Detection rules › By event › Defender-DeviceProcessEvents (any)
Kusto rules (42)
- Access Token Manipulation - Create Process with Token
- Account Creation
- Bitsadmin Activity
- Clearing of forensic evidence from event logs using wevtutil
- Deletion of data on multiple drives using cipher exe
- Detect Rare scheduled task created
- Detect Suspicious Commands Initiated by Webserver Processes
- Detect Unknown process launched via WinRM
- Detect Unsigned executable launch from scheduled task
- Detecting UAC bypass - ChangePK and SLUI registry tampering
- Detecting UAC bypass - elevated COM interface
- Detecting UAC bypass - modify Windows Store settings
- Dev-0228 File Path Hashes November 2021
- Disable or Modify Windows Defender
- Disabling Security Services via Registry
- Doppelpaymer Stop Services
- DopplePaymer Procdump
- Exchange Worker Process Making Remote Call
- Execution of software vulnerable to webp buffer overflow of CVE-2023-4863
- Ingress Tool Transfer - Certutil
- Java Executing cmd to run Powershell
- LaZagne Credential Theft
- LSASS Credential Dumping with Procdump
- Match Legitimate Name or Location - 2
- Office Apps Launching Wscipt
- Oracle suspicious command execution
- Potential Build Process Compromise - MDE
- Potential Lateral Movement via MSI ODBC Driver Install over DCOM
- Probable AdFind Recon Tool Usage
- Process Tree Analysis
- Qakbot Campaign Self Deletion
- Qakbot Discovery Activies
- Rare Process as a Service
- Regsvr32 Rundll32 with Anomalous Parent Process
- Remote Desktop Protocol - SharpRDP
- Rename System Utilities
- Scheduled Task - Suspicious Network Connection
- Shadow Copy Deletions
- Stopping multiple processes using taskkill
- SUNBURST suspicious SolarWinds child processes
- Suspicious parentprocess relationship - Office child processes.
- Trusted Developer Utilities Proxy Execution
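The rules above all query the Microsoft Defender `DeviceProcessEvents` table. As an added illustration of what such a rule looks like (this is example KQL written for this page, not the corpus's own "Clearing of forensic evidence from event logs using wevtutil" rule), the query below flags `wevtutil cl` / `wevtutil clear-log` invocations. The lookback window, the regex, the column set returned and the renamed-binary check are assumptions for the example; the `DeviceProcessEvents` column names used are the documented schema.

```kusto
// Added example, not one of the 42 rules listed above.
// Detect event-log clearing via wevtutil in Defender DeviceProcessEvents.
let lookback = 1d;   // assumption: tune to the rule's scheduling interval
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Match the binary by name, and also by its PE original filename so a
// renamed copy (cf. "Rename System Utilities") is still caught.
| where FileName =~ "wevtutil.exe"
    or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe"
// Only the clear verbs wipe a log. "sl" (set-log), "ep", "qe" etc. are
// noisy admin/config actions and are deliberately excluded.
| where ProcessCommandLine matches regex @"(?i)\b(cl|clear-log)\b"
// Pull out which log channel was cleared, e.g. Security or System.
| extend ClearedLog = extract(@"(?i)\b(?:cl|clear-log)\s+""?([^""\s]+)", 1, ProcessCommandLine)
// One alert row per device/account, with every channel cleared in the window.
| summarize
    EventCount  = count(),
    ClearedLogs = make_set(ClearedLog),
    Parents     = make_set(InitiatingProcessFileName),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp)
  by DeviceId, DeviceName, AccountName
| order by LastSeen desc
```

When deploying, review `Parents` before tuning: a clear launched from `cmd.exe` or `powershell.exe` under a freshly created local account (see "Account Creation") is a very different signal from one issued by a known management agent, and exclusions belong on `InitiatingProcessFileName`, not on the `wevtutil` command line itself.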