Microsoft-Windows-Sysmon Event ID 11
Sigma (222)
- .RDP File Created By Uncommon Application
- ADExplorer Writing Complete AD Snapshot Into .dat File
- ADSI-Cache File Creation By Uncommon Tool
- Advanced IP Scanner - File Event
- Adwind RAT / JRAT File Artifact
- Anydesk Temporary Artefact
- APT29 2018 Phishing Campaign File Indicators
- Assembly DLL Creation Via AspNetCompiler
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
- Axios NPM Compromise File Creation Indicators - Windows
- BloodHound Collection Files
- Created Files by Microsoft Sync Center
- Creation Exe for Service with Unquoted Path
- Creation of a Diagcab
- Creation of an Executable by an Executable
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- Cred Dump Tools Dropped Files
- CSExec Service File Creation
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- CVE-2021-26858 Exchange Exploitation
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
- CVE-2021-44077 POC Default Dropped File
- CVE-2022-24527 Microsoft Connected Cache LPE
- CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
- CVE-2023-40477 Potential Exploitation - .REV File Creation
- CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- DarkGate - Drop DarkGate Loader In C:\Temp Directory
- Desktop.INI Created by Uncommon Process
- Diamond Sleet APT File Creation Indicators
- DLL Search Order Hijackig Via Additional Space in Path
- DMP/HDMP File Creation
- DPAPI Backup Keys And Certificate Export Activity IOC
- Drop Binaries Into Spool Drivers Color Folder
- Dynamic CSharp Compile Artefact
- EVTX Created In Uncommon Location
- Exchange transport agent injection via configuration file
- File Creation In Suspicious Directory By Msdt.EXE
- File Creation Related To RAT Clients
- File With Uncommon Extension Created By An Office Application
- Files With System DLL Name In Unsuspected Locations
- Files With System Process Name In Unsuspected Locations
- Forest Blizzard APT - File Creation Activity
- Forest Blizzard APT - JavaScript Constrained File Creation
- FunkLocker Ransomware File Creation
- GatherNetworkInfo.VBS Reconnaissance Script Output
- Goofy Guineapig Backdoor IOC
- GoToAssist Temporary Installation Artefact
- HackTool - CrackMapExec File Indicators
- HackTool - Dumpert Process Dumper Default File
- HackTool - Impacket File Indicators
- HackTool - Inveigh Execution Artefacts
- HackTool - Mimikatz Kirbi File Creation
- HackTool - NetExec File Indicators
- HackTool - NPPSpy Hacktool Usage
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
- HackTool - Powerup Write Hijack DLL
- HackTool - QuarksPwDump Dump File
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
- HackTool - SafetyKatz Dump Indicator
- HackTool - Typical HiveNightmare SAM File Export
- Hijack Legit RDP Session to Move Laterally
- Installation of TeamViewer Desktop
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- ISO File Created Within Temp Folders
- ISO or Image Mount Indicator in Recent Files
- Lace Tempest File Indicators
- Legitimate Application Dropped Archive
- Legitimate Application Dropped Executable
- Legitimate Application Dropped Script
- Legitimate Application Writing Files In Uncommon Location
- LiveKD Driver Creation
- LiveKD Driver Creation By Uncommon Process
- LiveKD Kernel Memory Dump File Created
- LSASS Process Dump Artefact In CrashDumps Folder
- LSASS Process Memory Dump Creation Via Taskmgr.EXE
- LSASS Process Memory Dump Files
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Malicious PowerShell Scripts - FileCreation
- Mimikatz malicious Security package (SSP) exfiltrates cleartext passwords in file
- Moriya Rootkit File Created
- New Custom Shim Database Created
- New Outlook Macro Created
- NTDS Exfiltration Filename Patterns
- NTDS.DIT Created
- NTDS.DIT Creation By Uncommon Parent Process
- NTDS.DIT Creation By Uncommon Process
- Octopus Scanner Malware
- Office Macro File Creation
- Office Macro File Creation From Suspicious Process
- Office Macro File Download
- OneNote Attachment File Dropped In Suspicious Location
- Onyx Sleet APT File Creation Indicators
- PCRE.NET Package Temp Files
- PDF File Created By RegEdit.EXE
- PFX File Creation
- Pingback Backdoor File Indicators
- Potential APT FIN7 Related PowerShell Script Created
- Potential Binary Or Script Dropper Via PowerShell
- Potential COLDSTEEL Persistence Service DLL Creation
- Potential COLDSTEEL RAT File Indicators
- Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
- Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
- Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
- Potential CVE-2023-36884 Exploitation Dropped File
- Potential DCOM InternetExplorer.Application DLL Hijack
- Potential Devil Bait Related Indicator
- Potential File Extension Spoofing Using Right-to-Left Override
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- Potential Homoglyph Attack Using Lookalike Characters in Filename
- Potential Initial Access via DLL Search Order Hijacking
- Potential Kapeka Decrypted Backdoor Indicator
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
- Potential Persistence Attempt Via ErrorHandler.Cmd
- Potential Persistence Via Microsoft Office Add-In
- Potential Persistence Via Microsoft Office Startup Folder
- Potential Persistence Via Notepad++ Plugins
- Potential Persistence Via Outlook Form
- Potential Privilege Escalation Attempt Via .Exe.Local Technique
- Potential RipZip Attack on Startup Folder
- Potential SAM Database Dump
- Potential SAP NetWeaver Webshell Creation
- Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
- Potential Startup Shortcut Persistence Via PowerShell.EXE
- Potential Suspicious PowerShell Module File Created
- Potential Webshell Creation On Static Website
- Potential Winnti Dropper Activity
- Potentially Suspicious DMP/HDMP File Creation
- Potentially Suspicious File Creation by OpenEDR's ITSMService
- Potentially Suspicious WDAC Policy File Creation
- PowerShell Module File Created
- PowerShell Module File Created By Non-PowerShell Process
- PowerShell Profile Modification
- PowerShell Script Dropped Via PowerShell.EXE
- Process Explorer Driver Creation By Non-Sysinternals Binary
- Process Monitor Driver Creation By Non-Sysinternals Binary
- PSEXEC Remote Execution File Artefact
- PsExec Service File Creation
- PSScriptPolicyTest Creation By Uncommon Process
- Publisher Attachment File Dropped In Suspicious Location
- Python Path Configuration File Creation - Windows
- Rclone Config File Creation
- RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
- RemCom Service File Creation
- Remote Access Tool - ScreenConnect Temporary File
- Renamed VsCode Code Tunnel Execution - File Indicator
- Scheduled Task Created - FileCreation
- SCR File Write Event
- ScreenConnect - SlashAndGrab Exploitation Indicators
- ScreenConnect Temporary Installation Artefact
- ScreenConnect User Database Modification
- Self Extraction Directive File Created In Potentially Suspicious Location
- Small Sieve Malware File Indicator Creation
- SNAKE Malware Installer Name Indicators
- SNAKE Malware Kernel Driver File Indicator
- SNAKE Malware WerFault Persistence File Creation
- Startup Folder File Write
- Sticky key file created from CMD copy
- Suspicious ASPX File Drop by Exchange
- Suspicious Binaries and Scripts in Public Folder
- Suspicious Binary Writes Via AnyDesk
- Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
- Suspicious Creation TXT File in User Desktop
- Suspicious Creation with Colorcpl
- Suspicious Deno File Written from Remote Source
- Suspicious Desktopimgdownldr Target File
- Suspicious DotNET CLR Usage Log Artifact
- Suspicious Double Extension Files
- Suspicious Executable File Creation
- Suspicious File Created by ArcSOC.exe
- Suspicious File Created in Outlook Temporary Directory
- Suspicious File Created In PerfLogs
- Suspicious File Created Via OneNote Application
- Suspicious File Creation Activity From Fake Recycle.Bin Folder
- Suspicious File Creation In Uncommon AppData Folder
- Suspicious File Drop by Exchange
- Suspicious File Write to SharePoint Layouts Directory
- Suspicious File Write to Webapps Root Directory
- Suspicious Files in Default GPO Folder
- Suspicious Get-Variable.exe Creation
- Suspicious Interactive PowerShell as SYSTEM
- Suspicious LNK Double Extension File Created
- Suspicious MSExchangeMailboxReplication ASPX Write
- Suspicious Outlook Macro Created
- Suspicious PROCEXP152.sys File Created In TMP
- Suspicious Scheduled Task Write to System32 Tasks
- Suspicious Screensaver Binary File Creation
- Suspicious Startup Folder Persistence
- Suspicious Word Cab File Write CVE-2021-40444
- TeamViewer Remote Session
- UAC Bypass Abusing Winsat Path Parsing - File
- UAC Bypass Using .NET Code Profiler on MMC
- UAC Bypass Using Consent and Comctl32 - File
- UAC Bypass Using EventVwr
- UAC Bypass Using IDiagnostic Profile - File
- UAC Bypass Using IEInstal - File
- UAC Bypass Using MSConfig Token Modification - File
- UAC Bypass Using NTFS Reparse Point - File
- UAC Bypass Using Windows Media Player - File
- UEFI Persistence Via Wpbbin - FileCreation
- Uncommon File Created by Notepad++ Updater Gup.EXE
- Uncommon File Created In Office Startup Folder
- Uncommon File Creation By Mysql Daemon Process
- VHD Image Download Via Browser
- Visual Studio Code Tunnel Remote File Creation
- VsCode Code Tunnel Execution File Indicator
- VsCode Powershell Profile Modification
- WDAC Policy File Creation In CodeIntegrity Folder
- WebDAV Temporary Local File Creation
- Webserver IIS configuration edited (SYSMON)
- WerFault LSASS Process Memory Dump
- Windows Binaries Write Suspicious Extensions
- Windows Shell/Scripting Application File Write to Suspicious Folder
- Windows Terminal Profile Settings Modification By Uncommon Process
- WinRAR Creating Files in Startup Locations
- WinSxS Executable File Creation By Non-System Process
- WMI Persistence - Script Event Consumer File Write
- Wmiexec Default Output File
- Wmiprvse Wbemcomn DLL Hijack - File
- Writing Local Admin Share
- WScript or CScript Dropper - File
Elastic (34)
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Browser Extension Install
- Creation of SettingContent-ms Files
- Deprecated - Adobe Hijack Persistence
- Deprecated - Suspicious PrintSpooler Service Executable File Creation
- Downloaded Shortcut Files
- Downloaded URL Files
- Executable File Creation with Multiple Extensions
- Execution of a Downloaded Windows Script
- File Compressed or Archived into Common Format by Unsigned Process
- File Staged in Root Folder of Recycle Bin
- File with Right-to-Left Override Character (RTLO) Created/Executed
- File with Suspicious Extension Downloaded
- GenAI Process Accessing Sensitive Files
- Kirbi File Creation
- Lateral Movement via Startup Folder
- Memory Dump File with Unusual Extension
- Microsoft Exchange Server UM Writing Suspicious Files
- Persistence via a Windows Installer
- Potential Credential Access via Memory Dump File Creation
- Potential Lateral Tool Transfer via SMB Share
- Potential Persistence via Mandatory User Profile
- Potential Ransomware Behavior - Note Files by System
- Potential Ransomware Note File Dropped via SMB
- Potential Remote Credential Access via Registry
- Potential SAP NetWeaver WebShell Creation
- Remote Execution via File Shares
- Remote File Copy via TeamViewer
- Remote File Download via PowerShell
- Remote File Download via Script Interpreter
- Suspicious HTML File Creation
- Unusual File Creation - Alternate Data Stream
- Unusual File Operation by dns.exe
- Windows Registry File Creation in SMB Share
Splunk (94)
- Additional dll added to Spool Driver (Sysmon)
- Batch File Write to System32
- Common Ransomware Extensions
- Common Ransomware Notes
- ConnectWise ScreenConnect Path Traversal
- Creation of lsass Dump with Taskmgr
- Detect AzureHound File Modifications
- Detect Certipy File Modifications
- Detect Exchange Web Shell
- Detect Outlook exe writing a zip file
- Detect Remote Access Software Usage File
- Detect RTLO In File Name
- Detect SharpHound File Modifications
- Drop IcedID License dat
- Email files written outside of the Outlook directory
- Executable File Written to Disk (Sysmon)
- Executables Or Script Creation In Suspicious Path
- Executables Or Script Creation In Temp Path
- File with Samsam Extension
- File Written to Startup Folder - Windows (Sysmon)
- GitHub Workflow File Creation or Modification
- IcedID Exfiltrated Archived File Creation
- Impacket atexec.py Temp File Creation (Sysmon)
- iphlpapi.dll File Write to Appdata_Local_Microsoft (Sysmon)
- LLM Model File Creation
- MS Exchange Mailbox Replication service writing Active Server Pages
- Msmpeng Application DLL Side Loading
- Overwriting Accessibility Binaries
- Process Creating LNK file in Suspicious Location
- Process Writing DynamicWrapperX
- Ransomware Notes bulk creation
- RDP File Written by Outlook (Sysmon)
- Remcos RAT File Creation in Remcos Folder
- Rundll32 Process Creating Exe Dll Files
- Ryuk Test Files Detected
- Samsam Test File Write
- SchCache Change By App Connect And Create ADSI Object
- Shai-Hulud 2 Exfiltration Artifact Files
- Shai-Hulud Workflow File Creation or Modification
- Shim Database File Creation
- Spike in File Writes
- Spoolsv Writing a DLL
- Spoolsv Writing a DLL - Sysmon
- Sqlite Module In Temp Folder
- Suspicious .sys Created - Windows (Sysmon)
- Suspicious File Created in Public Folder (Sysmon)
- Suspicious Image Creation In Appdata Folder
- Suspicious WAV file in Appdata Folder
- Suspicious writes to windows Recycle Bin
- Wermgr Process Create Executable File
- Windows .Key File Creation in Root Directory
- Windows Admin Permission Discovery
- Windows Admin$ Share Access (Sysmon)
- Windows Archived Collected Data In TEMP Folder
- Windows Boot or Logon Autostart Execution In Startup Folder
- Windows C$ Share Access (Sysmon)
- Windows CAB File on Disk
- Windows Credentials from Password Stores Chrome Copied in TEMP Dir
- Windows Credentials from Web Browsers Saved in TEMP Folder
- Windows Defacement Modify Transcodedwallpaper File
- Windows Default RDP File Creation By Non MSTSC Process
- Windows EFI Bootloader File Modification
- Windows File Without Extension In Critical Folder
- Windows IPC$ Share Access (Sysmon)
- Windows ISO LNK File Creation
- Windows Known Abused DLL Created
- Windows Mimikatz Crypto Export File Extensions
- Windows Mock Trusted Directory MSC File Creation
- Windows MOVEit Transfer Writing ASPX
- Windows MSHTA Writing to World Writable Path
- Windows NirSoft Tool Bundle File Created
- Windows Obfuscated Files or Information via RAR SFX
- Windows Office Product Dropped Cab or Inf File
- Windows Office Product Dropped Uncommon File
- Windows Outlook Macro Created by Suspicious Process
- Windows Phishing Outlook Drop Dll In FORM Dir
- Windows Potential AppDomainManager Hijack Artifacts Creation
- Windows Potential Web Shell Creation For VMware Workspace ONE
- Windows PowerShell Module File Created
- Windows Process Writing File to World Writable Path
- Windows RDP Bitmap Cache File Creation
- Windows Replication Through Removable Media
- Windows Screen Capture in TEMP folder
- Windows SharePoint Spinstall0 Webshell File Creation
- Windows Snake Malware File Modification Crmlog
- Windows Snake Malware Kernel Driver Comadmin
- Windows Suspicious File in EFI Volume
- Windows System File on Disk
- Windows TeamCity Plugin Installed
- Windows Theme File Creation in Unusual Location
- Windows Universal Data Link File Creation
- Windows Unusual File Creation in Confluence Directory
- Windows User Execution Malicious URL Shortcut File
- Windows XLL File Creation Outside of Typical Location
Kusto (17)
- Credential Dumping Tools - File Artifacts
- Detect executable drops via Azure custom script extension
- Dev-0530 File Extension Rename
- Files Copied to USB Drives
- Google Threat Intelligence - Threat Hunting Hash
- PE file dropped in Color Profile Folder
- RecordedFuture Threat Hunting Hash All Actors
- Remote File Creation with PsExec
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint)
- Spearphishing Attachment: ISO Images (Microsoft Sentinel)
- SUNBURST and SUPERNOVA backdoor hashes
- SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- Suspicious access of BEC related documents
- Suspicious MSC File Launched
- Suspicious office child process created
- VTI - High Severity SHA1 Collision Detection
- WinRM Plugin Lateral Movement
YARA-L (20)
- Attempted SharePoint Webshell Creation CVE-2025-53770
- Cred Dump Tools Dropped Files
- GCTI Remote Access Tools
- Google Safebrowsing File Process Creation
- HackTool - Dumpert Process Dumper Default File
- Impacket WMIExec CISA Report
- IOC Hash Prevalence
- IOC SHA256 Hash
- IOC SHA256 Hash VT
- LSASS Process Memory Dump Creation Via Taskmgr.exe
- LSASS Process Memory Dump Files
- MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report
- Process Launch VT Enrichment
- Safebrowsing Process Creation Hashes Seen More Than 7 Days
- Successful SharePoint Webshell Creation CVE-2025-53770
- Suspicious Filewrites To Sharepoint Layouts
- Suspicious Unusual Location LNK File
- VT Relationships File Downloaded From IP
- VT Relationships File Downloaded From URL
- WHOIS Expired Domain Executable Downloaded