Microsoft-Windows-Sysmon

Show 25 more (28 total) on the rules page

Elastic

Splunk

Rundll32 with no Command Line Arguments with Network (source)

Steven Dick, Michael Haag, Splunk

Windows HTTP Network Communication From MSIExec (source)

Michael Haag, Splunk

Windows InstallUtil Remote Network Connection (source)

Michael Haag, Splunk

Sysmon Event ID 3: Network connection→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

28 rules

Elastic

WMI Incoming Lateral Movement (source)

Elastic

Suspicious Command Prompt Network Connection (source)

Elastic

Incoming Execution via PowerShell Remoting (source)

Elastic

Show 22 more (25 total) on the rules page

Splunk

Rundll32 with no Command Line Arguments with Network (source)

Steven Dick, Michael Haag, Splunk

Windows HTTP Network Communication From MSIExec (source)

Michael Haag, Splunk

Windows InstallUtil Remote Network Connection (source)

Michael Haag, Splunk

Sysmon Event ID 1: Process creationANDEvent ID 3: Network connection

25 rules

Elastic

InstallUtil Process Making Network Connections (source)

Elastic

Network Connection via Signed Binary (source)

Elastic

Mshta Making Network Connections (source)

Elastic

Outbound Network Connection from Java Using Default Ports (source)

Splunk

Mauricio Velazco, Lou Stella, Splunk

DLLHost with no Command Line Arguments with Network (source)

Steven Dick, Michael Haag, Splunk

GPUpdate with no Command Line Arguments with Network (source)

Michael Haag, Splunk

Sysmon Event ID 7: Image loaded→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 3: Network connection

Show All Detection Patterns

22 rules

Elastic

Potential Command and Control via Internet Explorer (source)

Elastic

Incoming DCOM Lateral Movement via MSHTA (source)

Elastic

Elastic

Show 16 more (19 total) on the rules page

Splunk

Rundll32 with no Command Line Arguments with Network (source)

Steven Dick, Michael Haag, Splunk

Windows HTTP Network Communication From MSIExec (source)

Michael Haag, Splunk

Windows InstallUtil Remote Network Connection (source)

Michael Haag, Splunk

Network Connection

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 3: Network connection→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

20 rules

Elastic

Potential Remote File Execution via MSIEXEC (source)

Elastic

Potential Command and Control via Internet Explorer (source)

Elastic

InstallUtil Process Making Network Connections (source)

Elastic

Show 14 more (17 total) on the rules page

Splunk

Rundll32 with no Command Line Arguments with Network (source)

Steven Dick, Michael Haag, Splunk

Windows HTTP Network Communication From MSIExec (source)

Michael Haag, Splunk

Windows InstallUtil Remote Network Connection (source)

Michael Haag, Splunk

Sysmon Event ID 1: Process creationANDEvent ID 11: FileCreate

15 rules

Elastic

File with Right-to-Left Override Character (RTLO) Created/Executed (source)

Elastic

Elastic

MS Exchange Mailbox Replication service writing Active Server Pages (source)

Elastic

Splunk

Michael Haag, Splunk

Windows Office Product Dropped Cab or Inf File (source)

Bhavin Patel, Splunk

Michael Haag, Splunk

Sysmon Event ID 3: Network connection→(Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

14 rules

Elastic

Suspicious Command Prompt Network Connection (source)

Elastic

Incoming Execution via PowerShell Remoting (source)

Elastic

Elastic

Command Line Utility Added to Accessibility Features (Sysmon) (source)

Splunk

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4689: A process has exited.ORSysmon Event ID 1: Process creationOREvent ID 5: Process terminated

12 rules

Kusto

SUNBURST suspicious SolarWinds child processes (Normalized Process Events) (source)

Yuval Naor

Base64 encoded Windows process command-lines (Normalized Process Events) (source)

Yuval Naor

Process Creation with Suspicious CommandLine Arguments (source)

Sysmon Event ID 11: FileCreate→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

12 rules

Elastic

Elastic

File with Right-to-Left Override Character (RTLO) Created/Executed (source)

Elastic

Elastic

Splunk

Windows Office Product Dropped Cab or Inf File (source)

Bhavin Patel, Splunk

Michael Haag, Splunk

Windows Office Product Dropped Uncommon File (source)

Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github

Sysmon Event ID 1: Process creationOREvent ID 13: RegistryEvent

12 rules

Splunk

Command Line Utility Added to Accessibility Features (Sysmon) (source)

Wow6432Node Classes Autorun Keys Modification (Sysmon) (source)

Suspicious InprocServer32 Registry Modification (Sysmon) (source)

Sysmon Event ID 1: Process creationOREvent ID 12: RegistryEventOREvent ID 13: RegistryEvent

11 rules

Splunk

ComputerDefaults UAC Bypass (Sysmon) (source)

ConsentPromptBehaviorAdmin Registry Value Modified (Sysmon) (source)

EnableLUA Registry Value Modified (Sysmon) (source)

(Security-Auditing Event ID 4688: A new process has been created.ANDSysmon Event ID 11: FileCreate)OR(Event ID 1: Process creationANDEvent ID 11: FileCreate)

8 rules

Elastic

Windows Office Product Dropped Cab or Inf File (source)

Elastic

Splunk

Michael Haag, Splunk

Windows Office Product Dropped Uncommon File (source)

Bhavin Patel, Splunk

Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github

Delayed Execution via Ping (source)

7 rules

Elastic

Elastic

Local Scheduled Task Creation (source)

Elastic

Execution via MS VisualStudio Pre/Post Build Events (source)

Elastic

Security-Auditing Event ID 4688: A new process has been created.→Sysmon Event ID 1: Process creation

6 rules

Elastic

Execution of File Written or Modified by Microsoft Office (source)

Elastic

Windows Script Interpreter Executing Process via WMI (source)

Elastic

ROT Encoded Python Script Execution (source)

Elastic

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 7: Image loaded

5 rules

Elastic

Suspicious WMIC XSL Script Execution (source)

Elastic

Veeam Backup Library Loaded by Unusual Process (source)

Elastic

Elastic

Sysmon Event ID 1: Process creationANDEvent ID 13: RegistryEvent

5 rules

Splunk

Windows Process Executed From Removable Media (source)

Steven Dick

Windows Modify Registry Qakbot Binary Data Registry (source)

Teoderick Contreras, Bhavin Patel, Splunk

Defender Registry Values Modified (Sysmon) (source)

Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creationOREvent ID 11: FileCreate

5 rules

Elastic

File with Right-to-Left Override Character (RTLO) Created/Executed (source)

Elastic

Elastic

Elastic

Suspicious writes to windows Recycle Bin (source)

Splunk

Rico Valdez, Splunk

Share Access Sysmon

Sysmon Event ID 1: Process creationOREvent ID 11: FileCreate

5 rules

Elastic

Windows Default RDP File Creation By Non MSTSC Process (source)

Elastic

Splunk

Teoderick Contreras, Splunk

Windows Admin$ Share Access (Sysmon) (source)

Windows C$ Share Access (Sysmon) (source)

Sysmon Event ID 7: Image loaded→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

Xsl Script Execution

4 rules

Elastic

Veeam Backup Library Loaded by Unusual Process (source)

Elastic

Elastic

Potential Command and Control via Internet Explorer (source)

Elastic

Security-Auditing Event ID 4688: A new process has been created.ANDSysmon Event ID 1: Process creation

2 rules

Elastic

AWS SSM `SendCommand` with Run Shell Command Parameters (source)

Elastic

First Time Seen Remote Monitoring and Management Tool (source)

Elastic

Defense Impairment: Modify Registry

Sysmon Event ID 1: Process creationANDEvent ID 12: RegistryEvent

2 rules

Splunk

Windows Deleted Registry By A Non Critical Process File Path (source)

Steven Dick, Teoderick Contreras, Splunk

LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon) (source)

Exfiltration: Exfiltration Over Alternative Protocol

Sysmon Event ID 1: Process creationOREvent ID 3: Network connection

2 rules

Splunk

Windows Rundll32 WebDav With Network Connection (source)

Michael Haag, Splunk

PuTTY Secure Copy Client Execution (Sysmon) (source)

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

1 rule

Elastic

Execution of Persistent Suspicious Program (source)

Elastic

Credential Access: DCSync

Sysmon Event ID 1: Process creationOREvent ID 10: ProcessAccess

1 rule

Splunk

Mimikatz (Sysmon) (source)

Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creationOREvent ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

1 rule

Elastic

Potential Remote Desktop Shadowing Activity (source)

Elastic

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 22: DNSEvent

1 rule

Elastic

MsBuild Making Network Connections (source)

Elastic

Execution: Exploitation for Client Execution

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.ORSysmon Event ID 1: Process creation

1 rule

Kusto

Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 (source)

Persistence: Create or Modify System Process

Sysmon Event ID 1: Process creationANDEvent ID 7: Image loaded

1 rule

Kusto

COM Event System Loading New DLL (source)

Shain

Stealth: Process Hollowing

Sysmon Event ID 1: Process creation→Event ID 10: ProcessAccess

1 rule

Elastic

Suspicious Process Creation CallTrace (source)

Elastic

Stealth: Create Process with Token

Security-Auditing Event ID 4624: An account was successfully logged on.→(Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

1 rule

Elastic

Process Creation via Secondary Logon (source)

Elastic

Stealth: Msiexec

(Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

1 rule

Elastic

Windows Installer with Suspicious Properties (source)

Elastic

Lateral Movement: Exploitation of Remote Services

Security-Auditing Event ID 4624: An account was successfully logged on.OREvent ID 4688: A new process has been created.ORSysmon Event ID 1: Process creationOREvent ID 19: WmiEventOREvent ID 20: WmiEventOREvent ID 21: WmiEvent

1 rule

Kusto

Gain Code Execution on ADFS Server via Remote WMI Execution (source)

Microsoft Security Research

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`event.type`	eq	`start`	242 rules	elastic
`Image`	ends_with	`\powershell.exe`	162 rules	sigma
`Image`	ends_with	`\pwsh.exe`	150 rules	sigma
`Image`	ends_with	`\cmd.exe`	117 rules	sigma
`Image`	ends_with	`\rundll32.exe`	81 rules	sigma
`Image`	ends_with	`\cscript.exe`	60 rules	sigma
`Image`	ends_with	`\wscript.exe`	60 rules	sigma
`Image`	ends_with	`\regsvr32.exe`	56 rules	sigma
`OriginalFileName`	eq	`powershell.exe`	120 rules	elastic, sigma, splunk
`OriginalFileName`	eq	`pwsh.dll`	112 rules	elastic, sigma, splunk
`OriginalFileName`	eq	`cmd.exe`	64 rules	elastic, sigma, splunk
`OriginalFileName`	eq	`rundll32.exe`	62 rules	elastic, sigma, splunk
`OriginalFileName`	eq	`wmic.exe`	61 rules	elastic, sigma, splunk
`process_name`	eq	`powershell.exe`	94 rules	elastic, splunk
`process_name`	eq	`cmd.exe`	73 rules	elastic, splunk

Detection Rules #

Sigma # view in coverage

7Zip Compressing Dump Files source medium: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Compress Data and Lock With Password for Exfiltration With 7-ZIP source medium: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Potential DLL Injection Via AccCheckConsole source medium: Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.

Show 17 more (864 total)

Suspicious AddinUtil.EXE CommandLine Execution source high: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
Uncommon AddinUtil.EXE CommandLine Execution source medium: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
AddinUtil.EXE Execution From Uncommon Directory source medium: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
Potential Adplus.EXE Abuse source high: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
AgentExecutor PowerShell Execution source medium: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
Suspicious AgentExecutor PowerShell Execution source high: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
Windows AMSI Related Registry Tampering Via CommandLine source high: Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE source medium: Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
Hiding Files with Attrib.exe source medium: Detects usage of attrib.exe to hide files from users.
Set Suspicious Files as System Files Using Attrib.EXE source high: Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
Audit Policy Tampering Via Auditpol source high: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Windows EventLog Autologger Session Registry Modification Via CommandLine source high: Detects attempts to disable Windows EventLog autologger sessions via registry modification. The AutoLogger event tracing session records events that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
Suspicious Autorun Registry Modified via WMI source high: Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
Indirect Inline Command Execution Via Bash.EXE source medium: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Indirect Command Execution From Script File Via Bash.EXE source medium: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Boot Configuration Tampering Via Bcdedit.EXE source high: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE source medium: Detects potential malicious and unauthorized usage of bcdedit.exe

Splunk # view in coverage

Detect Remote Access Software Usage FileInfo source: The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote…
Excessive Usage Of SC Service Utility source: The following analytic detects excessive usage of the sc.exe service utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances where sc.exe is executed more frequently than normal within a 15-minute window.…
Jscript Execution Using Cscript App source: The following analytic detects the execution of JScript using the cscript.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This behavior is significant…

Show 17 more (268 total)

MacOS - Re-opened Applications source: The following analytic identifies processes referencing plist files that determine which applications are re-opened when a user reboots their MacOS machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on…
Malicious PowerShell Process With Obfuscation Techniques source: The following analytic detects PowerShell processes launched with command-line arguments indicative of obfuscation techniques. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent…
Ping Sleep Batch Command source: The following analytic identifies the execution of ping sleep batch commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process command-line details. This activity is significant as…
Possible Lateral Movement PowerShell Spawn source: The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection…
Process Deleting Its Process File Path source: The following analytic identifies a process attempting to delete its own file path, a behavior often associated with defense evasion techniques. This detection leverages Sysmon EventCode 1 logs, focusing on command lines executed via…
Unusually Long Command Line source: The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This…
Vbscript Execution Using Wscript App source: The following analytic detects the execution of VBScript using the wscript.exe application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant…
Web or Application Server Spawning a Shell source: The following analytic detects instances where Java, or Tomcat processes spawn a Linux shell, which may indicate exploitation attempts, such as those related to CVE-2021-44228 (Log4Shell). This detection leverages Endpoint Detection and…
Web Servers Executing Suspicious Processes source: The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model "Endpoint.Processes" to search for specific process names such as "whoami", "ping", "iptables",…
Windows Account Access Removal via Logoff Exec source: The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could…
Windows Binary Execution from an Archive source: Detects the execution of a binary from archive-related paths in the user's Temp directory. It looks for binaries launched by explorer.exe, winrar.exe, or 7zFM.exe, where the executed process path includes Temp and archive markers…
Windows Browser Process Launched with Unusual Flags source: The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or…
Windows Command Shell DCRat ForkBomb Payload source: The following analytic detects the execution of a DCRat "forkbomb" payload, which spawns multiple cmd.exe processes that launch notepad.exe instances in quick succession. This detection leverages Endpoint Detection and Response (EDR) data,…
Windows ComputerDefaults Spawning a Process source: The following analytic detects the spawning of ComputerDefaults.exe, a Windows system process used to manage default application associations. While normally legitimate, this process can be exploited by attackers to bypass User Account…
Windows Credential Target Information Structure in Commandline source: Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. This detection leverages process creation events…
Windows Crowdstrike RTR Script Execution source: Detects usage of Crowdstrike Real Time Response (RTR) to execute a "runscript" command. This can be used by malicious actors with access to the Crowdstrike Dashboard to execute commands on remote managed hosts.
Windows Default Rdp File Unhidden source: This detection identifies the use of attrib.exe to remove hidden (-h) or system (-s) attributes from the Default.rdp file, which is automatically created in a user's Documents folder when a Remote Desktop Protocol (RDP) session is…

Kusto # view in coverage

SUNBURST suspicious SolarWinds child processes source medium: Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
Audit policy manipulation using auditpol utility source medium: This detects attempts to manipulate audit policies using auditpol command. This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks. The process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but if the results show unrelated false positives, users may want to uncomment it. Refer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol
Refer to our M365 blog for details on use during the Solorigate attack: https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
Modification of Accessibility Features source medium: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1] Ref: https://attack.mitre.org/techniques/T1546/008/

Show 10 more (13 total)

Lateral Movement via DCOM source medium: This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network. Ref: http://thenegative.zone/incident response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html
Detecting Macro Invoking ShellBrowserWindow COM Objects source medium: This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.
Windows Binaries Lolbins Renamed source medium: This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html
Potential Kerberos Relaying Activity - MDE source: The below query detects potential Kerberos relaying event chain generated by KrbRelay.
Spearphishing Attachment: ISO Images (Microsoft Sentinel) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers.
Installation from an iso file don't require network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. Below queries detects opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image.
All detections can be used seperately or combined together to generate a higher fidelity alert. WARNING: Check your Sysmon parsing functions and verify you have the logs. Using "Rendered Description" field for parsing causes parsing issues for registry events. Detect opening of a mounted image:↳ also matches Event ID 3: Network connection, Event ID 11: FileCreate, Event ID 13: RegistryEvent (Value Set)
T1566.002 Spearphishing Link - Rare URL Clicks source: Below query analyzes URLs that are opened from applications like Outlook, Word, Excel, Powerpoint, and Adobe PDF apps. It finds rare URLs that might be a phishing attempt.
It is strongly recommended to enrich results with prevalence information using firewall or proxy logs. You can reduce the noise by filtering specific parent processes according to your needs.
You can further improve the results using logic apps or scripting to get extra information about the URL(age, certificate, VT score etc.) Keep in mind that there ways to bypass controls by hosting the phishing links inside a document stored in the cloud. You don't have any visibility with Sysmon in this scenario.
Potential Lateral Movement via MSI ODBC Driver Install over DCOM source: Detects Potential Lateral Movement via MSI Custom Actions to install ODBC Driver over DCOM remotely.
Scheduled Task - Suspicious Network Connection source: Below query performs process tree analysis for Scheduled Tasks on MDE/MDATP/M365D and displays anomalous trees. Then, it gets all network connections made by every single process in each anomalous process tree. Before using the query, do a quick analysis on commandlines of the processes spawned by Scheduled Tasks. There might be specific processes executing with a unique argument on each device. You need to whitelist them to get better results.
Process Tree Analysis source: Below queries perform process tree analysis on MDE/MDATP, Azure Sentinel (Sysmon), and Splunk (Sysmon) and displays anomalous trees. All queries run smoothly even in the large environments. Detailed explanation is here
Zinc Actor IOCs files - October 2022 source high: Identifies a match across filename and commandline IOC's related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/↳ also matches Event ID 3: Network connection

YARA-L # view in coverage

GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage source: Alerts when an authorization token originating from GKE activity is subsequently used within a command line on an endpoint system, suggesting potential credential exfiltration and reuse.
W3WP Launching Encoded Powershell source: Detects on the execution of an encoded powershell command with a parent process of w3wp.exe.
Potential Webshell Process Execution source: Detects on the execution arguments associated with cmd.exe invocations originating from an active ASP.NET webshell.

Show 17 more (69 total)

Base64 Encoded PowerShell Command Detected source: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
ConvertTo-SecureString Cmdlet Usage Via CommandLine source: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
Copy From Or To Admin Share Or Sysvol Folder source: Detects a copy command or a copy utility execution to or from an Admin share or remote
CreateDump Process Dump source: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
Direct Autorun Keys Modification source: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe
File Download Using Notepad++ GUP Utility source: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files
File Download Via Windows Defender MpCmpRun.EXE source: Detects the use of Windows Defender MpCmdRun.EXE to download files
Finger.EXE Execution source: Detects execution of the finger.exe utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of finger.exe can be considered suspicious and worth investigating.
HackTool - Dumpert Process Dumper Execution source: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
Hacktool - IronSharpPack Execution source: Detects the execution of known attacker tools, including but not limited to those in the IronSharpPack toolset. These tools are commonly used for offensive security operations and may indicate malicious activity if observed in unauthorized environments.
HackTool - Mimikatz Execution source: Detection well-known mimikatz command line arguments
Purple Knight Tool Execution Detected source: This detection rule identifies the execution of the Purple Knight tool, a free Active Directory security assessment utility developed by Semperis. Purple Knight is designed to scan for AD vulnerabilities, misconfigurations, and common attack paths. While it is a legitimate tool used by defenders, its execution in production environments may also indicate red team activity or unauthorized reconnaissance by adversaries attempting to map domain weaknesses.
Hacktool - SharpSuccessor Execution source: SharpSuccessor is a .NET-based post-exploitation tool designed to weaponize the BadSuccessor attack discovered by Yuval Gordon (@YuG0rd) from Akamai. It allows a low-privileged user with 'CreateChild' permissions over any Organizational Unit (OU) in an Active Directory domain to escalate privileges to Domain Administrator. This detection rule identifies execution patterns or behavioral indicators linked to SharpSuccessor activity, which may signal privilege escalation attempts in Active Directory environments.
Hacktool - WinPEAS Execution Patterns source: This detection rule identifies the execution of WinPEAS (Windows Privilege Escalation Awesome Script), a post-exploitation reconnaissance tool used to discover privilege escalation paths on Windows systems. WinPEAS performs a wide range of local enumeration checks, including service misconfigurations, permission issues, token privileges, and more. Its usage is commonly observed during red team assessments and by adversaries seeking to elevate privileges after gaining initial access. WinPEAS checks are well-documented in the HackTricks knowledge base.
Impacket WMIExec CISA Report source: Detects the artifacts generally associated with the use of wmiexec.py↳ also matches Event ID 11: FileCreate
Local Accounts Discovery source: Local accounts, System Owner/User discovery using operating systems utilities
LSASS Dump Keyword In CommandLine source: Detects the presence of the keywords lsass and .dmp in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-1.yml
MS Learn Mandatory Integrity Control https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control

Event ID 2: A process changed a file creation time

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Olaf Hartong, others)
Task: File creation time changed (rule: FileCreateTime)
Opcode: Info

Description

The change **file creation time** event is registered when a file creation time is explicitly modified by a process. This event helps tracking the real creation time of a file. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.

Message #

File creation time changed:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
TargetFilename: %6
CreationUtcTime: %7
PreviousCreationUtcTime: %8
User: %9

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that changed the file creation time
`ProcessId` UInt32	Process ID used by the OS to identify the process changing the file creation time
`Image` UnicodeString	File path of the process that changed the file creation time	13 detection rules
`TargetFilename` UnicodeString	Full path name of the file	7 detection rules
`CreationUtcTime` UnicodeString	New creation time of the file	1 detection rule
`PreviousCreationUtcTime` UnicodeString	Previous creation time of the file	1 detection rule
`User` UnicodeString	Name of the account who changed the file creation time of a file

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 2,
    "version": 5,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T13:31:51.7752086+00:00",
    "event_record_id": 17461544,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 13:31:51.770",
    "ProcessGuid": "{8a99384c-5bb9-6a2d-3605-000000001000}",
    "ProcessId": "7796",
    "Image": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
    "TargetFilename": "C:\\Windows\\Temp\\B776E034-9102-4917-A2BF-152F782EA60A\\WimProvider.dll",
    "CreationUtcTime": "2026-06-13 13:31:38.052",
    "PreviousCreationUtcTime": "2026-06-13 13:31:38.052",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": "File creation time changed:\r\nRuleName: -\r\nUtcTime: 2026-06-13 13:31:51.770\r\nProcessGuid: {8a99384c-5bb9-6a2d-3605-000000001000}\r\nProcessId: 7796\r\nImage: C:\\Windows\\system32\\wbem\\wmiprvse.exe\r\nTargetFilename: C:\\Windows\\Temp\\B776E034-9102-4917-A2BF-152F782EA60A\\WimProvider.dll\r\nCreationUtcTime: 2026-06-13 13:31:38.052\r\nPreviousCreationUtcTime: 2026-06-13 13:31:38.052\r\nUser: NT AUTHORITY\\SYSTEM"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`FileRenamed`	1 rule	kusto
`Image`	ends_with	`\dns.exe`	1 rule	sigma
`Provider_Name`	eq	`Microsoft-Windows-Sysmon`	1 rule	elastic
`TargetFilename`	wildcard	`?:\programdata\microsoft\windows\start menu\programs\startup\*`	1 rule	elastic
`TargetFilename`	wildcard	`?:\users\\appdata\roaming\microsoft\windows\start menu\programs\startup\`	1 rule	elastic
`file.extension`	eq	`dll`	1 rule	elastic
`file.extension`	eq	`exe`	1 rule	elastic
`file.extension`	eq	`lnk`	1 rule	elastic
`file.extension`	eq	`pif`	1 rule	elastic
`file.extension`	eq	`scr`	1 rule	elastic

Detection Rules #

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 3: Network connection

Sigma # view in coverage

Unusual File Modification by dns.exe source high: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
File Creation Date Changed to Another Year source low: Detects when the file creation time is changed to a year before 2020. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. In order to use this rule in production, it is recommended first baseline normal behavior in your environment and then tune the rule accordingly. Hunting Recommendation: Focus on files with creation times set to years significantly before the current date, especially those in user-writable directories. Correlate with process execution logs to identify the source of the modification and investigate any unsigned or suspicious binaries involved.

Elastic # view in coverage

Potential Timestomp in Executable Files source medium: Identifies the modification of a file creation time for executable files in sensitive system directories. Adversaries may modify file time attributes to blend malicious executables with legitimate system files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.

Kusto # view in coverage

WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation.↳ also matches Event ID 7: Image loaded, Event ID 11: FileCreate

YARA-L # view in coverage

Suspicious Filewrites To Sharepoint Layouts source: Detects a command-line interpreter (cmd.exe or powershell.exe) writing a file to a SharePoint (\TEMPLATE\LAYOUTS) directory.↳ also matches Event ID 11: FileCreate, Event ID 23: FileDelete (File Delete archived)
Suspicious Unusual Location LNK File source: Detects creation and movement of .lnk files to specific folders↳ also matches Event ID 11: FileCreate, Event ID 23: FileDelete (File Delete archived)

References #

Event ID 3: Network connection

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (Olaf Hartong, others)
Task: Network connection detected (rule: NetworkConnect)
Opcode: Info

Description

The **network connection** event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields. The event also contains the source and destination host names IP addresses, port numbers and IPv6 status.

Message #

Network connection detected:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
User: %6
Protocol: %7
Initiated: %8
SourceIsIpv6: %9
SourceIp: %10
SourceHostname: %11
SourcePort: %12
SourcePortName: %13
DestinationIsIpv6: %14
DestinationIp: %15
DestinationHostname: %16
DestinationPort: %17
DestinationPortName: %18

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that made the network connection
`ProcessId` UInt32	Process ID used by the OS to identify the process that made the network connection
`Image` UnicodeString	File path of the process that made the network connection	394 detection rules
`User` UnicodeString	Name of the account who made the network connection. It usually contains domain name and user name	8 detection rules
`Protocol` UnicodeString	Protocol being used for the network connection. Sysmon emits the literal lowercase transport name rather than the IANA protocol number; tcp / udp are the only values produced by the kernel transport callback that drives this event. Known values `tcp` TCP connection. `udp` UDP datagram.	8 detection rules
`Initiated` Boolean	Indicates whether the process initiated the TCP connection	49 detection rules
`SourceIsIpv6` Boolean	Is the source IP an IPv6	1 detection rule
`SourceIp` UnicodeString	Source IP address that made the network connection	3 detection rules
`SourceHostname` UnicodeString	Name of the host that made the network connection	1 detection rule
`SourcePort` UInt16	Source port number	3 detection rules
`SourcePortName` UnicodeString	Name of the source port being used (i.e. netbios-dgm)
`DestinationIsIpv6` Boolean	Is the destination IP an IPv6	1 detection rule
`DestinationIp` UnicodeString	Destination IP address	72 detection rules
`DestinationHostname` UnicodeString	Name of the host that received the network connection	457 detection rules
`DestinationPort` UInt16	Destination port number	141 detection rules
`DestinationPortName` UnicodeString	Name of the destination port	4 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 3,
    "version": 5,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:46.6013699+00:00",
    "event_record_id": 17613679,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5404
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:09:43.178",
    "ProcessGuid": "{8a99384c-e92c-6a2c-0c00-000000001000}",
    "ProcessId": "896",
    "Image": "C:\\Windows\\System32\\lsass.exe",
    "User": "NT AUTHORITY\\SYSTEM",
    "Protocol": "tcp",
    "Initiated": "false",
    "SourceIsIpv6": "false",
    "SourceIp": "127.0.0.1",
    "SourceHostname": "telemetry-DC-c.cell-c.ludus.domain",
    "SourcePort": "57872",
    "SourcePortName": "-",
    "DestinationIsIpv6": "false",
    "DestinationIp": "127.0.0.1",
    "DestinationHostname": "telemetry-DC-c.cell-c.ludus.domain",
    "DestinationPort": "389",
    "DestinationPortName": "ldap"
  },
  "message": "Network connection detected:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:43.178\r\nProcessGuid: {8a99384c-e92c-6a2c-0c00-000000001000}\r\nProcessId: 896\r\nImage: C:\\Windows\\System32\\lsass.exe\r\nUser: NT AUTHORITY\\SYSTEM\r\nProtocol: tcp\r\nInitiated: false\r\nSourceIsIpv6: false\r\nSourceIp: 127.0.0.1\r\nSourceHostname: telemetry-DC-c.cell-c.ludus.domain\r\nSourcePort: 57872\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 127.0.0.1\r\nDestinationHostname: telemetry-DC-c.cell-c.ludus.domain\r\nDestinationPort: 389\r\nDestinationPortName: ldap"
}

Detection Patterns #

31 rules

Elastic

Suspicious Command Prompt Network Connection (source)

Elastic

Incoming Execution via PowerShell Remoting (source)

Elastic

Show 25 more (28 total) on the rules page

Elastic

Splunk

Rundll32 with no Command Line Arguments with Network (source)

Steven Dick, Michael Haag, Splunk

Windows HTTP Network Communication From MSIExec (source)

Michael Haag, Splunk

Windows InstallUtil Remote Network Connection (source)

Michael Haag, Splunk

Sysmon Event ID 3: Network connection→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

28 rules

Elastic

WMI Incoming Lateral Movement (source)

Elastic

Suspicious Command Prompt Network Connection (source)

Elastic

Incoming Execution via PowerShell Remoting (source)

Elastic

Show 22 more (25 total) on the rules page

Splunk

Rundll32 with no Command Line Arguments with Network (source)

Steven Dick, Michael Haag, Splunk

Windows HTTP Network Communication From MSIExec (source)

Michael Haag, Splunk

Windows InstallUtil Remote Network Connection (source)

Michael Haag, Splunk

Sysmon Event ID 1: Process creationANDEvent ID 3: Network connection

25 rules

Elastic

InstallUtil Process Making Network Connections (source)

Elastic

Network Connection via Signed Binary (source)

Elastic

Mshta Making Network Connections (source)

Elastic

Outbound Network Connection from Java Using Default Ports (source)

Splunk

Mauricio Velazco, Lou Stella, Splunk

DLLHost with no Command Line Arguments with Network (source)

Steven Dick, Michael Haag, Splunk

GPUpdate with no Command Line Arguments with Network (source)

Michael Haag, Splunk

Sysmon Event ID 7: Image loaded→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 3: Network connection

20 rules

Elastic

Potential Command and Control via Internet Explorer (source)

Elastic

Incoming DCOM Lateral Movement via MSHTA (source)

Elastic

Incoming DCOM Lateral Movement with MMC (source)

Elastic

Show 14 more (17 total) on the rules page

Splunk

Rundll32 with no Command Line Arguments with Network (source)

Steven Dick, Michael Haag, Splunk

Windows HTTP Network Communication From MSIExec (source)

Michael Haag, Splunk

Windows InstallUtil Remote Network Connection (source)

Michael Haag, Splunk

Network Connection

20 rules

Elastic

Potential Remote File Execution via MSIEXEC (source)

Elastic

Potential Command and Control via Internet Explorer (source)

Elastic

InstallUtil Process Making Network Connections (source)

Elastic

Show 14 more (17 total) on the rules page

Splunk

Rundll32 with no Command Line Arguments with Network (source)

Steven Dick, Michael Haag, Splunk

Windows HTTP Network Communication From MSIExec (source)

Michael Haag, Splunk

Windows InstallUtil Remote Network Connection (source)

Michael Haag, Splunk

Show All Detection Patterns

Security-Auditing Event ID 5156: The Windows Filtering Platform has permitted a connection.ORSysmon Event ID 3: Network connection

13 rules

Kusto

SUNBURST network beacons (source)

Detect Msiexec executing DLL network connections (source)

Robbe Van den Daele

Rouge RDP: Suspicious File Creation (source)

Cyb3rMonk

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.OREvent ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.OREvent ID 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.OREvent ID 5156: The Windows Filtering Platform has permitted a connection.OREvent ID 5157: The Windows Filtering Platform has blocked a connection.OREvent ID 5158: The Windows Filtering Platform has permitted a bind to a local port.OREvent ID 5159: The Windows Filtering Platform has blocked a bind to a local port.ORSysmon Event ID 3: Network connection

13 rules

Kusto

Network Port Sweep from External Network (ASIM Network Session schema) (source)

Remote Desktop Network Brute force (ASIM Network Session schema) (source)

Port scan detected (ASIM Network Session schema) (source)

Suspicious Command Prompt Network Connection (source)

13 rules

Elastic

Elastic

Incoming Execution via PowerShell Remoting (source)

Elastic

Elastic

Security-Auditing Event ID 5156: The Windows Filtering Platform has permitted a connection.OREvent ID 5157: The Windows Filtering Platform has blocked a connection.ORSysmon Event ID 3: Network connection

7 rules

Kusto

Detect process drops via Azure Custom Script Extension performing lateral movement (source)

Robbe Van den Daele

DCOM Lateral Movement (source)

Anomaly in SMB Traffic(ASIM Network Session schema) (source)

Defender-DeviceNetworkEvents any: Network activityORSecurity-Auditing Event ID 5156: The Windows Filtering Platform has permitted a connection.ORSysmon Event ID 3: Network connection

Lateral Movement: Distributed Component Object Model

7 rules

Kusto

DCOM Lateral Movement (source)

Hunt for ADWS requests from unknown devices (source)

Robbe Van den Daele

Anomaly in SMB Traffic(ASIM Network Session schema) (source)

Sysmon Event ID 3: Network connection→Event ID 11: FileCreate

Remote File Download

4 rules

Elastic

Remote File Download via PowerShell (source)

Elastic

Remote File Download via Script Interpreter (source)

Elastic

Potential Ransomware Note File Dropped via SMB (source)

Elastic

Security-Auditing Event ID 5156: The Windows Filtering Platform has permitted a connection.ORSysmon Event ID 3: Network connectionORThreat-Intelligence Event ID 3: Remote Section Map

Adws Connection

3 rules

Kusto

ADWS Connection from Process Injection Target (source)

FalconForce

ADWS Connection from Unexpected Binary (source)

FalconForce

Hunt for ADWS requests from unknown devices (source)

Robbe Van den Daele

Sysmon Event ID 7: Image loaded→Event ID 3: Network connection

2 rules

Elastic

Outbound Scheduled Task Activity via PowerShell (source)

Elastic

Potential Enumeration via Active Directory Web Service (source)

Elastic

Sysmon Event ID 3: Network connection→(Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)

2 rules

Elastic

Elastic

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.→Event ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.→Event ID 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.→Event ID 5156: The Windows Filtering Platform has permitted a connection.→Event ID 5157: The Windows Filtering Platform has blocked a connection.→Event ID 5158: The Windows Filtering Platform has permitted a bind to a local port.→Event ID 5159: The Windows Filtering Platform has blocked a bind to a local port.→Sysmon Event ID 3: Network connection

Elastic

Command & Control: Application Layer Protocol

2 rules

Kusto

Google Threat Intelligence - Threat Hunting IP (source)

Potential beaconing activity (ASIM Network Session schema) (source)

Exfiltration: Exfiltration Over Alternative Protocol

Sysmon Event ID 1: Process creationOREvent ID 3: Network connection

2 rules

Splunk

Windows Rundll32 WebDav With Network Connection (source)

Michael Haag, Splunk

PuTTY Secure Copy Client Execution (Sysmon) (source)

Stealth: Disable or Modify System Firewall

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.OREvent ID 5157: The Windows Filtering Platform has blocked a connection.ORSysmon Event ID 3: Network connection

1 rule

Elastic

Potential Evasion via Windows Filtering Platform (source)

Elastic

Command & Control: Web Protocols

Sysmon Event ID 3: Network connectionOREvent ID 15: FileCreateStreamHash

1 rule

Splunk

Unusual HTTP Download (Sysmon) (source)

Collection: Data from Local System

Sysmon Event ID 3: Network connectionANDEvent ID 18: PipeEvent

1 rule

Kusto

AD FS Remote HTTP Network Connection (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Initiated`	eq	`true`	48 rules	sigma
`Initiated`	eq	`incoming`	10 rules	elastic
`Initiated`	eq	`ingress`	10 rules	elastic
`event.type`	eq	`start`	27 rules	elastic
`src_ip`	ne	`127.0.0.1`	12 rules	elastic, splunk
`src_ip`	ne	`::1`	12 rules	elastic, splunk
`Protocol`	eq	`tcp`	8 rules	elastic, sigma
`DestinationPort`	eq	`80`	7 rules	elastic, kusto, sigma
`DestinationPort`	eq	`3389`	6 rules	elastic, kusto, sigma, splunk
`DestinationPort`	ne	`0`	7 rules	splunk
`EventType`	eq	`ConnectionSuccess`	7 rules	kusto
`SourcePort`	ge	`49152`	7 rules	elastic
`graph.metadata.entity_type`	eq	`IP_ADDRESS`	7 rules	chronicle
`dns.question.name`	is_not_null		6 rules	elastic
`graph.metadata.source_type`	eq	`GLOBAL_CONTEXT`	6 rules	chronicle

Detection Rules #

Sysmon Event ID 4: Sysmon service state changedOREvent ID 5: Process terminatedOREvent ID 8: CreateRemoteThread

Sigma # view in coverage

Network Connection Initiated By AddinUtil.EXE source high: Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
Uncommon Connection to Active Directory Web Services source medium: Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
Uncommon Network Connection Initiated By Certutil.EXE source high: Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.

Show 17 more (61 total)

Outbound Network Connection Initiated By Cmstp.EXE source high: Detects a network connection initiated by Cmstp.EXE Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
Outbound Network Connection Initiated By Microsoft Dialer source high: Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
Network Connection Initiated To AzureWebsites.NET By Non-Browser Process source medium: Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
Network Connection Initiated To BTunnels Domains source medium: Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Network Connection Initiated To Cloudflared Tunnels Domains source medium: Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Network Communication With Crypto Mining Pool source high: Detects initiated network connections to crypto mining pools
New Connection Initiated To Potential Dead Drop Resolver Domain source high: Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
Network Connection Initiated To DevTunnels Domain source medium: Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Suspicious Dropbox API Usage source high: Detects an executable that isn't dropbox but communicates with the Dropbox API
Suspicious Network Connection to IP Lookup Service APIs source medium: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
Suspicious Non-Browser Network Communication With Google API source medium: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
Communication To LocaltoNet Tunneling Service Initiated source high: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
Network Connection Initiated To Mega.nz source low: Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
Process Initiated Network Connection To Ngrok Domain source high: Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
Communication To Ngrok Tunneling Service Initiated source high: Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
Potentially Suspicious Network Connection To Notion API source low: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
Network Communication Initiated To Portmap.IO Domain source medium: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors

Elastic # view in coverage

Connection to Common Large Language Model Endpoints source medium: Identifies DNS queries to known Large Language Model domains by unsigned binaries or common Windows scripting utilities. Malwares may leverage the capabilities of LLM to perform actions in the affected system in a dynamic way.
GenAI Process Connection to Suspicious Top Level Domain source medium: Detects when GenAI tools connect to domains using suspicious TLDs commonly abused for malware C2 infrastructure. TLDs like .top, .xyz, .ml, .cf, .onion are frequently used in phishing and malware campaigns. Legitimate GenAI services use well-established domains (.com, .ai, .io), so connections to suspicious TLDs may indicate compromised tools, malicious plugins, or AI-generated code connecting to attacker infrastructure.
Suspicious Instance Metadata Service (IMDS) API Request source medium: This rule identifies various tools/scripts performing network activities attempting to access the cloud service provider's instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID, public IP address, and even temporary security credentials if roles are assumed by that instance.

Show 10 more (13 total)

Connection to Commonly Abused Web Services source low: Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.
Network Activity to a Suspicious Top Level Domain source high: Identifies DNS queries to commonly abused Top Level Domains by common LOLBINs or executables running from world writable directories or unsigned binaries. This behavior matches on common malware C2 abusing less formal domain names.
Connection to Commonly Abused Free SSL Certificate Providers source low: Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.
Deprecated - SUNBURST Command and Control Activity source high: The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.
Kerberos Traffic from Unusual Process source medium: Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.
Potential Kerberos SPN Spoofing via Suspicious DNS Query source high: Identifies queries for a DNS name containing a base64-encoded blob matching the pattern "UWhRCA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. It is associated with tools and techniques that exploit SPN spoofing via DNS. Adversaries may abuse such names to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services (often the victim's own identity). Depending on the coerced service and negotiated authentication, this can support Kerberos relay or NTLM reflection/relay paths without relying on normal NTLM fallback behavior.
System Public IP Discovery via DNS Query source high: Identifies DNS queries to known public IP address lookup web services from suspicious Windows processes, which can reveal external IP or internet-connectivity discovery before follow-on activity.
Suspicious File Renamed via SMB source high: Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol.
Network Connection via Certutil source low: Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.
Potential Outgoing RDP Connection by Unusual Process source low: Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection.

Splunk # view in coverage

Detect Regasm with Network Connection source: The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is…
Detect Regsvcs with Network Connection source: The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to monitor network connections initiated by…
LOLBAS With Network Traffic source: The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries,…

Show 16 more (19 total)

Network Traffic to Active Directory Web Services Protocol source: The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and…
Windows Detect Network Scanner Behavior source: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote…
Windows File Transfer Protocol In Non-Common Process Path source: The following analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not…
Windows Mail Protocol In Non-Common Process Path source: The following analytic detects a Windows application establishing an SMTP connection from a non-common installation path. It leverages Sysmon EventCode 3 to identify processes not typically associated with email clients (e.g., Thunderbird,…
Windows Network Connection From Program In Suspect Location source: The following analytic detects network connections from processes running out of suspicious Windows directories such as Recycle Bin, Public, PerfLogs, systemprofile, Fonts, IME, and Addins paths. This activity is significant because…
Windows Potential Cloudflared Network Connection source: This analytic detects network connection events possibly associated with the Cloudflared tool, a tool used to create tunnels via Cloudflare. Cloudflared is functionally very similar to ngrok, an ingress-as-a-service tool. It reaches out to…
Windows Suspect Process With Authentication Traffic source: The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network…
Windows Remote Desktop Network Bruteforce Attempt source: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that…
Network Connection with Suspicious Folder (Sysmon) source: Detects potential downloads to suspicious file locations like temp, appdata, and downloads
Potential CVE-2024-21413: Outbound SMB from Outlook (Sysmon) source: A critical vulnerability CVE-2024-21413 in Microsoft Outlook, discovered by Check Point, enables remote code execution from merely opening an email containing malicious links, bypassing Outlook's Protected View. This flaw, exploitable…
Potential network connection with CVE-2023-21554 (Sysmon) source: Exploitation of CVE-2023-21554 (aka. QueueJumper), allow unauthorized attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe by reaching the TCP port 1801.
Process Connection to Mega - Windows (Sysmon) source: Mega is a cloud storage service used by many threat actors due to its use of end-to-end encryption and semi-anonymous payment options. The client application MEGAsync.exe and command-line interface utility MegaCMD allow threat actors to…
RDP Connection (Sysmon) source: This use case looks for when an RDP network connection has been established
Script Connected to External Destination - Windows (Sysmon) source: Adversaries may use scripts to connect to external locations for C2 communications, downloading and executing payloads, data exfiltration, or redirection. This use case detects when a Windows script interpreter (wscript, cscript, mshta,…
Unexpected Network Connection from System Process (Sysmon) source: Threat actors may abuse legitimate system processes that typically lack network functionality to perform malicious network activity, helping evade detection and blend in with normal system behavior. This technique is often associated with…
wuauclt.exe Network Connection (Sysmon) source: wuauclt.exe is the Windows Update client. It can be abused to proxy execution of malicious code as documented in the LOLBAS project. This use case detects network connection events with wuauclt.exe. Connections to Microsoft-owned IPs are…

Kusto # view in coverage

Log4j vulnerability exploit aka Log4Shell IP IOC source high: Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
Zinc Actor IOCs files - October 2022 source high: Identifies a match across filename and commandline IOC's related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/↳ also matches Event ID 1: Process creation
Suspicious office child process created source: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process this is reported as suspicious.↳ also matches Event ID 1: Process creation, Event ID 11: FileCreate

Show 10 more (13 total)

Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports source: Below query detects suspicious beaconing activity by analyzing DeviceNetworkEvents Aggregated Reports telemetry. Use it as a starting point and refine further as it may generate too many results.
Suspicious Network Beacons - Microsoft Defender(MDE/M365D) source: Below query detects suspicious beaconing activity by analyzing DeviceNetworkEvents data.
Suspicious Network Beacons - Sysmon source: Below query detects suspicious beaconing activity by analyzing Sysmon network connection events.
Suspicious Network Connections - Supply Chain Attack source: Below query detects unusual network conenctions from servers that have 3rd party software installed.
You can further improve the query by using a list of servers that have privileges across the whole domain.
Spearphishing Attachment: ISO Images (Microsoft Sentinel) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers.
Installation from an iso file don't require network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. Below queries detects opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image.
All detections can be used seperately or combined together to generate a higher fidelity alert. WARNING: Check your Sysmon parsing functions and verify you have the logs. Using "Rendered Description" field for parsing causes parsing issues for registry events. Detect opening of a mounted image:↳ also matches Event ID 1: Process creation, Event ID 11: FileCreate, Event ID 13: RegistryEvent (Value Set)
Server Network Connection Anomalies source: Servers have a specific baseline. This makes it easy to create a baseline and detect anomalies.
Below queries analyze the network connections made by the specified servers and detects the rare/anomalous ones.
You can add process info to the analysis, but it will probably generate more results(different processes for the same IP).
Detect CVE exploits on network for which a device is vulnerable source: This detection query can be used to find specific CVE exploits passing on the wire for which the device is vulnerable. This query should have a very high TP rate, and can be considered as a 'High severity' query.
Hunt for public facing devices via DeviceNetworkEvents source: Find public facing devices via the DeviceNetworkEvents table.
Hunt for Defender for Identity NNR issues source: This query can help you in finding Network Name Resolution health issues of Microsoft Defender for Identity. NNR is a critical component which is used to get more information on IP addresses seen by MDI. Without NNR proparly working, MDI can throw a lot of False Positive alerts.
Hunt MDE with GSA events source: This rule correlates the Microsoft Defender for Endpoint DeviceNetworkEvents table with the Global Secure Access NetworkAccessTraffic table. By doing this, you can enrich the MDE events which contains detailed process information with the GSA events that contains detailed HTTP header information and more.

YARA-L # view in coverage

Potential Remote PowerShell Session Initiated source: Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicates a remote PowerShell connection.
High Risk User Download Executable From Macro source: Executable downloaded by Microsoft Excel by user with GCP entity relationship
Network Traffic To Specific Country source: Identify network traffic based on target country

Show 11 more (14 total)

Suspicious ASN source: Identify network traffic based on a specific ASN
Suspicious ASN Watchlist source: Identify any network connections to a list of ASNs
GCTI Benign Binaries Contacts Tor Exit Node source: Alert on Benign Binary contacting a TOR IP
GCTI Tor Exit Nodes source: Alert traffic destined for known Tor exit nodes
Google Safebrowsing File Contacts Tor Exit Node source: A malicious file contacting a known Tor Exit Node.
IOC IP Target source: Detect network events that indicate communication to a watchlisted IP address
IP Target Prevalence source: Detect events that are communicating to IP addresses that have a low rolling max prevalence.
Network Connection First Seen In Past Day source: Detect network connection to an ip address that was only seen for the first time in the past 24 hours
VT Relationships File Contacts IP source: Alert on known Hash contacting known IP with VT Relationships
VT Relationships File Contacts Tor IP source: Alert on known Hash contacting Tor IP with VT Relationships.
WHOIS Recently Created Domain Access source: Detects access attempts to a newly created domain via WHOIS enrichment.

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-3-network-connection
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-3.yml
NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection

Event ID 4: Sysmon service state changed

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Olaf Hartong, others)
Task: Sysmon service state changed
Opcode: Info

Description

The service state change event reports the state of the Sysmon service (started or stopped).

Message #

Sysmon service state changed:
UtcTime: %1
State: %2
Version: %3
SchemaVersion: %4

Fields #

Name	Description	Rules
`UtcTime` UnicodeString	Time in UTC when event was created
`State` UnicodeString	Sysmon service state (i.e. stopped) Known values `Started` Sysmon driver / service began collecting events. `Stopped` Sysmon driver / service stopped collecting events; a pairing 4 with State=Stopped immediately followed by State=Started indicates a config reload or driver restart.	2 detection rules
`Version` UnicodeString	Sysmon version
`SchemaVersion` UnicodeString	Sysmon config schema version

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 4,
    "version": 3,
    "level": 4,
    "task": 4,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T13:41:34.1645578+00:00",
    "event_record_id": 6120906,
    "correlation": {},
    "execution": {
      "process_id": 3872,
      "thread_id": 5252
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UtcTime": "2026-06-13 13:41:34.151",
    "State": "Started",
    "Version": "15.20",
    "SchemaVersion": "4.91"
  },
  "message": "Sysmon service state changed:\r\nUtcTime: 2026-06-13 13:41:34.151\r\nState: Started\r\nVersion: 15.20\r\nSchemaVersion: 4.91"
}

Detection Patterns #

Execution: User Execution

1 rule

Kusto

Suspicious Process Injection from Office application (source)

Stealth: Hide Artifacts

Sysmon Event ID 4: Sysmon service state changedOREvent ID 16: ServiceConfigurationChange

1 rule

Sigma

Sysmon Configuration Modification (source)

frack113

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`parent_process_name`	in	`excel.exe`	1 rule	kusto, splunk
`parent_process_name`	in	`powerpnt.exe`	1 rule	kusto, splunk
`parent_process_name`	in	`winword.exe`	1 rule	kusto, splunk

References #

Event ID 5: Process terminated

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: Process terminated (rule: ProcessTerminate)
Opcode: Info

Description

The **process terminate** event reports when a process terminates. It provides the UtcTime, ProcessGuid and ProcessId of the process.

Message #

Process terminated:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
User: %6

Fields #

Name	Description
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that terminated
`ProcessId` UInt32	Process ID used by the OS to identify the process that terminated
`Image` UnicodeString	File path of the process that terminated
`User` UnicodeString	Name of the account that terminated the process.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 5,
    "version": 3,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:29.7402157+00:00",
    "event_record_id": 17612823,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:09:29.726",
    "ProcessGuid": "{8a99384c-6499-6a2d-a205-000000001000}",
    "ProcessId": "7704",
    "Image": "C:\\ludus\\background\\bginfo.exe",
    "User": "cell-c\\domainadmin"
  },
  "message": "Process terminated:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:29.726\r\nProcessGuid: {8a99384c-6499-6a2d-a205-000000001000}\r\nProcessId: 7704\r\nImage: C:\\ludus\\background\\bginfo.exe\r\nUser: cell-c\\domainadmin"
}

Detection Patterns #

Security-Auditing Event ID 4688: A new process has been created.OREvent ID 4689: A process has exited.ORSysmon Event ID 1: Process creationOREvent ID 5: Process terminated

12 rules

Kusto

SUNBURST suspicious SolarWinds child processes (Normalized Process Events) (source)

Yuval Naor

Base64 encoded Windows process command-lines (Normalized Process Events) (source)

Yuval Naor

Process Creation with Suspicious CommandLine Arguments (source)

Sysmon Event ID 4: Sysmon service state changedOREvent ID 5: Process terminatedOREvent ID 8: CreateRemoteThread

Execution: User Execution

1 rule

Kusto

Suspicious Process Injection from Office application (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`CommandLine`	contains	`-r`	2 rules	kusto, sigma
`CommandLine`	contains	`-s`	2 rules	elastic, kusto, sigma, splunk
`CommandLine`	contains	`-exclusionpath`	1 rule	kusto
`CommandLine`	contains	`-k gpsvcgroup`	1 rule	kusto
`CommandLine`	contains	`-q`	1 rule	kusto, sigma, splunk
`CommandLine`	contains	`-s gpsvc`	1 rule	kusto
`CommandLine`	contains	`/set`	1 rule	kusto, splunk
`CommandLine`	contains	`accepteula`	1 rule	kusto, sigma, splunk
`CommandLine`	contains	`advfirewall`	1 rule	kusto, sigma
`CommandLine`	contains	`delete`	1 rule	kusto, sigma, splunk
`CommandLine`	contains	`execute`	1 rule	kusto, sigma
`CommandLine`	contains	`onstart`	1 rule	kusto, sigma
`CommandLine`	contains	`regread`	1 rule	kusto, sigma
`CommandLine`	contains	`sdelete`	1 rule	kusto
`EventType`	eq	`ProcessCreated`	2 rules	kusto

Detection Rules #

Splunk # view in coverage

High Process Termination Frequency source: The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second…
Windows Processes Killed By Industroyer2 Malware source: The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like "PServiceControl.exe" and "PService_PPD.exe" are killed. This activity is…

References #

Event ID 6: Driver loaded

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Olaf Hartong, others)
Task: Driver loaded (rule: DriverLoad)
Opcode: Info

Description

The **driver loaded** events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading.

Message #

Driver loaded:
RuleName: %1
UtcTime: %2
ImageLoaded: %3
Hashes: %4
Signed: %5
Signature: %6
SignatureStatus: %7

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`ImageLoaded` UnicodeString	Full path of the driver loaded	370 detection rules
`Hashes` UnicodeString	Hashes captured by Sysmon driver	5259 detection rules
`Signed` UnicodeString	Whether the loaded driver is signed
`Signature` UnicodeString	The signer	2 detection rules
`SignatureStatus` UnicodeString	Status of the signature (i.e. valid)

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 6,
    "version": 4,
    "level": 4,
    "task": 6,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T13:42:26.1541821+00:00",
    "event_record_id": 6170407,
    "correlation": {},
    "execution": {
      "process_id": 3872,
      "thread_id": 5268
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 13:41:41.166",
    "ImageLoaded": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26050.15-0\\Drivers\\WdNisDrv.sys",
    "Hashes": "SHA1=F34854FEBF0D58F5F9C2F3081DA0C384E031CC48,MD5=D91B0982401E5C29F1E584228A774142,SHA256=8F98F2093E6373F1D275AAD30D9EF08ECFCE453F6ED02243FD284BDB6012377E,IMPHASH=FBF34F374D5BBC52DBDD4925A27836EF",
    "Signed": "true",
    "Signature": "Microsoft Windows",
    "SignatureStatus": "Valid"
  },
  "message": "Driver loaded:\r\nRuleName: -\r\nUtcTime: 2026-06-13 13:41:41.166\r\nImageLoaded: C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26050.15-0\\Drivers\\WdNisDrv.sys\r\nHashes: SHA1=F34854FEBF0D58F5F9C2F3081DA0C384E031CC48,MD5=D91B0982401E5C29F1E584228A774142,SHA256=8F98F2093E6373F1D275AAD30D9EF08ECFCE453F6ED02243FD284BDB6012377E,IMPHASH=FBF34F374D5BBC52DBDD4925A27836EF\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`DriverLoad`	2 rules	kusto
`Hashes`	contains	`imphash=28dc68bb6d6bf4f6b2db8dd7588b2511`	2 rules	sigma
`Hashes`	contains	`imphash=45bfe170e0cd654bc1e2ae3fca3ac3f4`	2 rules	sigma
`Hashes`	contains	`imphash=821d74031d3f625bcbd0df08b70f1e77`	2 rules	sigma
`Hashes`	contains	`imphash=d41fa95d4642dc981f10de36f4dc8cd7`	2 rules	sigma
`Hashes`	contains	`imphash=f86759bb4de4320918615dc06e998a39`	2 rules	sigma
`ImageLoaded`	contains	`\temp\`	1 rule	sigma
`ImageLoaded`	ends_with	`\kprocesshacker.sys`	2 rules	sigma
`ImageLoaded`	ends_with	`\winring0.sys`	2 rules	sigma
`process_id`	eq	`4`	2 rules	elastic
`dcount_DeviceId`	le	`5`	1 rule	kusto
`dll.code_signature.exists`	eq	`false`	1 rule	elastic
`dll.code_signature.trusted`	eq	`false`	1 rule	elastic
`is_driver`	eq	`TRUE`	1 rule	splunk

Detection Rules #

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 7: Image loaded

Sigma # view in coverage

Malicious Driver Load source high: Detects loading of known malicious drivers via their hash.
Malicious Driver Load By Name source medium: Detects loading of known malicious drivers via the file name of the drivers.
PUA - Process Hacker Driver Load source high: Detects driver load of the Process Hacker tool

Show 7 more (10 total)

PUA - System Informer Driver Load source medium: Detects driver load of the System Informer tool
Driver Load From A Temporary Directory source high: Detects a driver load from a temporary directory
Vulnerable Driver Load source high: Detects loading of known vulnerable drivers via their hash.
Vulnerable Driver Load By Name source low: Detects the load of known vulnerable drivers via the file name of the drivers.
Vulnerable HackSys Extreme Vulnerable Driver Load source high: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
Vulnerable WinRing0 Driver Load source high: Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
WinDivert Driver Load source high: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

Elastic # view in coverage

Untrusted Driver Loaded source high: Identifies an untrusted driver loaded by the Windows kernel. Adversaries may modify code signing policies to enable execution of unsigned or self-signed kernel code.
Expired or Revoked Driver Loaded source medium: Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.

Splunk # view in coverage

Windows Drivers Loaded by Signature source: The following analytic identifies all drivers being loaded on Windows systems using Sysmon EventCode 6 (Driver Load). It leverages fields such as driver path, signature status, and hash to detect potentially suspicious drivers. This…
Windows Suspicious Driver Loaded Path source: The following analytic detects the loading of drivers from suspicious paths, which is a technique often used by malicious software such as coin miners (e.g., xmrig). It leverages Sysmon EventCode 6 to identify drivers loaded from…
Windows Vulnerable Driver Loaded source: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Sysmon EventCode 6 to identify driver loading events and…

Show 2 more (5 total)

XMRIG Driver Loaded source: The following analytic detects the installation of the XMRIG coinminer driver on a system. It identifies the loading of the WinRing0x64.sys driver, commonly associated with XMRIG, by analyzing Sysmon EventCode 6 logs for specific…
Driver Loaded from Unusual Path - Windows (Sysmon) source: Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating…

Kusto # view in coverage

Microsoft Recommended Driver Block List source: The query below detects loading or creation of a vulnerable driver that is listed in the Microsoft recommended driver block rules.
Suspicious Driver Load source: Below query detects suspicious(unusual/rare) driver loads. Further checks are required on detected files to confirm malicious activity.

References #

Event ID 7: Image loaded

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (Olaf Hartong, others)
Task: Image loaded (rule: ImageLoad)
Opcode: Info

Description

The **image loaded** event logs when a module is loaded in a specific process. This event is disabled by default and needs to be configured with the -l option. It indicates the process in which the module is loaded, hashes and signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading. This event should be configured carefully, as monitoring all image load events will generate a large number of events.

Message #

Image loaded:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
ImageLoaded: %6
FileVersion: %7
Description: %8
Product: %9
Company: %10
OriginalFileName: %11
Hashes: %12
Signed: %13
Signature: %14
SignatureStatus: %15
User: %16

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that loaded the image
`ProcessId` UInt32	Process ID used by the OS to identify the process that loaded the image
`Image` UnicodeString	File path of the process that loaded the image	515 detection rules
`ImageLoaded` UnicodeString	Full path of the image loaded	998 detection rules
`FileVersion` UnicodeString	Version of the image loaded
`Description` UnicodeString	Description of the image loaded	6 detection rules
`Product` UnicodeString	Product name that the loaded image belongs to	4 detection rules
`Company` UnicodeString	Company name that the loaded image belongs to	5 detection rules
`OriginalFileName` UnicodeString	Original file name from the PE header, useful for detecting renamed modules	29 detection rules
`Hashes` UnicodeString	Hash of the file contents using the algorithms specified in the HashType field	18 detection rules
`Signed` UnicodeString	Is the image loaded signed	26 detection rules
`Signature` UnicodeString	The signer	5 detection rules
`SignatureStatus` UnicodeString	Status of the signature (i.e. valid)	19 detection rules
`User` UnicodeString	Name of the account that loaded the image.	3 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 7,
    "version": 3,
    "level": 4,
    "task": 7,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:29.7375531+00:00",
    "event_record_id": 17612821,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:09:29.726",
    "ProcessGuid": "{8a99384c-6499-6a2d-a205-000000001000}",
    "ProcessId": "7704",
    "Image": "C:\\ludus\\background\\bginfo.exe",
    "ImageLoaded": "C:\\Windows\\SysWOW64\\CoreMessaging.dll",
    "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
    "Description": "Microsoft CoreMessaging Dll",
    "Product": "Microsoft® Windows® Operating System",
    "Company": "Microsoft Corporation",
    "OriginalFileName": "CoreMessaging.dll",
    "Hashes": "SHA1=3461F4349EF97F0FDE633219894DA0F67F4A69BC,MD5=A8D1AC93678A40577CD19E7561D7A714,SHA256=7BF17030A0FFABA28D8322D466718DE8CF499CD1B72B7D7B50543E6D93914998,IMPHASH=345E67613280BA4F965702CB83E693FE",
    "Signed": "true",
    "Signature": "Microsoft Windows",
    "SignatureStatus": "Valid",
    "User": "cell-c\\domainadmin"
  },
  "message": "Image loaded:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:29.726\r\nProcessGuid: {8a99384c-6499-6a2d-a205-000000001000}\r\nProcessId: 7704\r\nImage: C:\\ludus\\background\\bginfo.exe\r\nImageLoaded: C:\\Windows\\SysWOW64\\CoreMessaging.dll\r\nFileVersion: 10.0.20348.1 (WinBuild.160101.0800)\r\nDescription: Microsoft CoreMessaging Dll\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: CoreMessaging.dll\r\nHashes: SHA1=3461F4349EF97F0FDE633219894DA0F67F4A69BC,MD5=A8D1AC93678A40577CD19E7561D7A714,SHA256=7BF17030A0FFABA28D8322D466718DE8CF499CD1B72B7D7B50543E6D93914998,IMPHASH=345E67613280BA4F965702CB83E693FE\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid\r\nUser: cell-c\\domainadmin"
}

Detection Patterns #

5 rules

Elastic

Suspicious WMIC XSL Script Execution (source)

Elastic

Veeam Backup Library Loaded by Unusual Process (source)

Elastic

Elastic

Sysmon Event ID 7: Image loaded→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

Xsl Script Execution

4 rules

Elastic

Veeam Backup Library Loaded by Unusual Process (source)

Elastic

Elastic

Potential Command and Control via Internet Explorer (source)

Elastic

Sysmon Event ID 7: Image loaded→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 3: Network connection

Xsl Script Execution

3 rules

Elastic

Potential Command and Control via Internet Explorer (source)

Elastic

Suspicious WMIC XSL Script Execution (source)

Elastic

Elastic

Sysmon Event ID 7: Image loaded→Event ID 3: Network connection

2 rules

Elastic

Outbound Scheduled Task Activity via PowerShell (source)

Elastic

Potential Enumeration via Active Directory Web Service (source)

Elastic

Stealth: DLL

Defender-DeviceImageLoadEvents any: Image loadORSysmon Event ID 7: Image loaded

1 rule

Kusto

DLL Hijacking: Loading from an Unusual Directory (source)

Cyb3rMonk

Show All Detection Patterns

Execution: Exploitation for Client Execution

Sysmon Event ID 7: Image loadedANDEvent ID 22: DNSEvent

1 rule

Splunk

Sunburst Correlation DLL and Network Event (source)

Patrick Bareiss, Splunk

Persistence: Create or Modify System Process

Sysmon Event ID 1: Process creationANDEvent ID 7: Image loaded

1 rule

Kusto

COM Event System Loading New DLL (source)

Shain

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Signed`	eq	`false`	9 rules	sigma, splunk
`Image`	ends_with	`\excel.exe`	8 rules	sigma
`Image`	ends_with	`\outlook.exe`	7 rules	sigma
`Image`	ends_with	`\winword.exe`	7 rules	sigma
`Image`	ends_with	`\powerpnt.exe`	6 rules	sigma
`Image`	ends_with	`\rundll32.exe`	6 rules	sigma
`Image`	ends_with	`\mspub.exe`	5 rules	sigma
`Image`	ends_with	`\onenote.exe`	5 rules	sigma
`Image`	ends_with	`\onenoteim.exe`	5 rules	sigma
`ImageLoaded`	ends_with	`.dll`	6 rules	sigma, splunk
`ImageLoaded`	ends_with	`\dbgcore.dll`	6 rules	sigma
`ImageLoaded`	ends_with	`\dbghelp.dll`	6 rules	sigma
`EventType`	eq	`load`	5 rules	elastic
`event.category`	eq	`library`	5 rules	elastic
`event.category`	eq	`process`	5 rules	elastic

Community Notes #

Image loaded. Generated when a process loads a DLL into memory, ie, side-loading.

Detection Rules #

Sysmon Event ID 8: CreateRemoteThreadORThreat-Intelligence Event ID 1: Remote Virtual Memory AllocationOREvent ID 3: Remote Section MapOREvent ID 4: Remote APC QueueOREvent ID 5: Remote Thread Context Change

Sigma # view in coverage

Clfs.SYS Loaded By Process Located In a Potential Suspicious Location source medium: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.
DLL Loaded From Suspicious Location Via Cmspt.EXE source high: Detects cmstp loading "dll" or "ocx" files from suspicious locations
Amsi.DLL Loaded Via LOLBIN Process source medium: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack

Show 17 more (123 total)

Potential Azure Browser SSO Abuse source low: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
Suspicious Renamed Comsvcs DLL Loaded By Rundll32 source high: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
CredUI.DLL Loaded By Uncommon Process source medium: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded source high: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
PCRE.NET Package Image Load source high: Detects processes loading modules related to PCRE.NET package
Load Of RstrtMgr.DLL By A Suspicious Process source high: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
Load Of RstrtMgr.DLL By An Uncommon Process source low: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE source high: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
PowerShell Core DLL Loaded By Non PowerShell Process source medium: Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
Time Travel Debugging Utility Usage - Image source high: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Unsigned .node File Loaded source medium: Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
Suspicious Volume Shadow Copy VSS_PS.dll Load source high: Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts. The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
Suspicious Volume Shadow Copy Vssapi.dll Load source high: Detects the image load of VSS DLL by uncommon executables
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load source medium: Detects the image load of VSS DLL by uncommon executables
HackTool - SharpEvtMute DLL Load source high: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
HackTool - SILENTTRINITY Stager DLL Load source high: Detects SILENTTRINITY stager dll loading activity
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load source critical: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

Elastic # view in coverage

Untrusted DLL Loaded by Azure AD Connect Authentication Agent source high: Identifies the load of an untrusted DLL by the Azure AD Connect Authentication Agent, which may indicate an attempt to persist or intercept credentials passing through the Pass-through Authentication service.
Suspicious Module Loaded by LSASS source medium: Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
Potential Credential Access via Renamed COM+ Services DLL source high: Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.

Show 10 more (13 total)

Potential Windows Session Hijacking via CcmExec source medium: This detection rule identifies when 'SCNotification.exe' loads an untrusted DLL, which is a potential indicator of an attacker attempt to hijack/impersonate a Windows user session.
Unsigned DLL Side-Loading from a Suspicious Folder source medium: Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.
WPS Office Exploitation via DLL Hijack source high: Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the successful exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process source high: Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL) or spawning a suspicious child process such as cmd, PowerShell, or rundll32. This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious SQLite extensions and achieve remote code execution.
Unsigned DLL Loaded by Svchost source medium: Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.
Suspicious DLL Loaded for Persistence or Privilege Escalation source high: Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.
Compression DLL Loaded by Unusual Process source low: Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration.
Unsigned DLL Loaded by a Trusted Process source low: Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process.
Image Loaded with Invalid Signature source low: Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a signed binary.
Potential Masquerading as VLC DLL source low: Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate applications to deceive machine learning algorithms by incorporating authentic and benign code.

Splunk # view in coverage

CMLUA Or CMSTPLUA UAC Bypass source: The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by…
Loading Of Dynwrapx Module source: The following analytic detects the loading of the dynwrapx.dll module, which is associated with the DynamicWrapperX ActiveX component. This detection leverages Sysmon EventCode 7 to identify processes that load or register dynwrapx.dll.…
MS Scripting Process Loading Ldap Module source: The following analytic detects the execution of MS scripting processes (wscript.exe or cscript.exe) loading LDAP-related modules (Wldap32.dll, adsldp.dll, adsldpc.dll). It leverages Sysmon EventCode 7 to identify these specific DLL loads.…

Show 17 more (37 total)

MS Scripting Process Loading WMI Module source: The following analytic detects the loading of WMI modules by Microsoft scripting processes like wscript.exe or cscript.exe. It leverages Sysmon EventCode 7 to identify instances where these scripting engines load specific WMI-related DLLs.…
MSI Module Loaded by Non-System Binary source: The following analytic detects the loading of msi.dll by a binary not located in system32, syswow64, winsxs, or windows directories. This is identified using Sysmon EventCode 7, which logs DLL loads, and filters out legitimate…
Spoolsv Suspicious Loaded Modules source: The following analytic detects the suspicious loading of DLLs by spoolsv.exe, potentially indicating PrintNightmare exploitation. It leverages Sysmon EventCode 7 to identify instances where spoolsv.exe loads multiple DLLs from the Windows…
UAC Bypass MMC Load Unsigned Dll source: The following analytic detects the loading of an unsigned DLL by the MMC.exe application, which is indicative of a potential UAC bypass or privilege escalation attempt. It leverages Sysmon EventCode 7 to identify instances where MMC.exe…
UAC Bypass With Colorui COM Object source: The following analytic detects a potential UAC bypass using the colorui.dll COM Object. It leverages Sysmon EventCode 7 to identify instances where colorui.dll is loaded by a process other than colorcpl.exe, excluding common system…
Wbemprox COM Object Execution source: The following analytic detects a suspicious process loading a COM object from wbemprox.dll, fastprox.dll, or wbemcomn.dll. It leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes not typically…
Windows BitDefender Submission Wizard DLL Sideloading source: Detects DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path via Sysmon ImageLoad events.
Windows Credentials Access via VaultCli Module source: The following analytic detects potentially abnormal interactions with VaultCLI.dll, particularly those initiated by processes located in publicly writable Windows folder paths. The VaultCLI.dll module allows processes to extract…
Windows Devtunnels Image Loaded source: Detects image load events associated with Microsoft Devtunnels usage. Microsoft Devtunnels is a feature within Visual Studio that allows developers to expose their local development environment to the internet via secure, temporary…
Windows DLL Module Loaded in Temp Dir source: The following analytic detects instances where a Dynamic Link Library (DLL) is loaded from a temporary directory on a Windows system. Loading DLLs from non-standard paths such as %TEMP% is uncommon for legitimate applications and is often…
Windows DLL Search Order Hijacking Hunt with Sysmon source: The following analytic identifies potential DLL search order hijacking or DLL sideloading by detecting known Windows libraries loaded from non-standard directories. It leverages Sysmon EventCode 7 to monitor DLL loads and cross-references…
Windows DLL Side-Loading In Calc source: The following analytic detects the loading of the "WindowsCodecs.dll" by calc.exe from a non-standard location This could be indicative of a potential DLL side-loading technique. This detection leverages Sysmon EventCode 7 to identify the…
Windows Executable in Loaded Modules source: The following analytic identifies instances where executable files (.exe) are loaded as modules, detected through 'ImageLoaded' events in Sysmon logs. This method leverages Sysmon EventCode 7 to track unusual module loading behavior, which…
Windows Gather Victim Identity SAM Info source: The following analytic detects processes loading the samlib.dll or samcli.dll modules, which are often abused to access Security Account Manager (SAM) objects or credentials on domain controllers. This detection leverages Sysmon EventCode…
Windows Hijack Execution Flow Version Dll Side Load source: The following analytic detects a process loading a version.dll file from a directory other than %windir%\system32 or %windir%\syswow64. This detection leverages Sysmon EventCode 7 to identify instances where an unsigned or improperly…
Windows Input Capture Using Credential UI Dll source: The following analytic detects a process loading the credui.dll or wincredui.dll module. This detection leverages Sysmon EventCode 7 to identify instances where these DLLs are loaded by processes outside typical system directories. This…
Windows InstallUtil Credential Theft source: The following analytic detects instances where the Windows InstallUtil.exe binary loads vaultcli.dll and Samlib.dll. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because…

Kusto # view in coverage

Hijack Execution Flow - DLL Side-Loading source medium: This detection tries to identify all DLLs loaded by "high integrity" processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process. Of course, we need to do some magic to filter out false positives as much as possible. So any FileCreate/FileModify done by "NT Authoriy\System" and the "RID 500" users aren't interesting. Also, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token elevation. If done with a full elevated token, the user is apparently admin already.
Detect .NET runtime being loaded in JScript for code execution source medium: This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter. All based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript.
Regsvr32 Rundll32 Image Loads Abnormal Extension source high: This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll. Joins the data to public network events. References: https://threathunt.blog/running-live-malware-for-threat-hunting-purposes/

Show 3 more (6 total)

PowerShell without powershell.exe source: This query detects the use of PowerShell through "system.management.automation.dll" which is invoked by a process with a low global prevalence (i.e., fairly unique binary).
Suspicious use of CPL file source: This query identifies .cpl files being loaded and verifies if the corresponding file is suspicious by looking at the signature and global prevalence.
WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation.↳ also matches Event ID 2: A process changed a file creation time, Event ID 11: FileCreate

YARA-L # view in coverage

GCTI Remote Access Tools source: Alert process and file create events that are associated with hashes from the GCTI Remote Access Tool list↳ also matches Event ID 1: Process creation, Event ID 11: FileCreate, Event ID 17: PipeEvent (Pipe Created), Event ID 18: PipeEvent (Pipe Connected)

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-7-image-loaded
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-7.yml
NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection

Event ID 8: CreateRemoteThread

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: CreateRemoteThread detected (rule: CreateRemoteThread)
Opcode: Info

Description

The **CreateRemoteThread** event detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes. The event indicates the source and target process. It gives information on the code that will be run in the new thread: StartAddress, StartModule and StartFunction. Note that StartModule and StartFunction fields are inferred, they might be empty if the starting address is outside loaded modules or known exported functions.

Message #

CreateRemoteThread detected:
RuleName: %1
UtcTime: %2
SourceProcessGuid: %3
SourceProcessId: %4
SourceImage: %5
TargetProcessGuid: %6
TargetProcessId: %7
TargetImage: %8
NewThreadId: %9
StartAddress: %10
StartModule: %11
StartFunction: %12
SourceUser: %13
TargetUser: %14

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`SourceProcessGuid` GUID	Process GUID of the source process that created a thread in another process
`SourceProcessId` UInt32	Process ID used by the OS to identify the source process that created a thread in another process
`SourceImage` UnicodeString	File path of the source process that created a thread in another process	114 detection rules
`TargetProcessGuid` GUID	Process GUID of the target process
`TargetProcessId` UInt32	Process ID used by the OS to identify the target process
`TargetImage` UnicodeString	File path of the target process	107 detection rules
`NewThreadId` UInt32	ID of the new thread created in the target process
`StartAddress` UnicodeString	New thread start address	3 detection rules
`StartModule` UnicodeString	Module where the new thread starts execution, resolved from the thread start address	1 detection rule
`StartFunction` UnicodeString	Exported function where the new thread starts, if the start address matches a known export	4 detection rules
`SourceUser` UnicodeString	Name of the account of the source process that created a thread in another process.
`TargetUser` UnicodeString	Name of the account of the target process

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 8,
    "version": 2,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:08:51.1140624+00:00",
    "event_record_id": 17610309,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:08:51.101",
    "SourceProcessGuid": "{8a99384c-e939-6a2c-5900-000000001000}",
    "SourceProcessId": "4028",
    "SourceImage": "C:\\Tools\\RPCFW_2.2.5\\rpcFwManager.exe",
    "TargetProcessGuid": "{8a99384c-6471-6a2d-a005-000000001000}",
    "TargetProcessId": "7864",
    "TargetImage": "C:\\Windows\\System32\\wsmprovhost.exe",
    "NewThreadId": "8000",
    "StartAddress": "0x00007FF9A37401F0",
    "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL",
    "StartFunction": "LoadLibraryA",
    "SourceUser": "NT AUTHORITY\\SYSTEM",
    "TargetUser": "cell-c\\domainadmin"
  },
  "message": "CreateRemoteThread detected:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:08:51.101\r\nSourceProcessGuid: {8a99384c-e939-6a2c-5900-000000001000}\r\nSourceProcessId: 4028\r\nSourceImage: C:\\Tools\\RPCFW_2.2.5\\rpcFwManager.exe\r\nTargetProcessGuid: {8a99384c-6471-6a2d-a005-000000001000}\r\nTargetProcessId: 7864\r\nTargetImage: C:\\Windows\\System32\\wsmprovhost.exe\r\nNewThreadId: 8000\r\nStartAddress: 0x00007FF9A37401F0\r\nStartModule: C:\\Windows\\System32\\KERNEL32.DLL\r\nStartFunction: LoadLibraryA\r\nSourceUser: NT AUTHORITY\\SYSTEM\r\nTargetUser: cell-c\\domainadmin"
}

Detection Patterns #

Process Injection

2 rules

Kusto

Process Injection From Untrusted Process (source)

FalconForce

Process Injection Initiated By MMC (source)

FalconForce

Process Injection

Sysmon Event ID 8: CreateRemoteThreadORThreat-Intelligence Event ID 1: Remote Virtual Memory AllocationOREvent ID 2: Remote Virtual Memory Protection ChangeOREvent ID 3: Remote Section MapOREvent ID 4: Remote APC QueueOREvent ID 5: Remote Thread Context ChangeOREvent ID 11: Local Virtual Memory Read

2 rules

Kusto

Process Injection From Untrusted Process (source)

FalconForce

Process Injection Initiated By MMC (source)

FalconForce

Execution: User Execution

Sysmon Event ID 4: Sysmon service state changedOREvent ID 5: Process terminatedOREvent ID 8: CreateRemoteThread

1 rule

Kusto

Suspicious Process Injection from Office application (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`CreateRemoteThreadApiCall`	3 rules	kusto
`EventType`	in	`QueueUserApcRemoteApiCall`	3 rules	kusto
`EventType`	in	`SetThreadContextRemoteApiCall`	3 rules	kusto
`EventType`	in	`NtAllocateVirtualMemoryRemoteApiCall`	2 rules	kusto
`EventType`	in	`NtMapViewOfSectionRemoteApiCall`	2 rules	kusto
`Image`	ends_with	`\powershell.exe`	3 rules	sigma
`Image`	ends_with	`\pwsh.exe`	3 rules	sigma
`Image`	ends_with	`\\rundll32.exe`	2 rules	splunk
`Image`	ends_with	`\excel.exe`	2 rules	sigma
`Image`	ends_with	`\winword.exe`	2 rules	sigma
`TargetImage`	ends_with	`.exe`	2 rules	splunk
`TargetImage`	ends_with	`\lsass.exe`	2 rules	sigma
`TargetImage`	ends_with	`\rundll32.exe`	2 rules	sigma
`TargetImage`	in	`*\\chrome.exe`	2 rules	splunk
`TargetImage`	in	`*\\cmd.exe`	2 rules	splunk

Community Notes #

CreateRemoteThread. Detects some process-injection methods.

Detection Rules #

Sigma # view in coverage

HackTool - CACTUSTORCH Remote Thread Creation source high: Detects remote thread creation from CACTUSTORCH as described in references.
HackTool - Potential CobaltStrike Process Injection source high: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
Remote Thread Created In KeePass.EXE source high: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity

Show 12 more (15 total)

Remote Thread Creation In Mstsc.Exe From Suspicious Location source high: Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
Potential Credential Dumping Attempt Via PowerShell Remote Thread source high: Detects remote thread creation by PowerShell processes into "lsass.exe"
Remote Thread Creation Via PowerShell In Uncommon Target source medium: Detects the creation of a remote thread from a Powershell process in an uncommon target process
Password Dumper Remote Thread in LSASS source high: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Rare Remote Thread Creation By Uncommon Source Image source high: Detects uncommon processes creating remote threads.
Remote Thread Creation By Uncommon Source Image source medium: Detects uncommon processes creating remote threads.
Remote Thread Creation In Uncommon Target Image source medium: Detects uncommon target processes for remote thread creation
Remote Thread Creation Ttdinject.exe Proxy source high: Detects a remote thread creation of Ttdinject.exe used as proxy
Potential Bumblebee Remote Thread Creation source high: Detects remote thread injection events based on action seen used by bumblebee
CreateRemoteThread API and LoadLibrary source medium: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
Remote Thread Creation Via PowerShell source medium: Detects the creation of a remote thread from a Powershell process to another process
Remote Thread Created In Shell Application source medium: Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.

Elastic # view in coverage

Process Injection by the Microsoft Build Engine source low: An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.

Splunk # view in coverage

Create Remote Thread In Shell Application source: The following analytic detects suspicious process injection in command shell applications, specifically targeting cmd.exe and powershell.exe. It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell…
Create Remote Thread into LSASS source: The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in…
Powershell Remote Thread To Known Windows Process source: The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in…

Show 8 more (11 total)

Rundll32 Create Remote Thread To A Process source: The following analytic detects the creation of a remote thread by rundll32.exe into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring SourceImage and TargetImage fields. This activity is significant as it is a…
Rundll32 CreateRemoteThread In Browser source: The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8,…
Windows Process Injection Of Wermgr to Known Browser source: The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring…
Windows Process Injection Remote Thread source: The following analytic detects suspicious remote thread execution in processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to…
Windows Process Injection With Public Source Path source: The following analytic detects a process from a non-standard file path on Windows attempting to create a remote thread in another process. This is identified using Sysmon EventCode 8, focusing on processes not originating from typical…
Rare Remote Thread (Sysmon) source: Rare remote threads are anomalies within an organization and are normally worth looking at. Although these kinds of detections can be false positive prone, they can be utilized as supporting evidence or as a last resort to detect malicious…
Remote Thread Created by Uncommon Process (Sysmon) source: Remote thread creation involves a process initiating a thread within the address space of another process. While this activity can occur during normal system operation, threat actors may abuse remote threads to attempt privilege…
Remote Thread from Suspicious Folder (Sysmon) source: Detects potential remote threads created from suspicious file locations like temp, appdata, and downloads

Kusto # view in coverage

ADWS Connection from Process Injection Target source: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.↳ also matches Event ID 3: Network connection

References #

Event ID 9: RawAccessRead

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (JSCU-NL)
Task: RawAccessRead detected (rule: RawAccessRead)
Opcode: Info

Description

The **RawAccessRead** event detects when a process conducts reading operations from the drive using the .\ denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. The event indicates the source process and target device.

Message #

RawAccessRead detected:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
Device: %6
User: %7

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that conducted reading operations from the drive
`ProcessId` UInt32	Process ID used by the OS to identify the process that conducted reading operations from the drive
`Image` UnicodeString	File path of the process that conducted reading operations from the drive	36 detection rules
`Device` UnicodeString	Target device	5 detection rules
`User` UnicodeString	Name of the account of the process that conducted reading operations from the drive

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 9,
    "version": 2,
    "level": 4,
    "task": 9,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:23:56.8470704+00:00",
    "event_record_id": 16041099,
    "correlation": {},
    "execution": {
      "process_id": 4008,
      "thread_id": 5284
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-b.cell-b.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:23:56.843",
    "ProcessGuid": "{8a99384c-c2a8-6a19-9400-000000000f00}",
    "ProcessId": "6120",
    "Image": "C:\\Windows\\System32\\svchost.exe",
    "Device": "\\Device\\HarddiskVolume1",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": "RawAccessRead detected:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:23:56.843\r\nProcessGuid: {8a99384c-c2a8-6a19-9400-000000000f00}\r\nProcessId: 6120\r\nImage: C:\\Windows\\System32\\svchost.exe\r\nDevice: \\Device\\HarddiskVolume1\r\nUser: NT AUTHORITY\\SYSTEM"
}

Community Notes #

RawAccessRead, may indicate direct disk reads of ntds.dit, SAM, or page files for offline hash extraction.

Detection Rules #

Sysmon Event ID 1: Process creationOREvent ID 10: ProcessAccess

Sigma # view in coverage

Potential Defense Evasion Via Raw Disk Access By Uncommon Tools source low: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts

Splunk # view in coverage

Windows Raw Access To Disk Volume Partition source: The following analytic detects suspicious raw access reads to the device disk partition of a host machine. It leverages Sysmon EventCode 9 logs to identify processes attempting to read or write to the boot sector, excluding legitimate…
Windows Raw Access To Master Boot Record Drive source: The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR). It leverages Sysmon EventCode 9 to identify processes attempting to read or write to the MBR sector, excluding legitimate…

References #

Event ID 10: ProcessAccess

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (JSCU-NL)
Task: Process accessed (rule: ProcessAccess)
Opcode: Info

Description

The **process accessed** event reports when a process opens another process, an operation that's often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. Enabling it can generate significant amounts of logging if there are diagnostic utilities active that repeatedly open processes to query their state, so it generally should only be done so with filters that remove expected accesses.

Message #

Process accessed:
RuleName: %1
UtcTime: %2
SourceProcessGUID: %3
SourceProcessId: %4
SourceThreadId: %5
SourceImage: %6
TargetProcessGUID: %7
TargetProcessId: %8
TargetImage: %9
GrantedAccess: %10
CallTrace: %11
SourceUser: %12
TargetUser: %13

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`SourceProcessGUID` GUID
`SourceProcessId` UInt32	Process ID used by the os to identify the source process that opened another process. Derived partially from the EPROCESS kernel structure
`SourceThreadId` UInt32	ID of the specific thread inside of the source process that opened another process
`SourceImage` UnicodeString	File path of the source process that opened another process	292 detection rules
`TargetProcessGUID` GUID
`TargetProcessId` UInt32	Process ID used by the OS to identify the target process
`TargetImage` UnicodeString	File path of the target process	110 detection rules
`GrantedAccess` HexInt32	The access flags (bitmask) associated with the process rights requested for the target process Process access rights reference	199 detection rules
`CallTrace` UnicodeString	Stack trace of where OpenProcess is called, including the DLL and relative virtual address of each function in the call stack	52 detection rules
`SourceUser` UnicodeString	Name of the account of the source process that opened another process.	6 detection rules
`TargetUser` UnicodeString	Name of the account of the target process

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 10,
    "version": 3,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:58.2417162+00:00",
    "event_record_id": 17614233,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:09:58.226",
    "SourceProcessGUID": "{8a99384c-e93e-6a2c-7000-000000001000}",
    "SourceProcessId": "5508",
    "SourceThreadId": "6764",
    "SourceImage": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
    "TargetProcessGUID": "{8a99384c-e976-6a2c-b900-000000001000}",
    "TargetProcessId": "6984",
    "TargetImage": "C:\\Windows\\System32\\RuntimeBroker.exe",
    "GrantedAccess": "0x1410",
    "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9f3b4|C:\\Windows\\System32\\KERNELBASE.dll+2aafe|C:\\Windows\\system32\\wbem\\cimwin32.dll+e3a5|C:\\Windows\\system32\\wbem\\cimwin32.dll+ea1c|C:\\Windows\\SYSTEM32\\framedynos.dll+4006|C:\\Windows\\SYSTEM32\\framedynos.dll+4e74|C:\\Windows\\system32\\wbem\\wmiprvse.exe+180e|C:\\Windows\\system32\\wbem\\wmiprvse.exe+1420|C:\\Windows\\System32\\RPCRT4.dll+749d3|C:\\Windows\\System32\\RPCRT4.dll+2f745|C:\\Windows\\System32\\combase.dll+c373b|C:\\Windows\\System32\\RPCRT4.dll+58a85|C:\\Windows\\System32\\combase.dll+9e2fd|C:\\Windows\\System32\\combase.dll+9e08e|C:\\Windows\\System32\\combase.dll+c9de6|C:\\Windows\\System32\\combase.dll+658bd|C:\\Windows\\System32\\combase.dll+ba051|C:\\Windows\\System32\\combase.dll+4b4ce|C:\\Windows\\System32\\combase.dll+49f0f|C:\\Windows\\System32\\combase.dll+48839|C:\\Windows\\System32\\RPCRT4.dll+57ff2|C:\\Windows\\System32\\RPCRT4.dll+4762f|C:\\Windows\\System32\\RPCRT4.dll+47258|C:\\Windows\\System32\\RPCRT4.dll+1d1a3",
    "SourceUser": "NT AUTHORITY\\NETWORK SERVICE",
    "TargetUser": "cell-c\\domainadmin"
  },
  "message": "Process accessed:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:58.226\r\nSourceProcessGUID: {8a99384c-e93e-6a2c-7000-000000001000}\r\nSourceProcessId: 5508\r\nSourceThreadId: 6764\r\nSourceImage: C:\\Windows\\system32\\wbem\\wmiprvse.exe\r\nTargetProcessGUID: {8a99384c-e976-6a2c-b900-000000001000}\r\nTargetProcessId: 6984\r\nTargetImage: C:\\Windows\\System32\\RuntimeBroker.exe\r\nGrantedAccess: 0x1410\r\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9f3b4|C:\\Windows\\System32\\KERNELBASE.dll+2aafe|C:\\Windows\\system32\\wbem\\cimwin32.dll+e3a5|C:\\Windows\\system32\\wbem\\cimwin32.dll+ea1c|C:\\Windows\\SYSTEM32\\framedynos.dll+4006|C:\\Windows\\SYSTEM32\\framedynos.dll+4e74|C:\\Windows\\system32\\wbem\\wmiprvse.exe+180e|C:\\Windows\\system32\\wbem\\wmiprvse.exe+1420|C:\\Windows\\System32\\RPCRT4.dll+749d3|C:\\Windows\\System32\\RPCRT4.dll+2f745|C:\\Windows\\System32\\combase.dll+c373b|C:\\Windows\\System32\\RPCRT4.dll+58a85|C:\\Windows\\System32\\combase.dll+9e2fd|C:\\Windows\\System32\\combase.dll+9e08e|C:\\Windows\\System32\\combase.dll+c9de6|C:\\Windows\\System32\\combase.dll+658bd|C:\\Windows\\System32\\combase.dll+ba051|C:\\Windows\\System32\\combase.dll+4b4ce|C:\\Windows\\System32\\combase.dll+49f0f|C:\\Windows\\System32\\combase.dll+48839|C:\\Windows\\System32\\RPCRT4.dll+57ff2|C:\\Windows\\System32\\RPCRT4.dll+4762f|C:\\Windows\\System32\\RPCRT4.dll+47258|C:\\Windows\\System32\\RPCRT4.dll+1d1a3\r\nSourceUser: NT AUTHORITY\\NETWORK SERVICE\r\nTargetUser: cell-c\\domainadmin"
}

Detection Patterns #

Credential Access: DCSync

1 rule

Splunk

Mimikatz (Sysmon) (source)

Defender-DeviceEvents OpenProcessApiCall: Process openedORProcessPrimaryTokenModified: Process primary token modifiedORKernel-Audit-API-Calls Event ID 5: OpenProcess API call auditedORSysmon Event ID 10: ProcessAccess

1 rule

Kusto

LSASS Dumping using Debug Privileges (source)

FalconForce

Stealth: Process Hollowing

Sysmon Event ID 1: Process creation→Event ID 10: ProcessAccess

1 rule

Elastic

Suspicious Process Creation CallTrace (source)

Elastic

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetImage`	ends_with	`\lsass.exe`	14 rules	sigma
`TargetImage`	ends_with	`lsass.exe`	5 rules	splunk
`GrantedAccess`	ends_with	`0x14c2`	4 rules	sigma
`GrantedAccess`	ends_with	`10`	4 rules	sigma
`GrantedAccess`	ends_with	`18`	4 rules	sigma
`GrantedAccess`	ends_with	`1a`	4 rules	sigma
`GrantedAccess`	ends_with	`30`	4 rules	sigma
`GrantedAccess`	ends_with	`38`	4 rules	sigma
`GrantedAccess`	ends_with	`3a`	4 rules	sigma
`GrantedAccess`	ends_with	`50`	4 rules	sigma
`GrantedAccess`	ends_with	`58`	4 rules	sigma
`GrantedAccess`	eq	`0x1fffff`	9 rules	kusto, sigma, splunk
`CallTrace`	contains	`unknown`	5 rules	elastic, sigma
`CallTrace`	contains	`dbgcore.dll`	4 rules	kusto, sigma, splunk
`CallTrace`	contains	`dbghelp.dll`	4 rules	kusto, sigma, splunk

Detection Rules #

Sysmon Event ID 1: Process creationANDEvent ID 11: FileCreate

Sigma # view in coverage

CMSTP Execution Process Access source high: Detects various indicators of Microsoft Connection Manager Profile Installer execution
HackTool - CobaltStrike BOF Injection Pattern source high: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
HackTool - Generic Process Access source high: Detects process access requests from hacktool processes based on their default image name

Show 17 more (30 total)

HackTool - HandleKatz Duplicating LSASS Handle source high: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
HackTool - LittleCorporal Generated Maldoc Injection source high: Detects the process injection of a LittleCorporal generated Maldoc.
HackTool - SysmonEnte Execution source high: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
Lsass Memory Dump via Comsvcs DLL source high: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
LSASS Memory Access by Tool With Dump Keyword In Name source high: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
Potential Credential Dumping Activity Via LSASS source medium: Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
Credential Dumping Activity By Python Based Tool source high: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
Remote LSASS Process Access Through Windows Remote Management source high: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
Suspicious LSASS Access Via MalSecLogon source high: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
Potentially Suspicious GrantedAccess Flags On LSASS source medium: Detects process access requests to LSASS process with potentially suspicious access flags
Credential Dumping Attempt Via WerFault source high: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
LSASS Access From Potentially White-Listed Processes source high: Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
Uncommon Process Access Rights For Target Image source low: Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs source high: Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
Potential Direct Syscall of NtOpenProcess source medium: Detects potential calls to NtOpenProcess directly from NTDLL.
Credential Dumping Attempt Via Svchost source high: Detects when a process tries to access the memory of svchost to potentially dump credentials.
Suspicious Svchost Process Access source high: Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.

Elastic # view in coverage

Potential Credential Access via DuplicateHandle in LSASS source medium: Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.
Suspicious Lsass Process Access source medium: Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.
Potential Credential Access via LSASS Memory Dump source high: Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.

Show 2 more (5 total)

Potential LSASS Memory Dump via PssCaptureSnapShot source high: Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
Suspicious Process Access via Direct System Call source high: Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.

Splunk # view in coverage

Access LSASS Memory for Dump Creation source: The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and…
Detect Credential Dumping through LSASS access source: The following analytic detects attempts to read LSASS memory, indicative of credential dumping. It leverages Sysmon EventCode 10, filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is…
Rubeus Kerberos Ticket Exports Through Winlogon Access source: The following analytic detects a process accessing the winlogon.exe system process, indicative of the Rubeus tool attempting to export Kerberos tickets from memory. This detection leverages Sysmon EventCode 10 logs, focusing on processes…

Show 11 more (14 total)

Spoolsv Suspicious Process Access source: The following analytic detects suspicious process access by spoolsv.exe, potentially indicating exploitation of the PrintNightmare vulnerability (CVE-2021-34527). It leverages Sysmon EventCode 10 to identify when spoolsv.exe accesses…
Windows Access Token Manipulation Winlogon Duplicate Token Handle source: The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is…
Windows Access Token Winlogon Duplicate Handle In Uncommon Path source: The following analytic detects a process attempting to duplicate the handle of winlogon.exe from an uncommon or public source path. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific…
Windows Handle Duplication in Known UAC-Bypass Binaries source: The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by…
Windows Hunting System Account Targeting Lsass source: The following analytic identifies processes attempting to access Lsass.exe, which may indicate credential dumping or applications needing credential access. It leverages Sysmon EventCode 10 to detect such activities by analyzing fields…
Windows Non-System Account Targeting Lsass source: The following analytic identifies non-SYSTEM accounts requesting access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM…
Windows Possible Credential Dumping source: The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to…
Windows Process Injection into Commonly Abused Processes source: The following analytic detects process injection into executables that are commonly abused using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to processes such as notepad.exe, wordpad.exe and…
Windows Process Injection into Notepad source: The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe, excluding common system paths like System32, Syswow64, and…
Windows Terminating Lsass Process source: The following analytic detects a suspicious process attempting to terminate the Lsass.exe process. It leverages Sysmon EventCode 10 logs to identify processes granted PROCESS_TERMINATE access to Lsass.exe. This activity is significant…
Windows WMI Impersonate Token source: The following analytic detects potential WMI token impersonation activities in a process or command. It leverages Sysmon EventCode 10 to identify instances where wmiprvse.exe has a duplicate handle or full granted access in a target…

Kusto # view in coverage

Dumping LSASS Process Into a File source high: Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials. As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. Ref: https://attack.mitre.org/techniques/T1003/001/

YARA-L # view in coverage

Credential Dumping Attempt Via WerFault source: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up
HackTool - Generic Process Access source: Detects process access requests from hacktool processes based on their default image name
LSASS Memory Access by Tool With Dump Keyword In Name source: Detects LSASS process access requests from a source process with the dump keyword in its image name

Show 2 more (5 total)

Lsass Memory Dump via Comsvcs DLL source: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass
Potential Credential Dumping Activity Via LSASS source: Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-10-processaccess
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-10.yml
NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection

Event ID 11: FileCreate

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: File created (rule: FileCreate)
Opcode: Info

Description

**File create** operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.

Message #

File created:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
TargetFilename: %6
CreationUtcTime: %7
User: %8

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that created the file
`ProcessId` UInt32	Process ID used by the OS to identify the process that created the file
`Image` UnicodeString	File path of the process that created the file	473 detection rules
`TargetFilename` UnicodeString	Name of the file	1760 detection rules
`CreationUtcTime` UnicodeString	File creation time	4 detection rules
`User` UnicodeString	Name of the account who created the file	2 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 11,
    "version": 2,
    "level": 4,
    "task": 11,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:34.7524084+00:00",
    "event_record_id": 17613105,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:09:34.741",
    "ProcessGuid": "{8a99384c-e971-6a2c-b200-000000001000}",
    "ProcessId": "6816",
    "Image": "C:\\Windows\\Explorer.EXE",
    "TargetFilename": "C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1024_768_POS1.jpg",
    "CreationUtcTime": "2026-06-13 14:09:34.741",
    "User": "cell-c\\domainadmin"
  },
  "message": "File created:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:34.741\r\nProcessGuid: {8a99384c-e971-6a2c-b200-000000001000}\r\nProcessId: 6816\r\nImage: C:\\Windows\\Explorer.EXE\r\nTargetFilename: C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1024_768_POS1.jpg\r\nCreationUtcTime: 2026-06-13 14:09:34.741\r\nUser: cell-c\\domainadmin"
}

Detection Patterns #

15 rules

Elastic

File with Right-to-Left Override Character (RTLO) Created/Executed (source)

Elastic

Elastic

MS Exchange Mailbox Replication service writing Active Server Pages (source)

Elastic

Splunk

Michael Haag, Splunk

Windows Office Product Dropped Cab or Inf File (source)

Bhavin Patel, Splunk

Michael Haag, Splunk

Sysmon Event ID 11: FileCreate→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

12 rules

Elastic

Elastic

File with Right-to-Left Override Character (RTLO) Created/Executed (source)

Elastic

Elastic

Splunk

Windows Office Product Dropped Cab or Inf File (source)

Bhavin Patel, Splunk

Michael Haag, Splunk

Windows Office Product Dropped Uncommon File (source)

Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github

Security-Auditing Event ID 4663: An attempt was made to access an object.ORSysmon Event ID 11: FileCreate

10 rules

Kusto

SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) (source)

Yaron

SUNBURST and SUPERNOVA backdoor hashes (source)

Google Threat Intelligence - Threat Hunting Hash (source)

(Security-Auditing Event ID 4688: A new process has been created.ANDSysmon Event ID 11: FileCreate)OR(Event ID 1: Process creationANDEvent ID 11: FileCreate)

8 rules

Elastic

Windows Office Product Dropped Cab or Inf File (source)

Elastic

Splunk

Michael Haag, Splunk

Windows Office Product Dropped Uncommon File (source)

Bhavin Patel, Splunk

Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github

Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creationOREvent ID 11: FileCreate

5 rules

Elastic

File with Right-to-Left Override Character (RTLO) Created/Executed (source)

Elastic

Elastic

Elastic

Suspicious writes to windows Recycle Bin (source)

Splunk

Rico Valdez, Splunk

Show All Detection Patterns

Share Access Sysmon

Sysmon Event ID 1: Process creationOREvent ID 11: FileCreate

5 rules

Elastic

Windows Default RDP File Creation By Non MSTSC Process (source)

Elastic

Splunk

Teoderick Contreras, Splunk

Windows Admin$ Share Access (Sysmon) (source)

Windows C$ Share Access (Sysmon) (source)

Sysmon Event ID 3: Network connection→Event ID 11: FileCreate

Remote File Download

4 rules

Elastic

Remote File Download via PowerShell (source)

Elastic

Remote File Download via Script Interpreter (source)

Elastic

Potential Ransomware Note File Dropped via SMB (source)

Elastic

Security-Auditing Event ID 4663: An attempt was made to access an object.ORSysmon Event ID 11: FileCreateOREvent ID 23: FileDeleteOREvent ID 26: FileDeleteDetected

Sunburst And Supernova Backdoor

4 rules

Kusto

RecordedFuture Threat Hunting Hash All Actors (source)

SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) (source)

Yaron

SUNBURST and SUPERNOVA backdoor hashes (source)

Sysmon Event ID 11: FileCreateOREvent ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

1 rule

Elastic

Sysmon Event ID 11: FileCreateANDEvent ID 23: FileDeleteANDEvent ID 26: FileDeleteDetected

Elastic

1 rule

Elastic

Unusual File Operation by dns.exe (source)

Elastic

Persistence: Boot or Logon Autostart Execution

Sysmon Event ID 11: FileCreateOREvent ID 23: FileDelete

1 rule

Splunk

Additional dll added to Spool Driver (Sysmon) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetFilename`	ends_with	`.dll`	23 rules	sigma
`TargetFilename`	ends_with	`.exe`	21 rules	sigma, splunk
`TargetFilename`	ends_with	`.vbs`	18 rules	sigma
`TargetFilename`	ends_with	`.bat`	17 rules	sigma
`TargetFilename`	ends_with	`.ps1`	17 rules	sigma
`TargetFilename`	ends_with	`.vbe`	15 rules	sigma
`TargetFilename`	ends_with	`.hta`	13 rules	sigma
`TargetFilename`	ends_with	`.js`	9 rules	sigma
`TargetFilename`	starts_with	`c:\users\`	10 rules	elastic, sigma
`event.type`	eq	`creation`	20 rules	elastic
`Image`	ends_with	`\powershell.exe`	13 rules	sigma
`Image`	ends_with	`\pwsh.exe`	12 rules	sigma
`Image`	ends_with	`\mshta.exe`	11 rules	sigma
`Image`	ends_with	`\cmd.exe`	8 rules	sigma
`event_action`	eq	`created`	9 rules	splunk

Detection Rules #

Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

Sigma # view in coverage

ADSI-Cache File Creation By Uncommon Tool source medium: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
Advanced IP Scanner - File Event source medium: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
Anydesk Temporary Artefact source medium: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Show 17 more (222 total)

Suspicious Binary Writes Via AnyDesk source high: Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
Suspicious File Created by ArcSOC.exe source high: Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.
Assembly DLL Creation Via AspNetCompiler source medium: Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
BloodHound Collection Files source high: Detects default file names outputted by the BloodHound collection tool SharpHound
Potentially Suspicious File Creation by OpenEDR's ITSMService source medium: Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
EVTX Created In Uncommon Location source medium: Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
Creation Of Non-Existent System DLL source medium: Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
Suspicious Deno File Written from Remote Source source low: Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
New Custom Shim Database Created source medium: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
Suspicious Screensaver Binary File Creation source medium: Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
Files With System DLL Name In Unsuspected Locations source medium: Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Files With System Process Name In Unsuspected Locations source medium: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Creation Exe for Service with Unquoted Path source high: Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
Cred Dump Tools Dropped Files source high: Files with well-known filenames (parts of credential dump software or files produced by them) creation
WScript or CScript Dropper - File source high: Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe
CSExec Service File Creation source medium: Detects default CSExec service filename which indicates CSExec service installation and execution
Dynamic CSharp Compile Artefact source low: When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution

Elastic # view in coverage

GenAI Process Accessing Sensitive Files source high: Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented.
Remote File Copy via TeamViewer source medium: Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.
Kirbi File Creation source high: Identifies the creation of .kirbi files, a suspicious Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz. This can indicate preparation for Kerberos ticket theft or later abuse, including Pass-The-Ticket (PTT), and should be validated with writer process and follow-on activity.

Show 17 more (22 total)

Windows Registry File Creation in SMB Share source medium: Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.
Potential Remote Credential Access via Registry source high: Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.
Executable File Creation with Multiple Extensions source medium: Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.
Unusual File Creation - Alternate Data Stream source high: Identifies suspicious creation of Alternate Data Streams on highly targeted files using a script or command interpreter. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.
Downloaded Shortcut Files source medium: Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.
Downloaded URL Files source medium: Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.
Potential Ransomware Behavior - Note Files by System source medium: This rule identifies the creation of multiple files with same name and over SMB by the same user. This behavior may indicate the successful remote execution of a ransomware dropping file notes to different folders.
Microsoft Exchange Server UM Writing Suspicious Files source medium: Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.
Lateral Movement via Startup Folder source high: Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.
Deprecated - Adobe Hijack Persistence source low: Detects writing executable files that will be automatically launched by Adobe on launch.
Browser Extension Install source low: Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
Potential Persistence via Mandatory User Profile source medium: Detects the creation or modification of a mandatory user profile hive (NTUSER.MAN) by an unusual process. Adversaries may abuse Windows mandatory profiles by dropping a malicious NTUSER.MAN file containing pre-populated persistence-related registry keys. On the next user logon, Windows loads the registry hive from NTUSER.MAN, causing embedded persistence mechanisms to activate without directly modifying the live registry. This technique can evade traditional registry-based monitoring and indicate a stealthy persistence attempt.
Deprecated - Suspicious PrintSpooler Service Executable File Creation source low: Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.
File Compressed or Archived into Common Format by Unsigned Process source low: Detects files being compressed or archived into common formats by unsigned processes. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration.
File Staged in Root Folder of Recycle Bin source low: Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.
Potential Credential Access via Memory Dump File Creation source low: Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory.
Memory Dump File with Unusual Extension source low: Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses.

Splunk # view in coverage

Email files written outside of the Outlook directory source: The following analytic detects email files (.pst or .ost) being created outside the standard Outlook directories. It leverages the Endpoint.Filesystem data model to identify file creation events and filters for email files not located in…
Batch File Write to System32 source: The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and…
Common Ransomware Extensions source: The following analytic detects modifications to files with extensions commonly associated with ransomware. It leverages the Endpoint.Filesystem data model to identify changes in file extensions that match known ransomware patterns. This…

Show 17 more (79 total)

Common Ransomware Notes source: The following analytic detects the creation of files with names commonly associated with ransomware notes. It leverages file-system activity data from the Endpoint Filesystem data model, typically populated by endpoint detection and…
ConnectWise ScreenConnect Path Traversal source: The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating file_path and file_name parameters in the URL. It leverages the Endpoint…
Creation of lsass Dump with Taskmgr source: The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches lsass.dmp. This activity is…
Detect AzureHound File Modifications source: The following analytic detects the creation of specific AzureHound-related files, such as *-azurecollection.zip and various .json files, on disk. It leverages data from the Endpoint.Filesystem datamodel, focusing on file creation…
Detect Certipy File Modifications source: The following analytic detects the use of the Certipy tool to enumerate Active Directory Certificate Services (AD CS) environments by identifying unique file modifications. It leverages endpoint process and filesystem data to spot the…
Detect Exchange Web Shell source: The following analytic identifies the creation of suspicious .aspx files in known drop locations for Exchange exploitation, specifically targeting paths associated with HAFNIUM group and vulnerabilities like ProxyShell and ProxyNotShell.…
Detect Remote Access Software Usage File source: The following analytic detects the writing of files from known remote access software to disk within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user…
Detect RTLO In File Name source: The following analytic identifies the use of the right-to-left override (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, specifically focusing on file creation events and file names containing the…
Detect SharpHound File Modifications source: The following analytic detects the creation of files typically associated with SharpHound, a reconnaissance tool used for gathering domain and trust data. It leverages file modification events from the Endpoint.Filesystem data model,…
Drop IcedID License dat source: The following analytic detects the dropping of a suspicious file named "license.dat" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for…
Executables Or Script Creation In Suspicious Path source: The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem dataset to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in…
Executables Or Script Creation In Temp Path source: The following analytic identifies the creation of executables or scripts in temporary file paths on Windows systems. It leverages the Endpoint.Filesystem data set to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in…
File with Samsam Extension source: The following analytic detects file writes with extensions indicative of a SamSam ransomware attack. It leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml. This activity…
GitHub Workflow File Creation or Modification source: The following analytic hunts for any creations or modifications to GitHub Actions workflow YAML files across the organization's Linux or Windows endpoints. This hunting query tracks all workflow file activity under .github/workflows…
IcedID Exfiltrated Archived File Creation source: The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages…
LLM Model File Creation source: Detects the creation of Large Language Model (LLM) files on Windows endpoints by monitoring file creation events for specific model file formats and extensions commonly used by local AI frameworks. This detection identifies potential…
Msmpeng Application DLL Side Loading source: The following analytic detects the suspicious creation of msmpeng.exe or mpsvc.dll in non-default Windows Defender folders. It leverages the Endpoint.Filesystem datamodel to identify instances where these files are created outside their…

Kusto # view in coverage

Credential Dumping Tools - File Artifacts source high: This query detects the creation of credential dumping tools files. Several credential dumping tools export files with hardcoded file names. Ref: https://jpcertcc.github.io/ToolAnalysisResultSheet/
Suspicious office child process created source: This query obtains a list of downloaded Office documents (doc, xls, etc.) by looking at files written by commonly used web browsers. It then searches for invocations of an Office program by double-clicking on these files. If these processes spawn an uncommon child process this is reported as suspicious.↳ also matches Event ID 1: Process creation, Event ID 3: Network connection
Suspicious MSC File Launched source: The query searches for suspicious MSC files that are launched on the system. The following types of suspicious files are detected: MSC files downloaded by web browsers, MSC files in the Downloads folder, MSC files extracted from ZIP files, and MSC files with Mark Of The Web (MOTW).↳ also matches Event ID 1: Process creation

Show 3 more (6 total)

WinRM Plugin Lateral Movement source: This query detects loading of malicious WinRM plugins. These plugins can be used for lateral movement. This tradecraft has been researched and published by Arnau Ortega at FalconForce. Refer to the references for the blog post describing the full attack chain. This detection looks at low-prevalence DLLs being loaded into the WinRM host process. To minimize false-positives, the detection looks for files that are written to disk in the last 30 days, prior to being loaded into the WinRM host process as DLL. Such DLLs are likely WinRM plugins that are being loaded. Since the use of WinRM plugins is extremely scarce in real environments, we assume that any such DLL is malicious and warrants an investigation.↳ also matches Event ID 2: A process changed a file creation time, Event ID 7: Image loaded
Spearphishing Attachment: ISO Images (Microsoft Sentinel) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers.
Installation from an iso file don't require network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. Below queries detects opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image.
All detections can be used seperately or combined together to generate a higher fidelity alert. WARNING: Check your Sysmon parsing functions and verify you have the logs. Using "Rendered Description" field for parsing causes parsing issues for registry events. Detect opening of a mounted image:↳ also matches Event ID 1: Process creation, Event ID 3: Network connection, Event ID 13: RegistryEvent (Value Set)
Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers.
Installation from an iso file don't require network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. Below queries detects opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image.
All detections can be used seperately or combined together to generate a higher fidelity alert. Detect opening of a mounted image:↳ also matches Event ID 13: RegistryEvent (Value Set)

YARA-L # view in coverage

Attempted SharePoint Webshell Creation CVE-2025-53770 source: Detects the attempted creation of a file containing 'spinstall0' in specific SharePoint LAYOUTS directories. This activity is a strong indicator of an attempt to exploit the SharePoint Server vulnerability CVE-2025-53770.
Successful SharePoint Webshell Creation CVE-2025-53770 source: Detects the creation of a file containing 'spinstall0' in specific SharePoint LAYOUTS directories. This activity is a strong indicator of successful post-exploitation of the SharePoint Server vulnerability CVE-2025-53770, where an attacker has likely placed a web shell for persistent access.
Suspicious Filewrites To Sharepoint Layouts source: Detects a command-line interpreter (cmd.exe or powershell.exe) writing a file to a SharePoint (\TEMPLATE\LAYOUTS) directory.↳ also matches Event ID 2: A process changed a file creation time, Event ID 23: FileDelete (File Delete archived)

Show 17 more (20 total)

Cred Dump Tools Dropped Files source: Files with well-known filenames (parts of credential dump software or files produced by them) creation
HackTool - Dumpert Process Dumper Default File source: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
Impacket WMIExec CISA Report source: Detects the artifacts generally associated with the use of wmiexec.py↳ also matches Event ID 1: Process creation
LSASS Process Memory Dump Files source: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
LSASS Process Memory Dump Creation Via Taskmgr.exe source: Detects the creation of an lsass.dmp file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager
Suspicious Unusual Location LNK File source: Detects creation and movement of .lnk files to specific folders↳ also matches Event ID 2: A process changed a file creation time, Event ID 23: FileDelete (File Delete archived)
MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report source: Detects extraction of ntds.dit file using vssadmin.exe or ntdsutil.exe with wmic as identified in CISA Living off the Land pdf↳ also matches Event ID 1: Process creation
GCTI Remote Access Tools source: Alert process and file create events that are associated with hashes from the GCTI Remote Access Tool list↳ also matches Event ID 1: Process creation, Event ID 7: Image loaded, Event ID 17: PipeEvent (Pipe Created), Event ID 18: PipeEvent (Pipe Connected)
Google Safebrowsing File Process Creation source: Detection of process/file events that match Safe Browsing hashes, which are files deemed to be malicious↳ also matches Event ID 1: Process creation
IOC Hash Prevalence source: Detect process/file events that match hashes found in our MISP instance and have low rolling max prevalence↳ also matches Event ID 1: Process creation
IOC SHA256 Hash source: Detect file/process events that match watchlisted hashes in MISP↳ also matches Event ID 1: Process creation
IOC SHA256 Hash VT source: Detect file/process events with watchlisted hashes from MISP that VT flagged as MS Office docx file types↳ also matches Event ID 1: Process creation
Process Launch VT Enrichment source: Identify process creations that are tagged exploit in VT↳ also matches Event ID 1: Process creation
Safebrowsing Process Creation Hashes Seen More Than 7 Days source: Identify process and file creation using safe browsing hashes where the first and last seen are more than 7 days apart↳ also matches Event ID 1: Process creation
VT Relationships File Downloaded From IP source: Alert on downloading a known file hash from a known IP with VT Relationships.
VT Relationships File Downloaded From URL source: Alert on downloading a known file hash from a known IP with VT Relationships.
WHOIS Expired Domain Executable Downloaded source: Detect web traffic to a recently expired domain followed by an exe file creation event

References #

Event ID 12: RegistryEvent (Object create and delete)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: Registry object added or deleted (rule: RegistryEvent)
Opcode: Info

Description

**Registry key and value create and delete** operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications.

Message #

Registry object added or deleted:
RuleName: %1
EventType: %2
UtcTime: %3
ProcessGuid: %4
ProcessId: %5
Image: %6
TargetObject: %7
User: %8

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`EventType` UnicodeString	Registry event. Either Create or Delete Known values `CreateKey` A new registry key was created. `DeleteKey` An existing registry key was deleted. `CreateValue` A new registry value was created under an existing key. `DeleteValue` An existing registry value was removed.	19 detection rules
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that created or deleted a registry key
`ProcessId` UInt32	Process ID used by the OS to identify the process that created or deleted a registry key
`Image` UnicodeString	File path of the process that created or deleted a registry key	21 detection rules
`TargetObject` UnicodeString	Complete path of the registry key	177 detection rules
`User` UnicodeString	The name of the account that created or deleted a registry key or value	2 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 12,
    "version": 2,
    "level": 4,
    "task": 12,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:44.0868063+00:00",
    "event_record_id": 17613579,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "CreateKey",
    "UtcTime": "2026-06-13 14:09:44.085",
    "ProcessGuid": "{8a99384c-e939-6a2c-5500-000000001000}",
    "ProcessId": "3932",
    "Image": "C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe",
    "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": "Registry object added or deleted:\r\nRuleName: -\r\nEventType: CreateKey\r\nUtcTime: 2026-06-13 14:09:44.085\r\nProcessGuid: {8a99384c-e939-6a2c-5500-000000001000}\r\nProcessId: 3932\r\nImage: C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\r\nUser: NT AUTHORITY\\SYSTEM"
}

Detection Patterns #

120 rules

Sigma

HybridConnectionManager Service Installation - Registry (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Windows Registry Trust Record Modification (source)

Antonlovesdnb, Trent Liffick (@tliffick)

Show 43 more (46 total) on the rules page

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Elastic

SolarWinds Process Disabling Services via Registry (source)

Elastic

Persistence via WMI Standard Registry Provider (source)

Elastic

Show 53 more (56 total) on the rules page

Elastic

Splunk

LSA Authentication Packages Registry Key Modified (Sysmon) (source)

Startup Folder Location Modified - Windows (Sysmon) (source)

Detect Print Processors Registry Driver Key Creation/Modification (source)

Kusto

Detect Registry Run Key Creation/Modification (source)

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEvent

98 rules

Sigma

Registry Persistence Mechanisms in Recycle Bin (source)

Dmitriy Lifanov, oscd.community

frack113

Show 27 more (30 total) on the rules page

omkar72

Elastic

Suspicious Startup Shell Folder Modification (source)

Elastic

Elastic

Show 46 more (49 total) on the rules page

Elastic

Splunk

Windows WPDBusEnum Registry Key Modification (source)

Steven Dick

Steven Dick

LSA Authentication Packages Registry Key Modified (Sysmon) (source)

Show 13 more (16 total) on the rules page

Kusto

Detect Print Processors Registry Driver Key Creation/Modification (source)

Detect Registry Run Key Creation/Modification (source)

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

Security-Auditing Event ID 4657: A registry value was modified.OREvent ID 4663: An attempt was made to access an object.ORSysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

87 rules

Sigma

Registry Persistence Mechanisms in Recycle Bin (source)

Dmitriy Lifanov, oscd.community

frack113

Show 19 more (22 total) on the rules page

omkar72

Elastic

Suspicious Startup Shell Folder Modification (source)

Elastic

Elastic

Show 45 more (48 total) on the rules page

Elastic

Splunk

LSA Authentication Packages Registry Key Modified (Sysmon) (source)

Startup Folder Location Modified - Windows (Sysmon) (source)

Detect Print Processors Registry Driver Key Creation/Modification (source)

Kusto

Detect Registry Run Key Creation/Modification (source)

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

Sysmon Event ID 1: Process creationOREvent ID 12: RegistryEventOREvent ID 13: RegistryEvent

68 rules

Sigma

UAC Bypass Via Wsreset (source)

oscd.community, Dmitry Uchakin

Shell Open Registry Keys Manipulation (source)

Christian Burkard (Nextron Systems)

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Local Account TokenFilter Policy Disabled (source)

Elastic

Elastic

Disabling User Account Control via Registry Modification (source)

Elastic

Creation of a Hidden Local User Account (source)

Elastic

ComputerDefaults UAC Bypass (Sysmon) (source)

Splunk

Potential fodhelper UAC Bypass Attempt (Sysmon) (source)

Sdclt UAC Bypass (source)

Steven Dick, Teoderick Contreras, Splunk

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Kusto

Pete Bryan

Detect Registry Run Key Creation/Modification (source)

Sysmon Event ID 12: RegistryEventANDEvent ID 13: RegistryEventANDEvent ID 14: RegistryEvent

61 rules

Sigma

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Trent Liffick

Elastic

Elastic

Elastic

Elastic

Splunk

Michael Haag, Splunk

Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk

Steven Dick, Teoderick Contreras, Splunk

Detect Registry Run Key Creation/Modification (source)

Kusto

Show All Detection Patterns

(Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)→(Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)

59 rules

Sigma

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Trent Liffick

Suspicious Print Spooler Point and Print DLL (source)

Elastic

Elastic

Unusual Persistence via Services Registry (source)

Elastic

Potential Privilege Escalation via Service ImagePath Modification (source)

Elastic

Splunk

Michael Haag, Splunk

Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk

Steven Dick, Teoderick Contreras, Splunk

Detect Registry Run Key Creation/Modification (source)

Kusto

Sysmon Event ID 11: FileCreateOREvent ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

30 rules

Sigma

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Center for Threat Informed Defense (CTID) Summiting the Pyramid Team

Dmitriy Lifanov, oscd.community

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Elastic

LSA Authentication Packages Registry Key Modified (Sysmon) (source)

Splunk

Startup Folder Location Modified - Windows (Sysmon) (source)

Detect Print Processors Registry Driver Key Creation/Modification (source)

Kusto

Detect Registry Run Key Creation/Modification (source)

Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEventOREvent ID 23: FileDeleteOREvent ID 26: FileDeleteDetected

25 rules

Sigma

Registry Persistence Mechanisms in Recycle Bin (source)

Dmitriy Lifanov, oscd.community

frack113

omkar72

Elastic

Suspicious Startup Shell Folder Modification (source)

Elastic

Elastic

Elastic

LSA Authentication Packages Registry Key Modified (Sysmon) (source)

Splunk

Startup Folder Location Modified - Windows (Sysmon) (source)

Detect Print Processors Registry Driver Key Creation/Modification (source)

Kusto

Detect Registry Run Key Creation/Modification (source)

Sysmon Event ID 3: Network connection→(Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)

12 rules

Sigma

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

RDP shadow session configuration enabled (registry) (source)

Center for Threat Informed Defense (CTID) Summiting the Pyramid Team

mdecrevoisier

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Elastic

Show 6 more (9 total) on the rules page

10 rules

Sigma

Registry Tampering by Potentially Suspicious Processes (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

RDP shadow session configuration enabled (registry) (source)

mdecrevoisier

Elastic

Windows Subsystem for Linux Distribution Installed (source)

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Sysmon Event ID 12: RegistryEvent→Event ID 13: RegistryEvent→Event ID 14: RegistryEvent

Execution: PowerShell

9 rules

Sigma

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Registry Tampering by Potentially Suspicious Processes (source)

Center for Threat Informed Defense (CTID) Summiting the Pyramid Team

Swachchhanda Shrawan Poudel (Nextron Systems)

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Elastic

Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creationOREvent ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

5 rules

Sigma

RDP shadow session configuration enabled (registry) (source)

mdecrevoisier

Elastic

Potential Remote Desktop Shadowing Activity (source)

Elastic

Network-Level Authentication (NLA) Disabled (source)

Elastic

NullSessionPipe Registry Modification (source)

Elastic

(Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

Stealth: Msiexec

5 rules

Sigma

CMSTP Execution Registry Event (source)

Nik Seetharaman

Atbroker Registry Change (source)

Mateusz Wydra, oscd.community

Elastic

Windows Installer with Suspicious Properties (source)

Elastic

Elastic

Splunk

Sysmon Event ID 12: RegistryEventANDEvent ID 13: RegistryEventANDEvent ID 14: RegistryEvent

Michael Haag, Splunk

Registry Key Modification

3 rules

Elastic

First Time Seen Removable Device (source)

Elastic

Splunk

Windows WPDBusEnum Registry Key Modification (source)

Steven Dick

Steven Dick

Defense Impairment: Modify Registry

Sysmon Event ID 1: Process creationANDEvent ID 12: RegistryEvent

2 rules

Splunk

Windows Deleted Registry By A Non Critical Process File Path (source)

Steven Dick, Teoderick Contreras, Splunk

LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon) (source)

Command & Control: Proxy

Security-Auditing Event ID 4656: A handle to an object was requested.OREvent ID 4657: A registry value was modified.OREvent ID 4688: A new process has been created.ORSysmon Event ID 1: Process creationOREvent ID 12: RegistryEventOREvent ID 13: RegistryEvent

2 rules

Sigma

New PortProxy Registry Entry Added (source)

Andreas Hunkeler (@Karneades)

Elastic

Elastic

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`event.type`	eq	`change`	46 rules	elastic
`Details`	ends_with	`.dll`	3 rules	elastic, sigma, splunk
`Details`	eq	`1`	10 rules	elastic, kusto, splunk
`Details`	eq	`0x00000001`	9 rules	elastic, splunk
`Details`	eq	`0`	8 rules	elastic, sigma, splunk
`Details`	eq	`0x00000000`	8 rules	elastic, splunk
`Details`	is_not_null		10 rules	elastic, kusto, splunk
`Details`	length_compare	`0`	4 rules	elastic
`Details`	length_compare	`>`	4 rules	elastic
`EventType`	eq	`SetValue`	5 rules	sigma
`EventType`	eq	`deleted`	4 rules	splunk
`EventType`	in	`RegistryKeyCreated`	5 rules	kusto
`EventType`	in	`RegistryValueSet`	5 rules	kusto
`EventType`	ne	`deletion`	5 rules	elastic
`event.category`	eq	`registry`	4 rules	elastic

Detection Rules #

Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

Sigma # view in coverage

Potential Persistence Via Disk Cleanup Handler - Registry source medium: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Potential Ursnif Malware Activity - Registry source high: Detects registry keys related to Ursnif malware.
Potential NetWire RAT Activity - Registry source high: Detects registry keys related to NetWire RAT

Show 1 more (4 total)

SNAKE Malware Covert Store Registry Key source high: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA↳ also matches Event ID 13: RegistryEvent (Value Set), Event ID 14: RegistryEvent (Key and Value Rename)

Splunk # view in coverage

Windows CrowdStrike Agent Registry Key Removal source: Detects delete events on the CrowdStrike registry keys. These keys are removed as part of the agent uninstallation process. This activity should only occur during planned events and any instances outside that should be evaluated for…
Windows Modify Registry Delete Firewall Rules source: The following analytic detects a potential deletion of firewall rules, indicating a possible security breach or unauthorized access attempt. It identifies actions where firewall rules are removed using commands like netsh advfirewall…
Windows Registry Delete Task SD source: The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task. It leverages the Endpoint.Registry data model to identify registry actions performed by the…

Show 2 more (5 total)

Windows RunMRU Registry Key or Value Deleted source: The following analytic detects the deletion or modification of Most Recently Used (MRU) command entries stored within the Windows Registry. Adversaries often clear these registry keys, such as…
Logon Script Registry Key added (Sysmon) source: Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence.↳ also matches Event ID 1: Process creation, Event ID 13: RegistryEvent (Value Set)

YARA-L # view in coverage

MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report source: Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4↳ also matches Event ID 1: Process creation, Event ID 13: RegistryEvent (Value Set)

References #

Event ID 13: RegistryEvent (Value Set)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: Registry value set (rule: RegistryEvent)
Opcode: Info

Description

This Registry event type identifies **Registry value modifications**. The event records the value written for Registry values of type DWORD and QWORD.

Message #

Registry value set:
RuleName: %1
EventType: %2
UtcTime: %3
ProcessGuid: %4
ProcessId: %5
Image: %6
TargetObject: %7
Details: %8
User: %9

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`EventType` UnicodeString	Registry value modification event	25 detection rules
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that modified a registry value
`ProcessId` UInt32	Process ID used by the OS to identify the process that modified a registry value
`Image` UnicodeString	File path of the process that modified a registry value	307 detection rules
`TargetObject` UnicodeString	Complete path of the registry key	992 detection rules
`Details` UnicodeString	Details added to the registry key	1026 detection rules
`User` UnicodeString	The name of the account that modified a registry value.	4 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 13,
    "version": 2,
    "level": 4,
    "task": 13,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:29.7259683+00:00",
    "event_record_id": 17612810,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "SetValue",
    "UtcTime": "2026-06-13 14:09:29.710",
    "ProcessGuid": "{8a99384c-6499-6a2d-a205-000000001000}",
    "ProcessId": "7704",
    "Image": "C:\\ludus\\background\\bginfo.exe",
    "TargetObject": "HKU\\S-1-5-21-1006758700-2167138679-1475694448-1105\\Software\\Winternals\\BGInfo\\WindowPosition",
    "Details": "Binary Data",
    "User": "cell-c\\domainadmin"
  },
  "message": "Registry value set:\r\nRuleName: -\r\nEventType: SetValue\r\nUtcTime: 2026-06-13 14:09:29.710\r\nProcessGuid: {8a99384c-6499-6a2d-a205-000000001000}\r\nProcessId: 7704\r\nImage: C:\\ludus\\background\\bginfo.exe\r\nTargetObject: HKU\\S-1-5-21-1006758700-2167138679-1475694448-1105\\Software\\Winternals\\BGInfo\\WindowPosition\r\nDetails: Binary Data\r\nUser: cell-c\\domainadmin"
}

Detection Patterns #

121 rules

Sigma

HybridConnectionManager Service Installation - Registry (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Windows Registry Trust Record Modification (source)

Antonlovesdnb, Trent Liffick (@tliffick)

Show 43 more (46 total) on the rules page

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Elastic

SolarWinds Process Disabling Services via Registry (source)

Elastic

Persistence via WMI Standard Registry Provider (source)

Elastic

Show 53 more (56 total) on the rules page

Elastic

Splunk

LSA Authentication Packages Registry Key Modified (Sysmon) (source)

Startup Folder Location Modified - Windows (Sysmon) (source)

Detect Print Processors Registry Driver Key Creation/Modification (source)

Kusto

Detect Registry Run Key Creation/Modification (source)

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEvent

98 rules

Sigma

Registry Persistence Mechanisms in Recycle Bin (source)

Dmitriy Lifanov, oscd.community

frack113

Show 27 more (30 total) on the rules page

omkar72

Elastic

Suspicious Startup Shell Folder Modification (source)

Elastic

Elastic

Show 46 more (49 total) on the rules page

Elastic

Splunk

Windows WPDBusEnum Registry Key Modification (source)

Steven Dick

Steven Dick

LSA Authentication Packages Registry Key Modified (Sysmon) (source)

Show 13 more (16 total) on the rules page

Kusto

Detect Print Processors Registry Driver Key Creation/Modification (source)

Detect Registry Run Key Creation/Modification (source)

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

90 rules

Sigma

Registry Persistence Mechanisms in Recycle Bin (source)

Dmitriy Lifanov, oscd.community

frack113

Show 19 more (22 total) on the rules page

omkar72

Elastic

Suspicious Startup Shell Folder Modification (source)

Elastic

Elastic

Show 45 more (48 total) on the rules page

Elastic

Splunk

LSA Authentication Packages Registry Key Modified (Sysmon) (source)

Startup Folder Location Modified - Windows (Sysmon) (source)

Detect Print Processors Registry Driver Key Creation/Modification (source)

Kusto

Detect Registry Run Key Creation/Modification (source)

Registry Run Keys - Suspicious Registry Run Keys (source)

Cyb3rMonk

Sysmon Event ID 1: Process creationOREvent ID 12: RegistryEventOREvent ID 13: RegistryEvent

73 rules

Sigma

UAC Bypass Via Wsreset (source)

oscd.community, Dmitry Uchakin

Shell Open Registry Keys Manipulation (source)

Christian Burkard (Nextron Systems)

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Local Account TokenFilter Policy Disabled (source)

Elastic

Elastic

Disabling User Account Control via Registry Modification (source)

Elastic

Creation of a Hidden Local User Account (source)

Elastic

ComputerDefaults UAC Bypass (Sysmon) (source)

Splunk

ConsentPromptBehaviorAdmin Registry Value Modified (Sysmon) (source)

EnableLUA Registry Value Modified (Sysmon) (source)

Show 13 more (16 total) on the rules page

Kusto

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

Detect Registry Run Key Creation/Modification (source)

Sysmon Event ID 12: RegistryEventANDEvent ID 13: RegistryEventANDEvent ID 14: RegistryEvent

62 rules

Sigma

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Trent Liffick

Elastic

Elastic

Elastic

Elastic

Splunk

Michael Haag, Splunk

Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk

Steven Dick, Teoderick Contreras, Splunk

Detect Registry Run Key Creation/Modification (source)

Kusto

Show All Detection Patterns

(Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)→(Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)

60 rules

Sigma

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Trent Liffick

Suspicious Print Spooler Point and Print DLL (source)

Elastic

Elastic

Unusual Persistence via Services Registry (source)

Elastic

Potential Privilege Escalation via Service ImagePath Modification (source)

Elastic

Splunk

Michael Haag, Splunk

Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk

Steven Dick, Teoderick Contreras, Splunk

Detect Registry Run Key Creation/Modification (source)

Kusto

Defense Impairment: Modify Registry

Sysmon Event ID 13: RegistryEventOREvent ID 14: RegistryEvent

54 rules

Sigma

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Hieu Tran

Elastic

Elastic

Elastic

Show 37 more (40 total) on the rules page

Elastic

Splunk

Windows Modify Registry to Add or Modify Firewall Rule (source)

Raven Tait, Splunk

Teoderick Contreras, Splunk

Kusto

Detect Registry Run Key Creation/Modification (source)

Sysmon Event ID 11: FileCreateOREvent ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

30 rules

Sigma

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Center for Threat Informed Defense (CTID) Summiting the Pyramid Team

Dmitriy Lifanov, oscd.community

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Elastic

LSA Authentication Packages Registry Key Modified (Sysmon) (source)

Splunk

Startup Folder Location Modified - Windows (Sysmon) (source)

Detect Print Processors Registry Driver Key Creation/Modification (source)

Kusto

Detect Registry Run Key Creation/Modification (source)

Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEventOREvent ID 23: FileDeleteOREvent ID 26: FileDeleteDetected

25 rules

Sigma

Registry Persistence Mechanisms in Recycle Bin (source)

Dmitriy Lifanov, oscd.community

frack113

omkar72

Elastic

Suspicious Startup Shell Folder Modification (source)

Elastic

Elastic

Elastic

LSA Authentication Packages Registry Key Modified (Sysmon) (source)

Splunk

Startup Folder Location Modified - Windows (Sysmon) (source)

Detect Print Processors Registry Driver Key Creation/Modification (source)

Kusto

Detect Registry Run Key Creation/Modification (source)

Sysmon Event ID 1: Process creationOREvent ID 13: RegistryEvent

12 rules

Splunk

Command Line Utility Added to Accessibility Features (Sysmon) (source)

Wow6432Node Classes Autorun Keys Modification (Sysmon) (source)

Suspicious InprocServer32 Registry Modification (Sysmon) (source)

Sysmon Event ID 3: Network connection→(Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)

12 rules

Sigma

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

RDP shadow session configuration enabled (registry) (source)

Center for Threat Informed Defense (CTID) Summiting the Pyramid Team

mdecrevoisier

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Elastic

Show 6 more (9 total) on the rules page

11 rules

Sigma

Registry Tampering by Potentially Suspicious Processes (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

RDP shadow session configuration enabled (registry) (source)

mdecrevoisier

Elastic

Windows Subsystem for Linux Distribution Installed (source)

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Command Line Utility Added to Accessibility Features (Sysmon) (source)

Splunk

Execution: PowerShell

Sysmon Event ID 12: RegistryEvent→Event ID 13: RegistryEvent→Event ID 14: RegistryEvent

9 rules

Sigma

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Registry Tampering by Potentially Suspicious Processes (source)

Center for Threat Informed Defense (CTID) Summiting the Pyramid Team

Swachchhanda Shrawan Poudel (Nextron Systems)

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Elastic

Security-Auditing Event ID 4657: A registry value was modified.ORSysmon Event ID 13: RegistryEvent

7 rules

Kusto

Detect Print Processors Registry Driver Key Creation/Modification (source)

Detect Registry Run Key Creation/Modification (source)

Registry Run Keys - Suspicious Registry Run Keys (source)

Cyb3rMonk

Sysmon Event ID 1: Process creationANDEvent ID 13: RegistryEvent

5 rules

Splunk

Windows Process Executed From Removable Media (source)

Steven Dick

Windows Modify Registry Qakbot Binary Data Registry (source)

Teoderick Contreras, Bhavin Patel, Splunk

Defender Registry Values Modified (Sysmon) (source)

Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creationOREvent ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

5 rules

Sigma

RDP shadow session configuration enabled (registry) (source)

mdecrevoisier

Elastic

Potential Remote Desktop Shadowing Activity (source)

Elastic

Network-Level Authentication (NLA) Disabled (source)

Elastic

NullSessionPipe Registry Modification (source)

Elastic

(Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

Stealth: Msiexec

5 rules

Sigma

CMSTP Execution Registry Event (source)

Nik Seetharaman

Atbroker Registry Change (source)

Mateusz Wydra, oscd.community

Elastic

Windows Installer with Suspicious Properties (source)

Elastic

Elastic

Splunk

Sysmon Event ID 12: RegistryEventANDEvent ID 13: RegistryEventANDEvent ID 14: RegistryEvent

Michael Haag, Splunk

Registry Key Modification

3 rules

Elastic

First Time Seen Removable Device (source)

Elastic

Splunk

Windows WPDBusEnum Registry Key Modification (source)

Steven Dick

Steven Dick

Command & Control: Proxy

2 rules

Sigma

New PortProxy Registry Entry Added (source)

Andreas Hunkeler (@Karneades)

Elastic

Elastic

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Details`	contains	`powershell`	10 rules	chronicle, sigma
`Details`	contains	`\appdata\local\temp\`	7 rules	sigma
`Details`	contains	`%temp%`	5 rules	chronicle, sigma
`Details`	ends_with	`.dll`	8 rules	elastic, sigma, splunk
`Details`	eq	`0x00000001`	63 rules	elastic, splunk
`Details`	eq	`0x00000000`	43 rules	elastic, splunk
`Details`	eq	`DWORD (0x00000001)`	40 rules	chronicle, sigma
`Details`	eq	`DWORD (0x00000000)`	38 rules	chronicle, sigma
`Details`	eq	`1`	12 rules	elastic, kusto, splunk
`Details`	eq	`DWORD (0x00000002)`	11 rules	chronicle, kusto, sigma
`Details`	eq	`0`	10 rules	elastic, sigma, splunk
`Details`	is_not_null		54 rules	elastic, kusto, splunk
`event.type`	eq	`change`	46 rules	elastic
`EventType`	eq	`SetValue`	6 rules	sigma
`EventType`	eq	`modified`	6 rules	splunk

Detection Rules #

Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

Sigma # view in coverage

Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback source medium: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
Registry Persistence via Service in Safe Mode source high: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
Add Port Monitor Persistence in Registry source medium: Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Show 17 more (230 total)

Add Debugger Entry To AeDebug For Persistence source medium: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
Allow RDP Remote Assistance Feature source medium: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
Potential AMSI COM Server Hijacking source high: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
AMSI Disabled via Registry Modification source high: Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
Classes Autorun Keys Modification source medium: Detects modification of Windows Registry Classes keys used for persistence. Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed. Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths, thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
Common Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
CurrentControlSet Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
CurrentVersion Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
CurrentVersion NT Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
Internet Explorer Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
Office Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened. There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive. Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
Session Manager Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
System Scripts Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
WinSock2 Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node CurrentVersion Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node Classes Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification source medium: Detects modification of autostart extensibility point (ASEP) in registry.

Splunk # view in coverage

Active Setup Registry Autostart source: The following analytic detects suspicious modifications to the Active Setup registry for persistence and privilege escalation. It leverages data from the Endpoint.Registry data model, focusing on changes to the "StubPath" value within the…
Allow Inbound Traffic By Firewall Rule Registry source: The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry…
Allow Operation with Consent Admin source: The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically…

Show 17 more (166 total)

Auto Admin Logon Registry Entry source: The following analytic detects a suspicious registry modification that enables auto admin logon on a host. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "AutoAdminLogon" value within the…
Detect Remote Access Software Usage Registry source: The following analytic detects when a known remote access software is added to common persistence locations on a device within the environment. Adversaries use these utilities to retain remote access capabilities to the environment.…
Disable AMSI Through Registry source: The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the "AmsiEnable" value to "0x00000000". This detection leverages data from the Endpoint.Registry data model,…
Disable Defender AntiVirus Registry source: The following analytic detects the modification of Windows Defender registry settings to disable antivirus and antispyware protections. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry…
Disable Defender BlockAtFirstSeen Feature source: The following analytic detects the modification of the Windows registry to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path…
Disable Defender Enhanced Notification source: The following analytic detects the modification of the registry to disable Windows Defender's Enhanced Notification feature. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring changes to the…
Disable Defender MpEngine Registry source: The following analytic detects the modification of the Windows Defender MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection leverages endpoint registry logs, focusing on changes within the path…
Disable Defender Spynet Reporting source: The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with…
Disable Defender Submit Samples Consent Feature source: The following analytic detects the modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the…
Disable ETW Through Registry source: The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path…
Disable Registry Tool source: The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path…
Disable Security Logs Using MiniNt Registry source: The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the…
Disable Show Hidden Files source: The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with…
Disable UAC Remote Restriction source: The following analytic detects the modification of the registry to disable UAC remote restriction by setting the "LocalAccountTokenFilterPolicy" value to "0x00000001". It leverages data from the Endpoint.Registry data model, specifically…
Disable Windows App Hotkeys source: The following analytic detects a suspicious registry modification aimed at disabling Windows hotkeys for native applications. It leverages data from the Endpoint.Registry data model, focusing on specific registry paths and values…
Disable Windows Behavior Monitoring source: The following analytic identifies modifications in the registry to disable Windows Defender's real-time behavior monitoring. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths…
Disable Windows SmartScreen Protection source: The following analytic detects modifications to the Windows registry that disable SmartScreen protection. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with…

Kusto # view in coverage

COM Registry Key Modified to Point to File in Color Profile Folder source medium: This query looks for changes to COM registry keys to point to files in C:\Windows\System32\spool\drivers\color. This can be used to enable COM hijacking for persistence. Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
DSRM Account Abuse source high: This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization's Active Directory. Ref: https://adsecurity.org/?p=1785
Registry Persistence via AppCert DLL Modification source medium: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. Ref: https://attack.mitre.org/techniques/T1546/009/

Show 4 more (7 total)

Registry Persistence via AppInit DLLs Modification source medium: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. Ref: https://attack.mitre.org/techniques/T1546/010/
WDigest downgrade attack source medium: When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory. Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753
Spearphishing Attachment: ISO Images (Microsoft Sentinel) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers.
Installation from an iso file don't require network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. Below queries detects opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image.
All detections can be used seperately or combined together to generate a higher fidelity alert. WARNING: Check your Sysmon parsing functions and verify you have the logs. Using "Rendered Description" field for parsing causes parsing issues for registry events. Detect opening of a mounted image:↳ also matches Event ID 1: Process creation, Event ID 3: Network connection, Event ID 11: FileCreate
Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) source: ISO images are often meant to be used offline and they are often used by IT Admins and/or used on Servers.
Installation from an iso file don't require network connection most of the time. Activities deviating from these situations can be considered as highly suspicious. Below queries detects opening a mounted image, process creation under a mounted image, and network connection from a process created under a mounted image.
All detections can be used seperately or combined together to generate a higher fidelity alert. Detect opening of a mounted image:↳ also matches Event ID 11: FileCreate

YARA-L # view in coverage

Blackbyte Ransomware Registry source: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
CurrentControlSet Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry
CurrentVersion Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry

Show 12 more (15 total)

Default RDP Port Changed to Non Standard Port source: Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Disable Internal Tools or Feature in Registry source: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
Modify User Shell Folders Startup Value source: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
New RUN Key Pointing to Suspicious Folder source: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report source: Detects port forwarding being enabled using netsh command and registry settings created or modified in support of portproxy v4tov4↳ also matches Event ID 1: Process creation, Event ID 12: RegistryEvent (Object create and delete)
Potential Credential Dumping Via LSASS SilentProcessExit Technique source: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
RDP Sensitive Settings Changed source: Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
RDP Sensitive Settings Changed to Zero source: Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
RestrictedAdminMode Registry Value Tampering source: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Session Manager Autorun Keys Modification source: Detects modification of autostart extensibility point (ASEP) in registry
Suspicious Powershell In Registry Run Keys source: Detects potential PowerShell commands or code within registry run keys
Wdigest Enable UseLogonCredential source: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials

References #

Event ID 14: RegistryEvent (Key and Value Rename)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: Registry object renamed (rule: RegistryEvent)
Opcode: Info

Description

**Registry key and value rename** operations map to this event type, recording the new name of the key or value that was renamed.

Message #

Registry object renamed:
RuleName: %1
EventType: %2
UtcTime: %3
ProcessGuid: %4
ProcessId: %5
Image: %6
TargetObject: %7
NewName: %8
User: %9

Fields #

Name	Description	Rules
`EventType` UnicodeString → string	Registry event. Registry key and value renamed Known values `RenameKey` An existing registry key was renamed (NewName carries the destination key path). `RenameValue` A registry value name was changed under an existing key.	4 detection rules
`UtcTime` UnicodeString → string	Time in UTC when event was created
`ProcessGuid` GUID → GUID	Process GUID of the process that renamed a registry value and key
`ProcessId` UInt32 → PID	Process ID used by the OS to identify the process that renamed a registry value and key
`Image` UnicodeString → string	File path of the process that renamed a registry value and key	35 detection rules
`TargetObject` UnicodeString → string	Complete path of the registry key	27 detection rules
`NewName` UnicodeString → string	New name of the registry key
`RuleName` UnicodeString → string	custom tag mapped to event. i.e ATT&CK technique ID
`User` UnicodeString → string

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
    "event_source_name": "",
    "event_id": 14,
    "version": 2,
    "level": 4,
    "task": 14,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-05-29T23:53:07.2285127+00:00",
    "event_record_id": 160620,
    "correlation": {},
    "execution": {
      "process_id": 11572,
      "thread_id": 11700
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "RenameKey",
    "UtcTime": "2026-05-29 23:53:07.227",
    "ProcessGuid": "{e124ce79-26e3-6a1a-dc11-000000000700}",
    "ProcessId": "11804",
    "Image": "C:\\caps\\dwrename.exe",
    "TargetObject": "HKU\\S-1-5-21-3798294047-1846905762-1150995898-1000\\Software\\dwtest_key",
    "NewName": "HKU\\S-1-5-21-3798294047-1846905762-1150995898-1000\\Software\\dwtest_key_renamed",
    "User": "DESKTOP-FF3N5XK\\localuser"
  },
  "message": "Registry object renamed:\r\nRuleName: -\r\nEventType: RenameKey\r\nUtcTime: 2026-05-29 23:53:07.227\r\nProcessGuid: {e124ce79-26e3-6a1a-dc11-000000000700}\r\nProcessId: 11804\r\nImage: C:\\caps\\dwrename.exe\r\nTargetObject: HKU\\S-1-5-21-3798294047-1846905762-1150995898-1000\\Software\\dwtest_key\r\nNewName: HKU\\S-1-5-21-3798294047-1846905762-1150995898-1000\\Software\\dwtest_key_renamed\r\nUser: DESKTOP-FF3N5XK\\localuser"
}

Detection Patterns #

107 rules

Sigma

HybridConnectionManager Service Installation - Registry (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Windows Registry Trust Record Modification (source)

Antonlovesdnb, Trent Liffick (@tliffick)

Show 41 more (44 total) on the rules page

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Elastic

SolarWinds Process Disabling Services via Registry (source)

Elastic

Persistence via WMI Standard Registry Provider (source)

Elastic

Show 53 more (56 total) on the rules page

Elastic

Splunk

Windows Modify Registry to Add or Modify Firewall Rule (source)

Raven Tait, Splunk

Teoderick Contreras, Splunk

Kusto

Detect Print Processors Registry Driver Key Creation/Modification (source)

Detect Registry Run Key Creation/Modification (source)

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

76 rules

Sigma

Registry Persistence Mechanisms in Recycle Bin (source)

Dmitriy Lifanov, oscd.community

frack113

Show 18 more (21 total) on the rules page

omkar72

Elastic

Suspicious Startup Shell Folder Modification (source)

Elastic

Elastic

Show 45 more (48 total) on the rules page

Elastic

Splunk

Windows Modify Registry to Add or Modify Firewall Rule (source)

Raven Tait, Splunk

Teoderick Contreras, Splunk

Kusto

Detect Print Processors Registry Driver Key Creation/Modification (source)

Detect Registry Run Key Creation/Modification (source)

Potential Fodhelper UAC Bypass (ASIM Version) (source)

Pete Bryan

Sysmon Event ID 12: RegistryEventANDEvent ID 13: RegistryEventANDEvent ID 14: RegistryEvent

57 rules

Sigma

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Hieu Tran

Elastic

Elastic

Elastic

Elastic

Splunk

Windows Modify Registry to Add or Modify Firewall Rule (source)

Raven Tait, Splunk

Teoderick Contreras, Splunk

Kusto

Detect Registry Run Key Creation/Modification (source)

(Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)→(Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)

55 rules

Sigma

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Hieu Tran

Suspicious Print Spooler Point and Print DLL (source)

Elastic

Elastic

Unusual Persistence via Services Registry (source)

Elastic

Potential Privilege Escalation via Service ImagePath Modification (source)

Elastic

Splunk

Windows Modify Registry to Add or Modify Firewall Rule (source)

Raven Tait, Splunk

Teoderick Contreras, Splunk

Kusto

Detect Registry Run Key Creation/Modification (source)

Defense Impairment: Modify Registry

Sysmon Event ID 13: RegistryEventOREvent ID 14: RegistryEvent

54 rules

Sigma

Disable Security Events Logging Adding Reg Key MiniNt (source)

Ilyas Ochkov, oscd.community

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Hieu Tran

Elastic

Elastic

Elastic

Show 37 more (40 total) on the rules page

Elastic

Splunk

Windows Modify Registry to Add or Modify Firewall Rule (source)

Raven Tait, Splunk

Teoderick Contreras, Splunk

Kusto

Detect Registry Run Key Creation/Modification (source)

Show All Detection Patterns

Sysmon Event ID 11: FileCreateOREvent ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

26 rules

Sigma

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Center for Threat Informed Defense (CTID) Summiting the Pyramid Team

Dmitriy Lifanov, oscd.community

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Elastic

Detect Print Processors Registry Driver Key Creation/Modification (source)

Kusto

Detect Registry Run Key Creation/Modification (source)

Sysmon Event ID 3: Network connection→(Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)

12 rules

Sigma

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

RDP shadow session configuration enabled (registry) (source)

Center for Threat Informed Defense (CTID) Summiting the Pyramid Team

mdecrevoisier

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Elastic

Show 6 more (9 total) on the rules page

10 rules

Sigma

Registry Tampering by Potentially Suspicious Processes (source)

Swachchhanda Shrawan Poudel (Nextron Systems)

RDP shadow session configuration enabled (registry) (source)

mdecrevoisier

Elastic

Windows Subsystem for Linux Distribution Installed (source)

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Sysmon Event ID 12: RegistryEvent→Event ID 13: RegistryEvent→Event ID 14: RegistryEvent

Execution: PowerShell

9 rules

Sigma

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Registry Tampering by Potentially Suspicious Processes (source)

Center for Threat Informed Defense (CTID) Summiting the Pyramid Team

Swachchhanda Shrawan Poudel (Nextron Systems)

Elastic

Elastic

Scheduled Task Created by a Windows Script (source)

Elastic

Elastic

Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creationOREvent ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent

5 rules

Sigma

RDP shadow session configuration enabled (registry) (source)

mdecrevoisier

Elastic

Potential Remote Desktop Shadowing Activity (source)

Elastic

Network-Level Authentication (NLA) Disabled (source)

Elastic

NullSessionPipe Registry Modification (source)

Elastic

(Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEvent)→(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)

Stealth: Msiexec

4 rules

Sigma

CMSTP Execution Registry Event (source)

Nik Seetharaman

Atbroker Registry Change (source)

Mateusz Wydra, oscd.community

Elastic

Windows Installer with Suspicious Properties (source)

Elastic

Elastic

Lateral Movement: Replication Through Removable Media

Sysmon Event ID 12: RegistryEventANDEvent ID 13: RegistryEventANDEvent ID 14: RegistryEvent

1 rule

Elastic

First Time Seen Removable Device (source)

Elastic

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`event.type`	eq	`change`	46 rules	elastic
`Details`	ends_with	`.dll`	3 rules	elastic, sigma, splunk
`Details`	eq	`1`	10 rules	elastic, kusto, splunk
`Details`	eq	`0x00000001`	9 rules	elastic, splunk
`Details`	eq	`0`	8 rules	elastic, sigma, splunk
`Details`	eq	`0x00000000`	8 rules	elastic, splunk
`Details`	eq	`4`	3 rules	elastic
`Details`	is_not_null		10 rules	elastic, kusto, splunk
`Details`	length_compare	`0`	4 rules	elastic
`Details`	length_compare	`>`	4 rules	elastic
`EventType`	eq	`DeleteValue`	4 rules	sigma, splunk
`EventType`	eq	`SetValue`	4 rules	sigma
`EventType`	ne	`deletion`	5 rules	elastic
`event.category`	eq	`registry`	4 rules	elastic
`Image`	is_not_null		3 rules	elastic, kusto

Detection Rules #

Sysmon Event ID 3: Network connectionOREvent ID 15: FileCreateStreamHash

Sigma # view in coverage

Delete Defender Scan ShellEx Context Menu Registry Key source medium: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
Windows Credential Guard Related Registry Value Deleted - Registry source high: Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted source medium: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Show 8 more (11 total)

Folder Removed From Exploit Guard ProtectedFolders List - Registry source high: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
Terminal Server Client Connection History Cleared - Registry source high: Detects the deletion of registry keys containing the MSTSC connection history
Removal Of AMSI Provider Registry Keys source high: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
Removal of Potential COM Hijacking Registry Keys source medium: Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
RunMRU Registry Key Deletion - Registry source high: Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
Removal Of Index Value to Hide Schedule Task - Registry source medium: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
Removal Of SD Value to Hide Schedule Task - Registry source medium: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
SNAKE Malware Covert Store Registry Key source high: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA↳ also matches Event ID 12: RegistryEvent (Object create and delete), Event ID 13: RegistryEvent (Value Set)

References #

Event ID 15: FileCreateStreamHash

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: File stream created (rule: FileCreateStreamHash)
Opcode: Info

Description

This event logs when a **named file stream is created**, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier "mark of the web" stream.

Message #

File stream created:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
TargetFilename: %6
CreationUtcTime: %7
Hash: %8
Contents: %9
User: %10

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that created the named file stream
`ProcessId` UInt32	Process ID used by the OS to identify the process that created the named file stream
`Image` UnicodeString	File path of the process that created the named file stream	24 detection rules
`TargetFilename` UnicodeString	Name of the file	72 detection rules
`CreationUtcTime` UnicodeString	File download time
`Hash` UnicodeString	Hash of the file contents using the algorithms specified in the HashType field	104 detection rules
`Contents` UnicodeString	Content of the named file stream (e.g., Zone.Identifier)	78 detection rules
`User` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 15,
    "version": 2,
    "level": 4,
    "task": 15,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T13:42:03.6658910+00:00",
    "event_record_id": 6137955,
    "correlation": {},
    "execution": {
      "process_id": 3872,
      "thread_id": 5252
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 13:42:03.651",
    "ProcessGuid": "{8a99384c-5e0b-6a2d-4c00-000000000a00}",
    "ProcessId": "3488",
    "Image": "C:\\Windows\\system32\\DFSRs.exe",
    "TargetFilename": "C:\\Windows\\SYSVOL\\staging\\domain\\ContentSet{F961A193-E171-4E37-B0B3-7E1394CCD8E0}-{02199C3B-68C2-47D3-88A0-F16A83088C75}:ReplicatedFolderList",
    "CreationUtcTime": "2026-05-28 00:46:59.105",
    "Hash": "SHA1=13D7A18758C123CD4479C81E4B2D70301C31F7C3,MD5=2CB80232D48F726137F136C129FB2D2D,SHA256=F0336167989447F25357C51FEF44D321E40A6310DD8DD2FEFF37B8E55E4543A0,IMPHASH=00000000000000000000000000000000",
    "Contents": "{",
    "User": "F"
  },
  "message": "File stream created:\r\nRuleName: -\r\nUtcTime: 2026-06-13 13:42:03.651\r\nProcessGuid: {8a99384c-5e0b-6a2d-4c00-000000000a00}\r\nProcessId: 3488\r\nImage: C:\\Windows\\system32\\DFSRs.exe\r\nTargetFilename: C:\\Windows\\SYSVOL\\staging\\domain\\ContentSet{F961A193-E171-4E37-B0B3-7E1394CCD8E0}-{02199C3B-68C2-47D3-88A0-F16A83088C75}:ReplicatedFolderList\r\nCreationUtcTime: 2026-05-28 00:46:59.105\r\nHash: SHA1=13D7A18758C123CD4479C81E4B2D70301C31F7C3,MD5=2CB80232D48F726137F136C129FB2D2D,SHA256=F0336167989447F25357C51FEF44D321E40A6310DD8DD2FEFF37B8E55E4543A0,IMPHASH=00000000000000000000000000000000\r\nContents: {\r\nUser: F"
}

Detection Patterns #

Command & Control: Web Protocols

1 rule

Splunk

Unusual HTTP Download (Sysmon) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetFilename`	contains	`.bat:zone`	3 rules	sigma
`TargetFilename`	contains	`.dll:zone`	3 rules	sigma
`TargetFilename`	contains	`.exe:zone`	3 rules	sigma
`TargetFilename`	contains	`.hta:zone`	3 rules	sigma
`TargetFilename`	contains	`.ps1:zone`	3 rules	sigma
`TargetFilename`	contains	`.vbe:zone`	3 rules	sigma
`TargetFilename`	contains	`.vbs:zone`	3 rules	sigma
`TargetFilename`	contains	`.xll:zone`	3 rules	sigma
`TargetFilename`	ends_with	`:zone.identifier`	3 rules	sigma, splunk
`Contents`	contains	`.githubusercontent.com`	2 rules	sigma
`Contents`	contains	`anonfiles.com`	2 rules	sigma
`Contents`	contains	`cdn.discordapp.com`	2 rules	sigma
`Contents`	contains	`ddns.net`	2 rules	sigma
`Contents`	contains	`dl.dropboxusercontent.com`	2 rules	sigma
`Contents`	contains	`ghostbin.co`	2 rules	sigma

Community Notes #

May contain Mark of the Web, referrer, and host URL data.

Detection Rules #

Sysmon Event ID 4: Sysmon service state changedOREvent ID 16: ServiceConfigurationChange

Sigma # view in coverage

Hidden Executable In NTFS Alternate Data Stream source medium: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
Creation Of a Suspicious ADS File Outside a Browser Download source medium: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
Suspicious File Download From File Sharing Websites - File Stream source high: Detects the download of suspicious file type from a well-known file and paste sharing domain

Show 6 more (9 total)

Unusual File Download From File Sharing Websites - File Stream source medium: Detects the download of suspicious file type from a well-known file and paste sharing domain
HackTool Named File Stream Created source high: Detects the creation of a named file stream with the imphash of a well-known hack tool
Exports Registry Key To an Alternate Data Stream source high: Exports the target Registry key and hides it in the specified alternate data stream.
Unusual File Download from Direct IP Address source high: Detects the download of suspicious file type from URLs with IP
Potential Suspicious Winget Package Installation source high: Detects potential suspicious winget package installation from a suspicious source.
Potentially Suspicious File Download From ZIP TLD source high: Detects the download of a file with a potentially suspicious extension from a .zip top level domain.

Splunk # view in coverage

Download Files Using Telegram source: The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a…
Windows Alternate DataStream - Base64 Content source: The following analytic detects the creation of Alternate Data Streams (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which captures file creation events, including the content of named streams. ADS can…
Windows Alternate DataStream - Executable Content source: The following analytic detects the writing of data with an IMPHASH value to an Alternate Data Stream (ADS) in the NTFS file system. It leverages Sysmon Event ID 15 and regex to identify files with a Portable Executable (PE) structure. This…

References #

Event ID 16: ServiceConfigurationChange

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Olaf Hartong, others)
Task: Sysmon config state changed
Opcode: Info

Description

This event logs changes in the Sysmon configuration.

Message #

Sysmon config state changed:
UtcTime: %1
Configuration: %2
ConfigurationFileHash: %3

Fields #

Name	Description
`UtcTime` UnicodeString → string	Time in UTC when event was created
`Configuration` UnicodeString → string	Name of the Sysmon config file being updated
`ConfigurationFileHash` UnicodeString → string	Hash (SHA1) of the Sysmon config file being updated

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 16,
    "version": 3,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T00:47:11.932399+00:00",
    "event_record_id": 994662,
    "correlation": {},
    "execution": {
      "process_id": 8688,
      "thread_id": 13092
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "UtcTime": "2023-11-06 00:47:11.921",
    "Configuration": "C:\\Users\\User\\Downloads\\Sysmon\\sysmonconfig-trace.xml",
    "ConfigurationFileHash": "SHA256=43F367924B48AF65F121C0D369E7971C0757CC35D984C71887A5840987E154F9"
  },
  "message": ""
}

Detection Patterns #

Stealth: Hide Artifacts

1 rule

Sigma

Sysmon Configuration Modification (source)

frack113

Community Notes #

May indicate an attacker attempting to reduce visibility prior to staging a payload.

Detection Rules #

Sysmon Event ID 17: PipeEventOREvent ID 18: PipeEvent

Sigma # view in coverage

Sysmon Configuration Change source medium: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-16-serviceconfigurationchange
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-16.yml

Event ID 17: PipeEvent (Pipe Created)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: Pipe Created (rule: PipeEvent)
Opcode: Info

Description

This event generates when a **named pipe is created**. Malware often uses named pipes for interprocess communication.

Message #

Pipe Created:
RuleName: %1
EventType: %2
UtcTime: %3
ProcessGuid: %4
ProcessId: %5
PipeName: %6
Image: %7
User: %8

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`EventType` UnicodeString	The type of pipe event (CreatePipe)	8 detection rules
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that created the pipe
`ProcessId` UInt32	Process ID used by the OS to identify the process that created the pipe
`PipeName` UnicodeString	Name of the pipe created	104 detection rules
`Image` UnicodeString	File path of the process that created the pipe	60 detection rules
`User` UnicodeString	The name of the account that created the named pipe.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 17,
    "version": 1,
    "level": 4,
    "task": 17,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:08:49.4169649+00:00",
    "event_record_id": 17610185,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "CreatePipe",
    "UtcTime": "2026-06-13 14:08:49.413",
    "ProcessGuid": "{8a99384c-6471-6a2d-a005-000000001000}",
    "ProcessId": "7864",
    "PipeName": "\\PSHost.134258333292497101.7864.DefaultAppDomain.wsmprovhost",
    "Image": "C:\\Windows\\system32\\wsmprovhost.exe",
    "User": "cell-c\\domainadmin"
  },
  "message": "Pipe Created:\r\nRuleName: -\r\nEventType: CreatePipe\r\nUtcTime: 2026-06-13 14:08:49.413\r\nProcessGuid: {8a99384c-6471-6a2d-a005-000000001000}\r\nProcessId: 7864\r\nPipeName: \\PSHost.134258333292497101.7864.DefaultAppDomain.wsmprovhost\r\nImage: C:\\Windows\\system32\\wsmprovhost.exe\r\nUser: cell-c\\domainadmin"
}

Detection Patterns #

Named Pipe

32 rules

Sigma

WMI Event Consumer Created Named Pipe (source)

Florian Roth (Nextron Systems)

Alternate PowerShell Hosts Pipe (source)

Roberto Rodriguez @Cyb3rWard0g, Tim Shelton

New PowerShell Instance Created (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Show 16 more (19 total) on the rules page

Splunk

Windows Anonymous Pipe Activity (source)

Teoderick Contreras, Splunk

Raven Tait, Splunk

Raven Tait, Splunk

Kusto

Security-Auditing Event ID 5145: A network share object was checked to see whether client can be granted desired access.ORSysmon Event ID 17: PipeEventOREvent ID 18: PipeEvent

Microsoft Security Research

C2-NamedPipe (source)

Named Pipe

15 rules

Sigma

CobaltStrike Named Pipe (source)

Florian Roth (Nextron Systems), Wojciech Lesicki

CobaltStrike Named Pipe Pattern Regex (source)

Florian Roth (Nextron Systems)

CobaltStrike Named Pipe Patterns (source)

Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)

Trickbot Named Pipe (source)

Splunk

Teoderick Contreras, Splunk

Raven Tait, Splunk

Raven Tait, Splunk

Kusto

Microsoft Security Research

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`NamedPipeEvent`	2 rules	kusto
`EventType`	in	`ConnectPipe`	4 rules	splunk
`EventType`	in	`CreatePipe`	4 rules	splunk
`tool`	is_not_null		4 rules	splunk
`PipeName`	eq	`\PSEXESVC`	2 rules	sigma
`PipeName`	eq	`\sdlrpc`	2 rules	sigma
`PipeName`	starts_with	`\PSHost`	2 rules	sigma
`AccessList`	contains	`%%4418`	1 rule	kusto, sigma, splunk
`Hashes`	is_not_null		1 rule	chronicle, elastic, kusto
`Image`	contains	`:\users\public\`	1 rule	sigma
`Image`	contains	`:\windows\temp\`	1 rule	sigma
`Image`	contains	`\appdata\local\temp\`	1 rule	sigma
`Image`	contains	`\desktop\`	1 rule	sigma
`Image`	contains	`\downloads\`	1 rule	sigma
`Image`	ends_with	`\\wermgr.exe`	1 rule	splunk

Detection Rules #

Sysmon Event ID 17: PipeEventOREvent ID 18: PipeEvent

Sigma # view in coverage

HackTool - DiagTrackEoP Default Named Pipe source critical: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.↳ also matches Event ID 18: PipeEvent (Pipe Connected)

Elastic # view in coverage

Privilege Escalation via Rogue Named Pipe Impersonation source high: Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.

YARA-L # view in coverage

ADFS DB Suspicious Named Pipe Connection source: Connection to ADFS via named pipes that are not using specific Windows ADFS processes may be indicative of user attempting to access ADFS for suspicious purposes↳ also matches Event ID 18: PipeEvent (Pipe Connected)
GCTI Remote Access Tools source: Alert process and file create events that are associated with hashes from the GCTI Remote Access Tool list↳ also matches Event ID 1: Process creation, Event ID 7: Image loaded, Event ID 11: FileCreate, Event ID 18: PipeEvent (Pipe Connected)

References #

Event ID 18: PipeEvent (Pipe Connected)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: Pipe Connected (rule: PipeEvent)
Opcode: Info

Description

This event logs when a named pipe connection is made between a client and a server.

Message #

Pipe Connected:
RuleName: %1
EventType: %2
UtcTime: %3
ProcessGuid: %4
ProcessId: %5
PipeName: %6
Image: %7
User: %8

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`EventType` UnicodeString	The type of pipe event (ConnectPipe)
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that connected the pipe
`ProcessId` UInt32	Process ID used by the OS to identify the process that connected the pipe
`PipeName` UnicodeString	Name of the pipe connected	1 detection rule
`Image` UnicodeString	File path of the process that connected the pipe
`User` UnicodeString	The name of the account that made a named pipe connection.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 18,
    "version": 1,
    "level": 4,
    "task": 18,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:29.4179487+00:00",
    "event_record_id": 17612764,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "EventType": "ConnectPipe",
    "UtcTime": "2026-06-13 14:09:29.413",
    "ProcessGuid": "{8a99384c-6499-6a2d-a205-000000001000}",
    "ProcessId": "7704",
    "PipeName": "\\srvsvc",
    "Image": "C:\\ludus\\background\\bginfo.exe",
    "User": "cell-c\\domainadmin"
  },
  "message": "Pipe Connected:\r\nRuleName: -\r\nEventType: ConnectPipe\r\nUtcTime: 2026-06-13 14:09:29.413\r\nProcessGuid: {8a99384c-6499-6a2d-a205-000000001000}\r\nProcessId: 7704\r\nPipeName: \\srvsvc\r\nImage: C:\\ludus\\background\\bginfo.exe\r\nUser: cell-c\\domainadmin"
}

Detection Patterns #

Named Pipe

32 rules

Sigma

WMI Event Consumer Created Named Pipe (source)

Florian Roth (Nextron Systems)

Alternate PowerShell Hosts Pipe (source)

Roberto Rodriguez @Cyb3rWard0g, Tim Shelton

New PowerShell Instance Created (source)

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Show 16 more (19 total) on the rules page

Splunk

Windows Anonymous Pipe Activity (source)

Teoderick Contreras, Splunk

Raven Tait, Splunk

Raven Tait, Splunk

Kusto

Security-Auditing Event ID 5145: A network share object was checked to see whether client can be granted desired access.ORSysmon Event ID 17: PipeEventOREvent ID 18: PipeEvent

Microsoft Security Research

C2-NamedPipe (source)

Named Pipe

15 rules

Sigma

CobaltStrike Named Pipe (source)

Florian Roth (Nextron Systems), Wojciech Lesicki

CobaltStrike Named Pipe Pattern Regex (source)

Florian Roth (Nextron Systems)

CobaltStrike Named Pipe Patterns (source)

Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)

Trickbot Named Pipe (source)

Splunk

Teoderick Contreras, Splunk

Raven Tait, Splunk

Raven Tait, Splunk

Kusto

Microsoft Security Research

Sysmon Event ID 3: Network connectionANDEvent ID 18: PipeEvent

Collection: Data from Local System

1 rule

Kusto

AD FS Remote HTTP Network Connection (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`NamedPipeEvent`	2 rules	kusto
`EventType`	in	`ConnectPipe`	4 rules	splunk
`EventType`	in	`CreatePipe`	4 rules	splunk
`tool`	is_not_null		4 rules	splunk
`Computer`	eq	`ADFS_Servers`	2 rules	kusto
`PipeName`	eq	`\PSEXESVC`	2 rules	sigma
`PipeName`	eq	`\sdlrpc`	2 rules	sigma
`PipeName`	starts_with	`\PSHost`	2 rules	sigma
`AccessList`	contains	`%%4418`	1 rule	kusto, sigma, splunk
`DestinationPort`	eq	`80`	1 rule	elastic, kusto, sigma
`Image`	contains	`:\users\public\`	1 rule	sigma
`Image`	contains	`:\windows\temp\`	1 rule	sigma
`Image`	contains	`\desktop\`	1 rule	sigma
`Image`	contains	`\downloads\`	1 rule	sigma
`Image`	ends_with	`\\wermgr.exe`	1 rule	splunk

Detection Rules #

Sysmon Event ID 19: WmiEventOREvent ID 20: WmiEventOREvent ID 21: WmiEvent

Sigma # view in coverage

HackTool - DiagTrackEoP Default Named Pipe source critical: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.↳ also matches Event ID 17: PipeEvent (Pipe Created)

Kusto # view in coverage

ADFS Database Named Pipe Connection source medium: This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). In order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected). If you do not have Sysmon data in your workspace this query will raise an error stating: Failed to resolve scalar expression named "[@Name]"

YARA-L # view in coverage

ADFS DB Suspicious Named Pipe Connection source: Connection to ADFS via named pipes that are not using specific Windows ADFS processes may be indicative of user attempting to access ADFS for suspicious purposes↳ also matches Event ID 17: PipeEvent (Pipe Created)
GCTI Remote Access Tools source: Alert process and file create events that are associated with hashes from the GCTI Remote Access Tool list↳ also matches Event ID 1: Process creation, Event ID 7: Image loaded, Event ID 11: FileCreate, Event ID 17: PipeEvent (Pipe Created)

References #

Event ID 19: WmiEvent (WmiEventFilter activity detected)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Olaf Hartong, others)
Task: WmiEventFilter activity detected (rule: WmiEvent)
Opcode: Info

Description

When a WMI event filter is registered, this event logs the WMI namespace, filter name and filter expression.

Message #

WmiEventFilter activity detected:
RuleName: %1
EventType: %2
UtcTime: %3
Operation: %4
User: %5
EventNamespace: %6
Name: %7
Query: %8

Fields #

Name	Description
`RuleName` UnicodeString → string	Custom tag mapped to event, i.e. ATT&CK technique ID
`EventType` UnicodeString → string	WMI event type
`UtcTime` UnicodeString → string	Time in UTC when event was created
`Operation` UnicodeString → string	WMI event filter operation Known values `Created` A WMI persistence artifact was registered (filter, consumer, or binding established). `Deleted` An existing WMI persistence artifact was removed. `Modified` An existing WMI persistence artifact was updated in place (rare).
`User` UnicodeString → string	User that created the WMI filter
`EventNamespace` UnicodeString → string	Event namespace where the WMI class is registered
`Name` UnicodeString → string	WMI filter name being created
`Query` UnicodeString → string	WMI filter query

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 19,
    "version": 3,
    "level": 4,
    "task": 19,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:54:57.044623Z",
    "event_record_id": 4055,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 1776
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiFilterEvent",
    "UtcTime": "2019-07-19 14:54:57.041",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "EventNamespace": " \"root\\\\CimV2\"",
    "Name": " \"AtomicRedTeam-WMIPersistence-Example\"",
    "Query": " \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\""
  }
}

Detection Patterns #

WMI Consumer

4 rules

Sigma

Suspicious Encoded Scripts in a WMI Consumer (source)

Florian Roth (Nextron Systems)

Suspicious Scripting in a WMI Consumer (source)

Florian Roth (Nextron Systems), Jonhnathan Ribeiro

WMI Event Subscription (source)

Tom Ueltschi (@c_APT_ure)

Gain Code Execution on ADFS Server via Remote WMI Execution (source)

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Microsoft Security Research

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`CommandLine`	contains	`rundll32`	1 rule	chronicle, kusto, sigma
`Computer`	eq	`ADFS_Servers`	1 rule	kusto

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-19.yml

Event ID 20: WmiEvent (WmiEventConsumer activity detected)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Olaf Hartong, others)
Task: WmiEventConsumer activity detected (rule: WmiEvent)
Opcode: Info

Description

This event logs the **registration of WMI consumers**, recording the consumer name, log, and destination.

Message #

WmiEventConsumer activity detected:
RuleName: %1
EventType: %2
UtcTime: %3
Operation: %4
User: %5
Name: %6
Type: %7
Destination: %8

Fields #

Name	Description
`RuleName` UnicodeString → string	Custom tag mapped to event, i.e. ATT&CK technique ID
`EventType` UnicodeString → string	WMI event type
`UtcTime` UnicodeString → string	Time in UTC when event was created
`Operation` UnicodeString → string	WMI consumer operation (e.g., Created, Deleted) Known values `Created` A WMI persistence artifact was registered (filter, consumer, or binding established). `Deleted` An existing WMI persistence artifact was removed. `Modified` An existing WMI persistence artifact was updated in place (rare).
`User` UnicodeString → string	User that created the WMI consumer
`Name` UnicodeString → string	Name of the consumer created
`Type` UnicodeString → string	Type of WMI consumer
`Destination` UnicodeString → string	Destination or command executed by the WMI consumer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 20,
    "version": 3,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:54:58.819106Z",
    "event_record_id": 4056,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 1776
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiConsumerEvent",
    "UtcTime": "2019-07-19 14:54:58.807",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "Name": " \"AtomicRedTeam-WMIPersistence-Example\"",
    "Type": "Command Line",
    "Destination": " \"C:\\\\Windows\\\\System32\\\\notepad.exe\""
  }
}

Detection Patterns #

WMI Consumer

Sysmon Event ID 19: WmiEventOREvent ID 20: WmiEventOREvent ID 21: WmiEvent

4 rules

Sigma

Suspicious Encoded Scripts in a WMI Consumer (source)

Florian Roth (Nextron Systems)

Suspicious Scripting in a WMI Consumer (source)

Florian Roth (Nextron Systems), Jonhnathan Ribeiro

WMI Event Subscription (source)

Tom Ueltschi (@c_APT_ure)

Gain Code Execution on ADFS Server via Remote WMI Execution (source)

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Microsoft Security Research

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`CommandLine`	contains	`rundll32`	1 rule	chronicle, kusto, sigma
`Computer`	eq	`ADFS_Servers`	1 rule	kusto

Detection Rules #

Sysmon Event ID 19: WmiEventOREvent ID 20: WmiEventOREvent ID 21: WmiEvent

Splunk # view in coverage

Detect WMI Event Subscription Persistence source: The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and…

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-20.yml

Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Olaf Hartong, others)
Task: WmiEventConsumerToFilter activity detected (rule: WmiEvent)
Opcode: Info

Description

When a consumer binds to a filter, this event logs the consumer name and filter path.

Message #

WmiEventConsumerToFilter activity detected:
RuleName: %1
EventType: %2
UtcTime: %3
Operation: %4
User: %5
Consumer: %6
Filter: %7

Fields #

Name	Description
`RuleName` UnicodeString → string	Custom tag mapped to event, i.e. ATT&CK technique ID
`EventType` UnicodeString → string	WMI event type
`UtcTime` UnicodeString → string	Time in UTC when event was created
`Operation` UnicodeString → string	WMI consumer-to-filter binding operation Known values `Created` A WMI persistence artifact was registered (filter, consumer, or binding established). `Deleted` An existing WMI persistence artifact was removed. `Modified` An existing WMI persistence artifact was updated in place (rare).
`User` UnicodeString → string	User that created the WMI consumer-to-filter binding
`Consumer` UnicodeString → string	Consumer created to bind
`Filter` UnicodeString → string	Filter created to bind

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 21,
    "version": 3,
    "level": 4,
    "task": 21,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-19T14:57:02.378480Z",
    "event_record_id": 4057,
    "correlation": {},
    "execution": {
      "process_id": 2796,
      "thread_id": 4356
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "",
    "EventType": "WmiBindingEvent",
    "UtcTime": "2019-07-19 14:57:02.369",
    "Operation": "Created",
    "User": "MSEDGEWIN10\\IEUser",
    "Consumer": " \"\\\\\\\\.\\\\ROOT\\\\subscription:CommandLineEventConsumer.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\"",
    "Filter": " \"\\\\\\\\.\\\\ROOT\\\\subscription:__EventFilter.Name=\\\"AtomicRedTeam-WMIPersistence-Example\\\"\""
  }
}

Detection Patterns #

WMI Consumer

4 rules

Sigma

Suspicious Encoded Scripts in a WMI Consumer (source)

Florian Roth (Nextron Systems)

Suspicious Scripting in a WMI Consumer (source)

Florian Roth (Nextron Systems), Jonhnathan Ribeiro

WMI Event Subscription (source)

Tom Ueltschi (@c_APT_ure)

Gain Code Execution on ADFS Server via Remote WMI Execution (source)

Lateral Movement: Exploitation of Remote Services

1 rule

Kusto

Microsoft Security Research

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`CommandLine`	contains	`rundll32`	1 rule	chronicle, kusto, sigma
`Computer`	eq	`ADFS_Servers`	1 rule	kusto

Community Notes #

May surface registration of WMI event-based auto-runs that survive reboots.

Detection Rules #

(Security-Auditing Event ID 4688: A new process has been created.ORSysmon Event ID 1: Process creation)→Event ID 22: DNSEvent

Splunk # view in coverage

WMI Permanent Event Subscription - Sysmon source: The following analytic identifies the creation of WMI permanent event subscriptions, which can be used to establish persistence or perform privilege escalation. It leverages Sysmon data, specifically EventCodes 19, 20, and 21, to detect…

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
Example event sourced from https://github.com/NextronSystems/evtx-baseline
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-21.yml

Event ID 22: DNSEvent (DNS query)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (JSCU-NL)
Task: Dns query (rule: DnsQuery)
Opcode: Info

Description

This event generates when a process executes a **DNS query**, whether the result is successful or fails, cached or not.

Message #

Dns query:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
QueryName: %5
QueryStatus: %6
QueryResults: %7
Image: %8
User: %9

Fields #

Name	Description	Rules
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that executed the DNS query
`ProcessId` UInt32	Process ID of the process that executed the DNS query
`QueryName` UnicodeString	DNS query name	307 detection rules
`QueryStatus` UnicodeString	DNS query status Known values `0` Success (records returned or no error) `5` ERROR_ACCESS_DENIED `87` ERROR_INVALID_PARAMETER `1460` ERROR_TIMEOUT `9001` DNS_ERROR_RCODE_FORMAT_ERROR (FORMERR) `9002` DNS_ERROR_RCODE_SERVER_FAILURE (SERVFAIL) `9003` DNS_ERROR_RCODE_NAME_ERROR (NXDOMAIN) `9004` DNS_ERROR_RCODE_NOT_IMPLEMENTED (NOTIMP) `9005` DNS_ERROR_RCODE_REFUSED `9501` DNS_INFO_NO_RECORDS (no error, zero records) `9701` DNS_ERROR_RECORD_DOES_NOT_EXIST (specific record not found) `9702` DNS_ERROR_RECORD_FORMAT (record format error) `9714` DNS_ERROR_NAME_DOES_NOT_EXIST (name itself does not exist) `9852` DNS_ERROR_NO_DNS_SERVERS (no configured resolvers)
`QueryResults` UnicodeString	DNS query results
`Image` UnicodeString	The full path related to the process that executed the DNS query	175 detection rules
`User` UnicodeString	The name of the account that executes a DNS Query.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 22,
    "version": 5,
    "level": 4,
    "task": 22,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:53.5641227+00:00",
    "event_record_id": 6320060,
    "correlation": {},
    "execution": {
      "process_id": 3872,
      "thread_id": 5372
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:09:52.247",
    "ProcessGuid": "{8a99384c-5e0c-6a2d-5d00-000000000a00}",
    "ProcessId": "3872",
    "QueryName": "172.210.232.199.in-addr.arpa.",
    "QueryStatus": "9003",
    "QueryResults": "-",
    "Image": "C:\\Windows\\Sysmon64.exe",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": "Dns query:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:52.247\r\nProcessGuid: {8a99384c-5e0c-6a2d-5d00-000000000a00}\r\nProcessId: 3872\r\nQueryName: 172.210.232.199.in-addr.arpa.\r\nQueryStatus: 9003\r\nQueryResults: -\r\nImage: C:\\Windows\\Sysmon64.exe\r\nUser: NT AUTHORITY\\SYSTEM"
}

Detection Patterns #

1 rule

Elastic

MsBuild Making Network Connections (source)

Elastic

Execution: Exploitation for Client Execution

Sysmon Event ID 7: Image loadedANDEvent ID 22: DNSEvent

1 rule

Splunk

Sunburst Correlation DLL and Network Event (source)

Patrick Bareiss, Splunk

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`graph.metadata.entity_type`	eq	`DOMAIN_NAME`	5 rules	chronicle
`dns.question.name`	eq	`*`	3 rules	splunk
`EventType`	eq	`lookup_requested`	2 rules	elastic
`Image`	in	`\\appdata\\`	2 rules	splunk
`Image`	in	`\\perflogs\\`	2 rules	splunk
`Image`	in	`\\programdata\\`	2 rules	splunk
`Image`	in	`\\temp\\`	2 rules	splunk
`Image`	in	`\\users\\public\\`	2 rules	splunk
`Image`	in	`\\windows\\tasks\\`	2 rules	splunk
`IsActive`	eq	`true`	2 rules	kusto
`ObservableKey`	eq	`domain-name:value`	2 rules	kusto
`ObservableValue`	is_not_null		2 rules	kusto
`QueryName`	ends_with	`remoteassistance.support.services.microsoft.com`	2 rules	sigma
`QueryName`	in	`*api.ip.sb`	2 rules	splunk
`QueryName`	in	`*api.ipify.org`	2 rules	splunk

Detection Rules #

Sysmon Event ID 23: FileDeleteOREvent ID 26: FileDeleteDetected

Sigma # view in coverage

DNS Query for Anonfiles.com Domain - Sysmon source high: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
AppX Package Installation Attempts Via AppInstaller.EXE source medium: Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
Cloudflared Tunnels Related DNS Requests source medium: Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Show 17 more (27 total)

DNS Query To Common Malware Hosting and Shortener Services source medium: Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
DNS Query To Devtunnels Domain source medium: Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
DNS Server Discovery Via LDAP Query source low: Detects DNS server discovery via LDAP query requests from uncommon applications
DNS Query To AzureWebsites.NET By Non-Browser Process source medium: Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
DNS Query by Finger Utility source high: Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
Notepad++ Updater DNS Query to Uncommon Domains source medium: Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
DNS HybridConnectionManager Service Bus source high: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing source high: Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
Suspicious Cobalt Strike DNS Beaconing - Sysmon source critical: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
DNS Query To MEGA Hosting Website source medium: Detects DNS queries for subdomains related to MEGA sharing website
DNS Query Request To OneLaunch Update Service source low: Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
DNS Query Request By QuickAssist.EXE source low: Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
DNS Query Request By Regsvr32.EXE source medium: Detects DNS queries initiated by "Regsvr32.exe"
DNS Query To Remote Access Software Domain From Non-Browser App source medium: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Suspicious DNS Query for IP Lookup Service APIs source medium: Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
TeamViewer Domain Query By Non-TeamViewer Application source medium: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
DNS Query Tor .Onion Address - Sysmon source high: Detects DNS queries to an ".onion" address related to Tor routing networks

Elastic # view in coverage

First Time Seen DNS Query to RMM Domain source medium: Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. Intended to surface RMM clients, scripts, or other non-browser activity contacting these services.
External IP Lookup from Non-Browser Process source low: Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.

Splunk # view in coverage

Local LLM Framework DNS Query source: Detects DNS queries related to local LLM models on endpoints by monitoring Sysmon DNS query events (Event ID 22) for known LLM model domains and services. Local LLM frameworks like Ollama, LM Studio, and GPT4All make DNS calls to…
Windows AI Platform DNS Query source: The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, OpenAI, and other popular providers of machine learning models and services. Monitoring these DNS requests is…
Windows BitLockerToGo with Network Activity source: The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for…

Show 17 more (22 total)

Windows DNS Query Request To TinyUrl source: The following analytic detects a process located in a potentially suspicious location making DNS queries to known URL shortening services, specifically tinyurl. URL shorteners are frequently used by threat actors to obfuscate malicious…
Windows Visual Basic Commandline Compiler DNSQuery source: The following analytic detects instances where vbc.exe, the Visual Basic Command Line Compiler, initiates DNS queries. Normally, vbc.exe operates locally to compile Visual Basic code and does not require internet access or to perform DNS…
3CX Supply Chain Attack Network Indicators source: The following analytic identifies DNS queries to domains associated with the 3CX supply chain attack. It leverages the Network_Resolution datamodel to detect these suspicious domain indicators. This activity is significant because it can…
Detect DNS Query to Decommissioned S3 Bucket source: This detection identifies DNS queries to domains that match previously decommissioned S3 buckets. This activity is significant because attackers may attempt to recreate deleted S3 buckets that were previously public to hijack them for…
Detect hosts connecting to dynamic domain providers source: The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the Network_Resolution data model and cross-references them with a lookup file containing known dynamic DNS…
Detect Remote Access Software Usage DNS source: The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and…
DNS Kerberos Coercion source: Detects DNS-based Kerberos coercion attacks where adversaries inject marshaled credential structures into DNS records to spoof SPNs and redirect authentication such as in CVE-2025-33073. This detection leverages suricata looking for…
DNS Query Length With High Standard Deviation source: The following analytic identifies DNS queries with unusually large lengths by computing the standard deviation of query lengths and filtering those exceeding two times the standard deviation. It leverages DNS query data from the…
Ngrok Reverse Proxy on Network source: The following analytic detects DNS queries to common Ngrok domains, indicating potential use of the Ngrok reverse proxy tool. It leverages the Network Resolution datamodel to identify queries to domains such as "*.ngrok.com" and…
Rundll32 DNSQuery source: The following analytic detects a suspicious rundll32.exe process making HTTP connections and performing DNS queries to web domains. It leverages Sysmon EventCode 22 logs to identify these activities. This behavior is significant as it is…
Suspicious Process DNS Query Known Abuse Web Services source: The following analytic detects a suspicious process making DNS queries to known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms. It leverages Sysmon EventID 22 logs to identify queries from…
Suspicious Process With Discord DNS Query source: The following analytic identifies a process making a DNS query to Discord, excluding legitimate Discord application paths. It leverages Sysmon logs with Event ID 22 to detect DNS queries containing "discord" in the QueryName field. This…
Wermgr Process Connecting To IP Check Web Services source: The following analytic detects the wermgr.exe process attempting to connect to known IP check web services. It leverages Sysmon EventCode 22 to identify DNS queries made by wermgr.exe to specific IP check services. This activity is…
Windows Abused Web Services source: The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon…
Windows DNS Query Request by Telegram Bot API source: The following analytic detects the execution of a DNS query by a process to the associated Telegram API domain, which could indicate access via a Telegram bot commonly used by malware for command and control (C2) communications. By…
Windows Gather Victim Network Info Through Ip Check Web Services source: The following analytic detects processes attempting to connect to known IP check web services. This behavior is identified using Sysmon EventCode 22 logs, specifically monitoring DNS queries to services like "wtfismyip.com" and…
Windows Multi hop Proxy TOR Website Query source: The following analytic identifies DNS queries to known TOR proxy websites, such as "*.torproject.org" and "www.theonionrouter.com". It leverages Sysmon EventCode 22 to detect these queries by monitoring DNS query events from endpoints.…

Kusto # view in coverage

DNS events related to mining pools (ASIM DNS Schema) source low: Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema
DNS events related to ToR proxies (ASIM DNS Schema) source low: Identifies IP addresses performing DNS lookups associated with common ToR proxies. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema
Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) source medium: This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM DNS schema

Show 8 more (11 total)

Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) source medium: This rule generates an alert when the configured threshold for DNS queries to non-existent domains is breached. This helps in identifying possible C2 communications. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) source medium: This rule creates an alert when multiple clients report errors for the same DNS query. This helps in identifying possible similar C2 communications originating from different clients. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
Ngrok Reverse Proxy on Network (ASIM DNS Solution) source medium: This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.
Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) source medium: This rule identifies clients with a high NXDomain count, which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). An alert is generated when a new IP address is seen (based on not being seen associated with NXDomain records in prior 10-day baseline period). It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution) source medium: This rule makes use of the series decompose anomaly method to identify clients with high reverse DNS counts. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) source medium: This rule identifies clients with high reverse DNS counts, which could be carrying out reconnaissance or discovery activity. This helps in detecting the possible initial phases of an attack, like discovery and reconnaissance. It utilizes ASIM normalization and is applied to any source that supports the ASIM DNS schema.
Google Threat Intelligence - Threat Hunting Domain source medium: Google Threat Intelligence domain correlation.
RecordedFuture Threat Hunting Domain All Actors source medium: Recorded Future Threat Hunting domain correlation for all actors.

YARA-L # view in coverage

Recon Environment Enumeration Network CISA Report source: Detects network enumeration commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into↳ also matches Event ID 1: Process creation
DNS Query To Recently Created Domain source: DNS query to a recently created domain
Domain Prevalence source: Detects DNS events querying domains that have a low rolling max prevalence.

Show 4 more (7 total)

IOC Domain C2 source: Detect DNS events that indicate communication to a C2 domain in MISP
IOC Domain Internal Policy source: Detect DNS events that communicate with gaming sites in MISP. These violate policy.
VT Relationships File Contacts Domain source: Alert on known Hash querying a known hostname with VT Relationships
WHOIS DNS Query To Typesquatting Domain source: Provides example usage of WHOIS data, detecting a DNS query for a domain that contains a specific string and is not registered with the defined domain registrar.

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-22.yml
NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
MS Learn DNS_ERROR_* (winerror.h codes 9000-11999) https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes--9000-11999-

Event ID 23: FileDelete (File Delete archived)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: File Delete archived (rule: FileDelete)
Opcode: Info

Description

A file was deleted. Additionally the deleted file is saved in the ArchiveDirectory.

Message #

File Delete archived:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
User: %5
Image: %6
TargetFilename: %7
Hashes: %8
IsExecutable: %9
Archived: %10

Fields #

Name	Description	Rules
`RuleName` UnicodeString → string	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString → string	Time in UTC when event was created
`ProcessGuid` GUID → GUID	Process GUID of the process that deleted the file
`ProcessId` UInt32 → PID	Process ID used by the OS to identify the process that deleted the file
`User` UnicodeString → string	Name of the account who deleted the file.	2 detection rules
`Image` UnicodeString → string	File path of the process that deleted the file	22 detection rules
`TargetFilename` UnicodeString → string	Full path name of the deleted file	79 detection rules
`Hashes` UnicodeString → string	Hashes captured by the Sysmon driver of the deleted file
`IsExecutable` Boolean → boolean	Whether the deleted file is a PE executable
`Archived` UnicodeString → string	States if the file was archived when deleted

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 23,
    "version": 5,
    "level": 4,
    "task": 23,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2020-10-20T11:50:55.461859Z",
    "event_record_id": 769,
    "correlation": {},
    "execution": {
      "process_id": 7212,
      "thread_id": 9748
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "DESKTOP-NTSSLJD",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2020-10-20 11:50:55.457",
    "ProcessGuid": "23F38D93-CF1F-5F8E-CA08-000000000C00",
    "ProcessId": 8736,
    "User": "DESKTOP-NTSSLJD\\den",
    "Image": "C:\\Program Files\\Internet Explorer\\IEInstal.exe",
    "TargetFilename": "C:\\Users\\den\\AppData\\Local\\Temp\\dfcc1807-03a1-4ae1-ab29-5675b285edea\\consent.exe.dat",
    "Hashes": "SHA1=6BFB38629570909D3D9EEDFC783A948CE7849105,MD5=EE2A1C85C472F89B146CC8EE598CCCBC,SHA256=19FD0010DA92B654D1CA270247061A39EA13C0A58529FD8257A97E2EF7794911,IMPHASH=522D83761201075834F05037F5307949",
    "IsExecutable": true,
    "Archived": "true"
  }
}

Detection Patterns #

23 rules

Sigma

Unusual File Deletion by Dns.exe (source)

Tim Rauch (Nextron Systems), Elastic (idea)

Exchange PowerShell Cmdlet History Deleted (source)

Nasreddine Bencherchali (Nextron Systems)

Nasreddine Bencherchali (Nextron Systems)

Elastic

Elastic

Third-party Backup Files Deleted via Unexpected Process (source)

Elastic

Elastic

Splunk

Teoderick Contreras, Splunk

Teoderick Contreras, Splunk

Teoderick Contreras, Splunk

Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEventOREvent ID 23: FileDeleteOREvent ID 26: FileDeleteDetected

15 rules

Sigma

Exchange PowerShell Cmdlet History Deleted (source)

Nasreddine Bencherchali (Nextron Systems)

Nasreddine Bencherchali (Nextron Systems)

IIS WebServer Access Logs Deleted (source)

Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Elastic

Elastic

Elastic

Splunk

Teoderick Contreras, Splunk

Teoderick Contreras, Splunk

Security-Auditing Event ID 4663: An attempt was made to access an object.ORSysmon Event ID 11: FileCreateOREvent ID 23: FileDeleteOREvent ID 26: FileDeleteDetected

Teoderick Contreras, Splunk

Threat Hunting Hash

3 rules

Kusto

RecordedFuture Threat Hunting Hash All Actors (source)

SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) (source)

Yaron

Google Threat Intelligence - Threat Hunting Hash (source)

Sysmon Event ID 11: FileCreateANDEvent ID 23: FileDeleteANDEvent ID 26: FileDeleteDetected

1 rule

Elastic

Unusual File Operation by dns.exe (source)

Elastic

Persistence: Boot or Logon Autostart Execution

Sysmon Event ID 11: FileCreateOREvent ID 23: FileDelete

1 rule

Splunk

Additional dll added to Spool Driver (Sysmon) (source)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetFilename`	ends_with	`:zone.identifier`	3 rules	sigma, splunk
`TargetFilename`	ends_with	`.log`	2 rules	sigma
`event.type`	eq	`deletion`	3 rules	elastic
`event.type`	in	`change`	2 rules	elastic
`event.type`	in	`deletion`	2 rules	elastic
`Hashes`	is_not_null		2 rules	chronicle, elastic, kusto
`IsActive`	eq	`true`	2 rules	kusto
`ObservableKey`	contains	`file:hashes`	2 rules	kusto
`ObservableValue`	is_not_null		2 rules	kusto
`count`	ge	`100`	2 rules	splunk
`event.category`	eq	`file`	2 rules	elastic
`Anomalies`	gt	`0`	1 rule	kusto
`FilePath`	contains	`account details`	1 rule	kusto
`FilePath`	contains	`bank account`	1 rule	kusto
`FilePath`	contains	`bank details`	1 rule	kusto

Detection Rules #

Sigma # view in coverage

Process Deletion of Its Own Executable source medium: Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.↳ also matches Event ID 26: FileDeleteDetected (File Delete logged)

Splunk # view in coverage

Windows Mark Of The Web Bypass source: The following analytic identifies a suspicious process that deletes the Mark-of-the-Web (MOTW) data stream. It leverages Sysmon EventCode 23 to detect when a file's Zone.Identifier stream is removed. This activity is significant because it…
Windows MSI Rollback Script Deleted By Non-Msiexec Process source: Detects deletion of a Rollback Script (.rbs) file under C:\Config.Msi, the critical filesystem manipulation step in an MSI Rollback privilege escalation attack that converts an arbitrary file delete primitive into full SYSTEM code…
Windows Rdp AutomaticDestinations Deletion source: This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user’s AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records…↳ also matches Event ID 26: FileDeleteDetected (File Delete logged)

YARA-L # view in coverage

Suspicious Filewrites To Sharepoint Layouts source: Detects a command-line interpreter (cmd.exe or powershell.exe) writing a file to a SharePoint (\TEMPLATE\LAYOUTS) directory.↳ also matches Event ID 2: A process changed a file creation time, Event ID 11: FileCreate
Suspicious Unusual Location LNK File source: Detects creation and movement of .lnk files to specific folders↳ also matches Event ID 2: A process changed a file creation time, Event ID 11: FileCreate

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-23-filedelete-file-delete-archived
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-23.yml

Event ID 24: ClipboardChange (New content in the clipboard)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (JSCU-NL)
Task: Clipboard changed (rule: ClipboardChange)
Opcode: Info

Description

This event is generated when the system clipboard contents change.

Message #

Clipboard changed:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
Session: %6
ClientInfo: %7
Hashes: %8
Archived: %9
User: %10

Fields #

Name	Description
`RuleName` UnicodeString → string
`UtcTime` UnicodeString → string
`ProcessGuid` GUID → GUID
`ProcessId` UInt32 → PID
`Image` UnicodeString → string
`Session` UInt32 → unsignedInt
`ClientInfo` UnicodeString → string
`Hashes` UnicodeString → string
`Archived` UnicodeString → string
`User` UnicodeString → string

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 24,
    "version": 5,
    "level": 4,
    "task": 24,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:34:43.177918+00:00",
    "event_record_id": 1300545,
    "correlation": {},
    "execution": {
      "process_id": 7064,
      "thread_id": 18652
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2023-11-06 01:34:43.168",
    "ProcessGuid": "E56ADA26-3DE0-6548-E908-000000000D00",
    "ProcessId": 11112,
    "Image": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.18.2822.0_x64__8wekyb3d8bbwe\\WindowsTerminal.exe",
    "Session": 1,
    "ClientInfo": "user: WINDEV2310EVAL\\User",
    "Hashes": "SHA1=179A4D08834E913B14727CF6474BAC31E082D275,MD5=64D76D5B160C1EB41680025DD778622D,SHA256=35EC5A2FD3F20757A957DC280EF330892A9D76378252CD381BF34518E6A30427,IMPHASH=00000000000000000000000000000000",
    "Archived": "true",
    "User": "WINDEV2310EVAL\\User"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-24-clipboardchange-new-content-in-the-clipboard
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 25: ProcessTampering (Process image change)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (Palantir, others)
Task: Process Tampering (rule: ProcessTampering)
Opcode: Info

Description

This event is generated when process hiding techniques are being detected.

Message #

Process Tampering:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
Image: %5
Type: %6
User: %7

Fields #

Name	Description	Rules
`RuleName` UnicodeString
`UtcTime` UnicodeString
`ProcessGuid` GUID
`ProcessId` UInt32
`Image` UnicodeString		7 detection rules
`Type` UnicodeString	Known values `Image is replaced` The on-disk image backing the process was modified after the process started (process hollowing variant detected via PsSetCreateProcessNotifyRoutineEx hash comparison against the loaded image). `Image is unmapped` The PE image was unmapped from the process address space after creation; the loader's expected image is no longer present. `Image is locked for access` Sysmon could not open the on-disk PE for read because another handle holds it with an exclusive sharing mode. May indicate process herpaderping using the optional exclusive-lock variant (jxy-s/herpaderping `-e` flag; the herpaderping primitive itself is content modification after image mapping, not the lock — see https://github.com/jxy-s/herpaderping). Benign locking by AV/EDR scan engines and installers can produce the same Sysmon signal; the catalog sample observed Avira wsc_agent.exe triggering this Type.	1 detection rule
`User` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 25,
    "version": 5,
    "level": 4,
    "task": 25,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T13:41:34.2634917+00:00",
    "event_record_id": 6122317,
    "correlation": {},
    "execution": {
      "process_id": 3872,
      "thread_id": 5252
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 13:41:19.666",
    "ProcessGuid": "{00000000-0000-0000-0000-000000000000}",
    "ProcessId": "604",
    "Image": "<unknown process>",
    "Type": "Image is replaced",
    "User": "NT AUTHORITY\\SYSTEM"
  },
  "message": "Process Tampering:\r\nRuleName: -\r\nUtcTime: 2026-06-13 13:41:19.666\r\nProcessGuid: {00000000-0000-0000-0000-000000000000}\r\nProcessId: 604\r\nImage: <unknown process>\r\nType: Image is replaced\r\nUser: NT AUTHORITY\\SYSTEM"
}

Community Notes #

Process tampering, detects process herpaderping.

Detection Rules #

Sysmon Event ID 23: FileDeleteOREvent ID 26: FileDeleteDetected

Sigma # view in coverage

Potential Process Hollowing Activity source medium: Detects when a memory process image does not match the disk image, indicative of process hollowing.

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-25-processtampering-process-image-change
jxy-s/herpaderping research repository https://github.com/jxy-s/herpaderping
Process Herpaderping technique writeup https://jxy-s.github.io/herpaderping/

Event ID 26: FileDeleteDetected (File Delete logged)

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Collection Priority: Recommended (JSCU-NL)
Task: File Delete logged (rule: FileDeleteDetected)
Opcode: Info

Description

A file was deleted.

Message #

File Delete logged:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
User: %5
Image: %6
TargetFilename: %7
Hashes: %8
IsExecutable: %9

Fields #

Name	Description
`RuleName` UnicodeString	Custom tag mapped to event, i.e. ATT&CK technique ID
`UtcTime` UnicodeString	Time in UTC when event was created
`ProcessGuid` GUID	Process GUID of the process that deleted the file
`ProcessId` UInt32	Process ID used by the OS to identify the process that deleted the file
`User` UnicodeString	Name of the account who deleted the file.
`Image` UnicodeString	File path of the process that deleted the file
`TargetFilename` UnicodeString	Full path name of the deleted file
`Hashes` UnicodeString	Hashes captured by the Sysmon driver of the deleted file
`IsExecutable` Boolean	Whether the deleted file is a PE executable

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 26,
    "version": 5,
    "level": 4,
    "task": 26,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:09:29.6982228+00:00",
    "event_record_id": 17612805,
    "correlation": {},
    "execution": {
      "process_id": 4080,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-13 14:09:29.694",
    "ProcessGuid": "{8a99384c-e971-6a2c-b200-000000001000}",
    "ProcessId": "6816",
    "User": "cell-c\\domainadmin",
    "Image": "C:\\Windows\\Explorer.EXE",
    "TargetFilename": "C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1024_768_POS1.jpg",
    "Hashes": "SHA1=45418D43C67E2CEE415B678094EABC2A7D9FF2E4,MD5=210CC081ECEF04E020E21D53341EE954,SHA256=4F3BA3A9948CDDF013F02C82832BE6CE9203B2E874D9675BAEF3F9026C3B266F,IMPHASH=00000000000000000000000000000000",
    "IsExecutable": "false"
  },
  "message": "File Delete logged:\r\nRuleName: -\r\nUtcTime: 2026-06-13 14:09:29.694\r\nProcessGuid: {8a99384c-e971-6a2c-b200-000000001000}\r\nProcessId: 6816\r\nUser: cell-c\\domainadmin\r\nImage: C:\\Windows\\Explorer.EXE\r\nTargetFilename: C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1024_768_POS1.jpg\r\nHashes: SHA1=45418D43C67E2CEE415B678094EABC2A7D9FF2E4,MD5=210CC081ECEF04E020E21D53341EE954,SHA256=4F3BA3A9948CDDF013F02C82832BE6CE9203B2E874D9675BAEF3F9026C3B266F,IMPHASH=00000000000000000000000000000000\r\nIsExecutable: false"
}

Detection Patterns #

23 rules

Sigma

Unusual File Deletion by Dns.exe (source)

Tim Rauch (Nextron Systems), Elastic (idea)

Exchange PowerShell Cmdlet History Deleted (source)

Nasreddine Bencherchali (Nextron Systems)

Nasreddine Bencherchali (Nextron Systems)

Elastic

Elastic

Third-party Backup Files Deleted via Unexpected Process (source)

Elastic

Elastic

Splunk

Teoderick Contreras, Splunk

Teoderick Contreras, Splunk

Teoderick Contreras, Splunk

Sysmon Event ID 12: RegistryEventOREvent ID 13: RegistryEventOREvent ID 14: RegistryEventOREvent ID 23: FileDeleteOREvent ID 26: FileDeleteDetected

15 rules

Sigma

Exchange PowerShell Cmdlet History Deleted (source)

Nasreddine Bencherchali (Nextron Systems)

Nasreddine Bencherchali (Nextron Systems)

IIS WebServer Access Logs Deleted (source)

Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Elastic

Elastic

Elastic

Splunk

Teoderick Contreras, Splunk

Teoderick Contreras, Splunk

Security-Auditing Event ID 4663: An attempt was made to access an object.ORSysmon Event ID 11: FileCreateOREvent ID 23: FileDeleteOREvent ID 26: FileDeleteDetected

Teoderick Contreras, Splunk

Threat Hunting Hash

3 rules

Kusto

RecordedFuture Threat Hunting Hash All Actors (source)

SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) (source)

Yaron

Google Threat Intelligence - Threat Hunting Hash (source)

Sysmon Event ID 11: FileCreateANDEvent ID 23: FileDeleteANDEvent ID 26: FileDeleteDetected

1 rule

Elastic

Unusual File Operation by dns.exe (source)

Elastic

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`event.type`	eq	`deletion`	3 rules	elastic
`event.type`	in	`change`	2 rules	elastic
`event.type`	in	`deletion`	2 rules	elastic
`Hashes`	is_not_null		2 rules	chronicle, elastic, kusto
`IsActive`	eq	`true`	2 rules	kusto
`ObservableKey`	contains	`file:hashes`	2 rules	kusto
`ObservableValue`	is_not_null		2 rules	kusto
`TargetFilename`	ends_with	`.log`	2 rules	sigma
`TargetFilename`	ends_with	`:zone.identifier`	2 rules	sigma, splunk
`count`	ge	`100`	2 rules	splunk
`event.category`	eq	`file`	2 rules	elastic
`Anomalies`	gt	`0`	1 rule	kusto
`FilePath`	contains	`account details`	1 rule	kusto
`FilePath`	contains	`bank account`	1 rule	kusto
`FilePath`	contains	`bank details`	1 rule	kusto

Detection Rules #

Sigma # view in coverage

Process Deletion of Its Own Executable source medium: Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.↳ also matches Event ID 23: FileDelete (File Delete archived)

Splunk # view in coverage

Windows Rdp AutomaticDestinations Deletion source: This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user’s AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records…↳ also matches Event ID 23: FileDelete (File Delete archived)

References #

Event ID 27: FileBlockExecutable

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Task: File Block Executable (rule: FileBlockExecutable)
Opcode: Info

Description

This event is generated when Sysmon detects and blocks the creation of executable files.

Message #

File Block Executable:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
User: %5
Image: %6
TargetFilename: %7
Hashes: %8

Fields #

Name	Description
`RuleName` UnicodeString → string
`UtcTime` UnicodeString → string
`ProcessGuid` GUID → GUID
`ProcessId` UInt32 → PID
`User` UnicodeString → string
`Image` UnicodeString → string
`TargetFilename` UnicodeString → string
`Hashes` UnicodeString → string

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 27,
    "version": 5,
    "level": 4,
    "task": 27,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-08-29T04:43:48.128507Z",
    "event_record_id": 1341,
    "correlation": {},
    "execution": {
      "process_id": 2060,
      "thread_id": 7132
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "DESKTOP-VQBONAV",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "ImageBlock",
    "UtcTime": "2022-08-29 04:43:48.117",
    "ProcessGuid": "3E153517-4404-630C-0003-000000000400",
    "ProcessId": 8636,
    "User": "DESKTOP-VQBONAV\\user",
    "Image": "C:\\Windows\\system32\\certutil.exe",
    "TargetFilename": "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\02E7958E9A9619FDA0A027756E601291",
    "Hashes": "MD5=E112A827FAB9F8378C76040187A6F336,SHA256=ED369187681A62247E38D930320F1CD771756D0B7B67072D8EC655EF99E14AEB,IMPHASH=8EEAA9499666119D13B3F44ECD77A729"
  }
}

Detection Rules #

Sigma # view in coverage

Sysmon Blocked Executable source high: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-27-fileblockexecutable
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 28: FileBlockShredding

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Task: File Block Shredding (rule: FileBlockShredding)
Opcode: Info

Description

This event is generated when Sysmon detects and blocks file shredding.

Message #

File Block Shredding:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
User: %5
Image: %6
TargetFilename: %7
Hashes: %8
IsExecutable: %9

Fields #

Name	Description
`RuleName` UnicodeString → string
`UtcTime` UnicodeString → string
`ProcessGuid` GUID → GUID
`ProcessId` UInt32 → PID
`User` UnicodeString → string
`Image` UnicodeString → string
`TargetFilename` UnicodeString → string
`Hashes` UnicodeString → string
`IsExecutable` Boolean → boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 28,
    "version": 5,
    "level": 4,
    "task": 28,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T03:06:00.105995+00:00",
    "event_record_id": 36714962,
    "correlation": {},
    "execution": {
      "process_id": 3860,
      "thread_id": 5148
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-03-12 03:06:00.101",
    "ProcessGuid": "3792AB3B-0B4D-69B1-4300-000000000F00",
    "ProcessId": 3544,
    "User": "NT AUTHORITY\\LOCAL SERVICE",
    "Image": "C:\\Windows\\System32\\svchost.exe",
    "TargetFilename": "C:\\Windows\\System32\\sru\\SRU.log",
    "Hashes": "SHA1=1ADC95BEBE9EEA8C112D40CD04AB7A8D75C4F961,MD5=FCD6BCB56C1689FCEF28B57C22475BAD,SHA256=DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31,IMPHASH=00000000000000000000000000000000",
    "IsExecutable": false
  },
  "message": ""
}

Detection Rules #

Sigma # view in coverage

Sysmon Blocked File Shredding source high: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-28-fileblockshredding

Event ID 29: FileExecutableDetected

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Informational
Task: File Executable Detected (rule: FileExecutableDetected)
Opcode: Info

Description

This event is generated when Sysmon detects the creation of a new executable file.

Message #

File Executable Detected:
RuleName: %1
UtcTime: %2
ProcessGuid: %3
ProcessId: %4
User: %5
Image: %6
TargetFilename: %7
Hashes: %8

Fields #

Name	Description	Rules
`RuleName` UnicodeString → string
`UtcTime` UnicodeString → string
`ProcessGuid` GUID → GUID
`ProcessId` UInt32 → PID
`User` UnicodeString → string
`Image` UnicodeString → string
`TargetFilename` UnicodeString → string		1 detection rule
`Hashes` UnicodeString → string

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
    "event_source_name": "",
    "event_id": 29,
    "version": 5,
    "level": 4,
    "task": 29,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:50.724328+00:00",
    "event_record_id": 25592993,
    "correlation": {},
    "execution": {
      "process_id": 3516,
      "thread_id": 4964
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-03-13 19:59:50.723",
    "ProcessGuid": "3792AB3B-6CAF-69B4-C304-000000000800",
    "ProcessId": 6332,
    "User": "NT AUTHORITY\\SYSTEM",
    "Image": "C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe",
    "TargetFilename": "C:\\Windows\\WinSxS\\Temp\\InFlight\\4d85a1f323b3dc0131020000bc18500b\\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.22621.1_none_e8f6dc1e2b2810c4\\hcsdiag.exe",
    "Hashes": "SHA1=4151B8801065408E851608F5F586E83F841DDF73,MD5=5CDE58E943D06BF77B4595CF917E4BD6,SHA256=148B44E4D5251D533F66EB2352AE396DB612AE926703682C8CD271ADC8A8B03A,IMPHASH=BC0760AED3654197B70538C4350C093A"
  },
  "message": ""
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`TargetFilename`	ends_with	`.sed`	1 rule	sigma

Detection Rules #

Sigma # view in coverage

Potentially Suspicious Self Extraction Directive File Created source medium: Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.
Sysmon File Executable Creation Detected source medium: Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.

Splunk # view in coverage

Windows Executable Masquerading as Benign File Types source: The following analytic detects the presence of executable files masquerading as benign file types on Windows systems. Adversaries employ this technique to evade defenses and trick users into executing malicious code by renaming executables…

References #

Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-29-fileexecutabledetected

Event ID 255: Error report: UtcTime: UtcTime ID: ID Description: Description.

Provider: Microsoft-Windows-Sysmon
Channel: Operational
Level: Error
Collection Priority: Recommended (JSCU-NL)
Task: Error report
Opcode: Info

Description

This event is generated when an **error occurred within Sysmon**. They can happen if the system is under heavy load and certain tasks could not be performed or a bug exists in the Sysmon service.

Message #

Error report:
UtcTime: %1
ID: %2
Description: %3

Fields #

Name	Description	Rules
`UtcTime` UnicodeString
`ID` UnicodeString
`Description` UnicodeString		6 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Sysmon",
    "guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
    "event_source_name": "",
    "event_id": 255,
    "version": 3,
    "level": 2,
    "task": 255,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T13:41:07.6428879+00:00",
    "event_record_id": 6120904,
    "correlation": {},
    "execution": {
      "process_id": 3720,
      "thread_id": 5400
    },
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UtcTime": "2026-06-13 13:41:07.630",
    "ID": "GetConfigurationOptions",
    "Description": "Failed to open service configuration with error 92 - Last error: The media is write protected.\n"
  },
  "message": "Error report:\r\nUtcTime: 2026-06-13 13:41:07.630\r\nID: GetConfigurationOptions\r\nDescription: Failed to open service configuration with error 92 - Last error: The media is write protected.\r\n"
}

Detection Rules #