|
|
Suspicious msbuild path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename Legitimate Utilities
MSBuild
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-05-04
|
|
Suspicious MSBuild Rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename Legitimate Utilities
MSBuild
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-05-04
|
|
Suspicious MSBuild Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
MSBuild
|
TTP
|
Living Off The Land, Storm-2460 CLFS Zero Day Exploitation, Trusted Developer Utilities Proxy Execution MSBuild
|
2026-05-04
|
|
Suspicious mshta child process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
TTP
|
Living Off The Land, Lumma Stealer, MuddyWater, Suspicious MSHTA Activity
|
2026-04-15
|
|
Suspicious mshta spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mshta
|
TTP
|
APT37 Rustonotto and FadeStealer, Living Off The Land, Suspicious MSHTA Activity
|
2026-04-15
|
|
Suspicious Process Executed From Container File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Malicious File
Masquerade File Type
|
TTP
|
APT37 Rustonotto and FadeStealer, Amadey, GhostRedirector IIS Module and Rungan Backdoor, Remcos, Snake Keylogger, Unusual Processes, Water Gamayun
|
2026-04-15
|
|
Suspicious Regsvr32 Register Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
|
TTP
|
China-Nexus Threat Activity, Derusbi, IcedID, Living Off The Land, Qakbot, Salt Typhoon, Suspicious Regsvr32 Activity
|
2026-04-15
|
|
Suspicious Rundll32 dllregisterserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity
|
2026-04-15
|
|
Suspicious Rundll32 no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2026-04-15
|
|
Suspicious Rundll32 PluginInit
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
IcedID
|
2026-04-15
|
|
Suspicious Rundll32 StartW
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware, Suspicious Rundll32 Activity, Trickbot
|
2026-04-15
|
|
Suspicious SearchProtocolHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cactus Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Hellcat Ransomware
|
2026-04-15
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
Domain Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2026-02-25
|
|
Suspicious writes to windows Recycle Bin
|
Sysmon EventID 1, Sysmon EventID 11
|
Masquerading
|
TTP
|
Collection and Staging, PlugX
|
2026-04-09
|
|
System Processes Run From Unexpected Locations
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename Legitimate Utilities
|
Anomaly
|
DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2026-04-15
|
|
Trickbot Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Process Injection
|
TTP
|
Hellcat Ransomware, Trickbot
|
2026-04-15
|
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
MMC
Bypass User Account Control
|
TTP
|
Windows Defense Evasion Tactics
|
2026-04-15
|
|
UAC Bypass With Colorui COM Object
|
Sysmon EventID 7
|
CMSTP
|
TTP
|
LockBit Ransomware, Ransomware
|
2026-04-15
|
|
Uninstall App Using MsiExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Ransomware
|
2026-04-15
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Valid Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation, Scattered Lapsus$ Hunters
|
2026-02-25
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
Valid Accounts
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-02-25
|
|
USN Journal Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
TTP
|
Ransomware, Windows Log Manipulation
|
2026-04-15
|
|
Verclsid CLSID Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Verclsid
|
Hunting
|
Unusual Processes
|
2025-12-15
|
|
Wbemprox COM Object Execution
|
Sysmon EventID 7
|
CMSTP
|
TTP
|
LockBit Ransomware, Ransomware, Revil Ransomware
|
2026-04-15
|
|
Wermgr Process Create Executable File
|
Sysmon EventID 11
|
Obfuscated Files or Information
|
TTP
|
Trickbot
|
2026-04-15
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
Create Process with Token
|
Anomaly
|
AsyncRAT, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, DarkGate Malware, Derusbi, Gh0st RAT, GhostRedirector IIS Module and Rungan Backdoor, Lokibot, Meduza Stealer, PathWiper, PlugX, Salt Typhoon, Scattered Lapsus$ Hunters, SnappyBee, Tuoni, ValleyRAT, WinDealer RAT
|
2026-04-15
|
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
Token Impersonation/Theft
|
Hunting
|
Brute Ratel C4
|
2025-05-02
|
|
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
|
Sysmon EventID 10
|
Token Impersonation/Theft
|
Anomaly
|
Brute Ratel C4, PathWiper
|
2026-04-15
|
|
Windows AD Cross Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2026-04-15
|
|
Windows AD Privileged Account SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks
|
2026-04-07
|
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
|
TTP
|
Compromised Windows Host, Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques
|
2026-04-15
|
|
Windows AD SID History Attribute Modified
|
Windows Event Log Security 5136
|
SID-History Injection
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-04-15
|
|
Windows Advanced Installer MSIX with AI_STUBS Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mark-of-the-Web Bypass
Malicious File
|
TTP
|
MSIX Package Abuse
|
2026-04-15
|
|
Windows Alternate DataStream - Base64 Content
|
Sysmon EventID 15
|
NTFS File Attributes
|
TTP
|
APT37 Rustonotto and FadeStealer, Windows Defense Evasion Tactics
|
2026-04-15
|
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
NTFS File Attributes
|
TTP
|
Windows Defense Evasion Tactics
|
2026-04-15
|
|
Windows Alternate DataStream - Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
NTFS File Attributes
|
TTP
|
Compromised Windows Host, Windows Defense Evasion Tactics
|
2026-04-15
|
|
Windows Application Whitelisting Bypass Attempt via Rundll32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rundll32
|
TTP
|
Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity
|
2026-04-15
|
|
Windows AppLocker Block Events
|
|
System Binary Proxy Execution
|
Anomaly
|
Windows AppLocker
|
2026-04-15
|
|
Windows AppLocker Execution from Uncommon Locations
|
|
System Binary Proxy Execution
|
Hunting
|
Windows AppLocker
|
2026-02-25
|
|
Windows AppLocker Privilege Escalation via Unauthorized Bypass
|
|
System Binary Proxy Execution
|
TTP
|
Windows AppLocker
|
2026-04-15
|
|
Windows AppLocker Rare Application Launch Detection
|
|
System Binary Proxy Execution
|
Hunting
|
Windows AppLocker
|
2026-02-25
|
|
Windows Azure PowerShell Module Installation Via PowerShell Script
|
Powershell Script Block Logging 4104
|
Valid Accounts
Cloud Services
Cloud Account
Account Manipulation
Cloud Groups
|
Anomaly
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-04-13
|
|
Windows Binary Proxy Execution Mavinject DLL Injection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mavinject
|
TTP
|
Living Off The Land
|
2026-04-15
|
|
Windows BitDefender Submission Wizard DLL Sideloading
|
Sysmon EventID 7
|
Hijack Execution Flow
|
TTP
|
Lotus Blossom Chrysalis Backdoor
|
2026-04-15
|
|
Windows BitLockerToGo Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
Hunting
|
Lumma Stealer
|
2026-02-25
|
|
Windows BitLockerToGo with Network Activity
|
Sysmon EventID 22
|
System Binary Proxy Execution
|
Hunting
|
Hellcat Ransomware, Lumma Stealer
|
2026-02-25
|
|
Windows Bluetooth Service Installed From Uncommon Location
|
Windows Event Log System 7045
|
Windows Service
Masquerading
|
Anomaly
|
Lotus Blossom Chrysalis Backdoor
|
2026-04-15
|
|
Windows BootLoader Inventory
|
|
System Firmware
|
Hunting
|
BlackLotus Campaign, Windows BootKits
|
2026-02-25
|
|
Windows Chromium Browser Launched with Small Window Size
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Virtualization/Sandbox Evasion
|
TTP
|
Browser Hijacking
|
2026-04-15
|
|
Windows Chromium Browser No Security Sandbox Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Virtualization/Sandbox Evasion
|
TTP
|
Malicious Inno Setup Loader
|
2026-04-15
|
|
Windows Chromium Browser with Custom User Data Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Virtualization/Sandbox Evasion
|
Anomaly
|
Lokibot, Malicious Inno Setup Loader, StealC Stealer
|
2026-04-15
|
|
Windows Chromium process Launched with Disable Popup Blocking
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Virtualization/Sandbox Evasion
|
Anomaly
|
Browser Hijacking
|
2026-04-15
|
|
Windows Chromium Process Launched with Logging Disabled
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Virtualization/Sandbox Evasion
|
Anomaly
|
Browser Hijacking
|
2026-04-15
|
|
Windows Chromium Process with Disabled Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Virtualization/Sandbox Evasion
|
Anomaly
|
Browser Hijacking
|
2026-04-15
|
|
Windows Command Obfuscation with Environment Variable Substrings
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command Obfuscation
|
Anomaly
|
Malicious PowerShell
|
2026-04-13
|
|
Windows ConHost with Headless Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hidden Window
Run Virtual Instance
|
TTP
|
Compromised Windows Host, Spearphishing Attachments
|
2026-04-15
|
|
Windows ConsoleHost History File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
Clear Command History
|
Anomaly
|
Medusa Ransomware
|
2026-04-15
|
|
Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
|
Powershell Script Block Logging 4104
|
Domain Trust Discovery
Valid Accounts
Exploitation for Credential Access
Web Protocols
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2026-04-13
|
|
Windows Debugger Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
|
Hunting
|
DarkGate Malware, PlugX
|
2026-02-25
|
|
Windows Default Rdp File Deletion
|
Sysmon EventID 23, Sysmon EventID 26
|
File Deletion
|
Anomaly
|
Windows RDP Artifacts and Defense Evasion
|
2026-04-15
|
|
Windows Diskshadow Proxy Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2026-04-15
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
DLL
|
Hunting
|
Living Off The Land, Malicious Inno Setup Loader, Qakbot, Windows Defense Evasion Tactics
|
2025-05-26
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL
|
TTP
|
Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics
|
2026-04-15
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
DLL
|
TTP
|
Earth Alux, Qakbot
|
2026-04-07
|
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL
|
Anomaly
|
Earth Alux, Qakbot
|
2026-04-15
|
|
Windows DotNet Binary in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename Legitimate Utilities
InstallUtil
|
TTP
|
Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2026-04-15
|
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
Rootkit
Exploitation for Privilege Escalation
|
TTP
|
AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers
|
2026-04-15
|
|
Windows Drivers Loaded by Signature
|
Sysmon EventID 6
|
Rootkit
Exploitation for Privilege Escalation
|
Hunting
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers
|
2026-02-25
|
|
Windows EFI Bootloader File Modification
|
Sysmon EventID 11
|
Bootkit
|
TTP
|
Windows BootKits
|
2026-04-13
|
|
Windows EFI Volume Mount Attempt Via Mountvol
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Malicious File
Pre-OS Boot
Safe Mode Boot
|
Anomaly
|
Compromised Windows Host
|
2026-04-13
|
|
Windows Entra User Management Via Azure CLI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create Account
Cloud Accounts
Account Manipulation
|
Anomaly
|
Azure Active Directory Persistence
|
2026-04-13
|
|
Windows Executable Masquerading as Benign File Types
|
Sysmon EventID 29
|
Masquerade File Type
|
Anomaly
|
NetSupport RMM Tool Abuse
|
2026-04-15
|
|
Windows Execute Arbitrary Commands with MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
TTP
|
Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
|
2026-04-15
|
|
Windows Execution of Microsoft MSC File In Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
MMC
|
Anomaly
|
XML Runner Loader
|
2026-04-15
|
|
Windows Get-Variable.EXE Execution from WindowsApps Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Path Interception by Search Order Hijacking
|
Anomaly
|
Windows Persistence Techniques
|
2026-04-13
|
|
Windows GrimResource - MMC Process Accessing APDS DLL
|
Windows Event Log Security 4663
|
JavaScript
MMC
|
TTP
|
Compromised Windows Host
|
2026-04-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
Domain Accounts
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2026-04-15
|
|
Windows Guest Account Enabled Via Net.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Default Accounts
|
Anomaly
|
Windows Persistence Techniques
|
2026-04-13
|
|
Windows Handle Duplication in Known UAC-Bypass Binaries
|
Sysmon EventID 10
|
Token Impersonation/Theft
|
Anomaly
|
Castle RAT
|
2026-04-15
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
DLL
|
Anomaly
|
Brute Ratel C4, Malicious Inno Setup Loader, SolarWinds WHD RCE Post Exploitation, XWorm
|
2026-04-15
|
|
Windows HTTP Network Communication From MSIExec
|
Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Sysmon EventID 3
|
Msiexec
|
Anomaly
|
APT37 Rustonotto and FadeStealer, Cisco Network Visibility Module Analytics, GhostRedirector IIS Module and Rungan Backdoor, SolarWinds WHD RCE Post Exploitation, Water Gamayun, Windows System Binary Proxy Execution MSIExec
|
2026-04-09
|
|
Windows Indicator Removal Via Rmdir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
Anomaly
|
APT37 Rustonotto and FadeStealer, DarkGate Malware, ZOVWiper
|
2026-04-15
|
|
Windows Indirect Command Execution Via forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Indirect Command Execution
|
TTP
|
Living Off The Land, Windows Post-Exploitation
|
2026-04-15
|
|
Windows Indirect Command Execution Via pcalua
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Indirect Command Execution
|
TTP
|
Living Off The Land
|
2026-04-15
|
|
Windows Indirect Command Execution Via Series Of Forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indirect Command Execution
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2026-04-15
|
|
Windows InstallUtil Credential Theft
|
Sysmon EventID 7
|
InstallUtil
|
TTP
|
Signed Binary Proxy Execution InstallUtil
|
2026-04-15
|
|
Windows InstallUtil in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename Legitimate Utilities
InstallUtil
|
TTP
|
Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2026-04-15
|
|
Windows InstallUtil Remote Network Connection
|
Cisco Network Visibility Module Flow Data, Sysmon EventID 1, Sysmon EventID 3
|
InstallUtil
|
Anomaly
|
Cisco Network Visibility Module Analytics, Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2026-04-15
|
|
Windows InstallUtil Uninstall Option
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
InstallUtil
|
TTP
|
Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2026-04-15
|
|
Windows InstallUtil URL in Command Line
|
Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
InstallUtil
|
TTP
|
Cisco Network Visibility Module Analytics, Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2026-04-15
|
|
Windows IOBit Unlocker Extension DLL Registration via Regsvr32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
|
TTP
|
Compromised Windows Host
|
2026-04-13
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 11
|
DLL
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2026-04-15
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
DLL
|
TTP
|
Living Off The Land, SolarWinds WHD RCE Post Exploitation, Windows Defense Evasion Tactics
|
2026-04-15
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
DLL
|
Anomaly
|
CISA AA23-347A, Hellcat Ransomware, Water Gamayun
|
2026-04-15
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Network Share Discovery
Valid Accounts
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2026-04-15
|
|
Windows List ENV Variables Via SET Command From Uncommon Parent
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
Anomaly
|
Qakbot
|
2026-04-15
|
|
Windows LOLBAS Executed As Renamed File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename Legitimate Utilities
Rundll32
|
TTP
|
Living Off The Land, Masquerading - Rename System Utilities, Water Gamayun, Windows Defense Evasion Tactics
|
2026-04-15
|
|
Windows LOLBAS Executed Outside Expected Path
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Match Legitimate Resource Name or Location
Rundll32
|
Anomaly
|
Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics | 2026-04-15
Windows Masquerading Explorer As Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL | TTP | Compromised Windows Host, Qakbot, Water Gamayun | 2026-04-13
Windows Masquerading Msdtc Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Masquerading | TTP | Compromised Windows Host, PlugX | 2026-04-15
Windows MMC Loaded Script Engine DLL | Sysmon EventID 7 | Reflective Code Loading | Anomaly | XML Runner Loader | 2026-04-15
Windows Mock Trusted Directory MSC File Creation | Sysmon EventID 11 | MMC, Bypass User Account Control, Hijack Execution Flow | TTP | Windows Persistence Techniques, Windows Privilege Escalation | 2026-04-13
Windows MSC EvilTwin Directory Path Manipulation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Match Legitimate Resource Name or Location, Exploitation for Client Execution | TTP | Living Off The Land, Water Gamayun, Windows Defense Evasion Tactics | 2026-04-15
Windows Mshta Execution In Registry | Sysmon EventID 13 | Mshta | TTP | Suspicious Windows Registry Activities, Windows Persistence Techniques | 2026-04-15
Windows MSHTA Writing to World Writable Path | Sysmon EventID 11 | Mshta | TTP | APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity, XWorm | 2026-04-15
Windows MSI Rollback Script Deleted By Non-Msiexec Process | Sysmon EventID 23 | Msiexec, Exploitation for Privilege Escalation | TTP | Windows Privilege Escalation | 2026-04-13
Windows MSIExec DLLRegisterServer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | TTP | Water Gamayun, Windows System Binary Proxy Execution MSIExec | 2026-04-15
Windows MsiExec HideWindow Rundll32 Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | TTP | Qakbot, Water Gamayun | 2026-04-15
Windows MSIExec Remote Download | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | Anomaly | Cisco Network Visibility Module Analytics, SolarWinds WHD RCE Post Exploitation, StealC Stealer, Water Gamayun, Windows System Binary Proxy Execution MSIExec | 2026-04-15
Windows MSIExec Spawn Discovery Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | Anomaly | Medusa Ransomware, StealC Stealer, Water Gamayun, Windows System Binary Proxy Execution MSIExec | 2026-04-15
Windows MSIExec Spawn WinDBG | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | TTP | Compromised Windows Host, DarkGate Malware | 2026-04-15
Windows MSIExec Unregister DLLRegisterServer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Msiexec | TTP | Windows System Binary Proxy Execution MSIExec | 2026-04-15
Windows Multiple Account Passwords Changed | Windows Event Log Security 4724 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2026-04-15
Windows Multiple Accounts Deleted | Windows Event Log Security 4726 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2026-04-15
Windows Multiple Accounts Disabled | Windows Event Log Security 4725 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2026-04-15
Windows Mustang Panda USB Tool Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL, Malicious File, Automated Exfiltration | TTP | Compromised Windows Host | 2026-04-13
Windows NetSupport RMM DLL Loaded By Uncommon Process | Sysmon EventID 7 | Masquerading | Anomaly | NetSupport RMM Tool Abuse | 2026-04-15
Windows New Deny Permission Set On Service SD Via Sc.EXE | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Hide Artifacts | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering | 2026-04-15
Windows New Service Security Descriptor Set Via Sc.EXE | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Hide Artifacts | Anomaly | Defense Evasion or Unauthorized Access Via SDDL Tampering | 2026-04-15
Windows Njrat Fileless Storage via Registry | Sysmon EventID 13 | Fileless Storage | TTP | NjRAT | 2026-04-15
Windows Obfuscated Files or Information via RAR SFX | Sysmon EventID 11 | Encrypted/Encoded File | Anomaly | APT37 Rustonotto and FadeStealer, Crypto Stealer, GhostRedirector IIS Module and Rungan Backdoor | 2026-04-15
Windows Odbcconf Hunting | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Odbcconf | Hunting | Living Off The Land | 2026-02-25
Windows Odbcconf Load DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Odbcconf | TTP | Living Off The Land | 2026-04-15
Windows Odbcconf Load Response File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Odbcconf | TTP | Living Off The Land | 2026-04-15
Windows Parent PID Spoofing with Explorer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Parent PID Spoofing | TTP | Compromised Windows Host, Windows Defense Evasion Tactics | 2026-04-15
Windows Potential AppDomainManager Hijack Artifacts Creation | Sysmon EventID 11 | AppDomainManager | Anomaly | SesameOp | 2026-04-15
Windows Powershell History File Deletion | Powershell Script Block Logging 4104 | Windows Command Shell, Clear Command History | Anomaly | Medusa Ransomware | 2026-04-15
Windows PowerShell Module File Created | Sysmon EventID 11 | Shared Modules, PowerShell, Hijack Execution Flow | Anomaly | Malicious PowerShell, Windows Persistence Techniques | 2026-04-13
Windows PowerShell Process Implementing Manual Base64 Decoder | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command Obfuscation, PowerShell | Anomaly | Compromised Windows Host, Deobfuscate-Decode Files or Information | 2026-04-15
Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | Domain Accounts, Permission Groups Discovery | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware | 2026-04-15
Windows Privilege Escalation Suspicious Process Elevation | Sysmon EventID 1 | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP | BlackSuit Ransomware, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation | 2026-04-15
Windows Privilege Escalation System Process Without System Parent | Sysmon EventID 1 | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP | BlackSuit Ransomware, Windows Privilege Escalation | 2026-04-15
Windows Privilege Escalation User Process Spawn System Process | Sysmon EventID 1 | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP | BlackSuit Ransomware, Compromised Windows Host, GhostRedirector IIS Module and Rungan Backdoor, Windows Privilege Escalation | 2026-04-15
Windows Process Execution From ProgramData | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Match Legitimate Resource Name or Location | Hunting | APT37 Rustonotto and FadeStealer, Axios Supply Chain Post Compromise, China-Nexus Threat Activity, GhostRedirector IIS Module and Rungan Backdoor, Salt Typhoon, SnappyBee, SolarWinds WHD RCE Post Exploitation, StealC Stealer, XWorm | 2026-03-31
Windows Process Execution in Temp Dir | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Create or Modify System Process, Match Legitimate Resource Name or Location | Anomaly | AgentTesla, Axios Supply Chain Post Compromise, Gh0st RAT, Lokibot, NjRAT, PathWiper, PromptLock, Qakbot, Ransomware, Remcos, Ryuk Ransomware, SesameOp, Trickbot, XWorm | 2026-04-16
Windows Process Injection In Non-Service SearchIndexer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Qakbot | 2026-04-15
Windows Process Injection into Commonly Abused Processes | Sysmon EventID 10 | Portable Executable Injection | Anomaly | APT37 Rustonotto and FadeStealer, BishopFox Sliver Adversary Emulation Framework, Earth Alux, SAP NetWeaver Exploitation | 2026-04-15
Windows Process Injection into Notepad | Sysmon EventID 10 | Portable Executable Injection | Anomaly | APT37 Rustonotto and FadeStealer, BishopFox Sliver Adversary Emulation Framework, Earth Alux | 2026-04-15
Windows Process Injection Of Wermgr to Known Browser | Sysmon EventID 8 | Dynamic-link Library Injection | TTP | Qakbot | 2026-04-15
Windows Process Injection Remote Thread | Sysmon EventID 8 | Portable Executable Injection | TTP | Earth Alux, Graceful Wipe Out Attack, Qakbot, Warzone RAT, Water Gamayun | 2026-04-15
Windows Process Injection Wermgr Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | Anomaly | Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability | 2026-04-15
Windows Process Injection With Public Source Path | Sysmon EventID 8 | Portable Executable Injection | Hunting | Brute Ratel C4, Earth Alux | 2025-05-02
Windows Process With NamedPipe CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | Anomaly | Windows Defense Evasion Tactics | 2026-04-15
Windows Process Writing File to World Writable Path | Sysmon EventID 11 | Mshta | Hunting | APT29 Diplomatic Deceptions with WINELOADER, PHP-CGI RCE Attack on Japanese Organizations, PathWiper | 2025-10-21
Windows Proxy Execution of .NET Utilities via Scripts | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution | Anomaly | VIP Keylogger | 2026-04-16
Windows PUA Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | Inter-Process Communication, SMB/Windows Admin Shares, Process Injection | Anomaly | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, Cactus Ransomware, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Medusa Ransomware, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Seashell Blizzard, VanHelsing Ransomware, Volt Typhoon | 2026-04-15
Windows Rasautou DLL Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Dynamic-link Library Injection, System Binary Proxy Execution | TTP | Compromised Windows Host, Hellcat Ransomware, Windows Defense Evasion Tactics | 2026-04-15
Windows Rdp AutomaticDestinations Deletion | Sysmon EventID 23, Sysmon EventID 26 | File Deletion | Anomaly | Windows RDP Artifacts and Defense Evasion | 2026-04-15
Windows RDP Cache File Deletion | Sysmon EventID 23, Sysmon EventID 26 | File Deletion | Anomaly | Windows RDP Artifacts and Defense Evasion | 2026-04-15
Windows RDP Server Registry Deletion | Sysmon EventID 12, Sysmon EventID 13 | File Deletion | Anomaly | Windows RDP Artifacts and Defense Evasion | 2026-04-15
Windows Registry BootExecute Modification | Sysmon EventID 13 | Pre-OS Boot, Registry Run Keys / Startup Folder | TTP | Windows BootKits | 2026-04-15
Windows Registry Payload Injection | Sysmon EventID 13 | Fileless Storage | TTP | Unusual Processes | 2026-04-15
Windows Regsvr32 Renamed Binary | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Regsvr32 | TTP | Compromised Windows Host, Qakbot | 2026-04-15
Windows Remote Assistance Spawning Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Compromised Windows Host, Unusual Processes | 2026-04-15
Windows Renamed Powershell Execution | Sysmon EventID 1 | Rename Legitimate Utilities | TTP | Axios Supply Chain Post Compromise, Hellcat Ransomware, XWorm | 2026-04-16
Windows RMM Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | Inter-Process Communication, SMB/Windows Admin Shares, Process Injection | Anomaly | CISA AA24-241A, Cactus Ransomware, Command And Control, GhostRedirector IIS Module and Rungan Backdoor, Gozi Malware, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Seashell Blizzard | 2026-04-15
Windows Rundll32 Apply User Settings Changes | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rundll32 | Anomaly | Rhysida Ransomware | 2026-04-15
Windows Rundll32 Execution With Log.DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Hijack Execution Flow | Anomaly | Lotus Blossom Chrysalis Backdoor | 2026-04-15
Windows Rundll32 Load DLL in Temp Dir | Sysmon EventID 1 | Rundll32 | Anomaly | Interlock Rat | 2026-04-15
Windows Rundll32 with Non-Standard File Extension | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rundll32 | Anomaly | Gh0st RAT, Living Off The Land, Suspicious Rundll32 Activity | 2026-04-15
Windows RunMRU Command Execution | Sysmon EventID 13 | Indirect Command Execution | Anomaly | Fake CAPTCHA Campaigns, Lumma Stealer | 2026-04-15
Windows Service Creation Using Registry Entry | Sysmon EventID 13 | Services Registry Permissions Weakness | Anomaly | Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, China-Nexus Threat Activity, Crypto Stealer, Derusbi, Gh0st RAT, PlugX, Salt Typhoon, SnappyBee, SolarWinds WHD RCE Post Exploitation, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse | 2026-04-15
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Hijack Execution Flow | Anomaly | Windows Persistence Techniques | 2026-04-13
Windows Snake Malware File Modification Crmlog | Sysmon EventID 11 | Obfuscated Files or Information | TTP | Snake Malware | 2026-04-15
Windows SoftEther VPN Masquerading as Legitimate Binary | Sysmon EventID 1 | Masquerading, Protocol Tunneling | TTP | Flax Typhoon, Linux Persistence Techniques, Linux Privilege Escalation | 2026-04-13
Windows SqlWriter SQLDumper DLL Sideload | Sysmon EventID 7 | DLL | TTP | APT29 Diplomatic Deceptions with WINELOADER | 2026-04-15
Windows Suspicious C2 Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | Inter-Process Communication, SMB/Windows Admin Shares, Process Injection | TTP | APT37 Rustonotto and FadeStealer, BlackByte Ransomware, Brute Ratel C4, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, Hellcat Ransomware, LockBit Ransomware, Meterpreter, Remote Monitoring and Management Software, Storm-0501 Ransomware, Trickbot, Tuoni | 2026-04-15
Windows Suspicious File in EFI Volume | Sysmon EventID 11 | System Firmware, Inhibit System Recovery | TTP | BlackLotus Campaign, Sandworm Tools, Windows BootKits | 2026-04-13
Windows Suspicious Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | Inter-Process Communication, SMB/Windows Admin Shares, Process Injection | TTP | APT37 Rustonotto and FadeStealer, BlackByte Ransomware, Brute Ratel C4, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, Hellcat Ransomware, LockBit Ransomware, Meterpreter, Remote Monitoring and Management Software, Trickbot, Tuoni | 2026-04-15
Windows Suspicious Process File Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP | AgentTesla, Amadey, AsyncRAT, Axios Supply Chain Post Compromise, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Castle RAT, Chaos Ransomware, China-Nexus Threat Activity, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Earth Alux, GhostRedirector IIS Module and Rungan Backdoor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, Interlock Ransomware, Interlock Rat, LockBit Ransomware, Lokibot, Malicious Inno Setup Loader, Meduza Stealer, MoonPeak, NailaoLocker Ransomware, Phemedrone Stealer, PlugX, Prestige Ransomware, PromptLock, Qakbot, Quasar RAT, RedLine Stealer, Remcos, Rhysida Ransomware, Salt Typhoon, SesameOp, SnappyBee, StealC Stealer, Swift Slicer, SystemBC, Trickbot, VIP Keylogger, ValleyRAT, Void Manticore, Volt Typhoon, Warzone RAT, Water Gamayun, WhisperGate, XMRig, XWorm | 2026-04-21
Windows Suspicious QEMU Execution | Sysmon EventID 1 | Malicious File, Data Obfuscation, Masquerading, Run Virtual Instance | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Post-Exploitation, Linux Privilege Escalation, Linux Rootkit, VoidLink Cloud-Native Linux Malware | 2026-04-13
Windows Svchost.exe Parent Process Anomaly | Sysmon EventID 1, Windows Event Log Security 4688 | Break Process Trees | Anomaly | China-Nexus Threat Activity, SnappyBee | 2026-04-15
Windows SymbolicLink-Testing-Tools Utility Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File and Directory Permissions Modification, NTFS File Attributes | TTP | Windows Persistence Techniques, Windows Post-Exploitation, Windows Privilege Escalation | 2026-04-13
Windows System Binary Proxy Execution Compiled HTML File Decompile | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compiled HTML File | TTP | APT37 Rustonotto and FadeStealer, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity | 2026-04-15
Windows System Script Proxy Execution Syncappvpublishingserver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Script Proxy Execution, System Binary Proxy Execution | TTP | Living Off The Land | 2026-04-15
Windows Time Based Evasion | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Time Based Checks | TTP | BlankGrabber Stealer, NjRAT | 2026-04-15
Windows Time Based Evasion via Choice Exec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Time Based Checks | Anomaly | 0bj3ctivity Stealer, Snake Keylogger, VIP Keylogger | 2026-04-21
Windows TinyCC Shellcode Execution | Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell, Obfuscated Files or Information, Masquerading | TTP | Lotus Blossom Chrysalis Backdoor | 2026-04-15
Windows Unsigned DLL Side-Loading | Sysmon EventID 7 | DLL | Anomaly | China-Nexus Threat Activity, Derusbi, Earth Alux, NjRAT, Salt Typhoon, SolarWinds WHD RCE Post Exploitation, Warzone RAT | 2026-04-15
Windows Unsigned DLL Side-Loading In Same Process Path | Sysmon EventID 7 | DLL | TTP | China-Nexus Threat Activity, DarkGate Malware, Derusbi, Lokibot, Malicious Inno Setup Loader, NailaoLocker Ransomware, PlugX, Salt Typhoon, SnappyBee, SolarWinds WHD RCE Post Exploitation, XWorm | 2026-04-15
Windows Unsigned MS DLL Side-Loading | Sysmon EventID 7 | DLL, Boot or Logon Autostart Execution | Anomaly | APT29 Diplomatic Deceptions with WINELOADER, China-Nexus Threat Activity, Derusbi, Earth Alux, Salt Typhoon, XWorm | 2026-04-15
Windows Unusual Process Load Mozilla NSS-Mozglue Module | Sysmon EventID 7 | CMSTP | Anomaly | 0bj3ctivity Stealer, Lokibot, Quasar RAT, StealC Stealer, VIP Keylogger | 2026-04-21
Windows Unusual SysWOW64 Process Run System32 Executable | Sysmon EventID 1, Windows Event Log Security 4688 | Break Process Trees | Anomaly | China-Nexus Threat Activity, DarkGate Malware, Salt Typhoon | 2026-04-15
Windows WinLogon with Public Network Connection | Sysmon EventID 1, Sysmon EventID 3 | Bootkit | Hunting | BlackLotus Campaign | 2026-02-25
Winhlp32 Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Compromised Windows Host, Remcos | 2026-04-15
WMIC XSL Execution via URL | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | XSL Script Processing | TTP | Cisco Network Visibility Module Analytics, Compromised Windows Host, Suspicious WMI Use | 2026-04-15
Wscript Or Cscript Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection, Parent PID Spoofing, Create or Modify System Process | Anomaly | 0bj3ctivity Stealer, Axios Supply Chain Post Compromise, Data Destruction, FIN7, MuddyWater, NjRAT, Remcos, ShrinkLocker, Unusual Processes, VIP Keylogger, WhisperGate, XWorm | 2026-04-21
XSL Script Execution With WMIC | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | XSL Script Processing | TTP | FIN7, Suspicious WMI Use | 2026-04-15
Cisco IOS Suspicious Privileged Account Creation | Cisco IOS Logs | Create Account, Valid Accounts | Anomaly | Cisco Smart Install Remote Code Execution CVE-2018-0171 | 2026-04-15
Cisco Privileged Account Creation with HTTP Command Execution | | SSH, Create Account, Valid Accounts | Correlation | Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon | 2026-04-15
Cisco Privileged Account Creation with Suspicious SSH Activity | | SSH, Create Account, Valid Accounts | Correlation | Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon | 2026-04-15
Cisco Secure Firewall - Communication Over Suspicious Ports | Cisco Secure Firewall Threat Defense Connection Event | Remote Services, Process Injection, PowerShell, Ingress Tool Transfer, Remote Access Tools, Non-Standard Port | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-04-15
Cisco Secure Firewall - High Priority Intrusion Classification | Cisco Secure Firewall Threat Defense Intrusion Event | Exploitation for Client Execution, OS Credential Dumping, Application Layer Protocol, Exploit Public-Facing Application, Valid Accounts | TTP | Cisco Secure Firewall Threat Defense Analytics | 2026-04-15
Cisco Secure Firewall - Lumma Stealer Activity | Cisco Secure Firewall Threat Defense Intrusion Event | Exploit Public-Facing Application, Exploitation of Remote Services, Obfuscated Files or Information, User Execution | TTP | Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer | 2026-04-15
Cisco Secure Firewall - Repeated Malware Downloads | Cisco Secure Firewall Threat Defense File Event | Ingress Tool Transfer, Obfuscated Files or Information | Anomaly | Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware | 2026-04-15
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts | Cisco Secure Firewall Threat Defense Intrusion Event | Ingress Tool Transfer, Obfuscated Files or Information | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-04-15
Detect Software Download To Network Device | | TFTP Boot | TTP | Router and Infrastructure Security | 2026-03-10
Rundll32 DNSQuery | Sysmon EventID 22 | Rundll32 | TTP | IcedID, Living Off The Land | 2026-04-15