Microsoft-Windows-Sysmon Event ID 14
Sigma (55)
- Atbroker Registry Change
- CMSTP Execution Registry Event
- Creation of a Local Hidden User Account by Registry
- Delete Defender Scan ShellEx Context Menu Registry Key
- Diamond Sleet APT Scheduled Task Creation - Registry
- Disable Security Events Logging Adding Reg Key MiniNt
- DLL Load via LSASS
- Esentutl Volume Shadow Copy Service Keys
- FlowCloud Registry Markers
- Folder Removed From Exploit Guard ProtectedFolders List - Registry
- HybridConnectionManager Service Installation - Registry
- Impacket SMBexec service creation (registry)
- Leviathan Registry Key Activity
- Mimikatz driver registration (Reg via Sysmon)
- Narrator's Feedback-Hub Persistence
- NetNTLM Downgrade Attack - Registry
- Netsh helper DLL abuse (Reg via Sysmon)
- New DLL Added to AppCertDlls Registry Key
- New DLL Added to AppInit_DLLs Registry Key
- New PortProxy Registry Entry Added
- OceanLotus Registry Activity
- Office Application Startup - Office Test
- OilRig APT Registry Persistence
- Pandemic Registry Key
- Path To Screensaver Binary Modified
- Potential Credential Dumping Via LSASS SilentProcessExit Technique
- Potential Qakbot Registry Activity
- PrinterNightmare Mimikatz Driver Name
- RDP shadow session configuration enabled (registry)
- RedMimicry Winnti Playbook Registry Manipulation
- Registry Persistence Mechanisms in Recycle Bin
- Registry Tampering by Potentially Suspicious Processes
- Removal Of AMSI Provider Registry Keys
- Removal Of Index Value to Hide Schedule Task - Registry
- Removal of Potential COM Hijacking Registry Keys
- Removal Of SD Value to Hide Schedule Task - Registry
- Run Once Task Configuration in Registry
- RunMRU Registry Key Deletion - Registry
- Scheduled Task Created - Registry
- Security Support Provider (SSP) Added to LSA Configuration
- Shell Open Registry Keys Manipulation
- SNAKE Malware Covert Store Registry Key
- Sticky Key Like Backdoor Usage - Registry
- Suspicious Camera and Microphone Access
- Suspicious Run Key from Download
- System crash behavior manipulation - WMImplant (registry)
- Terminal Server Client Connection History Cleared - Registry
- UAC Bypass Via Wsreset
- Wdigest CredGuard Registry Modification
- Windows Credential Editor Registry
- Windows Credential Guard Related Registry Value Deleted - Registry
- Windows Defender Threat Severity Default Action Modified
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
- Windows Registry Trust Record Modification
- WINEKEY Registry Modification
Elastic (60)
- Code Signing Policy Modification Through Registry
- Component Object Model Hijacking
- Creation of a Hidden Local User Account
- Creation or Modification of Root Certificate
- Deprecated - Encoded Executable Stored in the Registry
- Disabling Lsa Protection via Registry Modification
- Disabling User Account Control via Registry Modification
- DNS Global Query Block List Modified or Disabled
- DNS-over-HTTPS Enabled via Registry
- First Time Seen Removable Device
- Full User-Mode Dumps Enabled System-Wide
- Image File Execution Options Injection
- Installation of Custom Shim Databases
- Installation of Security Support Provider
- Local Account TokenFilter Policy Disabled
- Microsoft Windows Defender Tampering
- Modification of AmsiEnable Registry Key
- Modification of WDigest Security Provider
- MS Office Macro Security Registry Modifications
- Netsh Helper DLL
- Network Logon Provider Registry Modification
- Network-Level Authentication (NLA) Disabled
- NullSessionPipe Registry Modification
- Office Test Registry Persistence
- Outlook Home Page Registry Modification
- Persistence via a Windows Installer
- Persistence via Hidden Run Key Detected
- Persistence via WMI Standard Registry Provider
- Port Forwarding Rule Addition
- Potential LSA Authentication Package Abuse
- Potential NetNTLMv1 Downgrade Attack
- Potential Persistence via Time Provider Modification
- Potential Port Monitor or Print Processor Registration Abuse
- Potential Privilege Escalation via Service ImagePath Modification
- Potential REMCOS Trojan Execution
- Potential Remote Desktop Shadowing Activity
- Potential RemoteMonologue Attack
- Potential SharpRDP Behavior
- PowerShell Script Block Logging Disabled
- Privilege Escalation via Windir Environment Variable
- RDP Enabled via Registry
- Registry Persistence via AppCert DLL
- Registry Persistence via AppInit DLL
- Remote Scheduled Task Creation
- Scheduled Task Created by a Windows Script
- Scheduled Tasks AT Command Enabled
- Service Disabled via Registry Modification
- Service Path Modification
- SIP Provider Modification
- SolarWinds Process Disabling Services via Registry
- Startup or Run Key Registry Modification
- Suspicious ImagePath Service Creation
- Suspicious Print Spooler Point and Print DLL
- Suspicious Startup Shell Folder Modification
- Uncommon Registry Persistence Change
- Unusual Persistence via Services Registry
- Werfault ReflectDebugger Persistence
- Windows Defender Disabled via Registry Modification
- Windows Installer with Suspicious Properties
- Windows Subsystem for Linux Distribution Installed