Microsoft-Windows-Sysmon Event ID 3
Sigma (61)
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To Ngrok Tunneling Service Initiated
- Communication To Uncommon Destination Ports
- Dfsvc.EXE Initiated Network Connection Over Uncommon Port
- Dfsvc.EXE Network Connection To Non-Local IPs
- Dllhost.EXE Initiated Network Connection To Non-Local IP Address
- HH.EXE Initiated HTTP Network Connection
- Local Network Connection Initiated By Script Interpreter
- Microsoft Sync Center Suspicious Network Connections
- Msiexec.EXE Initiated Network Connection Over HTTP
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- Network Communication Initiated To Portmap.IO Domain
- Network Communication With Crypto Mining Pool
- Network Connection Initiated By AddinUtil.EXE
- Network Connection Initiated By Eqnedt32.EXE
- Network Connection Initiated By IMEWDBLD.EXE
- Network Connection Initiated By PowerShell Process
- Network Connection Initiated By Regsvr32.EXE
- Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
- Network Connection Initiated From Users\Public Folder
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
- Network Connection Initiated To BTunnels Domains
- Network Connection Initiated To Cloudflared Tunnels Domains
- Network Connection Initiated To DevTunnels Domain
- Network Connection Initiated To Mega.nz
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Network Connection Initiated via Finger.EXE
- Network Connection Initiated Via Notepad.EXE
- New Connection Initiated To Potential Dead Drop Resolver Domain
- Office Application Initiated Network Connection Over Uncommon Ports
- Office Application Initiated Network Connection To Non-Local IP
- Outbound Network Connection Initiated By Cmstp.EXE
- Outbound Network Connection Initiated By Microsoft Dialer
- Outbound Network Connection Initiated By Script Interpreter
- Outbound Network Connection To Public IP Via Winlogon
- Outbound RDP Connections Over Non-Standard Tools
- Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
- Potential Pikabot C2 Activity
- Potential Remote PowerShell Session Initiated
- Potentially Suspicious Azure Front Door Connection
- Potentially Suspicious Malware Callback Communication
- Potentially Suspicious Network Connection To Notion API
- Potentially Suspicious Wuauclt Network Connection
- Process Initiated Network Connection To Ngrok Domain
- Python Initiated Connection
- RDP Over Reverse SSH Tunnel
- RDP to HTTP or HTTPS Target Ports
- RegAsm.EXE Initiating Network Connection To Public IP
- Remote Access Tool - AnyDesk Incoming Connection
- Rundll32 Internet Connection
- Silenttrinity Stager Msbuild Activity
- Suspicious Dropbox API Usage
- Suspicious Network Connection Binary No CommandLine
- Suspicious Network Connection to IP Lookup Service APIs
- Suspicious Non-Browser Network Communication With Google API
- Suspicious Non-Browser Network Communication With Telegram API
- Suspicious Outbound SMTP Connections
- Suspicious Wordpad Outbound Connections
- Uncommon Connection to Active Directory Web Services
- Uncommon Network Connection Initiated By Certutil.EXE
- Uncommon Outbound Kerberos Connection
Elastic (49)
- Connection to Common Large Language Model Endpoints
- Connection to Commonly Abused Free SSL Certificate Providers
- Connection to Commonly Abused Web Services
- Deprecated - SUNBURST Command and Control Activity
- Execution from a Removable Media with Network Connection
- Execution via Microsoft DotNet ClickOnce Host
- GenAI Process Connection to Suspicious Top Level Domain
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell
- InstallUtil Process Making Network Connections
- Kerberos Traffic from Unusual Process
- Mshta Making Network Connections
- MsiExec Service Child Process With Network Connection
- Network Activity to a Suspicious Top Level Domain
- Network Connection via Certutil
- Network Connection via Compiled HTML File
- Network Connection via MsXsl
- Network Connection via Registration Utility
- Network Connection via Signed Binary
- Outbound Scheduled Task Activity via PowerShell
- Potential Command and Control via Internet Explorer
- Potential Enumeration via Active Directory Web Service
- Potential Evasion via Windows Filtering Platform
- Potential Kerberos SPN Spoofing via Suspicious DNS Query
- Potential Lateral Tool Transfer via SMB Share
- Potential Outgoing RDP Connection by Unusual Process
- Potential Ransomware Note File Dropped via SMB
- Potential Remote File Execution via MSIEXEC
- Potential SharpRDP Behavior
- Potential Windows Error Manager Masquerading
- PsExec Network Connection
- Remote File Download via PowerShell
- Remote File Download via Script Interpreter
- Remote Scheduled Task Creation
- Remotely Started Services via RPC
- Service Command Lateral Movement
- SMB Connections via LOLBin or Untrusted Process
- Suspicious Command Prompt Network Connection
- Suspicious File Renamed via SMB
- Suspicious Instance Metadata Service (IMDS) API Request
- System Public IP Discovery via DNS Query
- Unusual Network Activity from a Windows System Binary
- Unusual Network Connection via DllHost
- Unusual Network Connection via RunDLL32
- Unusual Process Network Connection
- WMI Incoming Lateral Movement
Splunk (31)
- Detect Regasm with Network Connection
- Detect Regsvcs with Network Connection
- DLLHost with no Command Line Arguments with Network
- GPUpdate with no Command Line Arguments with Network
- LOLBAS With Network Traffic
- Network Connection with Suspicious Folder (Sysmon)
- Network Traffic to Active Directory Web Services Protocol
- Outbound Network Connection from Java Using Default Ports
- Potential CVE-2024-21413: Outbound SMB from Outlook (Sysmon)
- Potential network connection with CVE-2023-21554 (Sysmon)
- Process Connection to Mega - Windows (Sysmon)
- PuTTY Secure Copy Client Execution (Sysmon)
- RDP Connection (Sysmon)
- Rundll32 with no Command Line Arguments with Network
- Script Connected to External Destination - Windows (Sysmon)
- SearchProtocolHost with no Command Line with Network
- Unexpected Network Connection from System Process (Sysmon)
- Unknown Process Using The Kerberos Protocol
- Unusual HTTP Download (Sysmon)
- Windows Detect Network Scanner Behavior
- Windows File Transfer Protocol In Non-Common Process Path
- Windows HTTP Network Communication From MSIExec
- Windows InstallUtil Remote Network Connection
- Windows Mail Protocol In Non-Common Process Path
- Windows Network Connection From Program In Suspect Location
- Windows Potential Cloudflared Network Connection
- Windows Remote Desktop Network Bruteforce Attempt
- Windows Rundll32 WebDav With Network Connection
- Windows Suspect Process With Authentication Traffic
- Windows WinLogon with Public Network Connection
- wuauclt.exe Network Connection (Sysmon)
Kusto (34)
- AD FS Remote HTTP Network Connection
- ADWS Connection from Process Injection Target
- ADWS Connection from Unexpected Binary
- Anomaly in SMB Traffic(ASIM Network Session schema)
- DCOM Lateral Movement
- Detect CVE exploits on network for which a device is vulnerable
- Detect Msiexec executing DLL network connections
- Detect process drops via Azure Custom Script Extension performing lateral movement
- Detect Unknown process using SMB or WinRM
- Excessive number of failed connections from a single source (ASIM Network Session schema)
- Google Threat Intelligence - Threat Hunting IP
- Hunt for ADWS requests from unknown devices
- Hunt for Defender for Identity NNR issues
- Hunt for devices doing first RDP session
- Hunt for public facing devices via DeviceNetworkEvents
- Hunt for RDP sessions to unmanaged and non TPM devices
- Hunt MDE with GSA events
- Log4j vulnerability exploit aka Log4Shell IP IOC
- Network Port Sweep from External Network (ASIM Network Session schema)
- NTLM Relay Attack
- Port scan detected (ASIM Network Session schema)
- Potential beaconing activity (ASIM Network Session schema)
- RecordedFuture Threat Hunting IP All Actors
- Remote Desktop Network Brute force (ASIM Network Session schema)
- Rouge RDP: Suspicious File Creation
- Server Network Connection Anomalies
- Spearphishing Attachment: ISO Images (Microsoft Sentinel)
- SUNBURST network beacons
- Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports
- Suspicious Network Beacons - Microsoft Defender(MDE/M365D)
- Suspicious Network Beacons - Sysmon
- Suspicious Network Connections - Supply Chain Attack
- Suspicious office child process created
- Zinc Actor IOCs files - October 2022
YARA-L (14)
- GCTI Benign Binaries Contacts Tor Exit Node
- GCTI Tor Exit Nodes
- Google Safebrowsing File Contacts Tor Exit Node
- High Risk User Download Executable From Macro
- IOC IP Target
- IP Target Prevalence
- Network Connection First Seen In Past Day
- Network Traffic To Specific Country
- Potential Remote PowerShell Session Initiated
- Suspicious ASN
- Suspicious ASN Watchlist
- VT Relationships File Contacts IP
- VT Relationships File Contacts Tor IP
- WHOIS Recently Created Domain Access