Microsoft-Windows-Sysmon Event ID 1
Sigma (1476)
- 7Zip Compressing Dump Files
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abused Debug Privilege by Arbitrary Parent Processes
- Abusing Print Executable
- Active Directory Database Snapshot Via ADExplorer
- Active Directory Structure Export Via Csvde.EXE
- Active Directory Structure Export Via Ldifde.EXE
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Add Potential Suspicious New Download Source To Winget
- Add SafeBoot Keys Via Reg Utility
- Add Windows Capability Via PowerShell Cmdlet
- AddinUtil.EXE Execution From Uncommon Directory
- Adwind RAT / JRAT
- AgentExecutor PowerShell Execution
- All Backups Deleted Via Wbadmin.EXE
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Always Install Elevated MSI Spawned Cmd And Powershell
- Always Install Elevated Windows Installer
- Application Removed Via Wmic.EXE
- Application Terminated Via Wmic.EXE
- APT27 - Emissary Panda Activity
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT31 Judgement Panda Activity
- Arbitrary Binary Execution Using GUP Utility
- Arbitrary Command Execution Using WSL
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via ConfigSecurityPolicy.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary File Download Via Squirrel.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- AspNetCompiler Execution
- Assembly Loading Via CL_LoadAssembly.ps1
- Attempts of Kerberos Coercion Via DNS SPN Spoofing
- Audio Capture via PowerShell
- Audio Capture via SoundRecorder
- Audit policy disabled by command line
- Audit policy enumerated
- Audit Policy Tampering Via Auditpol
- Audit Policy Tampering Via NT Resource Kit Auditpol
- Automated Collection Command Prompt
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- Axios NPM Compromise Indicators - Windows
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- Base64 Encoded PowerShell Command Detected
- Base64 MZ Header In CommandLine
- Binary Proxy Execution Via Dotnet-Trace.EXE
- BitLocker feature configuration (Reg via command)
- BitLockerTogo.EXE Execution
- BITS payload downloaded via commandline
- Blue Mockingbird
- Boot Configuration Tampering Via Bcdedit.EXE
- Browser Execution In Headless Mode
- Browser Started with Remote Debugging
- Bypass UAC via CMSTP
- Bypass UAC via Fodhelper.exe
- Bypass UAC via WSReset.exe
- C# IL Code Compilation Via Ilasm.EXE
- Cab File Extraction Via Wusa.EXE
- Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
- Capture Credentials with Rpcping.exe
- Certificate Exported Via Certutil.EXE
- Certificate Exported Via PowerShell
- Certutil payload download (command)
- Certutil payload obfuscation (command)
- Certutil root certificate installation
- Change Default File Association To Executable Via Assoc
- Change Default File Association Via Assoc
- Change PowerShell Policies to an Insecure Level
- Changing Existing Service ImagePath Value Via Reg.EXE
- Chopper Webshell Process Pattern
- ChromeLoader Malware Execution
- Chromium Browser Headless Execution To Mockbin Like Site
- Chromium Browser Instance Executed With Custom Extension
- ClickOnce Deployment Execution - Dfsvc.EXE Child Process
- Cloudflared Portable Execution
- Cloudflared Quick Tunnel Execution
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Cmd Launched with Hidden Start Flags to Suspicious Targets
- CMD Shell Output Redirect
- Cmd.EXE Missing Space Characters Execution Anomaly
- CMSTP Execution Process Creation
- CMSTP UAC Bypass via COM Object Access
- CobaltStrike Load by Rundll32
- Code Execution via Pcwutl.dll
- CodePage Modification Via MODE.COM
- CodePage Modification Via MODE.COM To Russian Language
- COLDSTEEL RAT Anonymous User Process Execution
- COLDSTEEL RAT Cleanup Command Execution
- COLDSTEEL RAT Service Persistence Execution
- COM Object Execution via Xwizard.EXE
- Command Line Execution with Suspicious URL and AppData Strings
- Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
- Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
- Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
- Compress Data and Lock With Password for Exfiltration With 7-ZIP
- Compress Data and Lock With Password for Exfiltration With WINZIP
- Compressed File Creation Via Tar.EXE
- Compressed File Extraction Via Tar.EXE
- Computer Discovery And Export Via Get-ADComputer Cmdlet
- Computer Password Change Via Ksetup.EXE
- Computer System Reconnaissance Via Wmic.EXE
- Conhost Spawned By Uncommon Parent Process
- Conhost.exe CommandLine Path Traversal
- Console CodePage Lookup Via CHCP
- Conti NTDS Exfiltration Command
- Conti Volume Shadow Listing
- Control Panel Items
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
- Copy From Or To Admin Share Or Sysvol Folder
- Copy From VolumeShadowCopy Via Cmd.EXE
- Copying Sensitive Files with Credential Data
- CreateDump Process Dump
- Csc.EXE Execution Form Potentially Suspicious Parent
- Cscript/Wscript Potentially Suspicious Child Process
- Cscript/Wscript Uncommon Script Extension Execution
- Curl Download And Execute Combination
- Curl Web Request With Potential Custom User-Agent
- Curl.EXE Execution
- Curl.EXE Execution With Custom UserAgent
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- CVE-2024-50623 Exploitation Attempt - Cleo
- DarkGate - Autoit3.EXE Execution Parameters
- DarkGate - User Created Via Net.EXE
- DarkSide Ransomware Pattern
- Data Copied To Clipboard Via Clip.EXE
- Data Export From MSSQL Table Via BCP.EXE
- Defrag Deactivation
- Delete All Scheduled Tasks
- Delete Important Scheduled Task
- Deleted Data Overwritten Via Cipher.EXE
- Deletion of Volume Shadow Copies via WMI with PowerShell
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- Detected Windows Software Discovery
- Detection of PowerShell Execution via Sqlps.exe
- Devcon Execution Disabling VMware VMCI Device
- DeviceCredentialDeployment Execution
- Devtoolslauncher.exe Executes Specified Binary
- Diamond Sleet APT Process Activity Indicators
- Direct Autorun Keys Modification
- Directory Removal Via Rmdir
- DirLister Execution
- Disable Important Scheduled Task
- Disable Windows Defender AV Security Monitoring
- Disable Windows IIS HTTP Logging
- Disabled IE Security Features
- Disabled Volume Snapshots
- Disabling Windows Defender WMI Autologger Session via Reg.exe
- Discovery of a System Time
- Diskshadow Child Process Spawned
- Diskshadow Script Mode - Execution From Potential Suspicious Location
- Diskshadow Script Mode - Uncommon Script Extension Execution
- Diskshadow Script Mode Execution
- Dism Remove Online Package
- DLL Call by Ordinal Via Rundll32.EXE
- DLL Execution via Rasautou.exe
- DLL Execution Via Register-cimprovider.exe
- DLL Loaded via CertOC.EXE
- DLL ServerLevelPluginDll command installation
- DLL Sideloading by VMware Xfer Utility
- Dllhost.EXE Execution Anomaly
- DllUnregisterServer Function Call Via Msiexec.EXE
- DNS Exfiltration and Tunneling Tools Execution
- DNS RCE CVE-2020-1350
- Domain Trust Discovery Via Dsquery
- Driver/DLL Installation Via Odbcconf.EXE
- DriverQuery.EXE Execution
- Droppers Exploiting CVE-2017-11882
- Dropping Of Password Filter DLL
- DSInternals Suspicious PowerShell Cmdlets
- Dumping of Sensitive Hives Via Reg.EXE
- Dumping Process via Sqldumper.exe
- DumpMinitool Execution
- DumpStack.log Defender Evasion
- Dynamic .NET Compilation Via Csc.EXE
- Dynamic .NET Compilation Via Csc.EXE - Hunting
- EAP service activation by Liontail framework for DLL sideloading (via command)
- Elevated System Shell Spawned
- Elevated System Shell Spawned From Uncommon Parent Location
- Elise Backdoor Activity
- Email Exifiltration Via Powershell
- Emotet Loader Execution Via .LNK File
- Enable LM Hash Storage - ProcCreation
- Encoded PowerShell payload deployed via process execution
- Enumerate All Information With Whoami.EXE
- Enumeration for 3rd Party Creds From CLI
- Enumeration for Credentials in Registry
- Equation Group DLL_U Export Function Load
- Esentutl Gather Credentials
- Esentutl Steals Browser Information
- ETW Logging Tamper In .NET Processes Via CommandLine
- ETW Trace Evasion Activity
- Event log clear attempt (command)
- Event log clear attempt (wmi)
- Event log deactivation or size reduction (command)
- EventLog Query Requests By Builtin Utilities
- EvilNum APT Golden Chickens Deployment Via OCX Files
- Exchange PowerShell Snap-Ins Usage
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent
- Execute Files with Msdeploy.exe
- Execute From Alternate Data Streams
- Execute Pcwrun.EXE To Leverage Follina
- Execution From Webserver Root Folder
- Execution Of Non-Existing File
- Execution of Powershell Script in Public Folder
- Execution of Suspicious File Type Extension
- Execution via stordiag.exe
- Execution via WorkFolders.exe
- Exploit for CVE-2015-1641
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
- Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
- Exploited CVE-2020-10189 Zoho ManageEngine
- Exploiting CVE-2019-1388
- Exploiting SetupComplete.cmd CVE-2019-1378
- Explorer NOUACCHECK Flag
- Explorer Process Tree Break
- Exports Critical Registry Keys To a File
- Exports Registry Key To a File
- FakeUpdates/SocGholish Activity
- File And SubFolder Enumeration Via Dir Command
- File Decoded From Base64/Hex Via Certutil.EXE
- File Decryption Using Gpg4win
- File Deletion Via Del
- File Download And Execution Via IEExec.EXE
- File Download From Browser Process Via Inline URL
- File Download From IP Based URL Via CertOC.EXE
- File Download From IP URL Via Curl.EXE
- File Download Using Notepad++ GUP Utility
- File Download Using ProtocolHandler.exe
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File Download via CertOC.EXE
- File Download Via Curl.EXE
- File Download Via InstallUtil.EXE
- File Download Via Windows Defender MpCmpRun.EXE
- File Download with Headless Browser
- File Encoded To Base64 Via Certutil.EXE
- File Encryption Using Gpg4win
- File Encryption/Decryption Via Gpg4win From Suspicious Locations
- File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
- File In Suspicious Location Encoded To Base64 Via Certutil.EXE
- File or Folder Permissions Modifications
- File Recovery From Backup Via Wbadmin.EXE
- File With Suspicious Extension Downloaded Via Bitsadmin
- Files Added To An Archive Using Rar.EXE
- Filter Driver Unloaded Via Fltmc.EXE
- Findstr GPP Passwords
- Findstr Launching .lnk File
- Finger.EXE Execution
- Fireball Archer Install
- Firewall Configuration Discovery Via Netsh.EXE
- Firewall Disabled via Netsh.EXE
- Firewall Rule Deleted Via Netsh.EXE
- Firewall Rule Update Via Netsh.EXE
- Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
- Forest Blizzard APT - Process Creation Activity
- Forfiles Command Execution
- Forfiles.EXE Child Process Masquerading
- Formbook Process Creation
- Fsutil Drive Enumeration
- Fsutil Suspicious Invocation
- FTP Connection Open Attempt Via Winscp CLI
- GALLIUM IOCs
- Github Self-Hosted Runner Execution
- Gpresult Display Group Policy Information
- Gpscript Execution
- Greedy File Deletion Using Del
- Greenbug Espionage Group Indicators
- Griffon Malware Attack Pattern
- Grixba Malware Reconnaissance Activity
- Group discovery (command)
- Group Membership Reconnaissance Via Whoami.EXE
- Gzip Archive Decode Via PowerShell
- HackTool - ADCSPwn Execution
- HackTool - Bloodhound/Sharphound Execution
- HackTool - Certify Execution
- HackTool - Certipy Execution
- HackTool - CoercedPotato Execution
- HackTool - Covenant PowerShell Launcher
- HackTool - CrackMapExec Execution
- HackTool - CrackMapExec Execution Patterns
- HackTool - CrackMapExec PowerShell Obfuscation
- HackTool - CrackMapExec Process Patterns
- HackTool - CreateMiniDump Execution
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- HackTool - DInjector PowerShell Cradle Execution
- HackTool - Doppelanger LSASS Dumper Execution
- HackTool - Dumpert Process Dumper Execution
- Hacktool - EDR-Freeze Execution
- HackTool - EDRSilencer Execution
- HackTool - Empire PowerShell Launch Parameters
- HackTool - Empire PowerShell UAC Bypass
- HackTool - F-Secure C3 Load by Rundll32
- HackTool - GMER Rootkit Detector and Remover Execution
- HackTool - HandleKatz LSASS Dumper Execution
- HackTool - Hashcat Password Cracker Execution
- HackTool - HollowReaper Execution
- HackTool - Htran/NATBypass Execution
- HackTool - Hydra Password Bruteforce Execution
- HackTool - Impacket Tools Execution
- HackTool - Impersonate Execution
- HackTool - Inveigh Execution
- HackTool - Jlaive In-Memory Assembly Execution
- HackTool - Koadic Execution
- HackTool - KrbRelay Execution
- HackTool - KrbRelayUp Execution
- HackTool - LaZagne Execution
- HackTool - LocalPotato Execution
- HackTool - Mimikatz Execution
- HackTool - NetExec Execution
- HackTool - PCHunter Execution
- HackTool - Potential Impacket Lateral Movement Activity
- HackTool - PowerTool Execution
- HackTool - PPID Spoofing SelectMyParent Tool Execution
- HackTool - PurpleSharp Execution
- HackTool - Pypykatz Credentials Dumping Activity
- HackTool - Quarks PwDump Execution
- HackTool - RedMimicry Winnti Playbook Execution
- HackTool - RemoteKrbRelay Execution
- HackTool - Rubeus Execution
- HackTool - SafetyKatz Execution
- HackTool - SecurityXploded Execution
- HackTool - SharpChisel Execution
- HackTool - SharpDPAPI Execution
- HackTool - SharPersist Execution
- HackTool - SharpEvtMute Execution
- HackTool - SharpImpersonation Execution
- HackTool - SharpLDAPmonitor Execution
- HackTool - SharpLdapWhoami Execution
- HackTool - SharpMove Tool Execution
- HackTool - SharpUp PrivEsc Tool Execution
- HackTool - SharpView Execution
- HackTool - SharpWSUS/WSUSpendu Execution
- HackTool - SILENTTRINITY Stager Execution
- HackTool - Sliver C2 Implant Activity Pattern
- HackTool - SOAPHound Execution
- HackTool - Stracciatella Execution
- HackTool - SysmonEOP Execution
- HackTool - TruffleSnout Execution
- HackTool - UACMe Akagi Execution
- HackTool - Windows Credential Editor (WCE) Execution
- HackTool - winPEAS Execution
- HackTool - WinPwn Execution
- HackTool - WinRM Access Via Evil-WinRM
- HackTool - Wmiexec Default Powershell Command
- HackTool - WSASS Execution
- HackTool - XORDump Execution
- Hacktool Execution - Imphash
- Hacktool Execution - PE Metadata
- HAFNIUM Exchange Exploitation Activity
- Hardware Model Reconnaissance Via Wmic.EXE
- Harvesting Of Wifi Credentials Via Netsh.EXE
- Headless Process Launched Via Conhost.EXE
- Hermetic Wiper TG Process Patterns
- HH.EXE Execution
- Hidden Powershell in Link File Pattern
- Hiding Files with Attrib.exe
- Hiding User Account Via SpecialAccounts Registry Key - CommandLine
- HKTL - SharpSuccessor Privilege Escalation Tool Execution
- HTML File Opened From Download Folder
- HTML Help HH.EXE Suspicious Child Process
- Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
- IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
- Ie4uinit Lolbin Use From Invalid Path
- IFM creation detected from commandline (installation from media)
- IIS Application Pool credential dumping
- IIS Native-Code Module Command Line Installation
- IIS WebServer Log Deletion via CommandLine Utilities
- ImagingDevices Unusual Parent/Child Processes
- Impacket DCOMexec process abuse via MMC
- Impacket WMIexec process execution
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- Import New Module Via PowerShell CommandLine
- Import PowerShell Modules From Suspicious Directories - ProcCreation
- Imports Registry Key From a File
- Imports Registry Key From an ADS
- Indirect Command Execution By Program Compatibility Wizard
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Command Execution via SFTP ProxyCommand
- Indirect Inline Command Execution Via Bash.EXE
- InfDefaultInstall.exe .inf Execution
- Injected Browser Process Spawning Rundll32 - GuLoader Activity
- Insecure Proxy/DOH Transfer Via Curl.EXE
- Insecure Transfer Via Curl.EXE
- Insensitive Subfolder Search Via Findstr.EXE
- Install New Package Via Winget Local Manifest
- Installation of WSL Kali-Linux
- Interactive AT Job
- Interesting Service Enumeration Via Sc.EXE
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
- Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation Obfuscated IEX Invocation
- Invoke-Obfuscation STDIN+ Launcher
- Invoke-Obfuscation VAR+ Launcher
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- Invoke-Obfuscation Via Stdin
- Invoke-Obfuscation Via Use Clip
- Invoke-Obfuscation Via Use MSHTA
- Java Running with Remote Debugging
- JScript Compiler Execution
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution
- Kapeka Backdoor Execution Via RunDLL32.EXE
- Kapeka Backdoor Persistence Activity
- Kavremover Dropped Binary LOLBIN Usage
- Kernel Memory Dump Via LiveKD
- Lace Tempest Cobalt Strike Download
- Lace Tempest Malware Loader Execution
- Launch-VsDevShell.PS1 Proxy Execution
- Lazarus Group Activity
- Lazarus System Binary Masquerading
- Loaded Module Enumeration Via Tasklist.EXE
- Local Accounts Discovery
- Local File Read Using Curl.EXE
- Local Groups Reconnaissance Via Wmic.EXE
- LockerGoga Ransomware Activity
- Logged-On User Password Change Via Ksetup.EXE
- LOL-Binary Copied From System Directory
- LOLBAS Data Exfiltration by DataSvcUtil.exe
- LOLBIN Execution From Abnormal Drive
- Lolbin Runexehelper Use As Proxy
- Lolbin Unregmp2.exe Use As Proxy
- LSA PPL Protection Setting Modification via CommandLine
- LSASS credential dump with LSASSY (process)
- LSASS Dump Keyword In CommandLine
- LSASS Process Reconnaissance Via Findstr.EXE
- Lummac Stealer Activity - Execution Of More.com And Vbc.exe
- Malicious Base64 Encoded PowerShell Keywords in Command Lines
- Malicious PE Execution by Microsoft Visual Studio Debugger
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious Windows Script Components File Execution by TAEF Detection
- ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
- Manual Execution of Script Inside of a Compressed File
- Massive processes termination burst
- Massive services deletion burst
- Massive services termination burst
- Mavinject Inject DLL Into Running Process
- MERCURY APT Activity
- Metasploit reverse shell injection in SQL Server
- Microsoft Defender service deactivation attempt (command)
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- Microsoft Workflow Compiler Execution
- Mint Sandstorm - AsperaFaspex Suspicious Process Execution
- Mint Sandstorm - Log4J Wstomcat Process Execution
- Mint Sandstorm - ManageEngine Suspicious Process Execution
- MMC Executing Files with Reversed Extensions Using RTLO Abuse
- MMC Spawning Windows Shell
- MMC20 Lateral Movement
- Modify Group Policy Settings
- Monitoring For Persistence Via BITS
- MpiExec Lolbin
- MSDT Execution Via Answer File
- MSExchange Transport Agent Installation
- MSHTA Execution with Suspicious File Extensions
- Mshtml.DLL RunHTMLApplication Suspicious Usage
- Msiexec Quiet Installation
- MsiExec Web Install
- Mstsc.EXE Execution From Uncommon Parent
- Mstsc.EXE Execution With Local RDP File
- Msxsl.EXE Execution
- Mustang Panda Dropper
- Net WebClient Casing Anomalies
- Net.EXE Execution
- Netsh Allow Group Policy on Microsoft Defender Firewall
- Network Reconnaissance Activity
- Network share discovery and/or connection via commandline
- New ActiveScriptEventConsumer Created Via Wmic.EXE
- New Capture Session Launched Via DXCap.EXE
- New DLL Registered Via Odbcconf.EXE
- New DMSA Service Account Created in Specific OUs
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- New Firewall Rule Added Via Netsh.EXE
- New Generic Credentials Added Via Cmdkey.EXE
- New Kernel Driver Via SC.EXE
- New Network Trace Capture Started Via Netsh.EXE
- New Port Forwarding Rule Added Via Netsh.EXE
- New Process Created Via Taskmgr.EXE
- New Process Created Via Wmic.EXE
- New Remote Desktop Connection Initiated Via Mstsc.EXE
- New Root Certificate Installed Via CertMgr.EXE
- New Root Certificate Installed Via Certutil.EXE
- New Self Extracting Package Created Via IExpress.EXE
- New Service Creation Using PowerShell
- New Service Creation Using Sc.EXE
- New User Created Via Net.EXE
- New User Created Via Net.EXE With Never Expire Option
- New Virtual Smart Card Created Via TpmVscMgr.EXE
- New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
- Nltest.EXE Execution
- Node Process Executions
- NodeJS Execution of JavaScript File
- Non Interactive PowerShell Process Spawned
- Non-privileged Usage of Reg or Powershell
- Notepad Password Files Discovery
- NotPetya Ransomware Activity
- Nslookup PowerShell Download Cradle - ProcessCreation
- NtdllPipe Like Activity Execution
- NTFS symbolic link configuration change
- NTFS symbolic link creation
- NTLM Hash Leak Via Curl NTLM Authentication
- Number of oustanding SMB requests increased
- Obfuscated IP Download Activity
- Obfuscated IP Via CLI
- Obfuscated PowerShell MSI Install via WindowsInstaller COM
- Obfuscated PowerShell OneLiner Execution
- Odbcconf.EXE Suspicious DLL Location
- OilRig APT Activity
- OneNote.EXE Execution of Malicious Embedded Scripts
- OpenEDR Spawning Command Shell
- OpenWith.exe Executes Specified Binary
- Operation Wocao Activity
- Operator Bloopers Cobalt Strike Commands
- Operator Bloopers Cobalt Strike Modules
- Outlook EnableUnsafeClientMailRules Setting Enabled
- PaperCut MF/NG Exploitation Related Indicators
- PaperCut MF/NG Potential Exploitation
- Password policy discovery via commandline
- Password Protected Compressed File Extraction Via 7Zip
- Password Provided In Command Line Of Net.EXE
- Password Set to Never Expire via WMI
- PDQ Deploy Remote Adminstartion Tool Execution
- Peach Sandstorm APT Process Activity Indicators
- Perl Inline Command Execution
- Permission Check Via Accesschk.EXE
- Permission Misconfiguration Reconnaissance Via Findstr.EXE
- Persistence Via Sticky Key Backdoor
- Persistence Via TypedPaths - CommandLine
- Phishing Pattern ISO in Archive
- Php Inline Command Execution
- Pikabot Fake DLL Extension Execution Via Rundll32.EXE
- Ping Hex IP
- Pingback Backdoor Activity
- PktMon.EXE Execution
- Port Forwarding Activity Via SSH.EXE
- Portable Gpg.EXE Execution
- Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line
- Possible Privilege Escalation via Weak Service Permissions
- Potential ACTINIUM Persistence Activity
- Potential Active Directory Enumeration Using AD Module - ProcCreation
- Potential Adplus.EXE Abuse
- Potential Amazon SSM Agent Hijacking
- Potential AMSI Bypass Using NULL Bits
- Potential AMSI Bypass Via .NET Reflection
- Potential Application Whitelisting Bypass via Dnx.EXE
- Potential APT FIN7 Exploitation Activity
- Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
- Potential APT Mustang Panda Activity Against Australian Gov
- Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
- Potential APT10 Cloud Hopper Activity
- Potential Arbitrary Code Execution Via Node.EXE
- Potential Arbitrary Command Execution Using Msdt.EXE
- Potential Arbitrary Command Execution Via FTP.EXE
- Potential Arbitrary DLL Load Using Winword
- Potential Arbitrary File Download Using Office Application
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
- Potential Baby Shark Malware Activity
- Potential BearLPE Exploitation
- Potential Binary Impersonating Sysinternals Tools
- Potential Binary Proxy Execution Via Cdb.EXE
- Potential Binary Proxy Execution Via VSDiagnostics.EXE
- Potential BlackByte Ransomware Activity
- Potential BOINC Software Execution (UC-Berkeley Signature)
- Potential Browser Data Stealing
- Potential CobaltStrike Process Patterns
- Potential COM Objects Download Cradles Usage - Process Creation
- Potential Command Line Path Traversal Evasion Attempt
- Potential Commandline Obfuscation Using Escape Characters
- Potential CommandLine Obfuscation Using Unicode Characters
- Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
- Potential CommandLine Path Traversal Via Cmd.EXE
- Potential Compromised 3CXDesktopApp Execution
- Potential Compromised 3CXDesktopApp Update Activity
- Potential Configuration And Service Reconnaissance Via Reg.EXE
- Potential Conti Ransomware Activity
- Potential Conti Ransomware Database Dumping Activity Via SQLCmd
- Potential Cookies Session Hijacking
- Potential Credential Dumping Attempt Using New NetworkProvider - CLI
- Potential Credential Dumping Via LSASS Process Clone
- Potential Credential Dumping Via WER
- Potential Crypto Mining Activity
- Potential CVE-2021-26857 Exploitation Attempt
- Potential CVE-2021-40444 Exploitation Attempt
- Potential CVE-2021-41379 Exploitation Attempt
- Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
- Potential CVE-2022-26809 Exploitation Attempt
- Potential CVE-2022-29072 Exploitation Attempt
- Potential CVE-2023-21554 QueueJumper Exploitation
- Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
- Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
- Potential Data Exfiltration Activity Via CommandLine Tools
- Potential Data Exfiltration Via Curl.EXE
- Potential Data Stealing Via Chromium Headless Debugging
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
- Potential Defense Evasion Via Binary Rename
- Potential Defense Evasion Via Rename Of Highly Relevant Binaries
- Potential Defense Evasion Via Right-to-Left Override
- Potential Devil Bait Malware Reconnaissance
- Potential Discovery Activity Via Dnscmd.EXE
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Potential DLL Injection Or Execution Using Tracker.exe
- Potential DLL Injection Via AccCheckConsole
- Potential DLL Sideloading Activity Via ExtExport.EXE
- Potential DLL Sideloading Via DeviceEnroller.EXE
- Potential Dosfuscation Activity
- Potential Download/Upload Activity Using Type Command
- Potential Dridex Activity
- Potential Dropper Script Execution Via WScript/CScript/MSHTA
- Potential Dtrack RAT Activity
- Potential Emotet Activity
- Potential Emotet Rundll32 Execution
- Potential EmpireMonkey Activity
- Potential Encoded PowerShell Patterns In CommandLine
- Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
- Potential Executable Run Itself As Sacrificial Process
- Potential Execution of Sysinternals Tools
- Potential Exploitation Attempt From Office Application
- Potential Exploitation Attempt Of Undocumented WindowsServer RCE
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
- Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
- Potential Exploitation of GoAnywhere MFT Vulnerability
- Potential Exploitation of RCE Vulnerability CVE-2025-33053
- Potential Fake Instance Of Hxtsr.EXE Executed
- Potential File Download Via MS-AppInstaller Protocol Handler
- Potential File Override/Append Via SET Command
- Potential File Overwrite Via Sysinternals SDelete
- Potential Goofy Guineapig Backdoor Activity
- Potential Goofy Guineapig GoolgeUpdate Process Anomaly
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- Potential Homoglyph Attack Using Lookalike Characters
- Potential KamiKakaBot Activity - Lure Document Execution
- Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
- Potential Ke3chang/TidePool Malware Activity
- Potential Lateral Movement via Windows Remote Shell
- Potential LethalHTA Technique Execution
- Potential LSASS Process Dump Via Procdump
- Potential Manage-bde.wsf Abuse To Proxy Execution
- Potential Maze Ransomware Activity
- Potential Memory Dumping Activity Via LiveKD
- Potential Meterpreter/CobaltStrike Activity
- Potential Mftrace.EXE Abuse
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
- Potential Mpclient.DLL Sideloading Via Defender Binaries
- Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
- Potential MsiExec Masquerading
- Potential MSTSC Shadowing Activity
- Potential MuddyWater APT Activity
- Potential Network Sniffing Activity Using Network Tools
- Potential Notepad++ CVE-2025-49144 Exploitation
- Potential NTLM Coercion Via Certutil.EXE
- Potential Obfuscated Ordinal Call Via Rundll32
- Potential Password Reconnaissance Via Findstr.EXE
- Potential Password Spraying Attempt Using Dsacls.EXE
- Potential Persistence Attempt Via Existing Service Tampering
- Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Potential Persistence Via Logon Scripts - CommandLine
- Potential Persistence Via Microsoft Compatibility Appraiser
- Potential Persistence Via Netsh Helper DLL
- Potential Persistence Via Powershell Search Order Hijacking - Task
- Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Potential Pikabot Discovery Activity
- Potential Pikabot Hollowing Activity
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- Potential PlugX Activity
- Potential PowerShell Command Line Obfuscation
- Potential PowerShell Console History Access Attempt via History File
- Potential PowerShell Downgrade Attack
- Potential PowerShell Execution Policy Tampering - ProcCreation
- Potential PowerShell Execution Via DLL
- Potential PowerShell Obfuscation Via Reversed Commands
- Potential PowerShell Obfuscation Via WCHAR/CHAR
- Potential Powershell ReverseShell Connection
- Potential Privilege Escalation To LOCAL SYSTEM
- Potential Privilege Escalation Using Symlink Between Osk and Cmd
- Potential Privilege Escalation via Service Permissions Weakness
- Potential Process Execution Proxy Via CL_Invocation.ps1
- Potential Process Injection Via Msra.EXE
- Potential Product Class Reconnaissance Via Wmic.EXE
- Potential Product Reconnaissance Via Wmic.EXE
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution
- Potential Provlaunch.EXE Binary Proxy Execution Abuse
- Potential Proxy Execution Via Explorer.EXE From Shell Process
- Potential PsExec Remote Execution
- Potential Qakbot Rundll32 Execution
- Potential QBot Activity
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
- Potential Raspberry Robin CPL Execution Activity
- Potential Raspberry Robin Dot Ending File
- Potential RDP Session Hijacking Activity
- Potential RDP Tunneling Via Plink
- Potential RDP Tunneling Via SSH
- Potential Recon Activity Using DriverQuery.EXE
- Potential Recon Activity Via Nltest.EXE
- Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
- Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
- Potential ReflectDebugger Content Execution Via WerFault.EXE
- Potential Register_App.Vbs LOLScript Abuse
- Potential Regsvr32 Commandline Flag Anomaly
- Potential Remote Desktop Tunneling
- Potential Remote SquiblyTwo Technique Execution
- Potential Renamed Rundll32 Execution
- Potential Rundll32 Execution With DLL Stored In ADS
- Potential Russian APT Credential Theft Activity
- Potential Ryuk Ransomware Activity
- Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
- Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
- Potential ShellDispatch.DLL Functionality Abuse
- Potential Shim Database Persistence via Sdbinst.EXE
- Potential Signing Bypass Via Windows Developer Features
- Potential SMB Relay Attack Tool Execution
- Potential SNAKE Malware Installation Binary Indicator
- Potential SNAKE Malware Installation CLI Arguments Indicator
- Potential SNAKE Malware Persistence Service Execution
- Potential Snatch Ransomware Activity
- Potential SPN Enumeration Via Setspn.EXE
- Potential SSH Tunnel Persistence Install Using A Scheduled Task
- Potential Suspicious Activity Using SeCEdit
- Potential Suspicious Browser Launch From Document Reader Process
- Potential Suspicious Child Process Of 3CXDesktopApp
- Potential Suspicious Execution From GUID Like Folder Names
- Potential Suspicious Mofcomp Execution
- Potential Suspicious Registry File Imported Via Reg.EXE
- Potential Suspicious Windows Feature Enabled - ProcCreation
- Potential SysInternals ProcDump Evasion
- Potential SystemNightmare Exploitation Attempt
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Potential Tampering With Security Products Via WMIC
- Potential UAC Bypass Via Sdclt.EXE
- Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
- Potential WinAPI Calls Via CommandLine
- Potential Windows Defender AV Bypass Via Dump64.EXE Rename
- Potential Windows Defender Tampering Via Wmic.EXE
- Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
- Potentially Over Permissive Permissions Granted Using Dsacls.EXE
- Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
- Potentially Suspicious Cabinet File Expansion
- Potentially Suspicious Call To Win32_NTEventlogFile Class
- Potentially Suspicious Child Process Of ClickOnce Application
- Potentially Suspicious Child Process Of DiskShadow.EXE
- Potentially Suspicious Child Process of KeyScrambler.exe
- Potentially Suspicious Child Process Of Regsvr32
- Potentially Suspicious Child Process Of VsCode
- Potentially Suspicious Child Process Of WinRAR.EXE
- Potentially Suspicious Child Processes Spawned by ConHost
- Potentially Suspicious CMD Shell Output Redirect
- Potentially Suspicious Command Targeting Teams Sensitive Files
- Potentially Suspicious Compression Tool Parameters
- Potentially Suspicious Desktop Background Change Using Reg.EXE
- Potentially Suspicious DLL Registered Via Odbcconf.EXE
- Potentially Suspicious Electron Application CommandLine
- Potentially Suspicious Event Viewer Child Process
- Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
- Potentially Suspicious Execution From Parent Process In Public Folder
- Potentially Suspicious Execution Of PDQDeployRunner
- Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
- Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
- Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- Potentially Suspicious GoogleUpdate Child Process
- Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
- Potentially Suspicious JWT Token Search Via CLI
- Potentially Suspicious NTFS Symlink Behavior Modification
- Potentially Suspicious Office Document Executed From Trusted Location
- Potentially Suspicious Ping/Copy Command Combination
- Potentially Suspicious PowerShell Child Processes
- Potentially Suspicious Powershell Script Execution From Temp Folder
- Potentially Suspicious Regsvr32 HTTP IP Pattern
- Potentially Suspicious Regsvr32 HTTP/FTP Pattern
- Potentially Suspicious Rundll32 Activity
- Potentially Suspicious Rundll32.EXE Execution of UDL File
- Potentially Suspicious Usage Of Qemu
- Potentially Suspicious WebDAV LNK Execution
- Potentially Suspicious Windows App Activity
- PowerShell Base64 Encoded FromBase64String Cmdlet
- PowerShell Base64 Encoded IEX Cmdlet
- PowerShell Base64 Encoded Invoke Keyword
- Powershell Base64 Encoded MpPreference Cmdlet
- PowerShell Base64 Encoded Reflective Assembly Load
- PowerShell Base64 Encoded WMI Classes
- Powershell Defender Disable Scan Feature
- Powershell Defender Exclusion
- PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
- PowerShell Download and Execution Cradles
- PowerShell Download Pattern
- Powershell Executed From Headless ConHost Process
- PowerShell Execution With Potential Decryption Capabilities
- PowerShell Get-Clipboard Cmdlet Via CLI
- PowerShell Get-Process LSASS
- Powershell Inline Execution From A File
- PowerShell MSI Install via WindowsInstaller COM From Remote Location
- PowerShell SAM Copy
- PowerShell Script Change Permission Via Set-Acl
- PowerShell Script Run in AppData
- PowerShell Set-Acl On Windows Folder
- Powershell Token Obfuscation - Process Creation
- PowerShell Web Access Feature Enabled Via DISM
- PPL Tampering Via WerFaultSecure
- PrintBrm ZIP Creation of Extraction
- Private Keys Reconnaissance Via CommandLine Tools
- Privilege Escalation via Named Pipe Impersonation
- Procdump Execution
- Process Access via TrolleyExpress Exclusion
- Process Creation Using Sysnative Folder
- Process Execution From A Potentially Suspicious Folder
- Process Execution From WebDAV Share
- Process Launched Without Image Name
- Process Memory Dump Via Comsvcs.DLL
- Process Memory Dump Via Dotnet-Dump
- Process Memory Dump via RdrLeakDiag.EXE
- Process Proxy Execution Via Squirrel.EXE
- Process Reconnaissance Via Wmic.EXE
- Process Terminated Via Taskkill
- Program Executed Using Proxy/Local Command Via SSH.EXE
- Proxy Execution via Vshadow
- Proxy Execution Via Wuauclt.EXE
- Ps.exe Renamed SysInternals Tool
- PSexec application execution
- Psexec Execution
- PsExec Service Child Process Execution as LOCAL SYSTEM
- PsExec Service Execution
- PsExec/PAExec Escalation to LOCAL SYSTEM
- PUA - 3Proxy Execution
- PUA - AdFind Suspicious Execution
- PUA - AdFind.EXE Execution
- PUA - Adidnsdump Execution
- PUA - Advanced IP Scanner Execution
- PUA - Advanced Port Scanner Execution
- PUA - AdvancedRun Execution
- PUA - AdvancedRun Suspicious Execution
- PUA - Chisel Tunneling Tool Execution
- PUA - CleanWipe Execution
- PUA - Crassus Execution
- PUA - CsExec Execution
- PUA - DefenderCheck Execution
- PUA - DIT Snapshot Viewer
- PUA - Fast Reverse Proxy (FRP) Execution
- PUA - Kernel Driver Utility (KDU) Execution
- PUA - Memory Dump Mount Via MemProcFS
- PUA - Mouse Lock Execution
- PUA - Netcat Suspicious Execution
- PUA - Ngrok Execution
- PUA - Nimgrab Execution
- PUA - NimScan Execution
- PUA - NirCmd Execution
- PUA - NirCmd Execution As LOCAL SYSTEM
- PUA - Nmap/Zenmap Execution
- PUA - NPS Tunneling Tool Execution
- PUA - NSudo Execution
- PUA - PingCastle Execution
- PUA - PingCastle Execution From Potentially Suspicious Parent
- PUA - Potential PE Metadata Tamper Using Rcedit
- PUA - Process Hacker Execution
- PUA - Radmin Viewer Utility Execution
- PUA - Rclone Execution
- PUA - Restic Backup Tool Execution
- PUA - RunXCmd Execution
- PUA - Seatbelt Execution
- PUA - SoftPerfect Netscan Execution
- PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
- PUA - System Informer Execution
- PUA - TruffleHog Execution
- PUA - WebBrowserPassView Execution
- PUA - Wsudo Suspicious Execution
- PUA- IOX Tunneling Tool Execution
- Pubprn.vbs Proxy Execution
- Python Function Execution Security Warning Disabled In Excel
- Python Inline Command Execution
- Python One-Liners with Base64 Decoding
- Python Spawning Pretty TTY on Windows
- Qakbot Regsvr32 Calc Pattern
- Qakbot Rundll32 Exports Execution
- Qakbot Rundll32 Fake DLL Extension Execution
- Qakbot Uninstaller Execution
- Query Usage To Exfil Data
- QuickAssist Execution
- Raccine Uninstall
- Rar Usage with Password and Compression Level
- Raspberry Robin Initial Execution From External Drive
- Raspberry Robin Subsequent Execution of Commands
- RDP Connection Allowed Via Netsh.EXE
- RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
- RDP Port Forwarding Rule Added Via Netsh.EXE
- RDP shadow session started (command)
- RDP tunneling configuration enabled for port forwarding
- Read Contents From Stdin Via Cmd.EXE
- Rebuild Performance Counter Values Via Lodctr.EXE
- Recon Command Output Piped To Findstr.EXE
- Recon Information for Export with Command Prompt
- RedSun - Conhost.exe Spawned by TieringEngineService.exe
- Reg Add Suspicious Paths
- RegAsm.EXE Execution Without CommandLine Flags or Files
- Regedit as Trusted Installer
- REGISTER_APP.VBS Proxy Execution
- Registry Export of Third-Party Credentials
- Registry Manipulation via WMI Stdregprov
- Registry Modification Attempt Via VBScript
- Registry Modification of MS-settings Protocol Handler
- Registry Modification Via Regini.EXE
- Regsvr32 DLL Execution With Suspicious File Extension
- Regsvr32 DLL Execution With Uncommon Extension
- Regsvr32 Execution From Highly Suspicious Location
- Regsvr32 Execution From Potential Suspicious Location
- Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
- Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
- Remote Access Tool - Ammy Admin Agent Execution
- Remote Access Tool - AnyDesk Execution
- Remote Access Tool - Anydesk Execution From Suspicious Folder
- Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
- Remote Access Tool - AnyDesk Piped Password Via CLI
- Remote Access Tool - AnyDesk Silent Installation
- Remote Access Tool - Cmd.EXE Execution via AnyViewer
- Remote Access Tool - GoToAssist Execution
- Remote Access Tool - LogMeIn Execution
- Remote Access Tool - MeshAgent Command Execution via MeshCentral
- Remote Access Tool - NetSupport Execution
- Remote Access Tool - NetSupport Execution From Unusual Location
- Remote Access Tool - Potential MeshAgent Execution - Windows
- Remote Access Tool - Renamed MeshAgent Execution - Windows
- Remote Access Tool - RURAT Execution From Unusual Location
- Remote Access Tool - ScreenConnect Execution
- Remote Access Tool - ScreenConnect Installation Execution
- Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
- Remote Access Tool - ScreenConnect Remote Command Execution
- Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
- Remote Access Tool - ScreenConnect Server Web Shell Execution
- Remote Access Tool - Simple Help Execution
- Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
- Remote Access Tool - Team Viewer Session Started On Windows Host
- Remote Access Tool - UltraViewer Execution
- Remote CHM File Download/Execution Via HH.EXE
- Remote Code Execute via Winrm.vbs
- Remote File Download Via Desktopimgdownldr Utility
- Remote File Download Via Findstr.EXE
- Remote PowerShell Session Host Process (WinRM)
- Remote XSL Execution Via Msxsl.EXE
- RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
- Remotely Hosted HTA File Executed Via Mshta.EXE
- Renamed AdFind Execution
- Renamed AutoHotkey.EXE Execution
- Renamed AutoIt Execution
- Renamed BOINC Client Execution
- Renamed BrowserCore.EXE Execution
- Renamed Cloudflared.EXE Execution
- Renamed CreateDump Utility Execution
- Renamed CURL.EXE Execution
- Renamed FTP.EXE Execution
- Renamed Gpg.EXE Execution
- Renamed Jusched.EXE Execution
- Renamed Mavinject.EXE Execution
- Renamed MegaSync Execution
- Renamed Microsoft Teams Execution
- Renamed Msdt.EXE Execution
- Renamed NetSupport RAT Execution
- Renamed NirCmd.EXE Execution
- Renamed Office Binary Execution
- Renamed PAExec Execution
- Renamed PingCastle Binary Execution
- Renamed Plink Execution
- Renamed ProcDump Execution
- Renamed Procdump tool used for dumping LSASS process
- Renamed PsExec Service Execution
- Renamed Remote Utilities RAT (RURAT) Execution
- Renamed Schtasks Execution
- Renamed SysInternals DebugView Execution
- Renamed Sysinternals Sdelete Execution
- Renamed Visual Studio Code Tunnel Execution
- Renamed Vmnat.exe Execution
- Renamed Whoami Execution
- Renamed ZOHO Dctask64 Execution
- Replace.exe Usage
- Response File Execution Via Odbcconf.EXE
- RestrictedAdminMode Registry Value Tampering - ProcCreation
- REvil Kaseya Incident Malware Patterns
- Rhadamanthys Stealer Module Launch Via Rundll32.EXE
- Root Certificate Installed From Susp Locations
- Rorschach Ransomware Execution Activity
- Ruby Inline Command Execution
- Run Once Task Execution as Configured in Registry
- Run PowerShell Script from ADS
- Run PowerShell Script from Redirected Input Stream
- Rundll32 Execution With Uncommon DLL Extension
- Rundll32 Execution Without CommandLine Parameters
- Rundll32 Execution Without Parameters
- Rundll32 InstallScreenSaver Execution
- Rundll32 Registered COM Objects
- Rundll32 Spawned Via Explorer.EXE
- RunDLL32 Spawning Explorer
- Rundll32 UNC Path Execution
- Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
- RunMRU Registry Key Deletion
- SafeBoot Registry Key Deleted Via Reg.EXE
- SC.EXE Query Execution
- Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
- Scheduled persistent task with SYSTEM privileges creation
- Scheduled Task Creation From Potential Suspicious Parent Location
- Scheduled Task Creation Masquerading as System Processes
- Scheduled Task Creation Via Schtasks.EXE
- Scheduled task creation with command line
- Scheduled Task Creation with Curl and PowerShell Execution Combo
- Scheduled Task Executing Encoded Payload from Registry
- Scheduled Task Executing Payload from Registry
- Schtasks Creation Or Modification With SYSTEM Privileges
- Schtasks From Suspicious Folders
- Screen Capture Activity Via Psr.EXE
- Script Event Consumer Spawning Process
- Script Interpreter Execution From Suspicious Folder
- Script Interpreter Spawning Credential Scanner - Windows
- Scripting/CommandLine Process Spawned Regsvr32
- Sdclt Child Processes
- Sdiagnhost Calling Suspicious Child Process
- SearchIndexer suspicious process activity
- Security Event Logging Disabled via MiniNt Registry Key - Process
- Security package (SSP) added (Reg via command)
- Security Privileges Enumeration Via Whoami.EXE
- Security Service Disabled Via Reg.EXE
- Security Tools Keyword Lookup Via Findstr.EXE
- Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
- Sensitive File Access Via Volume Shadow Copy Backup
- Sensitive File Dump Via Print.EXE
- Sensitive File Dump Via Wbadmin.EXE
- Sensitive File Recovery From Backup Via Wbadmin.EXE
- Serial console process spawning CMD shell (via command)
- Serpent Backdoor Payload Execution Via Scheduled Task
- Serv-U Exploitation CVE-2021-35211 by DEV-0322
- Service abuse with malicious ImagePath (service)
- Service creation (command)
- Service DACL Abuse To Hide Services Via Sc.EXE
- Service deactivation (command)
- Service permissions hijacked for privileges abuse (service)
- Service Reconnaissance Via Wmic.EXE
- Service Registry Key Deleted Via Reg.EXE
- Service Security Descriptor Tampering Via Sc.EXE
- Service Started/Stopped Via Wmic.EXE
- Service Startup Type Change Via Wmic.EXE
- Service StartupType Change Via PowerShell Set-Service
- Service StartupType Change Via Sc.EXE
- Set Files as System Files Using Attrib.EXE
- Set Suspicious Files as System Files Using Attrib.EXE
- Setup16.EXE Execution With Custom .Lst File
- Shadow Copies Creation Using Operating Systems Utilities
- Shadow Copies Deletion Using Operating Systems Utilities
- Shai-Hulud 2.0 Malicious NPM Package Installation
- Shai-Hulud Malicious Bun Execution
- Shai-Hulud Malware Indicators - Windows
- Share And Session Enumeration Using Net.EXE
- Shell Process Spawned by Java.EXE
- Shell32 DLL Execution in Suspicious Directory
- ShimCache Flush
- Small Sieve Malware CommandLine Indicator
- SMB over QUIC Via Net.EXE
- Sofacy Trojan Loader Activity
- SOURGUM Actor Behaviours
- SPN added to an account by command line
- Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958)
- SQL Client Tools PowerShell Session Detection
- SQL Server database's table enumeration
- SQL server sqlcmd utility abuse for privilege escalation
- SQLite Chromium Profile Data DB Access
- SQLite Firefox Profile Data DB Access
- Start of NT Virtual DOS Machine
- Start Windows Service Via Net.EXE
- Sticky key called CMD via command execution
- Sticky key called CMD via command execution (hash detection)
- Sticky Key Like Backdoor Execution
- Stop Windows Service Via Net.EXE
- Stop Windows Service Via PowerShell Stop-Service
- Stop Windows Service Via Sc.EXE
- Suspect Svchost Activity
- Suspicious Active Directory Database Snapshot Via ADExplorer
- Suspicious AddinUtil.EXE CommandLine Execution
- Suspicious Advpack Call Via Rundll32.EXE
- Suspicious AgentExecutor PowerShell Execution
- Suspicious ArcSOC.exe Child Process
- Suspicious Autorun Registry Modified via WMI
- Suspicious Binary In User Directory Spawned From Office Application
- Suspicious BitLocker Access Agent Update Utility Execution
- Suspicious Cabinet File Execution Via Msdt.EXE
- Suspicious Calculator Usage
- Suspicious CertReq Command to Download
- Suspicious Child Process Created as System
- Suspicious Child Process of AspNetCompiler
- Suspicious Child Process Of BgInfo.EXE
- Suspicious Child Process Of Manage Engine ServiceDesk
- Suspicious Child Process of Notepad++ Updater - GUP.Exe
- Suspicious Child Process of SAP NetWeaver
- Suspicious Child Process of SolarWinds WebHelpDesk
- Suspicious Child Process Of SQL Server
- Suspicious Child Process Of Veeam Database
- Suspicious Child Process Of Wermgr.EXE
- Suspicious Chromium Browser Instance Executed With Custom Extension
- Suspicious ClickFix/FileFix Execution Pattern
- Suspicious CodePage Switch Via CHCP
- Suspicious Command Patterns In Scheduled Task Creation
- Suspicious Control Panel DLL Load
- Suspicious Copy From or To System Directory
- Suspicious CrushFTP Child Process
- Suspicious Csi.exe Usage
- Suspicious Curl.EXE Download
- Suspicious CustomShellHost Execution
- Suspicious Debugger Registration Cmdline
- Suspicious Desktopimgdownldr Command
- Suspicious Diantz Alternate Data Stream Execution
- Suspicious Diantz Download and Compress Into a CAB File
- Suspicious DLL Loaded via CertOC.EXE
- Suspicious Double Extension File Execution
- Suspicious Download From Direct IP Via Bitsadmin
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Suspicious Download from Office Domain
- Suspicious Download Via Certutil.EXE
- Suspicious Driver Install by pnputil.exe
- Suspicious Driver/DLL Installation Via Odbcconf.EXE
- Suspicious DumpMinitool Execution
- Suspicious Electron Application Child Processes
- Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
- Suspicious Encoded PowerShell Command Line
- Suspicious Eventlog Clearing or Configuration Change Activity
- Suspicious Execution From Outlook Temporary Folder
- Suspicious Execution Location Of Wermgr.EXE
- Suspicious Execution of Hostname
- Suspicious Execution of InstallUtil Without Log
- Suspicious Execution of Powershell with Base64
- Suspicious Execution of Shutdown
- Suspicious Execution of Shutdown to Log Out
- Suspicious Execution of Systeminfo
- Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
- Suspicious Extrac32 Alternate Data Stream Execution
- Suspicious Extrac32 Execution
- Suspicious File Characteristics Due to Missing Fields
- Suspicious File Download From File Sharing Domain Via Curl.EXE
- Suspicious File Download From File Sharing Domain Via Wget.EXE
- Suspicious File Download From IP Via Curl.EXE
- Suspicious File Download From IP Via Wget.EXE
- Suspicious File Download From IP Via Wget.EXE - Paths
- Suspicious File Downloaded From Direct IP Via Certutil.EXE
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Suspicious File Encoded To Base64 Via Certutil.EXE
- Suspicious File Execution From Internet Hosted WebDav Share
- Suspicious FileFix Execution Pattern
- Suspicious FromBase64String Usage On Gzip Archive - Process Creation
- Suspicious Git Clone
- Suspicious Greedy Compression Using Rar.EXE
- Suspicious Group And Account Reconnaissance Activity Using Net.EXE
- Suspicious GrpConv Execution
- Suspicious GUP Usage
- Suspicious HH.EXE Execution
- Suspicious High IntegrityLevel Conhost Legacy Option
- Suspicious HWP Sub Processes
- Suspicious IIS Module Registration
- Suspicious IIS URL GlobalRules Rewrite Via AppCmd
- Suspicious Invoke-WebRequest Execution
- Suspicious Invoke-WebRequest Execution With DirectIP
- Suspicious JavaScript Execution Via Mshta.EXE
- Suspicious Kerberos Ticket Request via CLI
- Suspicious Kernel Dump Using Dtrace
- Suspicious Key Manager Access
- Suspicious LNK Command-Line Padding with Whitespace Characters
- Suspicious Manipulation Of Default Accounts Via Net.EXE
- Suspicious Microsoft Office Child Process
- Suspicious Microsoft OneNote Child Process
- Suspicious Modification Of Scheduled Tasks
- Suspicious Msbuild Execution By Uncommon Parent Process
- Suspicious MSDT Parent Process
- Suspicious MSHTA Child Process
- Suspicious Mshta.EXE Execution Patterns
- Suspicious MsiExec Embedding Parent
- Suspicious Msiexec Execute Arbitrary DLL
- Suspicious Msiexec Quiet Install From Remote Location
- Suspicious Mstsc.EXE Execution With Local RDP File
- Suspicious Network Command
- Suspicious New Instance Of An Office COM Object
- Suspicious New Service Creation
- Suspicious NTLM Authentication on the Printer Spooler Service
- Suspicious Obfuscated PowerShell Code
- Suspicious Outlook Child Process
- Suspicious Parent Double Extension File Execution
- Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Suspicious Ping/Del Command Combination
- Suspicious Plink Port Forwarding
- Suspicious Powercfg Execution To Change Lock Screen Timeout
- Suspicious PowerShell Download and Execute Pattern
- Suspicious PowerShell Encoded Command Patterns
- Suspicious PowerShell IEX Execution Patterns
- Suspicious PowerShell Invocation From Script Engines
- Suspicious PowerShell Invocations - Specific - ProcessCreation
- Suspicious PowerShell Mailbox Export to Share
- Suspicious PowerShell Parameter Substring
- Suspicious PowerShell Parent Process
- Suspicious PrinterPorts Creation (CVE-2020-1048)
- Suspicious Process By Web Server Process
- Suspicious Process Created Via Wmic.EXE
- Suspicious Process Execution From Fake Recycle.Bin Folder
- Suspicious Process Masquerading As SvcHost.EXE
- Suspicious Process Parents
- Suspicious Process Patterns NTDS.DIT Exfil
- Suspicious Process Spawned by CentreStack Portal AppPool
- Suspicious Process Start Locations
- Suspicious Processes Spawned by Java.EXE
- Suspicious Processes Spawned by WinRM
- Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
- Suspicious Program Names
- Suspicious Provlaunch.EXE Child Process
- Suspicious Query of MachineGUID
- Suspicious RASdial Activity
- Suspicious RazerInstaller Explorer Subprocess
- Suspicious RDP Redirect Using TSCON
- Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
- Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
- Suspicious Recursive Takeown
- Suspicious Redirection to Local Admin Share
- Suspicious Reg Add BitLocker
- Suspicious Registry Modification From ADS Via Regini.EXE
- Suspicious Regsvr32 Execution From Remote Share
- Suspicious Remote Child Process From Outlook
- Suspicious Response File Execution Via Odbcconf.EXE
- Suspicious RunAs-Like Flag Combination
- Suspicious Rundll32 Activity Invoking Sys File
- Suspicious Rundll32 Execution With Image Extension
- Suspicious Rundll32 Invoking Inline VBScript
- Suspicious Rundll32 Setupapi.dll Activity
- Suspicious Runscripthelper.exe
- Suspicious Scan Loop Network
- Suspicious Scheduled Task Creation Involving Temp Folder
- Suspicious Scheduled Task Creation via Masqueraded XML File
- Suspicious Scheduled Task Name As GUID
- Suspicious Schtasks Execution AppData Folder
- Suspicious Schtasks Schedule Type With High Privileges
- Suspicious Schtasks Schedule Types
- Suspicious ScreenSave Change by Reg.exe
- Suspicious Serv-U Process Pattern
- Suspicious Service Binary Directory
- Suspicious Service DACL Modification Via Set-Service Cmdlet
- Suspicious Service Path Modification
- Suspicious ShellExec_RunDLL Call Via Ordinal
- Suspicious Shells Spawn by Java Utility Keytool
- Suspicious Speech Runtime Binary Child Process
- Suspicious Splwow64 Without Params
- Suspicious SPN enumeration previous to Kerberoasting attack (native commands)
- Suspicious Spool Service Child Process
- Suspicious SysAidServer Child
- Suspicious Sysmon as Execution Parent
- Suspicious SYSTEM User Process Creation
- Suspicious SYSVOL Domain Group Policy Access
- Suspicious Tasklist Discovery Command
- Suspicious TSCON Start as SYSTEM
- Suspicious UltraVNC Execution
- Suspicious Uninstall of Windows Defender Feature via PowerShell
- Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
- Suspicious Usage of For Loop with Recursive Directory Search in CMD
- Suspicious Usage Of ShellExec_RunDLL
- Suspicious Use of CSharp Interactive Console
- Suspicious Use of PsLogList
- Suspicious Userinit Child Process
- Suspicious VBoxDrvInst.exe Parameters
- Suspicious VBScript UN2452 Pattern
- Suspicious Velociraptor Child Process
- Suspicious Vsls-Agent Command With AgentExtensionPath Load
- Suspicious WebDav Client Execution Via Rundll32.EXE
- Suspicious Where Execution
- Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
- Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
- Suspicious Windows Service Tampering
- Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
- Suspicious Windows Update Agent Empty Cmdline
- Suspicious WindowsTerminal Child Processes
- Suspicious WMIC Execution Via Office Process
- Suspicious WmiPrvSE Child Process
- Suspicious Workstation Locking via Rundll32
- Suspicious X509Enrollment - Process Creation
- Suspicious XOR Encoded PowerShell Command
- Suspicious ZipExec Execution
- SyncAppvPublishingServer Execute Arbitrary PowerShell Code
- SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
- Sysinternals PsService Execution
- Sysinternals PsSuspend Execution
- Sysinternals PsSuspend Suspicious Execution
- Sysmon Configuration Update
- Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
- Sysmon Driver Unloaded Via Fltmc.EXE
- Sysprep on AppData Folder
- System Disk And Volume Reconnaissance Via Wmic.EXE
- System File Execution Location Anomaly
- System Information Discovery via Registry Queries
- System Information Discovery Via Wmic.EXE
- System Language Discovery via Reg.Exe
- System Network Connections Discovery Via Net.EXE
- System Restore Registry Modification via CommandLine
- TAIDOOR RAT DLL Load
- Tamper Windows Defender Remove-MpPreference
- Tap Installer Execution
- Task Manager access indicator for potential LSASS dump
- Taskkill Symantec Endpoint Protection
- Taskmgr as LOCAL_SYSTEM
- Tasks Folder Evasion
- Terminal Service Process Spawn
- Time Travel Debugging Utility Usage
- Tor Client/Browser Execution
- Trickbot Malware Activity
- TropicTrooper Campaign November 2018
- TrustedPath UAC Bypass Pattern
- Tunneling Tool Execution
- Turla Group Commands May 2020
- Turla Group Lateral Movement
- UAC Bypass Abusing Winsat Path Parsing - Process
- UAC Bypass Tools Using ComputerDefaults
- UAC Bypass Using ChangePK and SLUI
- UAC Bypass Using Consent and Comctl32 - Process
- UAC Bypass Using Disk Cleanup
- UAC Bypass Using DismHost
- UAC Bypass Using Event Viewer RecentViews
- UAC Bypass Using IDiagnostic Profile
- UAC Bypass Using IEInstal - Process
- UAC Bypass Using MSConfig Token Modification - Process
- UAC Bypass Using NTFS Reparse Point - Process
- UAC Bypass Using PkgMgr and DISM
- UAC Bypass Using Windows Media Player - Process
- UAC Bypass via ICMLuaUtil
- UAC Bypass via Windows Firewall Snap-In Hijack
- UAC Bypass WSReset
- UEFI Persistence Via Wpbbin - ProcessCreation
- UNC2452 PowerShell Pattern
- UNC2452 Process Creation Patterns
- Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
- Uncommon AddinUtil.EXE CommandLine Execution
- Uncommon Child Process Of AddinUtil.EXE
- Uncommon Child Process Of Appvlp.EXE
- Uncommon Child Process Of BgInfo.EXE
- Uncommon Child Process Of Conhost.EXE
- Uncommon Child Process Of Defaultpack.EXE
- Uncommon Child Process Of Setres.EXE
- Uncommon Child Process Spawned By Odbcconf.EXE
- Uncommon Child Processes Of SndVol.exe
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- Uncommon FileSystem Load Attempt By Format.com
- Uncommon Link.EXE Parent Process
- Uncommon One Time Only Scheduled Task At 00:00
- Uncommon Sigverif.EXE Child Process
- Uncommon Svchost Command Line Parameter
- Uncommon Svchost Parent Process
- Uncommon System Information Discovery Via Wmic.EXE
- Uncommon Userinit Child Process
- Uninstall Crowdstrike Falcon Sensor
- Uninstall Sysinternals Sysmon
- Unmount Share Via Net.EXE
- Unsigned AppX Installation Attempt Using Add-AppxPackage
- Unusual Child Process of dns.exe
- Unusual Parent Process For Cmd.EXE
- Unusually Long PowerShell CommandLine
- Ursnif Redirection Of Discovery Commands
- Usage Of Web Request Commands And Cmdlets
- Use Icacls to Hide File to Everyone
- Use NTFS Short Name in Command Line
- Use NTFS Short Name in Image
- Use of FSharp Interpreters
- Use of OpenConsole
- Use of Pcalua For Execution
- Use of Remote.exe
- Use of Scriptrunner.exe
- Use Of The SFTP.EXE Binary As A LOLBIN
- Use of TTDInject.exe
- Use of UltraVNC Remote Access Software
- Use of VisualUiaVerifyNative.exe
- Use of VSIISExeLauncher.exe
- Use of W32tm as Timer
- Use of Wfc.exe
- Use Short Name Path in Command Line
- Use Short Name Path in Image
- User added to a group via commandline
- User Added To Highly Privileged Group
- User Added to Local Administrators Group
- User Added to Remote Desktop Users Group
- User creation via commandline
- User Discovery And Export Via Get-ADUser Cmdlet
- User enumeration and creation related to Manic Menagerie 2.0 (via cmdline)
- User properties enumeration via commandline
- User Shell Folders Registry Modification via CommandLine
- Using SettingSyncHost.exe as LOLBin
- UtilityFunctions.ps1 Proxy Dll
- Veeam Backup Database Suspicious Query
- VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
- Verclsid.exe Runs COM Object
- Virtualbox Driver Installation or Starting of VMs
- Visual Basic Command Line Compiler Usage
- Visual Studio Code Tunnel Execution
- Visual Studio Code Tunnel Service Installation
- Visual Studio Code Tunnel Shell Execution
- Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
- Visual Studio NodejsTools PressAnyKey Renamed Execution
- VMToolsd Suspicious Child Process
- VolumeShadowCopy Symlink Creation Via Mklink
- VSS backup deletion (WMI)
- Vulnerable Driver Blocklist Registry Tampering Via CommandLine
- Wab Execution From Non Default Location
- Wab/Wabmig Unusual Parent Or Child Processes
- WannaCry Ransomware Activity
- Wdigest authentication enabled (Reg via command)
- Weak or Abused Passwords In CLI
- WebDav Client Execution Via Rundll32.EXE
- Webserver IIS module installed (command)
- Webshell Detection With Command Line Keywords
- Webshell Hacking Activity Patterns
- Webshell Tool Reconnaissance Activity
- WhoAmI as Parameter
- Whoami.EXE Execution Anomaly
- Whoami.EXE Execution From Privileged Process
- Whoami.EXE Execution With Output Option
- Windows Admin Share Mount Via Net.EXE
- Windows AMSI Related Registry Tampering Via CommandLine
- Windows Backup Deleted Via Wbadmin.EXE
- Windows Binary Executed From WSL
- Windows Credential Guard Registry Tampering Via CommandLine
- Windows Credential Manager Access via VaultCmd
- Windows Default Domain GPO Modification via GPME
- Windows Defender Context Menu Removed
- Windows Defender Definition Files Removed
- Windows EventLog Autologger Session Registry Modification Via CommandLine
- Windows Firewall Disabled via PowerShell
- Windows Hotfix Updates Reconnaissance Via Wmic.EXE
- Windows Internet Hosted WebDav Share Mount Via Net.EXE
- Windows Kernel Debugger Execution
- Windows MSIX Package Support Framework AI_STUBS Execution
- Windows native backup deletion
- Windows native Pktmon sniffer abuse
- Windows Processes Suspicious Parent Directory
- Windows Recall Feature Enabled Via Reg.EXE
- Windows Recovery Environment Disabled Via Reagentc
- Windows Share Mount Via Net.EXE
- Windows Shell/Scripting Processes Spawning Suspicious Programs
- Windows Subsystem for Linux (WSL) installation (command)
- Windows Suspicious Child Process from Node.js - React2Shell
- Windows traffic capture abuse
- Winlogon process contact to C2 - Blacklotus (Sysmon)
- Winnti Malware HK University Campaign
- Winnti Pipemon Characteristics
- Winrar Compressing Dump Files
- WinRAR Execution in Non-Standard Folder
- WinRM listening service reconnaissance (process)
- Winrs Local Command Execution
- WinRS usage for remote execution
- Winscp Execution From Non Standard Folder
- Wlrmdr.EXE Uncommon Argument Or Child Process
- WMI Backdoor Exchange Transport Agent
- WMI Persistence - Script Event Consumer
- WMI spwaning PowerShell process - WMImplant
- WMIC Remote Command Execution
- WmiPrvSE Spawned A Process
- Write Protect For Storage Disabled
- Writing Of Malicious Files To The Fonts Folder
- Wscript Shell Run In CommandLine
- WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
- WSL Child Process Anomaly
- WSL Kali-Linux Usage
- Wusa.EXE Executed By Parent Process Located In Suspicious Location
- XBAP Execution From Uncommon Locations Via PresentationHost.EXE
- XSL Script Execution Via WMIC.EXE
- Xwizard.EXE Execution From Non-Default Location
- ZxShell Malware
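Every Sigma title above keys on the same handful of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User). The following is an added example, written for this page and not taken from the Sigma, Elastic or Splunk repositories: it parses constructed Sysmon event XML and evaluates illustrative approximations of four of the listed rules ("Whoami.EXE Execution With Output Option", "Whoami.EXE Execution From Privileged Process", "Use NTFS Short Name in Command Line", "Windows Shell/Scripting Processes Spawning Suspicious Programs"). The match conditions are my own simplifications, not the upstream rule bodies, and all events, paths and user names are made up.

```python
"""Added example: Sysmon Event ID 1 fields feeding process-creation checks.
The four predicates approximate rule titles on this page; they are NOT the
upstream Sigma rule bodies. Sample events are constructed, not real telemetry."""
import re
from typing import Callable, Dict, List, Tuple
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def sysmon_event(event_id: int, image: str, cmdline: str, parent: str, user: str) -> str:
    """Build a minimal Sysmon record in the Windows event XML layout (constructed)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Sysmon"/>'
        f"<EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="Image">{escape(image)}</Data>'
        f'<Data Name="CommandLine">{escape(cmdline)}</Data>'
        f'<Data Name="ParentImage">{escape(parent)}</Data>'
        f'<Data Name="User">{escape(user)}</Data>'
        "</EventData></Event>"
    )


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten System/EventID plus the EventData Name/value pairs into one dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name", ""): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    return fields


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"certutil.exe", "bitsadmin.exe", "schtasks.exe", "regsvr32.exe", "nslookup.exe"}
# 8.3 short file name such as UPDATE~1.EXE anywhere in the command line (approximation)
SHORT_NAME = re.compile(r"\w+~\d+\.(?:exe|bat|cmd|msi|vbs|vbe|ps1)\b", re.IGNORECASE)


def whoami_with_output(e: Dict[str, str]) -> bool:
    # whoami output redirected to a file or formatted with /FO (approximation)
    return _basename(e["Image"]) == "whoami.exe" and re.search(
        r"\s>\s*\S|/fo\b", e["CommandLine"], re.IGNORECASE) is not None


def whoami_from_privileged(e: Dict[str, str]) -> bool:
    # whoami running as a built-in service identity (approximation, English locale only)
    return _basename(e["Image"]) == "whoami.exe" and e["User"].upper().endswith(
        ("\\SYSTEM", "\\LOCAL SERVICE", "\\NETWORK SERVICE"))


def short_name_in_cmdline(e: Dict[str, str]) -> bool:
    return SHORT_NAME.search(e["CommandLine"]) is not None


def shell_spawns_suspicious(e: Dict[str, str]) -> bool:
    return _basename(e["ParentImage"]) in SHELLS and _basename(e["Image"]) in SUSPICIOUS_CHILDREN


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "Whoami.EXE Execution With Output Option": whoami_with_output,
    "Whoami.EXE Execution From Privileged Process": whoami_from_privileged,
    "Use NTFS Short Name in Command Line": short_name_in_cmdline,
    "Windows Shell/Scripting Processes Spawning Suspicious Programs": shell_spawns_suspicious,
}


def evaluate(xml_events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule title, command line) for each rule firing on an Event ID 1 record."""
    hits: List[Tuple[str, str]] = []
    for raw in xml_events:
        ev = parse_event(raw)
        if ev["EventID"] != "1":  # the rules on this page key on process creation only
            continue
        for title, predicate in RULES.items():
            if predicate(ev):
                hits.append((title, ev["CommandLine"]))
    return hits


# Constructed sample records; the last one is Event ID 3 and must be ignored.
SAMPLE_EVENTS = [
    sysmon_event(1, r"C:\Windows\System32\whoami.exe", r"whoami /all > C:\Users\Public\w.txt",
                 r"C:\Windows\System32\cmd.exe", r"CORP\alice"),
    sysmon_event(1, r"C:\Windows\System32\whoami.exe", "whoami",
                 r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    sysmon_event(1, r"C:\Users\Public\UPDATE~1.EXE", r"C:\Users\Public\UPDATE~1.EXE /quiet",
                 r"C:\Windows\explorer.exe", r"CORP\alice"),
    sysmon_event(1, r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"CORP\alice"),
    sysmon_event(1, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt",
                 r"C:\Windows\explorer.exe", r"CORP\alice"),
    sysmon_event(3, r"C:\Windows\System32\whoami.exe", r"whoami /all > C:\tmp\x.txt",
                 r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for title, cmdline in evaluate(SAMPLE_EVENTS):
        print(f"[{title}] {cmdline}")
```

Two points the example makes concrete: rules are gated on EventID 1 before any string matching, so the same whoami redirection on an Event ID 3 record does not fire; and the "privileged process" check here matches only English account names, which is one reason the real rules match on substrings such as "AUTHORI" to cover localized SYSTEM names.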
Elastic (259)
- Accessing Outlook Data Files
- Account Discovery Command via SYSTEM Account
- Active Directory Discovery using AdExplorer
- Adding Hidden File Attribute via Attrib
- AdFind Command Activity
- Alternate Data Stream Creation/Execution at Volume Root Directory
- At.exe Command Lateral Movement
- Attempt to Establish VScode Remote Tunnel
- Attempt to Install or Run Kali Linux via WSL
- Attempted Private Key Access
- AWS SSM `SendCommand` with Run Shell Command Parameters
- Backup Deletion with Wbadmin
- Binary Content Copy via Cmd.exe
- Bitsadmin Activity
- Browser Process Spawned from an Unusual Parent
- Bypass UAC via Event Viewer
- Clearing Windows Console History
- Clearing Windows Event Logs
- Code Signing Policy Modification Through Built-in tools
- Command and Scripting Interpreter via Windows Scripts
- Command Execution via ForFiles
- Command Execution via SolarWinds Process
- Command Obfuscation via Unicode Modifier Letters
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Control Panel Process with Unusual Arguments
- Credential Acquisition via Registry Hive Dumping
- Delayed Execution via Ping
- Delete Volume USN Journal with Fsutil
- Disable Windows Event and Security Logs Using Built-in Tools
- Disable Windows Firewall Rules via Netsh
- Disabling Windows Defender Security Settings via PowerShell
- Enable Host Network Discovery via Netsh
- Encrypting Files with WinRar or 7z
- Enumerating Domain Trusts via DSQUERY.EXE
- Enumerating Domain Trusts via NLTEST.EXE
- Enumeration Command Spawned via WMIPrvSE
- Enumeration of Administrator Accounts
- Execution from a Removable Media with Network Connection
- Execution from Unusual Directory - Command Line
- Execution of a Downloaded Windows Script
- Execution of COM object via Xwizard
- Execution of File Written or Modified by Microsoft Office
- Execution of Persistent Suspicious Program
- Execution via Microsoft DotNet ClickOnce Host
- Execution via MS VisualStudio Pre/Post Build Events
- Execution via TSClient Mountpoint
- Execution via Windows Command Debugging Utility
- Execution via Windows Subsystem for Linux
- Exporting Exchange Mailbox via PowerShell
- File and Directory Permissions Modification
- File or Directory Deletion Command
- File with Right-to-Left Override Character (RTLO) Created/Executed
- First Time Seen Remote Monitoring and Management Tool
- Group Policy Discovery via Microsoft GPResult Utility
- Host File System Changes via Windows Subsystem for Linux
- IIS HTTP Logging Disabled
- ImageLoad via Windows Update Auto Update Client
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell
- Indirect Command Execution via Forfiles/Pcalua
- InstallUtil Activity
- InstallUtil Process Making Network Connections
- Local Scheduled Task Creation
- Microsoft Build Engine Started by a System Process
- Microsoft Build Engine Started by an Office Application
- Microsoft Build Engine Using an Alternate Name
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Worker Spawning Suspicious Processes
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- Microsoft Management Console File from Unusual Path
- Modification of Boot Configuration
- Mofcomp Activity
- Mounting Hidden or WebDav Remote Shares
- MsBuild Making Network Connections
- Mshta Making Network Connections
- MsiExec Service Child Process With Network Connection
- Multiple Remote Management Tool Vendors on Same Host
- NetSupport Manager Execution from an Unusual Path
- Network Connection via Compiled HTML File
- Network Connection via MsXsl
- Network Connection via Registration Utility
- Network Connection via Signed Binary
- New ActiveSyncAllowedDeviceID Added via PowerShell
- NTDS Dump via Wbadmin
- NTDS or SAM Database File Copied
- Parent Process PID Spoofing
- Peripheral Device Discovery
- Persistence via BITS Job Notify Cmdline
- Persistence via TelemetryController Scheduled Task Hijack
- Persistence via Update Orchestrator Service Hijack
- Persistence via WMI Event Subscription
- Potential Application Shimming via Sdbinst
- Potential Command and Control via Internet Explorer
- Potential Command Shell via NetCat
- Potential Credential Access via Trusted Developer Utility
- Potential Credential Access via Windows Utilities
- Potential CVE-2025-33053 Exploitation
- Potential Data Exfiltration via Rclone
- Potential Defense Evasion via CMSTP.exe
- Potential DLL Side-Loading via Trusted Microsoft Programs
- Potential DNS Tunneling via NsLookup
- Potential Escalation via Vulnerable MSI Repair
- Potential Evasion via Filter Manager
- Potential Execution via FileFix Phishing Attack
- Potential Exploitation of an Unquoted Service Path Vulnerability
- Potential Fake CAPTCHA Phishing Attack
- Potential File Download via a Headless Browser
- Potential File Transfer via Certreq
- Potential File Transfer via Curl for Windows
- Potential Foxmail Exploitation
- Potential Local NTLM Relay via HTTP
- Potential Masquerading as Browser Process
- Potential Masquerading as Business App Installer
- Potential Masquerading as Communication Apps
- Potential Masquerading as System32 Executable
- Potential Modification of Accessibility Binaries
- Potential Notepad Markdown RCE Exploitation
- Potential Privilege Escalation via InstallerFileTakeOver
- Potential Process Injection from Malicious Document
- Potential Protocol Tunneling via Cloudflared
- Potential Protocol Tunneling via Yuze
- Potential Remote Desktop Shadowing Activity
- Potential Remote Desktop Tunneling Detected
- Potential Remote File Execution via MSIEXEC
- Potential Remote Install via MsiExec
- Potential SAP NetWeaver Exploitation
- Potential SharpRDP Behavior
- Potential Veeam Credential Access Command
- Potential Windows Error Manager Masquerading
- Potential WSUS Abuse for Lateral Movement
- Privilege Escalation via Named Pipe Impersonation
- Privileges Elevation via Parent Process PID Spoofing
- Process Activity via Compiled HTML File
- Process Created with a Duplicated Token
- Process Created with an Elevated Token
- Process Creation via Secondary Logon
- Process Discovery Using Built-in Tools
- Process Execution from an Unusual Directory
- Program Files Directory Masquerading
- Proxy Execution via Console Window Host
- Proxy Execution via Windows OpenSSH
- PsExec Network Connection
- Remote Desktop Enabled in Windows Firewall by Netsh
- Remote Desktop File Opened from Suspicious Path
- Remote Execution via File Shares
- Remote File Copy to a Hidden Share
- Remote File Download via Desktopimgdownldr Utility
- Remote File Download via MpCmdRun
- Remote Management Access Launch After MSI Install
- Remote System Discovery Commands
- Remote XSL Script Execution via COM
- Remotely Started Services via RPC
- Renamed Automation Script Interpreter
- Renamed Utility Executed with Short Program Name
- ROT Encoded Python Script Execution
- ScreenConnect Server Spawning Suspicious Processes
- Script Execution via Microsoft HTML Application
- Searching for Saved Credentials via VaultCmd
- Security Software Discovery using WMIC
- Service Command Lateral Movement
- Service Control Spawned via Script Interpreter
- Service DACL Modification via sc.exe
- Signed Proxy Execution via MS Work Folders
- SMB Connections via LOLBin or Untrusted Process
- Startup Folder Persistence via Unsigned Process
- Suspicious .NET Code Compilation
- Suspicious CertUtil Commands
- Suspicious Cmd Execution via WMI
- Suspicious Command Prompt Network Connection
- Suspicious Communication App Child Process
- Suspicious Endpoint Security Parent Process
- Suspicious Execution from a Mounted Device
- Suspicious Execution from a WebDav Share
- Suspicious Execution from INET Cache
- Suspicious Execution from VS Code Extension
- Suspicious Execution via Microsoft Office Add-Ins
- Suspicious Execution via MSIEXEC
- Suspicious Execution via Scheduled Task
- Suspicious Execution via Windows Subsystem for Linux
- Suspicious Execution with NodeJS
- Suspicious Explorer Child Process
- Suspicious HTML File Creation
- Suspicious Instance Metadata Service (IMDS) API Command Line Execution
- Suspicious Inter-Process Communication via Outlook
- Suspicious JavaScript Execution via Deno
- Suspicious JetBrains TeamCity Child Process
- Suspicious Microsoft Antimalware Service Execution
- Suspicious Microsoft Diagnostics Wizard Execution
- Suspicious Microsoft HTML Application Child Process
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Suspicious Outlook Child Process
- Suspicious PDF Reader Child Process
- Suspicious Process Creation CallTrace
- Suspicious Process Execution via Renamed PsExec Executable
- Suspicious ScreenConnect Client Child Process
- Suspicious Shell Execution via Velociraptor
- Suspicious SolarWinds Child Process
- Suspicious Troubleshooting Pack Cabinet Execution
- Suspicious WerFault Child Process
- Suspicious Windows Command Shell Arguments
- Suspicious Windows Powershell Arguments
- Suspicious WMIC XSL Script Execution
- Suspicious Zoom Child Process
- Symbolic Link to Shadow Copy Created
- System File Ownership Change
- System Information Discovery via Windows Command Shell
- System Service Discovery through built-in Windows Utilities
- System Shells via Services
- System Time Discovery
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt via Windows Directory Masquerading
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- UAC Bypass via ICMLuaUtil Elevated COM Interface
- UAC Bypass via Windows Firewall Snap-In Hijack
- Unusual Child Process from a System Virtual Process
- Unusual Child Process of dns.exe
- Unusual Child Processes of RunDLL32
- Unusual Execution via Microsoft Common Console File
- Unusual Network Activity from a Windows System Binary
- Unusual Network Connection via DllHost
- Unusual Network Connection via RunDLL32
- Unusual Parent Process for cmd.exe
- Unusual Parent-Child Relationship
- Unusual Print Spooler Child Process
- Unusual Process Execution on WBEM Path
- Unusual Process Execution Path - Alternate Data Stream
- Unusual Process Extension
- Unusual Process For MSSQL Service Accounts
- Unusual Process Network Connection
- Unusual Service Host Child Process - Childless Service
- User Account Creation
- Veeam Backup Library Loaded by Unusual Process
- Volume Shadow Copy Deleted or Resized via VssAdmin
- Volume Shadow Copy Deletion via PowerShell
- Volume Shadow Copy Deletion via WMIC
- Whoami Process Activity
- Windows Account or Group Discovery
- Windows Defender Exclusions Added via PowerShell
- Windows Firewall Disabled via PowerShell
- Windows Installer with Suspicious Properties
- Windows Network Enumeration
- Windows Sandbox with Sensitive Configuration
- Windows Script Executing PowerShell
- Windows Script Execution from Archive
- Windows Script Interpreter Executing Process via WMI
- Windows Server Update Service Spawning Suspicious Processes
- Windows Subsystem for Linux Enabled via Dism Utility
- Windows System Information Discovery
- Wireless Credential Dumping using Netsh Command
- WMI Incoming Lateral Movement
- WMI WBEMTEST Utility Execution
- WMIC Remote Command
Splunk (826)
- .msc Executed from Unusual Location (Sysmon)
- 3CXDesktopApp.exe Execution (EDR)
- 3CXDesktopApp.exe Execution (Sysmon)
- 7zip CommandLine To SMB Share Path
- Abuse EQNEDT32.EXE (EDR)
- Abuse EQNEDT32.EXE (Sysmon)
- Access Common Package Config file (EDR)
- Access Common Package Config file (Sysmon)
- Account set to active via Net.exe (EDR)
- Account set to active via Net.exe (Sysmon)
- Add or Set Windows Defender Exclusion
- ADExplorer Execution (Sysmon)
- ADExplorer Snapshot Creation (Sysmon)
- Adfind Commands (Sysmon)
- Adfind Execution (EDR)
- Adfind Execution (Sysmon)
- Advanced IP or Port Scanner Execution
- Advanced IP Scanner Execution (Sysmon)
- Advanced Port Scanner Execution (Sysmon)
- Allow File And Printing Sharing In Firewall
- Allow Network Discovery In Firewall
- Anomalous usage of 7zip
- AnyDesk Command Line Execution (Sysmon)
- AnyDesk Execution from Suspicious Folder (Sysmon)
- AnyDesk Silent Install (Sysmon)
- Application Discovery - Windows (Sysmon)
- ATBroker.exe Execution (Sysmon)
- Attacker Tools On Endpoint
- Attempted Veeam Database Credential Dump (Sysmon)
- Attrib.exe Metasploit File Dropper (EDR)
- Attrib.exe Metasploit File Dropper (Sysmon)
- AutoHotkey Execution (Sysmon)
- AutoIt Execution (Sysmon)
- Bash -c Execution - Windows (Sysmon)
- Bcdedit Command Back To Normal Mode Boot
- BCDEdit Failure Recovery Modification
- BITS Job Persistence
- BITSAdmin Download File
- BITSadmin Execution (Sysmon)
- BitsAdmin NetCat PowerCat File Transfer (EDR)
- BitsAdmin NetCat PowerCat File Transfer (Sysmon)
- Browser Started with Remote Debugging - Windows (Sysmon)
- CDB Execution (Sysmon)
- Certificate Abuse - Windows (Sysmon)
- Certutil De-Obfuscate_Decode Files (Sysmon)
- Certutil exe certificate extraction
- Certutil Execution (Sysmon)
- Certutil File Download (Sysmon)
- Certutil Obfuscate_Encode Files (EDR)
- Certutil Obfuscate_Encode Files (Sysmon)
- CertUtil With Decode Argument
- Change To Safe Mode With Network Config
- Check Elevated CMD using whoami
- Child Processes of Spoolsv exe
- Cipher.exe Execution (Sysmon)
- Clear Unallocated Sector Using Cipher App
- Clop Common Exec Parameter
- CMD Carry Out String Command Parameter
- CMD Echo Pipe - Escalation
- CMD execution with _c (Sysmon)
- Cmstp Execution (Sysmon)
- Command Line .cmd Execution (Sysmon)
- Command Line Homoglyphs - Windows (Sysmon)
- Command Line lsass request (Sysmon)
- Command Line Spawned by Archive Utility - Windows (Sysmon)
- Command Line Utility Added to Accessibility Features (Sysmon)
- Command-Line Interface Execution (Sysmon)
- Common Active Directory Commands (Sysmon)
- Common Recon Commands in Short Burst (Sysmon)
- Common Reconnaissance Commands (Sysmon)
- ComputerDefaults UAC Bypass (Sysmon)
- comsvcs.dll Lsass Memory Dump (Sysmon)
- Conhost.exe Kernel call (Sysmon)
- Consent.exe Suspicious Child Process (Sysmon)
- ConsentPromptBehaviorAdmin Registry Value Modified (Sysmon)
- Conti Common Exec parameter
- Control Loading from World Writable Directory
- Control Panel Abuse (Sysmon)
- Control_RunDLL Call from Command Line (Sysmon)
- Create or delete windows shares using net exe
- Create_Add Local_Domain User (EDR)
- Create_Add Local_Domain User (Sysmon)
- Create_Modify Schtasks (Sysmon)
- Creation of Shadow Copy
- Creation of Shadow Copy with wmic and powershell
- Credential Dumping via Copy Command from Shadow Copy
- Credential Dumping via Symlink to Shadow Copy
- CSC Execution (EDR)
- CSC Net On The Fly Compilation
- CSVDE Export Active Directory (Sysmon)
- Curl Execution with Percent Encoded URL
- CVE-2022-30190: Microsoft Office Code Execution Vulnerability (EDR)
- CVE-2022-30190: Microsoft Office Code Execution Vulnerability (Sysmon)
- Data Exfiltration via AWS CLI - Windows (Sysmon)
- Data Staged to File (Sysmon)
- Defender Registry Values Modified (Sysmon)
- Deleting Shadow Copies
- Detect AzureHound Command-Line Arguments
- Detect Certify Command Line Arguments
- Detect HTML Help Renamed
- Detect HTML Help Spawn Child Process
- Detect HTML Help URL in Command Line
- Detect HTML Help Using InfoTech Storage Handlers
- Detect mshta inline hta execution
- Detect mshta renamed
- Detect MSHTA Url in Command Line
- Detect Outlook exe writing a zip file
- Detect Path Interception By Creation Of program exe
- Detect Prohibited Applications Spawning cmd exe
- Detect PsExec With accepteula Flag
- Detect Rare Executables
- Detect RClone Command-Line Usage
- Detect Regasm Spawning a Process
- Detect Regasm with no Command Line Arguments
- Detect Regsvcs Spawning a Process
- Detect Regsvcs with No Command Line Arguments
- Detect Regsvr32 Application Control Bypass
- Detect Remote Access Software Usage FileInfo
- Detect Remote Access Software Usage Process
- Detect Renamed 7-Zip
- Detect Renamed PSExec
- Detect Renamed RClone
- Detect Renamed WinRAR
- Detect RTLO In Process
- Detect Rundll32 Inline HTA Execution
- Detect SharpHound Command-Line Arguments
- Detect SharpHound Usage
- Detect Use of cmd exe to Launch Script Interpreters
- Detection of tools built by NirSoft
- Disable Logs Using WevtUtil
- Disable Schedule Task
- Disabling Firewall with Netsh
- Discovery using CHCP (Sysmon)
- DLL Called with RS32 (Sysmon)
- DLL Called with Uncommon Function (Sysmon)
- DLL Concatenation (Sysmon)
- DLL Execution from Uncommon Process (Sysmon)
- DLLHost with no Command Line Arguments with Network
- DLLRegisterServer Called from Command Line (Sysmon)
- DNS Exfiltration Using Nslookup App
- Domain Account Discovery with Dsquery
- Domain Account Discovery with Wmic
- Domain Controller Discovery with Nltest
- Domain Controller Discovery with Wmic
- Domain Controller Enumeration via nltest (Sysmon)
- Domain Group Discovery With Dsquery
- Domain Group Discovery With Wmic
- DSQuery Domain Discovery
- Dump File Identified (Sysmon)
- Dump LSASS via comsvcs DLL
- Dump LSASS via procdump
- Elevated Group Discovery With Wmic
- EnableLUA Registry Value Modified (Sysmon)
- Encoded Powershell Command (Sysmon)
- Esentutl Execution (Sysmon)
- Esentutl SAM Copy
- Esentutl.exe Collecting Browser Data (Sysmon)
- Event Logs Queried for RDP Sessions (Sysmon)
- Excessive Attempt To Disable Services
- Excessive distinct processes from Windows Temp
- Excessive number of service control start as disabled
- Excessive number of taskhost processes
- Excessive Usage Of Cacls App
- Excessive Usage of NSLOOKUP App
- Excessive Usage Of SC Service Utility
- Excessive Usage Of Taskkill
- Executable Create Script Process (Sysmon)
- Executable Process from Suspicious Folder (Sysmon)
- Execute Javascript With Jscript COM CLSID
- Execution from Startup Folder (Sysmon)
- Execution of File with Multiple Extensions
- Exfiltration via curl.exe - Windows (Sysmon)
- Expand.exe Execution (Sysmon)
- Explorer Child Process with Suspicious Command Line Padding (Sysmon)
- File and Directory Discovery Output to File - Windows (Sysmon)
- File Download or Read to Pipe Execution
- File Executed from INetCache (Sysmon)
- File_Folder Hidden - Windows (Sysmon)
- Finger Execution (Sysmon)
- Firewall Allowed Program Enable
- First Time Seen Child Process of Zoom
- FodHelper UAC Bypass
- FScan.exe Network Scan (Sysmon)
- Fsutil fsinfo execution (EDR)
- Fsutil Zeroing File
- Full Control Permissions Granted to Everyone - Windows (Sysmon)
- Get ADDefaultDomainPasswordPolicy with Powershell
- Get ADUser with PowerShell
- Get ADUserResultantPasswordPolicy with Powershell
- Get DomainPolicy with Powershell
- Get DomainUser with PowerShell
- Get WMIObject Group Discovery
- Get-DomainTrust with PowerShell
- Get-ForestTrust with PowerShell
- GetAdComputer with PowerShell
- GetAdGroup with PowerShell
- GetCurrent User with PowerShell
- GetDomainComputer with PowerShell
- GetDomainController with PowerShell
- GetDomainGroup with PowerShell
- GetLocalUser with PowerShell
- GetNetTcpconnection with PowerShell
- GetWmiObject Ds Computer with PowerShell
- GetWmiObject Ds Group with PowerShell
- GetWmiObject DS User with PowerShell
- GetWmiObject User Account with PowerShell
- Git Hooks Spawn System32 Process (Sysmon)
- Git Spawns System32 Process (Sysmon)
- Git Submodule Cloned - Windows (Sysmon)
- Go Run Execution (Sysmon)
- GPUpdate with no Command Line Arguments with Network
- Group Policy Editor Execution (Sysmon)
- Headless Browser Mockbin or Mocky Request
- Headless Browser Usage
- hh.exe Execution (Sysmon)
- hh.exe Remote File Execution (Sysmon)
- Hidden User Created - Windows (Sysmon)
- Hiding Files And Directories With Attrib exe
- Hunting 3CXDesktopApp Software
- Icacls Deny Command
- ICACLS Grant Command
- IcedID Discovery Commands (EDR)
- IcedID Discovery Commands (Sysmon)
- Impacket atexec.py Execution (Sysmon)
- Impacket Lateral Movement Activity (Sysmon)
- Impacket Lateral Movement Commandline Parameters
- Impacket Lateral Movement smbexec CommandLine Parameters
- Impacket Lateral Movement WMIExec Commandline Parameters
- Indirect Command Execution (Sysmon)
- Invoke-DCOM.ps1 - PowerShell (Sysmon)
- Invoke-Expression Command (Sysmon)
- Invoke-WebRequest Command (Sysmon)
- Jscript Execution Using Cscript App
- Known Process Injection Commands (Sysmon)
- Live Sysinternals Execution (Sysmon)
- Local Account Discovery With Wmic
- LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon)
- Locate Credentials (Sysmon)
- Logon Script Registry Key added (EDR)
- Logon Script Registry Key added (Sysmon)
- MacOS - Re-opened Applications
- Malicious Document Execution (Sysmon)
- Malicious PowerShell Process - Encoded Command
- Malicious PowerShell Process - Execution Policy Bypass
- Malicious PowerShell Process With Obfuscation Techniques
- masscan Execution - Windows (Sysmon)
- Mavinject Execution (EDR)
- Mavinject Execution (Sysmon)
- Mega Utility Execution - Windows (Sysmon)
- Microsoft Build Engine Suspicious Parent Process (Sysmon)
- Microsoft Diagnostic Tool "DogWalk" Package Path Traversal (EDR)
- Microsoft Diagnostic Tool "DogWalk" Package Path Traversal (Sysmon)
- Microsoft SQL Server Suspicious Child Process - Windows (Sysmon)
- Mimikatz (Sysmon)
- Mimikatz PassTheTicket CommandLine Parameters
- Mmc LOLBAS Execution Process Spawn
- Mock System Directory - Windows (Sysmon)
- Modify ACL permission To Files Or Folder
- Modify Windows Defender (EDR)
- Modify Windows Defender (Sysmon)
- MS Exchange Mailbox Replication service writing Active Server Pages
- MSBuild Suspicious Spawned By Script Process
- Mshta spawning Rundll32 OR Regsvr32 Process
- MSHTA.exe execution (Sysmon)
- mshta.exe File Download (Sysmon)
- MSI Installation via Appcert (Sysmon)
- Msiexec Abuse (Sysmon)
- MSIExec Install MSI File (Sysmon)
- MSIExec.exe Execution (Sysmon)
- MSTSC Execution (EDR)
- Msxsl Execution (EDR)
- Msxsl Execution (Sysmon)
- MultiDump.exe Execution (Sysmon)
- Multiple nslookup commands (Sysmon)
- Native Archive Commands (Sysmon)
- Net.exe Use with URL (Sysmon)
- Network Connection Discovery With Arp
- Network Connection Discovery With Netstat
- Network Discovery Using Route Windows App
- ngen.exe File Download (Sysmon)
- ngrok Execution - Windows (Sysmon)
- NirCmd Execution (Sysmon)
- Nishang PowershellTCPOneLine
- NLTest Domain Trust Discovery
- NMAP Execution (EDR)
- Notepad with no Command Line Arguments
- ntds.dit Access from Unexpected Location (Sysmon)
- ntds.dit Command Line (Sysmon)
- Ntdsutil Export NTDS
- NTDSUtil.exe execution (Sysmon)
- Office Spawns Suspicious Child Process (Sysmon)
- Outbound Network Connection from Java Using Default Ports
- Package installation (Sysmon)
- Parent in Public Folder Suspicious Process (Sysmon)
- Permission Groups Discovery: Domain Groups (Sysmon)
- Permission Groups Discovery: Local Groups (Sysmon)
- Permission Modification using Takeown App
- Permissions Replaced by icacls - Windows (Sysmon)
- Ping Sleep Batch Command
- Possible Browser Pass View Parameter
- Possible Lateral Movement PowerShell Spawn
- Potential AutoHotkey .ahk Execution (Sysmon)
- Potential Cryptomining Commands (Sysmon)
- Potential CVE-2023-23397 (EDR)
- Potential CVE-2023-23397 (Sysmon)
- Potential Executable Masquerading as Document - Windows (Sysmon)
- Potential fodhelper UAC Bypass Attempt (Sysmon)
- Potential PowerShell Post-Exploitation Activity (Sysmon)
- Potential Proxy Malware via AutoRun Key (Sysmon)
- Potential Sysinternals Tool Execution (Sysmon)
- Potential System Network Configuration Discovery Activity
- Potential Telegram API Request Via CommandLine
- PowerHuntShares Commands (Sysmon)
- PowerShell - Connect To Internet With Hidden Window
- PowerShell CreateDecryptor (Sysmon)
- Powershell Disable Security Monitoring
- PowerShell DownloadFile_DownloadString (Sysmon)
- PowerShell Get LocalGroup Discovery
- PowerShell Modifying Registry Values (Sysmon)
- PowerShell Start-BitsTransfer
- PowerShell XML Retrieval (Sysmon)
- Prevent Automatic Repair Mode using Bcdedit
- ProcDump Credential Harvest (Sysmon)
- Process Creation Using Sysnative Folder (Sysmon)
- Process Deleting Its Process File Path
- Process Executed from Downloads Folder - Windows (Sysmon)
- Process Executed with Null Command Line (Sysmon)
- Process Execution From Suspicious Folder (Sysmon)
- Process Execution via WMI
- Process Kill Base On File Path
- PromptOnSecureDesktop Registry Value Modified (Sysmon)
- ProtocolHandler.exe File Download (Sysmon)
- Proxy Execution via Appcert (Sysmon)
- PuTTY Secure Copy Client Execution (Sysmon)
- QEMU Network Tunneling - Windows (Sysmon)
- Radmin execution (EDR)
- Radmin execution (Sysmon)
- Rare executable from Microsoft Office (Sysmon)
- Rare Process Execution (Sysmon)
- Rclone Execution (Sysmon)
- RDP Enabled (Sysmon)
- RDP File Executed from Outlook Temp Directory (Sysmon)
- RdrLeakDiag.exe Memory Dump (Sysmon)
- Read-Only Attribute Removed - Windows (Sysmon)
- Recursive Delete of Directory In Batch CMD
- Reg exe Manipulating Windows Services Registry Keys
- Reg.exe Process Execution (Sysmon)
- Regini.exe Execution (Sysmon)
- Registry key added with reg.exe (Sysmon)
- regsvr32 Execution (Sysmon)
- regsvr32 Referencing Unusual Paths (Sysmon)
- Regsvr32 Silent and Install Param Dll Loading
- Regsvr32 with Known Silent Switch Cmdline
- Remote .msi Installation (Sysmon)
- Remote .msi Installation (Sysmon)
- Remote Access Software Execution (Sysmon)
- Remote Admin Tools (EDR)
- Remote Admin Tools (Sysmon)
- Remote Desktop Process Running On System
- Remote Process Instantiation via DCOM and PowerShell
- Remote Process Instantiation via WinRM and PowerShell
- Remote Process Instantiation via WinRM and Winrs
- Remote Process Instantiation via WMI
- Remote Process Instantiation via WMI and PowerShell
- Remote Share Directory Listing - Windows (Sysmon)
- Remote System Discovery with Dsquery
- Remote System Discovery with Wmic
- Remote WMI Command Attempt
- Renamed Process (Sysmon)
- Resize ShadowStorage volume
- Revil Common Exec Parameter
- Rubeus Command Line Parameters
- Rubeus Commands (Sysmon)
- Runas Execution in CommandLine
- RunDLL Loading DLL By Ordinal
- Rundll32 Command Line (Sysmon)
- Rundll32 Control RunDLL Hunt
- Rundll32 Control RunDLL World Writable Directory
- Rundll32 LockWorkStation
- Rundll32 Shimcache Flush
- Rundll32 Spawned by Disk Cleanup (Sysmon)
- Rundll32 Suspicious Command Line (Sysmon)
- rundll32 Suspicious Parent Process (Sysmon)
- Rundll32 with no Command Line Arguments with Network
- rundll32 with No DLL in Command Line (Sysmon)
- Rundll32.exe as Parent Process (Sysmon)
- rundll32.exe Executing DLL from Non-standard Directory (Sysmon)
- Ryuk Wake on LAN Command
- Scheduled Task Creation on Remote Endpoint using At
- Scheduled Task Deleted Or Created via CMD
- Scheduled Task Initiation on Remote Endpoint
- Scheduled Task with Potential SSH Tunnel - Windows (Sysmon)
- Schtasks Run Task On Demand
- Schtasks scheduling job on remote system
- Schtasks used for forcing a reboot
- Script Execution via WMI
- Sdelete Application Execution
- SearchProtocolHost with no Command Line with Network
- SecretDumps Offline NTDS Dumping Tool
- Security Software Discovery via Findstr.exe (Sysmon)
- Security Software Discovery via WMI (Sysmon)
- Service Stop Commands (Sysmon)
- ServicePrincipalNames Discovery with SetSPN
- Services Escalate Exe
- Services LOLBAS Execution Process Spawn
- Shim Database Installation With Suspicious Parameters
- SimpleHelp Remote Access Tool Execution (Sysmon)
- Single Letter Process On Endpoint
- Sliver C2 Implant Activity Pattern (Sysmon)
- SLUI RunAs Elevated
- SLUI Spawning a Process
- SoftPerfect Network Scanner Execution (Sysmon)
- Spoolsv Spawning Rundll32
- Spoolsv Writing a DLL
- ssh.exe Execution (Sysmon)
- Suspicious AteraAgent Installation - Windows (Sysmon)
- Suspicious Child Process for hh.exe (Sysmon)
- Suspicious Child Process for lsass.exe (Sysmon)
- Suspicious Child Process for mshta.exe (Sysmon)
- Suspicious ComputerDefaults.exe Execution (Sysmon)
- Suspicious Confluence Child Process - Windows (Sysmon)
- Suspicious Conhost.exe Commands (Sysmon)
- Suspicious Copy on System32
- Suspicious csc.exe Source File Folder (Sysmon)
- Suspicious Curl Network Connection
- Suspicious DLLhost Execution (EDR)
- Suspicious DLLHost no Command Line Arguments
- Suspicious Executable by CMD.exe (Sysmon)
- Suspicious Executable by Powershell (EDR)
- Suspicious Executable by Powershell (Sysmon)
- Suspicious Execution of Accessibility Tool Debuggers (Sysmon)
- Suspicious Execution via Microsoft Common Console (Sysmon)
- Suspicious GPUpdate no Command Line Arguments
- Suspicious IcedID Rundll32 Cmdline
- Suspicious Image Creation In Appdata Folder
- Suspicious InprocServer32 Registry Modification (Sysmon)
- Suspicious microsoft workflow compiler rename
- Suspicious microsoft workflow compiler usage
- Suspicious msbuild path
- Suspicious MSBuild Rename
- Suspicious MSBuild Spawn
- Suspicious mshta child process
- Suspicious mshta spawn
- Suspicious ntds.dit Commands (Sysmon)
- Suspicious Parent Process for lsass.exe or services.exe (Sysmon)
- Suspicious Parent Process for msiexec.exe (Sysmon)
- Suspicious Parent Process for spoolsv.exe (Sysmon)
- Suspicious PlistBuddy Usage
- Suspicious PowerShell Clipboard Activity (Sysmon)
- Suspicious PowerShell Parameter Substring (Sysmon)
- Suspicious Process Executed From Container File
- Suspicious reCAPTCHA Command Line (Sysmon)
- Suspicious Reg exe Process
- Suspicious Regsvr32 Register Suspicious Path
- Suspicious Rundll32 dllregisterserver
- Suspicious Rundll32 no Command Line Arguments
- Suspicious Rundll32 PluginInit
- Suspicious Rundll32 StartW
- Suspicious Scheduled Task from Public Directory
- Suspicious SearchProtocolHost no Command Line Arguments
- Suspicious SQLite3 LSQuarantine Behavior
- Suspicious WAV file in Appdata Folder
- Suspicious wevtutil Usage
- Suspicious writes to windows Recycle Bin
- Svchost LOLBAS Execution Process Spawn
- System Enumeration with WMIC (Sysmon)
- System Info Gathering Using Dxdiag Application
- System Information Discovery - Windows (Sysmon)
- System Information Discovery Detection
- System Network Connections Discovery - Windows (Sysmon)
- System Owner_User Discovery - Windows (Sysmon)
- System Processes Run From Unexpected Locations
- System User Discovery With Query
- System User Discovery With Whoami
- Temporary File Executed from Public Folder (Sysmon)
- Tunneling Process Created (Sysmon)
- Uninstall App Using MsiExec
- Unknown Process Using The Kerberos Protocol
- Unload Sysmon Filter Driver
- Unusual AppCert Child Process (Sysmon)
- Unusual svchost Child Process (Sysmon)
- Unusual winlogon.exe Child Process (Sysmon)
- Unusually Long Command Line
- User Discovery With Env Vars PowerShell
- User_Domain Enumeration Tool - Windows (Sysmon)
- USN Journal Deletion
- Vbscript Execution Using Wscript App
- Verclsid CLSID Execution
- Visio.exe File Download (Sysmon)
- Visual Studio Code Tunnel Execution (Sysmon)
- WBAdmin Delete System Backups
- WDigest Forced Credential Caching (Sysmon)
- Web or Application Server Spawning a Shell
- Web Servers Executing Suspicious Processes
- WebDAV LNK Execution (Sysmon)
- WebLogic CVE-2017-10271 (Sysmon)
- Wermgr Process Spawned CMD Or Powershell Process
- Windows Account Access Removal via Logoff Exec
- Windows AdFind Exe
- Windows Admin$ Share Access (Sysmon)
- Windows Advanced Installer MSIX with AI_STUBS Execution
- Windows Alternate DataStream - Process Execution
- Windows Apache Benchmark Binary
- Windows AppCertDLL Modification Via Command Line
- Windows Application Whitelisting Bypass Attempt via Rundll32
- Windows Archive Collected Data via Rar
- Windows Attempt To Stop Security Service
- Windows Audit Policy Auditing Option Disabled via Auditpol
- Windows Audit Policy Cleared via Auditpol
- Windows Audit Policy Disabled via Auditpol
- Windows Audit Policy Disabled via Legacy Auditpol
- Windows Audit Policy Excluded Category via Auditpol
- Windows Audit Policy Restored via Auditpol
- Windows Audit Policy Security Descriptor Tampering via Auditpol
- Windows AutoIt3 Execution
- Windows Azure Storage Utility Execution Via CLI
- Windows Binary Execution from an Archive
- Windows Binary Proxy Execution Mavinject DLL Injection
- Windows BitLocker Suspicious Command Usage
- Windows BitLockerToGo Process Execution
- Windows Browser Process Launched with Unusual Flags
- Windows Bypass UAC via Pkgmgr Tool
- Windows C$ Share Access (EDR)
- Windows C$ Share Access (Sysmon)
- Windows Cabinet File Extraction Via Expand
- Windows Cached Domain Credentials Reg Query
- Windows Certutil Root Certificate Addition
- Windows Change File Association Command To Notepad
- Windows Chrome Enable Extension Loading via Command-Line
- Windows Chromium Browser Launched with Small Window Size
- Windows Chromium Browser No Security Sandbox Process
- Windows Chromium Browser with Custom User Data Directory
- Windows Chromium process Launched with Disable Popup Blocking
- Windows Chromium Process Launched with Logging Disabled
- Windows Chromium Process Loaded Extension via Command-Line
- Windows Chromium Process with Disabled Extensions
- Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
- Windows Cisco Secure Endpoint Unblock File Via Sfc
- Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
- Windows Cmdline Tool Execution From Non-Shell Process
- Windows COM Hijacking InprocServer32 Modification
- Windows Command and Scripting Interpreter Hunting Path Traversal
- Windows Command and Scripting Interpreter Path Traversal Exec
- Windows Command Obfuscation with Environment Variable Substrings
- Windows Command Shell DCRat ForkBomb Payload
- Windows Compatibility Telemetry Suspicious Child Process
- Windows ComputerDefaults Spawning a Process
- Windows ConHost with Headless Argument
- Windows Copy Files (Sysmon)
- Windows Create Local Administrator Account Via Net
- Windows Credential Dumping LSASS Memory Createdump
- Windows Credential Target Information Structure in Commandline
- Windows Credentials from Password Stores Creation
- Windows Credentials from Password Stores Deletion
- Windows Credentials from Password Stores Query
- Windows Credentials in Registry Reg Query
- Windows Crowdstrike RTR Script Execution
- Windows Curl Download to Suspicious Path
- Windows Curl Upload to Remote Destination
- Windows Debugger Tool Execution
- Windows Defacement Modify Transcodedwallpaper File
- Windows Default Group Policy Object Modified with GPME
- Windows Default RDP File Creation By Non MSTSC Process
- Windows Default Rdp File Unhidden
- Windows Defender ASR or Threat Configuration Tamper
- Windows Defender Disabled Detection (EDR)
- Windows Delete or Modify System Firewall
- Windows Deleted Registry By A Non Critical Process File Path
- Windows Devtunnels Execution
- Windows Disable Internet Explorer Addons
- Windows Disable or Modify Tools Via Taskkill
- Windows Disable or Stop Browser Process
- Windows Disable Windows Event Logging Disable HTTP Logging
- Windows DiskCryptor Usage
- Windows Diskshadow Proxy Execution
- Windows DISM Install PowerShell Web Access
- Windows DISM Remove Defender
- Windows DLL Search Order Hijacking with iscsicpl
- Windows DLL Side-Loading Process Child Of Calc
- Windows DNS Gather Network Info
- Windows DotNet Binary in Non Standard Path
- Windows EDRSilencer Execution
- Windows EFI Volume Mount Attempt Via Mountvol
- Windows Entra User Management Via Azure CLI
- Windows ESX Admins Group Creation via Net
- Windows Eventlog Cleared Via Wevtutil
- Windows EventLog Recon Activity Using Log Query Utilities
- Windows Excel Spawning Microsoft Project Application
- Windows Excessive Service Stop Attempt
- Windows Excessive Usage Of Net App
- Windows Execute Arbitrary Commands with MSDT
- Windows Execution of Microsoft MSC File In Suspicious Path
- Windows Explorer LNK Exploit Process Launch With Padding
- Windows Explorer.exe Spawning PowerShell or Cmd
- Windows File and Directory Enable ReadOnly Permissions
- Windows File and Directory Permissions Enable Inheritance
- Windows File and Directory Permissions Remove Inheritance
- Windows File Association Modification via Ftype
- Windows File Collection Via Copy Utilities
- Windows File Download Via CertUtil
- Windows File Download Via PowerShell
- Windows Files and Dirs Access Rights Modification Via Icacls
- Windows Findstr GPP Discovery
- Windows Firewall Disabled (Sysmon)
- Windows FTP Exfiltration (Sysmon)
- Windows Gdrive Binary Activity
- Windows Get-Variable.EXE Execution from WindowsApps Folder
- Windows Global Object Access Audit List Cleared Via Auditpol
- Windows Group Discovery Via Net
- Windows Guest Account Enabled Via Net.EXE
- Windows HTTP Network Communication From MSIExec
- Windows Identify Protocol Handlers
- Windows IIS Components Add New Module
- Windows Impair Defense Add Xml Applocker Rules
- Windows Indicator Removal Via Rmdir
- Windows Indirect Command Execution Via forfiles
- Windows Indirect Command Execution Via pcalua
- Windows Indirect Command Execution Via Series Of Forfiles
- Windows Information Discovery Fsutil
- Windows Ingress Tool Transfer Using Explorer
- Windows InstallUtil in Non Standard Path
- Windows InstallUtil Remote Network Connection
- Windows InstallUtil Uninstall Option
- Windows InstallUtil URL in Command Line
- Windows IOBit Unlocker Extension DLL Registration via Regsvr32
- Windows IPC$ Share Access (Sysmon)
- Windows Ldifde Directory Object Behavior
- Windows List ENV Variables Via SET Command From Uncommon Parent
- Windows Local LLM Framework Execution
- Windows LOLBAS Executed As Renamed File
- Windows LOLBAS Executed Outside Expected Path
- Windows Masquerading Explorer As Child Process
- Windows Masquerading Msdtc Process
- Windows Metasploit Confluence Plugin Execution
- Windows Mimikatz Binary Execution
- Windows Modify Registry Qakbot Binary Data Registry
- Windows Modify Registry Regedit Silent Reg Import
- Windows Modify System Firewall with Notable Process Path
- Windows MOF Event Triggered Execution via WMI
- Windows MpCmdRun RemoveDefinitions Execution
- Windows MSC EvilTwin Directory Path Manipulation
- Windows MSIExec DLLRegisterServer
- Windows MsiExec HideWindow Rundll32 Execution
- Windows MSIExec Remote Download
- Windows MSIExec Spawn Discovery Command
- Windows MSIExec Spawn WinDBG
- Windows MSIExec Unregister DLLRegisterServer
- Windows MSTSC RDP Commandline
- Windows Mustang Panda USB Tool Execution
- Windows Net System Service Discovery
- Windows Netspy Network Scanner Execution
- Windows Network Connection Discovery Via Net
- Windows Network Share Interaction Via Net
- Windows New Deny Permission Set On Service SD Via Sc.EXE
- Windows New Service Security Descriptor Set Via Sc.EXE
- Windows Ngrok Reverse Proxy Usage
- Windows NirSoft AdvancedRun
- Windows NirSoft Utilities
- Windows NorthStar C2 Agent Execution
- Windows Odbcconf Hunting
- Windows Odbcconf Load DLL
- Windows Odbcconf Load Response File
- Windows Office Product Dropped Cab or Inf File
- Windows Office Product Dropped Uncommon File
- Windows Office Product Spawned Child Process For Download
- Windows Office Product Spawned Control
- Windows Office Product Spawned MSDT
- Windows Office Product Spawned Rundll32 With No DLL
- Windows Office Product Spawned Uncommon Process
- Windows OneDrive Share Mounted via Net
- Windows PaperCut NG Spawn Shell
- Windows Parent PID Spoofing with Explorer
- Windows Password Managers Discovery
- Windows Password Policy Discovery with Net
- Windows Phishing Outlook Drop Dll In FORM Dir
- Windows Phishing PDF File Executes URL Link
- Windows Potato Privilege Escalation Tool Execution
- Windows Potential Cloudflared Tunnel Execution
- Windows PowerShell FakeCAPTCHA Clipboard Execution
- Windows PowerShell Process Implementing Manual Base64 Decoder
- Windows PowerShell Process With Malicious String
- Windows Powershell RemoteSigned File
- Windows PowerShell Script From WindowsApps Directory
- Windows PowGoop Beacon Decoding
- Windows Private Keys Discovery
- Windows Privilege Escalation Attempt Via MSI Rollback
- Windows Privilege Escalation Suspicious Process Elevation
- Windows Privilege Escalation System Process Without System Parent
- Windows Privilege Escalation User Process Spawn System Process
- Windows Process Commandline Discovery
- Windows Process Copied from System Folder (Sysmon)
- Windows Process Executed From Removable Media
- Windows Process Execution From ProgramData
- Windows Process Execution From RDP Share
- Windows Process Execution in Temp Dir
- Windows Process Injection In Non-Service SearchIndexer
- Windows Process Injection Wermgr Child Process
- Windows Process Outside of System Folder (Sysmon)
- Windows Process With NamedPipe CommandLine
- Windows Process With NetExec Command Line Parameters
- Windows Protocol Tunneling with Plink
- Windows Proxy Execution of .NET Utilities via Scripts
- Windows Proxy Via Netsh
- Windows PsTools Recon Usage
- Windows PuTTY Suite Utility Execution
- Windows Raccine Scheduled Task Deletion
- Windows Rasautou DLL Execution
- Windows RDP Client Launched with Admin Session
- Windows RDP File Execution
- Windows Registry Entries Exported Via Reg
- Windows Registry Entries Restored Via Reg
- Windows Regsvr32 Renamed Binary
- Windows Remote Assistance Spawning Process
- Windows Remote Create Service
- Windows Remote Host Computer Management Access
- Windows Remote Management Execute Shell
- Windows Remote Service Rdpwinst Tool Execution
- Windows Remote Services Allow Rdp In Firewall
- Windows Renamed Powershell Execution
- Windows RMM Tool Execution
- Windows Rundll32 Apply User Settings Changes
- Windows Rundll32 Execution With Log.DLL
- Windows Rundll32 Load DLL in Temp Dir
- Windows Rundll32 WebDAV Request
- Windows Rundll32 WebDav With Network Connection
- Windows Rundll32 with Non-Standard File Extension
- Windows Scheduled Task Created Via XML
- Windows Scheduled Task Service Spawned Shell
- Windows Scheduled Task with Highest Privileges
- Windows Schtasks Create Run As System
- Windows ScManager Security Descriptor Tampering Via Sc.EXE
- Windows Security Account Manager Stopped
- Windows Security Support Provider Reg Query
- Windows Sensitive Group Discovery With Net
- Windows Sensitive Registry Hive Dump Via CommandLine
- Windows Server Software Component GACUtil Install to GAC
- Windows Service Create Kernel Mode Driver
- Windows Service Create with Tscon
- Windows Service Created (Sysmon)
- Windows Service Creation on Remote Endpoint
- Windows Service Execution RemCom
- Windows Service Initiation on Remote Endpoint
- Windows Service Started (Sysmon)
- Windows Service Stop Attempt
- Windows Service Stop By Deletion
- Windows Set Account Password Policy To Unlimited Via Net
- Windows Set Custom DNS ServerLevelPlugin Via Dnscmd
- Windows Shell or Script Execution From IIS Directory
- Windows Shell Process from CrushFTP
- Windows SOAPHound Binary Execution
- Windows SoftEther VPN Masquerading as Legitimate Binary
- Windows Spearphishing Attachment Onenote Spawn Mshta
- Windows SpeechRuntime Suspicious Child Process
- Windows SQL Spawning CertUtil
- Windows SQLCMD Execution
- Windows Sqlservr Spawning Shell
- Windows SSH Proxy Command
- Windows Steal Authentication Certificates CertUtil Backup
- Windows Steal Authentication Certificates Export Certificate
- Windows Steal Authentication Certificates Export PfxCertificate
- Windows Steal or Forge Kerberos Tickets Klist
- Windows SubInAcl Execution
- Windows Suspicious Child Process Spawned From WebServer
- Windows Suspicious Process File Path
- Windows Suspicious QEMU Execution
- Windows Suspicious React or Next.js Child Process
- Windows Suspicious VMWare Tools Child Process
- Windows Svchost.exe Parent Process Anomaly
- Windows SymbolicLink-Testing-Tools Utility Execution
- Windows Symlink Evaluation Change via Fsutil
- Windows System Binary Proxy Execution Compiled HTML File Decompile
- Windows System Discovery Using ldap Nslookup
- Windows System Discovery Using Qwinsta
- Windows System LogOff Commandline
- Windows System Network Config Discovery Display DNS
- Windows System Network Connections Discovery Netsh
- Windows System Reboot CommandLine
- Windows System Remote Discovery With Query
- Windows System Script Proxy Execution Syncappvpublishingserver
- Windows System Shutdown CommandLine
- Windows System Time Discovery W32tm Delay
- Windows System User Discovery Via Quser
- Windows System User Privilege Discovery
- Windows TeamCity Payload Execution from Temp Directory
- Windows Time Based Evasion
- Windows Time Based Evasion via Choice Exec
- Windows TinyCC Shellcode Execution
- Windows TOR Client Execution
- Windows UAC Bypass Suspicious Child Process
- Windows UAC Bypass Suspicious Escalation Behavior
- Windows Unusual SysWOW64 Process Run System32 Executable
- Windows User Deletion Via Net
- Windows User Disabled Via Net
- Windows User Discovery Via Net
- Windows Vulnerable 3CX Software
- Windows WBAdmin File Recovery From Backup
- Windows WinDBG Spawning AutoIt3
- Windows WinLogon with Public Network Connection
- Windows WinRAR Launched Outside Default Installation Directory
- Windows WMI Process And Service List
- Windows WMI Process Call Create
- Windows WMI Reconnaissance Class Query
- Windows Wmic CPU Discovery
- Windows Wmic DiskDrive Discovery
- Windows Wmic Memory Chip Discovery
- Windows Wmic Network Discovery
- Windows WMIC Shadowcopy Delete
- Windows Wmic Systeminfo Discovery
- Windows WSUS Spawning Shell
- Winhlp32 Spawning a Process
- WinRAR Spawning Shell Application
- WinRM Spawning a Process
- WinRM Tools (Sysmon)
- WMI subscription execution (Sysmon)
- WMIC Explicit Credentials (Sysmon)
- Wmic Group Discovery
- WMIC Host Reconnaissance (Sysmon)
- Wmic NonInteractive App Uninstallation
- WMIC XSL Execution via URL
- Wmiprvse LOLBAS Execution Process Spawn
- WmiPrvSE Suspicious Child Process (Sysmon)
- Wow6432Node Classes Autorun Keys Modification (Sysmon)
- Wscript Or Cscript Suspicious Child Process
- Wscript_Cscript Execution (Sysmon)
- Wsmprovhost LOLBAS Execution Process Spawn
- XSL Script Execution With WMIC
Kusto (73)
- Access Token Manipulation - Create Process with Token
- Account Creation
- Audit policy manipulation using auditpol utility
- Base64 encoded Windows process command-lines (Normalized Process Events)
- Bitsadmin Activity
- Clearing of forensic evidence from event logs using wevtutil
- COM Event System Loading New DLL
- Deletion of data on multiple drives using cipher exe
- Detect Malicious Usage of Recovery Tools to Delete Backup Files
- Detect Rare scheduled task created
- Detect Suspicious Commands Initiated by Webserver Processes
- Detect Unknown process launched via WinRM
- Detect Unsigned executable launch from scheduled task
- Detecting Macro Invoking ShellBrowserWindow COM Objects
- Detecting UAC bypass - ChangePK and SLUI registry tampering
- Detecting UAC bypass - elevated COM interface
- Detecting UAC bypass - modify Windows Store settings
- Dev-0228 File Path Hashes November 2021
- Dev-0228 File Path Hashes November 2021 (ASIM Version)
- Disable or Modify Windows Defender
- Disabling Security Services via Registry
- Doppelpaymer Stop Services
- DopplePaymer Procdump
- Email access via active sync
- Exchange Worker Process Making Remote Call
- Execution of software vulnerable to webp buffer overflow of CVE-2023-4863
- Gain Code Execution on ADFS Server via Remote WMI Execution
- Imminent Ransomware
- Ingress Tool Transfer - Certutil
- Java Executing cmd to run Powershell
- Lateral Movement via DCOM
- LaZagne Credential Theft
- LSASS Credential Dumping with Procdump
- Malware in the recycle bin (Normalized Process Events)
- Masquerading Renamed executables of interest
- Match Legitimate Name or Location - 2
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
- Modification of Accessibility Features
- New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
- Office Apps Launching Wscript
- Oracle suspicious command execution
- Persistence Via Scheduled Tasks
- Potential Build Process Compromise - MDE
- Potential Kerberos Relaying Activity - MDE
- Potential Lateral Movement via MSI ODBC Driver Install over DCOM
- Potential re-named sdelete usage (ASIM Version)
- Probable AdFind Recon Tool Usage
- Probable AdFind Recon Tool Usage (Normalized Process Events)
- Process Creation with Suspicious CommandLine Arguments
- Process Tree Analysis
- PRT Credential Stealing
- Qakbot Campaign Self Deletion
- Qakbot Discovery Activities
- Rare Process as a Service
- Regsvr32 Rundll32 with Anomalous Parent Process
- Remote Desktop Protocol - SharpRDP
- Rename System Utilities
- Scheduled Task - Suspicious Network Connection
- Sdelete deployed via GPO and run recursively (ASIM Version)
- Shadow Copy Deletions
- Spearphishing Attachment: ISO Images (Microsoft Sentinel)
- SQL Server spawning suspicious child process
- Stopping multiple processes using taskkill
- SUNBURST suspicious SolarWinds child processes
- SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
- Suspicious MSC File Launched
- Suspicious office child process created
- Suspicious parent process relationship - Office child processes
- T1566.002 Spearphishing Link - Rare URL Clicks
- Trusted Developer Utilities Proxy Execution
- Unsigned Windows System Binary
- Windows Binaries Lolbins Renamed
- Zinc Actor IOCs files - October 2022
YARA-L (69)
- Base64 Encoded PowerShell Command Detected
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Copy From Or To Admin Share Or Sysvol Folder
- CreateDump Process Dump
- Direct Autorun Keys Modification
- File Download Using Notepad++ GUP Utility
- File Download Via Windows Defender MpCmpRun.EXE
- Finger.EXE Execution
- GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage
- GCTI Remote Access Tools
- Google Safebrowsing File Process Creation
- Google Safebrowsing With Prevalence
- HackTool - Dumpert Process Dumper Execution
- Hacktool - IronSharpPack Execution
- HackTool - Mimikatz Execution
- Hacktool - SharpSuccessor Execution
- Hacktool - WinPEAS Execution Patterns
- Hash Prevalence
- Impacket WMIExec CISA Report
- IOC Hash Prevalence
- IOC SHA256 Hash
- IOC SHA256 Hash VT
- Local Accounts Discovery
- Low Prevalence Hash On Process Launch Low Prevalence Domain Accessed
- LSASS Dump Keyword In CommandLine
- MITRE ATT&CK T1003 RW Mimikatz
- MITRE ATT&CK T1003.003 RW Utilities Associated With Ntds.dit
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report
- MITRE ATT&CK T1021.002 Windows Admin Share Basic
- MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity
- MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment
- MITRE ATT&CK T1021.002 Windows Admin Share With User Entity
- MITRE ATT&CK T1033 Recon Successful Logon Enumeration Powershell CISA Report
- MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report
- MITRE ATT&CK T1140 Encoded Powershell Command
- MITRE ATT&CK T1570 Suspicious Command PSExec
- New User Created Via Net.EXE
- potential lsass process dump via procdump
- Potential Suspicious Activity Using SeCEdit
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Potential Webshell Process Execution
- PowerShell DownloadFile
- PowerShell Web Download
- PrintBrm ZIP Creation of Extraction
- Process Launch VT Enrichment
- Process Memory Dump Via Comsvcs.DLL
- Process Memory Dump via RdrLeakDiag.exe
- PUA - Nimgrab Execution
- Purple Knight Tool Execution Detected
- Recon Credential Theft CISA Report
- Recon Environment Enumeration Active Directory CISA Report
- Recon Environment Enumeration Network CISA Report
- Recon Environment Enumeration System CISA Report
- Recon Suspicious Commands CISA Report
- Reg Add Suspicious Paths
- Renamed CreateDump Utility Execution
- Safebrowsing Process Creation Hashes Seen More Than 7 Days
- ShimCache Flush
- Suspicious Certreq Command to Download
- Suspicious Curl.EXE Download
- Suspicious Download Via Certutil.EXE
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Suspicious Invoke-WebRequest Execution
- Uncommon or Suspicious RMM Tool Execution Detected
- VT Relationships File Executes File
- W3WP Launching Encoded Powershell
- Whoami Execution
- Windows Event Log Cleared