YARA-L rule coverage
29 events across 5 providers with Google SecOps / Chronicle YARA-L detection rules, 285 rule mappings total. Each rule links to its own page (predicates, exclusions, shared indicators). For the rule-centric ATT&CK browse across every vendor, see all detection rules; non-Windows YARA-L rules are grouped by platform and technique at YARA-L non-Windows coverage.
Microsoft-Windows-Sysmon
Event ID 1: Process creation (69 rules)
- Base64 Encoded PowerShell Command Detected (source)
- ConvertTo-SecureString Cmdlet Usage Via CommandLine (source)
- Copy From Or To Admin Share Or Sysvol Folder (source)
- CreateDump Process Dump (source)
- Direct Autorun Keys Modification (source)
- File Download Using Notepad++ GUP Utility (source)
- File Download Via Windows Defender MpCmpRun.EXE (source)
- Finger.EXE Execution (source)
- GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage (source)
- GCTI Remote Access Tools (source)
- Google Safebrowsing File Process Creation (source)
- Google Safebrowsing With Prevalence (source)
- HackTool - Dumpert Process Dumper Execution (source)
- Hacktool - IronSharpPack Execution (source)
- HackTool - Mimikatz Execution (source)
- Hacktool - SharpSuccessor Execution (source)
- Hacktool - WinPEAS Execution Patterns (source)
- Hash Prevalence (source)
- Impacket WMIExec CISA Report (source)
- IOC Hash Prevalence (source)
- IOC SHA256 Hash (source)
- IOC SHA256 Hash VT (source)
- Local Accounts Discovery (source)
- Low Prevalence Hash On Process Launch Low Prevalence Domain Accessed (source)
- LSASS Dump Keyword In CommandLine (source)
- MITRE ATT&CK T1003 RW Mimikatz (source)
- MITRE ATT&CK T1003.003 RW Utilities Associated With Ntds.dit (source)
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report (source)
- MITRE ATT&CK T1021.002 Windows Admin Share Basic (source)
- MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity (source)
- MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment (source)
- MITRE ATT&CK T1021.002 Windows Admin Share With User Entity (source)
- MITRE ATT&CK T1033 Recon Successful Logon Enumeration Powershell CISA Report (source)
- MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task (source)
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report (source)
- MITRE ATT&CK T1140 Encoded Powershell Command (source)
- MITRE ATT&CK T1570 Suspicious Command PSExec (source)
- New User Created Via Net.EXE (source)
- potential lsass process dump via procdump (source)
- Potential Suspicious Activity Using SeCEdit (source)
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE (source)
- Potential Webshell Process Execution (source)
- PowerShell DownloadFile (source)
- PowerShell Web Download (source)
- PrintBrm ZIP Creation of Extraction (source)
- Process Launch VT Enrichment (source)
- Process Memory Dump Via Comsvcs.DLL (source)
- Process Memory Dump via RdrLeakDiag.exe (source)
- PUA - Nimgrab Execution (source)
- Purple Knight Tool Execution Detected (source)
- Recon Credential Theft CISA Report (source)
- Recon Environment Enumeration Active Directory CISA Report (source)
- Recon Environment Enumeration Network CISA Report (source)
- Recon Environment Enumeration System CISA Report (source)
- Recon Suspicious Commands CISA Report (source)
- Reg Add Suspicious Paths (source)
- Renamed CreateDump Utility Execution (source)
- Safebrowsing Process Creation Hashes Seen More Than 7 Days (source)
- ShimCache Flush (source)
- Suspicious Certreq Command to Download (source)
- Suspicious Curl.EXE Download (source)
- Suspicious Download Via Certutil.EXE (source)
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE (source)
- Suspicious Invoke-WebRequest Execution (source)
- Uncommon or Suspicious RMM Tool Execution Detected (source)
- VT Relationships File Executes File (source)
- W3WP Launching Encoded Powershell (source)
- Whoami Execution (source)
- Windows Event Log Cleared (source)
Event ID 3: Network connection (14 rules)
- GCTI Benign Binaries Contacts Tor Exit Node (source)
- GCTI Tor Exit Nodes (source)
- Google Safebrowsing File Contacts Tor Exit Node (source)
- High Risk User Download Executable From Macro (source)
- IOC IP Target (source)
- IP Target Prevalence (source)
- Network Connection First Seen In Past Day (source)
- Network Traffic To Specific Country (source)
- Potential Remote PowerShell Session Initiated (source)
- Suspicious ASN (source)
- Suspicious ASN Watchlist (source)
- VT Relationships File Contacts IP (source)
- VT Relationships File Contacts Tor IP (source)
- WHOIS Recently Created Domain Access (source)
Event ID 10: ProcessAccess (5 rules)
Event ID 11: FileCreate (20 rules)
- Attempted SharePoint Webshell Creation CVE-2025-53770 (source)
- Cred Dump Tools Dropped Files (source)
- GCTI Remote Access Tools (source)
- Google Safebrowsing File Process Creation (source)
- HackTool - Dumpert Process Dumper Default File (source)
- Impacket WMIExec CISA Report (source)
- IOC Hash Prevalence (source)
- IOC SHA256 Hash (source)
- IOC SHA256 Hash VT (source)
- LSASS Process Memory Dump Creation Via Taskmgr.exe (source)
- LSASS Process Memory Dump Files (source)
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report (source)
- Process Launch VT Enrichment (source)
- Safebrowsing Process Creation Hashes Seen More Than 7 Days (source)
- Successful SharePoint Webshell Creation CVE-2025-53770 (source)
- Suspicious Filewrites To Sharepoint Layouts (source)
- Suspicious Unusual Location LNK File (source)
- VT Relationships File Downloaded From IP (source)
- VT Relationships File Downloaded From URL (source)
- WHOIS Expired Domain Executable Downloaded (source)
Event ID 13: RegistryEvent (Value Set) (15 rules)
- Blackbyte Ransomware Registry (source)
- CurrentControlSet Autorun Keys Modification (source)
- CurrentVersion Autorun Keys Modification (source)
- Default RDP Port Changed to Non Standard Port (source)
- Disable Internal Tools or Feature in Registry (source)
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report (source)
- Modify User Shell Folders Startup Value (source)
- New RUN Key Pointing to Suspicious Folder (source)
- Potential Credential Dumping Via LSASS SilentProcessExit Technique (source)
- RDP Sensitive Settings Changed (source)
- RDP Sensitive Settings Changed to Zero (source)
- RestrictedAdminMode Registry Value Tampering (source)
- Session Manager Autorun Keys Modification (source)
- Suspicious Powershell In Registry Run Keys (source)
- Wdigest Enable UseLogonCredential (source)
Event ID 22: DNSEvent (DNS query) (7 rules)
Microsoft-Windows-Security-Auditing
Event ID 4624: An account was successfully logged on. (12 rules)
- ADFS DKM Key Access (source)
- GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage (source)
- GeoIP User Login From Multiple States Or Countries (source)
- Logins From Terminated Employees (source)
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One (source)
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity (source)
- MITRE ATT&CK T1110.003 RW Windows Password Spray (source)
- Okta Multiple Failed Requests To Access Applications (source)
- sap break glass account login (source)
- sap impossible travel (source)
- sap multi terminal logon (source)
- Windows Short Term Account Use (source)
Event ID 4625: An account failed to log on. (12 rules)
- ADFS DKM Key Access (source)
- GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage (source)
- GeoIP User Login From Multiple States Or Countries (source)
- Logins From Terminated Employees (source)
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One (source)
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity (source)
- MITRE ATT&CK T1110.003 RW Windows Password Spray (source)
- Okta Multiple Failed Requests To Access Applications (source)
- sap break glass account login (source)
- sap impossible travel (source)
- sap multi terminal logon (source)
- Windows Short Term Account Use (source)
Event ID 4648: A logon was attempted using explicit credentials. (12 rules)
- ADFS DKM Key Access (source)
- GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage (source)
- GeoIP User Login From Multiple States Or Countries (source)
- Logins From Terminated Employees (source)
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One (source)
- MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity (source)
- MITRE ATT&CK T1110.003 RW Windows Password Spray (source)
- Okta Multiple Failed Requests To Access Applications (source)
- sap break glass account login (source)
- sap impossible travel (source)
- sap multi terminal logon (source)
- Windows Short Term Account Use (source)
Event ID 4657: A registry value was modified. (15 rules)
- Blackbyte Ransomware Registry (source)
- CurrentControlSet Autorun Keys Modification (source)
- CurrentVersion Autorun Keys Modification (source)
- Default RDP Port Changed to Non Standard Port (source)
- Disable Internal Tools or Feature in Registry (source)
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report (source)
- Modify User Shell Folders Startup Value (source)
- New RUN Key Pointing to Suspicious Folder (source)
- Potential Credential Dumping Via LSASS SilentProcessExit Technique (source)
- RDP Sensitive Settings Changed (source)
- RDP Sensitive Settings Changed to Zero (source)
- RestrictedAdminMode Registry Value Tampering (source)
- Session Manager Autorun Keys Modification (source)
- Suspicious Powershell In Registry Run Keys (source)
- Wdigest Enable UseLogonCredential (source)
Event ID 4688: A new process has been created. (69 rules)
- Base64 Encoded PowerShell Command Detected (source)
- ConvertTo-SecureString Cmdlet Usage Via CommandLine (source)
- Copy From Or To Admin Share Or Sysvol Folder (source)
- CreateDump Process Dump (source)
- Direct Autorun Keys Modification (source)
- File Download Using Notepad++ GUP Utility (source)
- File Download Via Windows Defender MpCmpRun.EXE (source)
- Finger.EXE Execution (source)
- GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage (source)
- GCTI Remote Access Tools (source)
- Google Safebrowsing File Process Creation (source)
- Google Safebrowsing With Prevalence (source)
- HackTool - Dumpert Process Dumper Execution (source)
- Hacktool - IronSharpPack Execution (source)
- HackTool - Mimikatz Execution (source)
- Hacktool - SharpSuccessor Execution (source)
- Hacktool - WinPEAS Execution Patterns (source)
- Hash Prevalence (source)
- Impacket WMIExec CISA Report (source)
- IOC Hash Prevalence (source)
- IOC SHA256 Hash (source)
- IOC SHA256 Hash VT (source)
- Local Accounts Discovery (source)
- Low Prevalence Hash On Process Launch Low Prevalence Domain Accessed (source)
- LSASS Dump Keyword In CommandLine (source)
- MITRE ATT&CK T1003 RW Mimikatz (source)
- MITRE ATT&CK T1003.003 RW Utilities Associated With Ntds.dit (source)
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report (source)
- MITRE ATT&CK T1021.002 Windows Admin Share Basic (source)
- MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity (source)
- MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment (source)
- MITRE ATT&CK T1021.002 Windows Admin Share With User Entity (source)
- MITRE ATT&CK T1033 Recon Successful Logon Enumeration Powershell CISA Report (source)
- MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task (source)
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report (source)
- MITRE ATT&CK T1140 Encoded Powershell Command (source)
- MITRE ATT&CK T1570 Suspicious Command PSExec (source)
- New User Created Via Net.EXE (source)
- potential lsass process dump via procdump (source)
- Potential Suspicious Activity Using SeCEdit (source)
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE (source)
- Potential Webshell Process Execution (source)
- PowerShell DownloadFile (source)
- PowerShell Web Download (source)
- PrintBrm ZIP Creation of Extraction (source)
- Process Launch VT Enrichment (source)
- Process Memory Dump Via Comsvcs.DLL (source)
- Process Memory Dump via RdrLeakDiag.exe (source)
- PUA - Nimgrab Execution (source)
- Purple Knight Tool Execution Detected (source)
- Recon Credential Theft CISA Report (source)
- Recon Environment Enumeration Active Directory CISA Report (source)
- Recon Environment Enumeration Network CISA Report (source)
- Recon Environment Enumeration System CISA Report (source)
- Recon Suspicious Commands CISA Report (source)
- Reg Add Suspicious Paths (source)
- Renamed CreateDump Utility Execution (source)
- Safebrowsing Process Creation Hashes Seen More Than 7 Days (source)
- ShimCache Flush (source)
- Suspicious Certreq Command to Download (source)
- Suspicious Curl.EXE Download (source)
- Suspicious Download Via Certutil.EXE (source)
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE (source)
- Suspicious Invoke-WebRequest Execution (source)
- Uncommon or Suspicious RMM Tool Execution Detected (source)
- VT Relationships File Executes File (source)
- W3WP Launching Encoded Powershell (source)
- Whoami Execution (source)
- Windows Event Log Cleared (source)
Event ID 5156: The Windows Filtering Platform has permitted a connection. (14 rules)
- GCTI Benign Binaries Contacts Tor Exit Node (source)
- GCTI Tor Exit Nodes (source)
- Google Safebrowsing File Contacts Tor Exit Node (source)
- High Risk User Download Executable From Macro (source)
- IOC IP Target (source)
- IP Target Prevalence (source)
- Network Connection First Seen In Past Day (source)
- Network Traffic To Specific Country (source)
- Potential Remote PowerShell Session Initiated (source)
- Suspicious ASN (source)
- Suspicious ASN Watchlist (source)
- VT Relationships File Contacts IP (source)
- VT Relationships File Contacts Tor IP (source)
- WHOIS Recently Created Domain Access (source)