Microsoft-Windows-Sysmon Event ID 22
Sigma (27)
- AppX Package Installation Attempts Via AppInstaller.EXE
- Cloudflared Tunnels Related DNS Requests
- Diamond Sleet APT DNS Communication Indicators
- DNS HybridConnectionManager Service Bus
- DNS Query by Finger Utility
- DNS Query for Anonfiles.com Domain - Sysmon
- DNS Query Request By QuickAssist.EXE
- DNS Query Request By Regsvr32.EXE
- DNS Query Request To OneLaunch Update Service
- DNS Query To AzureWebsites.NET By Non-Browser Process
- DNS Query To Common Malware Hosting and Shortener Services
- DNS Query To Devtunnels Domain
- DNS Query To Katz Stealer Domains
- DNS Query To MEGA Hosting Website
- DNS Query To Remote Access Software Domain From Non-Browser App
- DNS Query To Ufile.io
- DNS Query To Visual Studio Code Tunnels Domain
- DNS Query Tor .Onion Address - Sysmon
- DNS Server Discovery Via LDAP Query
- DPRK Threat Actor - C2 Communication DNS Indicators
- Notepad++ Updater DNS Query to Uncommon Domains
- Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
- Potential SocGholish Second Stage C2 DNS Query
- Suspicious Cobalt Strike DNS Beaconing - Sysmon
- Suspicious DNS Query for IP Lookup Service APIs
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
- TeamViewer Domain Query By Non-TeamViewer Application
Elastic (3)
Splunk (23)
- 3CX Supply Chain Attack Network Indicators
- AteraAgent Installation - Windows (Sysmon)
- Detect DNS Query to Decommissioned S3 Bucket
- Detect hosts connecting to dynamic domain providers
- Detect Remote Access Software Usage DNS
- DNS Kerberos Coercion
- DNS Query Length With High Standard Deviation
- Local LLM Framework DNS Query
- Ngrok Reverse Proxy on Network
- Rundll32 DNSQuery
- Sunburst Correlation DLL and Network Event
- Suspicious Process DNS Query Known Abuse Web Services
- Suspicious Process With Discord DNS Query
- Wermgr Process Connecting To IP Check Web Services
- Windows Abused Web Services
- Windows AI Platform DNS Query
- Windows BitLockerToGo with Network Activity
- Windows DNS Query Request by Telegram Bot API
- Windows DNS Query Request To TinyUrl
- Windows Gather Victim Network Info Through Ip Check Web Services
- Windows Multi hop Proxy TOR Website Query
- Windows Spearphishing Attachment Connect To None MS Office Domain
- Windows Visual Basic Commandline Compiler DNSQuery
Kusto (11)
- Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution)
- Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)
- DNS events related to mining pools (ASIM DNS Schema)
- DNS events related to ToR proxies (ASIM DNS Schema)
- Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
- Google Threat Intelligence - Threat Hunting Domain
- Ngrok Reverse Proxy on Network (ASIM DNS Solution)
- Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution)
- Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution)
- Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)
- RecordedFuture Threat Hunting Domain All Actors