Kusto rule coverage
132 events across 17 providers with Microsoft Sentinel and Defender XDR Kusto detection rules, 757 rule mappings total. Each rule links to its own page (predicates, exclusions, shared indicators). For the rule-centric ATT&CK browse across every vendor, see all detection rules; non-Windows Kusto rules are grouped by platform and technique at Kusto non-Windows coverage.
Microsoft-Windows-Security-Auditing
Event ID 412 AD FS authentication failure. 1 rule
- AD FS Remote Auth Sync Connection available (source)
Event ID 501 AD FS proxy authentication request. 1 rule
- AD FS Remote Auth Sync Connection available (source)
Event ID 4624 An account was successfully logged on. 24 rules
- Brute force attack against user credentials (Uses Authentication Normalization) (source)
- Detect service account login on new device (source)
- EatonForeseer - Unauthorized Logins available (source)
- Failed AzureAD logons but success logon to host (source)
- Gain Code Execution on ADFS Server via Remote WMI Execution (source)
- Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task available (source)
- Multiple RDP connections from Single System (source)
- Non Domain Controller Active Directory Replication available (source)
- NTLM Relay Attack (source)
- Password Spray (source)
- Password Spraying available (source)
- Potential NTLM Relay Attack to Domain Controller (source)
- Potential Password Spray Attack (Uses Authentication Normalization) (source)
- Potential Remote Desktop Tunneling available (source)
- Potentially Relayed NTLM Authentication - Microsoft Defender for Endpoint (source)
- Potentially Relayed NTLM Authentication - Microsoft Sentinel (source)
- Potentially Relayed NTLM Authentication - Microsoft Sentinel (source)
- Rare RDP Connections (source)
- RDP Nesting (source)
- SecurityEvent - Multiple authentication failures followed by a success available (source)
- Service Accounts Performing Remote PS available (source)
- Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) (source)
- Starting or Stopping HealthService to Avoid Detection available (source)
- User login from different countries within 3 hours (Uses Authentication Normalization) (source)
Event ID 4625 An account failed to log on. 13 rules
- Brute force attack against user credentials (Uses Authentication Normalization) (source)
- EatonForeseer - Unauthorized Logins available (source)
- Excessive Windows Logon Failures available (source)
- Failed host logons but success logon to AzureAD (source)
- Failed logon attempts by valid accounts within 10 mins (source)
- Password Spray (source)
- Password Spraying available (source)
- Potential NTLM Relay Attack to Domain Controller (source)
- Potential Password Spray Attack (Uses Authentication Normalization) (source)
- Potential Remote Desktop Tunneling available (source)
- SecurityEvent - Multiple authentication failures followed by a success available (source)
- Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) (source)
- User login from different countries within 3 hours (Uses Authentication Normalization) (source)
Event ID 4634 An account was logged off. 5 rules
- Brute force attack against user credentials (Uses Authentication Normalization) (source)
- EatonForeseer - Unauthorized Logins available (source)
- Potential Password Spray Attack (Uses Authentication Normalization) (source)
- Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) (source)
- User login from different countries within 3 hours (Uses Authentication Normalization) (source)
Event ID 4648 A logon was attempted using explicit credentials. 1 rule
- EatonForeseer - Unauthorized Logins available (source)
Event ID 4656 A handle to an object was requested. 4 rules
- Microsoft Entra ID Health Monitoring Agent Registry Keys Access (source)
- Microsoft Entra ID Health Service Agents Registry Keys Access (source)
- Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access available (source)
- Starting or Stopping HealthService to Avoid Detection available (source)
Event ID 4657 A registry value was modified. 12 rules
- COM Registry Key Modified to Point to File in Color Profile Folder (source)
- Component Object Model Hijacking - Vault7 trick available (source)
- Detect Print Processors Registry Driver Key Creation/Modification available (source)
- Detect Registry Run Key Creation/Modification available (source)
- Detect Windows Allow Firewall Rule Addition/Modification available (source)
- Detect Windows Update Disabled from Registry available (source)
- MosaicLoader available (source)
- Potential Fodhelper UAC Bypass available (source)
- Potential Fodhelper UAC Bypass (ASIM Version) (source)
- Registry Run Keys - Suspicious Registry Run Keys (source)
- Scheduled Task Hide available (source)
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) (source)
Event ID 4660 An object was deleted. 5 rules
- Detect Print Processors Registry Driver Key Creation/Modification available (source)
- Detect Registry Run Key Creation/Modification available (source)
- Detect Windows Allow Firewall Rule Addition/Modification available (source)
- Detect Windows Update Disabled from Registry available (source)
- Potential Fodhelper UAC Bypass (ASIM Version) (source)
Event ID 4663 An attempt was made to access an object. 26 rules
- Detect executable drops via Azure custom script extension (source)
- Detect Print Processors Registry Driver Key Creation/Modification available (source)
- Detect Registry Run Key Creation/Modification available (source)
- Detect Windows Allow Firewall Rule Addition/Modification available (source)
- Detect Windows Update Disabled from Registry available (source)
- Dev-0530 File Extension Rename (source)
- Files Copied to USB Drives available (source)
- Google Threat Intelligence - Threat Hunting Hash (source)
- Identify SysAid Server web shell creation (source)
- Microsoft Entra ID Health Monitoring Agent Registry Keys Access (source)
- Microsoft Entra ID Health Service Agents Registry Keys Access (source)
- Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access available (source)
- Microsoft Recommended Driver Block List (source)
- PE file dropped in Color Profile Folder (source)
- Potential Build Process Compromise (source)
- Potential Fodhelper UAC Bypass (ASIM Version) (source)
- RecordedFuture Threat Hunting Hash All Actors (source)
- Remote File Creation with PsExec available (source)
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) (source)
- SUNBURST and SUPERNOVA backdoor hashes available (source)
- SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) (source)
- Suspicious access of BEC related documents (source)
- Suspicious MSC File Launched (source)
- Suspicious office child process created (source)
- VTI - High Severity SHA1 Collision Detection (source)
- WinRM Plugin Lateral Movement (source)
Event ID 4675 SIDs were filtered. 1 rule
- EatonForeseer - Unauthorized Logins available (source)
Event ID 4688 A new process has been created. 93 rules
- Access Token Manipulation - Create Process with Token available (source)
- Account Creation available (source)
- Base64 encoded Windows process command-lines available (source)
- Base64 encoded Windows process command-lines (Normalized Process Events) (source)
- Bitsadmin Activity available (source)
- Caramel Tsunami Actor IOC - July 2021 available (source)
- Chia_Crypto_Mining IOC - June 2021 available (source)
- Clearing of forensic evidence from event logs using wevtutil available (source)
- Deletion of data on multiple drives using cipher exe available (source)
- Detect Malicious Usage of Recovery Tools to Delete Backup Files available (source)
- Detect Rare scheduled task created (source)
- Detect Suspicious Commands Initiated by Webserver Processes available (source)
- Detect Unknown process launched via WinRM (source)
- Detect Unsigned executable launch from scheduled task (source)
- Detecting UAC bypass - ChangePK and SLUI registry tampering available (source)
- Detecting UAC bypass - elevated COM interface available (source)
- Detecting UAC bypass - modify Windows Store settings available (source)
- Dev-0228 File Path Hashes November 2021 (source)
- Dev-0228 File Path Hashes November 2021 (ASIM Version) (source)
- Dev-0270 Malicious Powershell usage available (source)
- DEV-0270 New User Creation available (source)
- Dev-0270 Registry IOC - September 2022 available (source)
- Dev-0270 WMIC Discovery available (source)
- Disable or Modify Windows Defender available (source)
- Disabling Security Services via Registry available (source)
- Doppelpaymer Stop Services available (source)
- DopplePaymer Procdump available (source)
- Email access via active sync (source)
- Exchange Worker Process Making Remote Call (source)
- Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 available (source)
- Gain Code Execution on ADFS Server via Remote WMI Execution (source)
- Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task available (source)
- Identify Mango Sandstorm powershell commands (source)
- Identify SysAid Server web shell creation (source)
- Imminent Ransomware available (source)
- Ingress Tool Transfer - Certutil available (source)
- Java Executing cmd to run Powershell available (source)
- LaZagne Credential Theft available (source)
- LSASS Credential Dumping with Procdump available (source)
- Malware in the recycle bin available (source)
- Malware in the recycle bin (Normalized Process Events) (source)
- Masquerading Renamed executables of interest (source)
- Match Legitimate Name or Location - 2 available (source)
- Midnight Blizzard - Script payload stored in Registry (source)
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript (source)
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events) (source)
- Network endpoint to host executable correlation available (source)
- New EXE deployed via Default Domain or Default Domain Controller Policies available (source)
- New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) (source)
- NRT Base64 Encoded Windows Process Command-lines available (source)
- NRT Process executed from binary hidden in Base64 encoded file available (source)
- Office Apps Launching Wscipt available (source)
- Oracle suspicious command execution available (source)
- Persistence Via Scheduled Tasks (source)
- Potential Build Process Compromise (source)
- Potential Build Process Compromise - MDE available (source)
- Potential Fodhelper UAC Bypass available (source)
- Potential Kerberos Relaying Activity - MDE (source)
- Potential Lateral Movement via MSI ODBC Driver Install over DCOM (source)
- Potential re-named sdelete usage available (source)
- Potential re-named sdelete usage (ASIM Version) (source)
- Powershell Empire Cmdlets Executed in Command Line available (source)
- Probable AdFind Recon Tool Usage available (source)
- Probable AdFind Recon Tool Usage (Normalized Process Events) (source)
- Process Creation with Suspicious CommandLine Arguments available (source)
- Process executed from binary hidden in Base64 encoded file available (source)
- Process Execution Frequency Anomaly available (source)
- Process Tree Analysis (source)
- PRT Credential Stealing (source)
- Qakbot Campaign Self Deletion available (source)
- Qakbot Discovery Activies available (source)
- Rare Process as a Service available (source)
- Regsvr32 Rundll32 with Anomalous Parent Process available (source)
- Remote Desktop Protocol - SharpRDP available (source)
- Rename System Utilities available (source)
- Scheduled Task - Suspicious Network Connection (source)
- Sdelete deployed via GPO and run recursively available (source)
- Sdelete deployed via GPO and run recursively (ASIM Version) (source)
- Security Service Registry ACL Modification (source)
- Shadow Copy Deletions available (source)
- Silk Typhoon New UM Service Child Process (source)
- SQL Server spawning suspicious child process (source)
- Stopping multiple processes using taskkill available (source)
- SUNBURST suspicious SolarWinds child processes (source)
- SUNBURST suspicious SolarWinds child processes (Normalized Process Events) (source)
- Suspicious MSC File Launched (source)
- Suspicious office child process created (source)
- Suspicious parentprocess relationship - Office child processes. available (source)
- Trusted Developer Utilities Proxy Execution available (source)
- Unsigned Windows System Binary (source)
- Unusual identity creation using exchange powershell (source)
- Windows Binaries Executed from Non-Default Directory available (source)
- Zinc Actor IOCs files - October 2022 available (source)
Event ID 4689 A process has exited. 12 rules
- Base64 encoded Windows process command-lines (Normalized Process Events) (source)
- Detect Malicious Usage of Recovery Tools to Delete Backup Files available (source)
- Dev-0228 File Path Hashes November 2021 (ASIM Version) (source)
- Imminent Ransomware available (source)
- Malware in the recycle bin (Normalized Process Events) (source)
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events) (source)
- New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) (source)
- Potential re-named sdelete usage (ASIM Version) (source)
- Probable AdFind Recon Tool Usage (Normalized Process Events) (source)
- Process Creation with Suspicious CommandLine Arguments available (source)
- Sdelete deployed via GPO and run recursively (ASIM Version) (source)
- SUNBURST suspicious SolarWinds child processes (Normalized Process Events) (source)
Event ID 4732 A member was added to a security-enabled local group. 5 rules
- Account added and removed from privileged groups (source)
- Group created then added to built in domain local or global group (source)
- Local Admin Group Changes available (source)
- New user created and added to the built-in administrators group (source)
- User account added to built in domain local or global group (source)
Event ID 5143 A network share object was modified. 1 rule
- Excessive share permissions available (source)
Event ID 5152 The Windows Filtering Platform blocked a packet. 8 rules
- Anomaly in SMB Traffic(ASIM Network Session schema) available (source)
- Excessive number of failed connections from a single source (ASIM Network Session schema) available (source)
- Google Threat Intelligence - Threat Hunting IP (source)
- Network Port Sweep from External Network (ASIM Network Session schema) available (source)
- Port scan detected (ASIM Network Session schema) available (source)
- Potential beaconing activity (ASIM Network Session schema) available (source)
- RecordedFuture Threat Hunting IP All Actors (source)
- Remote Desktop Network Brute force (ASIM Network Session schema) available (source)
Event ID 5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 8 rules
- Anomaly in SMB Traffic(ASIM Network Session schema) available (source)
- Excessive number of failed connections from a single source (ASIM Network Session schema) available (source)
- Google Threat Intelligence - Threat Hunting IP (source)
- Network Port Sweep from External Network (ASIM Network Session schema) available (source)
- Port scan detected (ASIM Network Session schema) available (source)
- Potential beaconing activity (ASIM Network Session schema) available (source)
- RecordedFuture Threat Hunting IP All Actors (source)
- Remote Desktop Network Brute force (ASIM Network Session schema) available (source)
Event ID 5155 The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 8 rules
- Anomaly in SMB Traffic(ASIM Network Session schema) available (source)
- Excessive number of failed connections from a single source (ASIM Network Session schema) available (source)
- Google Threat Intelligence - Threat Hunting IP (source)
- Network Port Sweep from External Network (ASIM Network Session schema) available (source)
- Port scan detected (ASIM Network Session schema) available (source)
- Potential beaconing activity (ASIM Network Session schema) available (source)
- RecordedFuture Threat Hunting IP All Actors (source)
- Remote Desktop Network Brute force (ASIM Network Session schema) available (source)
Event ID 5156 The Windows Filtering Platform has permitted a connection. 35 rules
- AD FS Remote Auth Sync Connection available (source)
- ADWS Connection from Process Injection Target (source)
- ADWS Connection from Unexpected Binary (source)
- Anomaly in SMB Traffic(ASIM Network Session schema) available (source)
- DCOM Lateral Movement available (source)
- Detect CVE exploits on network for which a device is vulnerable (source)
- Detect Msiexec executing DLL network connections (source)
- Detect process drops via Azure Custom Script Extension performing lateral movement (source)
- Detect Unknown process using SMB or WinRM (source)
- Excessive number of failed connections from a single source (ASIM Network Session schema) available (source)
- Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 available (source)
- Google Threat Intelligence - Threat Hunting IP (source)
- Hunt for ADWS requests from unknown devices (source)
- Hunt for Defender for Identity NNR issues (source)
- Hunt for devices doing first RDP session (source)
- Hunt for public facing devices via DeviceNetworkEvents (source)
- Hunt for RDP sessions to unmanaged and non TPM devices (source)
- Hunt MDE with GSA events (source)
- Network Port Sweep from External Network (ASIM Network Session schema) available (source)
- NTLM Relay Attack (source)
- Port scan detected (ASIM Network Session schema) available (source)
- Potential beaconing activity (ASIM Network Session schema) available (source)
- Potential Kerberos Relaying Activity - MDE (source)
- RecordedFuture Threat Hunting IP All Actors (source)
- Remote Desktop Network Brute force (ASIM Network Session schema) available (source)
- RITA Beacon Analyzer for Windows Firewall Events (source)
- Rouge RDP: Suspicious File Creation (source)
- Server Network Connection Anomalies (source)
- SMB/Windows Admin Shares available (source)
- SUNBURST network beacons available (source)
- Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports (source)
- Suspicious Network Beacons - Microsoft Defender(MDE/M365D) (source)
- Suspicious Network Connections - Supply Chain Attack (source)
- Suspicious office child process created (source)
- Zinc Actor IOCs files - October 2022 available (source)
Event ID 5157 The Windows Filtering Platform has blocked a connection. 11 rules
- Anomaly in SMB Traffic(ASIM Network Session schema) available (source)
- Detect process drops via Azure Custom Script Extension performing lateral movement (source)
- Detect Unknown process using SMB or WinRM (source)
- Excessive number of failed connections from a single source (ASIM Network Session schema) available (source)
- Google Threat Intelligence - Threat Hunting IP (source)
- Hunt for Defender for Identity NNR issues (source)
- Network Port Sweep from External Network (ASIM Network Session schema) available (source)
- Port scan detected (ASIM Network Session schema) available (source)
- Potential beaconing activity (ASIM Network Session schema) available (source)
- RecordedFuture Threat Hunting IP All Actors (source)
- Remote Desktop Network Brute force (ASIM Network Session schema) available (source)
Event ID 5158 The Windows Filtering Platform has permitted a bind to a local port. 8 rules
- Anomaly in SMB Traffic(ASIM Network Session schema) available (source)
- Excessive number of failed connections from a single source (ASIM Network Session schema) available (source)
- Google Threat Intelligence - Threat Hunting IP (source)
- Network Port Sweep from External Network (ASIM Network Session schema) available (source)
- Port scan detected (ASIM Network Session schema) available (source)
- Potential beaconing activity (ASIM Network Session schema) available (source)
- RecordedFuture Threat Hunting IP All Actors (source)
- Remote Desktop Network Brute force (ASIM Network Session schema) available (source)
Event ID 5159 The Windows Filtering Platform has blocked a bind to a local port. 8 rules
- Anomaly in SMB Traffic(ASIM Network Session schema) available (source)
- Excessive number of failed connections from a single source (ASIM Network Session schema) available (source)
- Google Threat Intelligence - Threat Hunting IP (source)
- Network Port Sweep from External Network (ASIM Network Session schema) available (source)
- Port scan detected (ASIM Network Session schema) available (source)
- Potential beaconing activity (ASIM Network Session schema) available (source)
- RecordedFuture Threat Hunting IP All Actors (source)
- Remote Desktop Network Brute force (ASIM Network Session schema) available (source)
Microsoft-Windows-Sysmon
Event ID 1 Process creation 73 rules
- Access Token Manipulation - Create Process with Token available (source)
- Account Creation available (source)
- Audit policy manipulation using auditpol utility (source)
- Base64 encoded Windows process command-lines (Normalized Process Events) (source)
- Bitsadmin Activity available (source)
- Clearing of forensic evidence from event logs using wevtutil available (source)
- COM Event System Loading New DLL (source)
- Deletion of data on multiple drives using cipher exe available (source)
- Detect Malicious Usage of Recovery Tools to Delete Backup Files available (source)
- Detect Rare scheduled task created (source)
- Detect Suspicious Commands Initiated by Webserver Processes available (source)
- Detect Unknown process launched via WinRM (source)
- Detect Unsigned executable launch from scheduled task (source)
- Detecting Macro Invoking ShellBrowserWindow COM Objects available (source)
- Detecting UAC bypass - ChangePK and SLUI registry tampering available (source)
- Detecting UAC bypass - elevated COM interface available (source)
- Detecting UAC bypass - modify Windows Store settings available (source)
- Dev-0228 File Path Hashes November 2021 (source)
- Dev-0228 File Path Hashes November 2021 (ASIM Version) (source)
- Disable or Modify Windows Defender available (source)
- Disabling Security Services via Registry available (source)
- Doppelpaymer Stop Services available (source)
- DopplePaymer Procdump available (source)
- Email access via active sync (source)
- Exchange Worker Process Making Remote Call (source)
- Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 available (source)
- Gain Code Execution on ADFS Server via Remote WMI Execution (source)
- Imminent Ransomware available (source)
- Ingress Tool Transfer - Certutil available (source)
- Java Executing cmd to run Powershell available (source)
- Lateral Movement via DCOM available (source)
- LaZagne Credential Theft available (source)
- LSASS Credential Dumping with Procdump available (source)
- Malware in the recycle bin (Normalized Process Events) (source)
- Masquerading Renamed executables of interest (source)
- Match Legitimate Name or Location - 2 available (source)
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events) (source)
- Modification of Accessibility Features (source)
- New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) (source)
- Office Apps Launching Wscipt available (source)
- Oracle suspicious command execution available (source)
- Persistence Via Scheduled Tasks (source)
- Potential Build Process Compromise - MDE available (source)
- Potential Kerberos Relaying Activity - MDE (source)
- Potential Lateral Movement via MSI ODBC Driver Install over DCOM (source)
- Potential re-named sdelete usage (ASIM Version) (source)
- Probable AdFind Recon Tool Usage available (source)
- Probable AdFind Recon Tool Usage (Normalized Process Events) (source)
- Process Creation with Suspicious CommandLine Arguments available (source)
- Process Tree Analysis (source)
- PRT Credential Stealing (source)
- Qakbot Campaign Self Deletion available (source)
- Qakbot Discovery Activies available (source)
- Rare Process as a Service available (source)
- Regsvr32 Rundll32 with Anomalous Parent Process available (source)
- Remote Desktop Protocol - SharpRDP available (source)
- Rename System Utilities available (source)
- Scheduled Task - Suspicious Network Connection (source)
- Sdelete deployed via GPO and run recursively (ASIM Version) (source)
- Shadow Copy Deletions available (source)
- Spearphishing Attachment: ISO Images (Microsoft Sentinel) (source)
- SQL Server spawning suspicious child process (source)
- Stopping multiple processes using taskkill available (source)
- SUNBURST suspicious SolarWinds child processes (source)
- SUNBURST suspicious SolarWinds child processes (Normalized Process Events) (source)
- Suspicious MSC File Launched (source)
- Suspicious office child process created (source)
- Suspicious parentprocess relationship - Office child processes. available (source)
- T1566.002 Spearphishing Link - Rare URL Clicks (source)
- Trusted Developer Utilities Proxy Execution available (source)
- Unsigned Windows System Binary (source)
- Windows Binaries Lolbins Renamed available (source)
- Zinc Actor IOCs files - October 2022 available (source)
Event ID 3 Network connection 34 rules
- AD FS Remote HTTP Network Connection available (source)
- ADWS Connection from Process Injection Target (source)
- ADWS Connection from Unexpected Binary (source)
- Anomaly in SMB Traffic(ASIM Network Session schema) available (source)
- DCOM Lateral Movement available (source)
- Detect CVE exploits on network for which a device is vulnerable (source)
- Detect Msiexec executing DLL network connections (source)
- Detect process drops via Azure Custom Script Extension performing lateral movement (source)
- Detect Unknown process using SMB or WinRM (source)
- Excessive number of failed connections from a single source (ASIM Network Session schema) available (source)
- Google Threat Intelligence - Threat Hunting IP (source)
- Hunt for ADWS requests from unknown devices (source)
- Hunt for Defender for Identity NNR issues (source)
- Hunt for devices doing first RDP session (source)
- Hunt for public facing devices via DeviceNetworkEvents (source)
- Hunt for RDP sessions to unmanaged and non TPM devices (source)
- Hunt MDE with GSA events (source)
- Log4j vulnerability exploit aka Log4Shell IP IOC available (source)
- Network Port Sweep from External Network (ASIM Network Session schema) available (source)
- NTLM Relay Attack (source)
- Port scan detected (ASIM Network Session schema) available (source)
- Potential beaconing activity (ASIM Network Session schema) available (source)
- RecordedFuture Threat Hunting IP All Actors (source)
- Remote Desktop Network Brute force (ASIM Network Session schema) available (source)
- Rouge RDP: Suspicious File Creation (source)
- Server Network Connection Anomalies (source)
- Spearphishing Attachment: ISO Images (Microsoft Sentinel) (source)
- SUNBURST network beacons available (source)
- Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports (source)
- Suspicious Network Beacons - Microsoft Defender(MDE/M365D) (source)
- Suspicious Network Beacons - Sysmon (source)
- Suspicious Network Connections - Supply Chain Attack (source)
- Suspicious office child process created (source)
- Zinc Actor IOCs files - October 2022 available (source)
Event ID 5 Process terminated 13 rules
- Base64 encoded Windows process command-lines (Normalized Process Events) (source)
- Detect Malicious Usage of Recovery Tools to Delete Backup Files available (source)
- Dev-0228 File Path Hashes November 2021 (ASIM Version) (source)
- Imminent Ransomware available (source)
- Malware in the recycle bin (Normalized Process Events) (source)
- Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events) (source)
- New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version) (source)
- Potential re-named sdelete usage (ASIM Version) (source)
- Probable AdFind Recon Tool Usage (Normalized Process Events) (source)
- Process Creation with Suspicious CommandLine Arguments available (source)
- Sdelete deployed via GPO and run recursively (ASIM Version) (source)
- SUNBURST suspicious SolarWinds child processes (Normalized Process Events) (source)
- Suspicious Process Injection from Office application available (source)
Event ID 6 Driver loaded 2 rules
Event ID 7 Image loaded 8 rules
- COM Event System Loading New DLL (source)
- Detect .NET runtime being loaded in JScript for code execution available (source)
- DLL Hijacking: Loading from an Unusual Directory (source)
- Hijack Execution Flow - DLL Side-Loading available (source)
- PowerShell without powershell.exe (source)
- Regsvr32 Rundll32 Image Loads Abnormal Extension available (source)
- Suspicious use of CPL file (source)
- WinRM Plugin Lateral Movement (source)
Event ID 8 CreateRemoteThread 4 rules
Event ID 10 ProcessAccess 2 rules
Event ID 11 FileCreate 17 rules
- Credential Dumping Tools - File Artifacts available (source)
- Detect executable drops via Azure custom script extension (source)
- Dev-0530 File Extension Rename (source)
- Files Copied to USB Drives available (source)
- Google Threat Intelligence - Threat Hunting Hash (source)
- PE file dropped in Color Profile Folder (source)
- RecordedFuture Threat Hunting Hash All Actors (source)
- Remote File Creation with PsExec available (source)
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) (source)
- Spearphishing Attachment: ISO Images (Microsoft Sentinel) (source)
- SUNBURST and SUPERNOVA backdoor hashes available (source)
- SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events) (source)
- Suspicious access of BEC related documents (source)
- Suspicious MSC File Launched (source)
- Suspicious office child process created (source)
- VTI - High Severity SHA1 Collision Detection (source)
- WinRM Plugin Lateral Movement (source)
Event ID 12 RegistryEvent (Object create and delete) 5 rules
- Detect Print Processors Registry Driver Key Creation/Modification available (source)
- Detect Registry Run Key Creation/Modification available (source)
- Detect Windows Allow Firewall Rule Addition/Modification available (source)
- Detect Windows Update Disabled from Registry available (source)
- Potential Fodhelper UAC Bypass (ASIM Version) (source)
Event ID 13 RegistryEvent (Value Set) 15 rules
- COM Registry Key Modified to Point to File in Color Profile Folder (source)
- Component Object Model Hijacking - Vault7 trick available (source)
- Detect Print Processors Registry Driver Key Creation/Modification available (source)
- Detect Registry Run Key Creation/Modification available (source)
- Detect Windows Allow Firewall Rule Addition/Modification available (source)
- Detect Windows Update Disabled from Registry available (source)
- DSRM Account Abuse (source)
- MosaicLoader available (source)
- Potential Fodhelper UAC Bypass (ASIM Version) (source)
- Registry Persistence via AppCert DLL Modification available (source)
- Registry Persistence via AppInit DLLs Modification available (source)
- Registry Run Keys - Suspicious Registry Run Keys (source)
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) (source)
- Spearphishing Attachment: ISO Images (Microsoft Sentinel) (source)
- WDigest downgrade attack available (source)
Event ID 14 RegistryEvent (Key and Value Rename) 5 rules
- Detect Print Processors Registry Driver Key Creation/Modification available (source)
- Detect Registry Run Key Creation/Modification available (source)
- Detect Windows Allow Firewall Rule Addition/Modification available (source)
- Detect Windows Update Disabled from Registry available (source)
- Potential Fodhelper UAC Bypass (ASIM Version) (source)
Event ID 17 PipeEvent (Pipe Created) 3 rules
- C2-NamedPipe available (source)
- Solorigate Named Pipe (source)
- Suspicious named pipes available (source)
Event ID 18 PipeEvent (Pipe Connected) 5 rules
- AD FS Remote HTTP Network Connection available (source)
- ADFS Database Named Pipe Connection available (source)
- C2-NamedPipe available (source)
- Solorigate Named Pipe (source)
- Suspicious named pipes available (source)
Event ID 22 DNSEvent (DNS query) 11 rules
- Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) available (source)
- Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) available (source)
- DNS events related to mining pools (ASIM DNS Schema) (source)
- DNS events related to ToR proxies (ASIM DNS Schema) (source)
- Excessive NXDOMAIN DNS Queries (ASIM DNS Schema) (source)
- Google Threat Intelligence - Threat Hunting Domain (source)
- Ngrok Reverse Proxy on Network (ASIM DNS Solution) available (source)
- Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) available (source)
- Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution) available (source)
- Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) available (source)
- RecordedFuture Threat Hunting Domain All Actors (source)
Defender-DeviceEvents
any Defender event (any) 10 rules
- Detect device token stealing with WDAC (source)
- Detect LolDriver drop or load from unknown or unsigned process (source)
- Detect Suspicious ncrypt.dll usage by CLI tool or unknown process (source)
- Detect Suspicious ncrypt.dll usage by process requesting Entra ID Nonce (source)
- Detect Suspicious ncrypt.dll usage on admin device with RDP connections to non TPM protected device (source)
- Detect Suspicious ncrypt.dll usage with RDP connections to unmanaged or non TPM protected device (source)
- Office ASR rule triggered from browser spawned office process. available (source)
- SUNSPOT malware hashes available (source)
- TEARDROP memory-only dropper available (source)
- Windows host username encoded in base64 web request (source)
NamedPipeEvent Named pipe event 2 rules
- C2-NamedPipe available (source)
- Suspicious named pipes available (source)
UserAccountAddedToLocalGroup User account added to local group 1 rule
- Local Admin Group Changes available (source)
DriverLoad Driver loaded 2 rules
NtAllocateVirtualMemoryRemoteApiCall Remote virtual memory allocation (NtAllocateVirtualMemory) 3 rules
Microsoft-Windows-Threat-Intelligence
Event ID 3 Remote Section Map 3 rules
Event ID 4 Remote APC Queue 3 rules
Defender-DeviceNetworkEvents
any Network activity (any) 9 rules
- DCOM Lateral Movement available (source)
- Detect CVE exploits on network for which a device is vulnerable (source)
- Detect Msiexec executing DLL network connections (source)
- Hunt for ADWS requests from unknown devices (source)
- Hunt for public facing devices via DeviceNetworkEvents (source)
- Hunt MDE with GSA events (source)
- Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports (source)
- Suspicious Network Connections - Supply Chain Attack (source)
- Zinc Actor IOCs files - October 2022 available (source)
ConnectionSuccess Connection succeeded 13 rules
- ADWS Connection from Process Injection Target (source)
- ADWS Connection from Unexpected Binary (source)
- Detect process drops via Azure Custom Script Extension performing lateral movement (source)
- Detect Unknown process using SMB or WinRM (source)
- Hunt for Defender for Identity NNR issues (source)
- Hunt for devices doing first RDP session (source)
- Hunt for RDP sessions to unmanaged and non TPM devices (source)
- NTLM Relay Attack (source)
- Rouge RDP: Suspicious File Creation (source)
- Server Network Connection Anomalies (source)
- SUNBURST network beacons available (source)
- Suspicious Network Beacons - Microsoft Defender(MDE/M365D) (source)
- Suspicious office child process created (source)
Defender-DeviceFileEvents
any File activity (any) 4 rules
FileCreated File created 7 rules
- Detect executable drops via Azure custom script extension (source)
- Dev-0530 File Extension Rename (source)
- Files Copied to USB Drives available (source)
- PE file dropped in Color Profile Folder (source)
- Suspicious MSC File Launched (source)
- Suspicious office child process created (source)
- WinRM Plugin Lateral Movement (source)
Defender-DeviceRegistryEvents
RegistryKeyDeleted Registry key deleted 5 rules
- Detect Print Processors Registry Driver Key Creation/Modification available (source)
- Detect Registry Run Key Creation/Modification available (source)
- Detect Windows Allow Firewall Rule Addition/Modification available (source)
- Detect Windows Update Disabled from Registry available (source)
- Potential Fodhelper UAC Bypass (ASIM Version) (source)
RegistryValueSet Registry value set 10 rules
- COM Registry Key Modified to Point to File in Color Profile Folder (source)
- Component Object Model Hijacking - Vault7 trick available (source)
- Detect Print Processors Registry Driver Key Creation/Modification available (source)
- Detect Registry Run Key Creation/Modification available (source)
- Detect Windows Allow Firewall Rule Addition/Modification available (source)
- Detect Windows Update Disabled from Registry available (source)
- MosaicLoader available (source)
- Potential Fodhelper UAC Bypass (ASIM Version) (source)
- Registry Run Keys - Suspicious Registry Run Keys (source)
- Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint) (source)
RegistryValueDeleted Registry value deleted 5 rules
- Detect Print Processors Registry Driver Key Creation/Modification available (source)
- Detect Registry Run Key Creation/Modification available (source)
- Detect Windows Allow Firewall Rule Addition/Modification available (source)
- Detect Windows Update Disabled from Registry available (source)
- Potential Fodhelper UAC Bypass (ASIM Version) (source)
RegistryKeyRenamed Registry key renamed 5 rules
- Detect Print Processors Registry Driver Key Creation/Modification available (source)
- Detect Registry Run Key Creation/Modification available (source)
- Detect Windows Allow Firewall Rule Addition/Modification available (source)
- Detect Windows Update Disabled from Registry available (source)
- Potential Fodhelper UAC Bypass (ASIM Version) (source)
Microsoft-Windows-Windows-Defender
Defender-DeviceLogonEvents
any Logon activity (any) 2 rules
LogonSuccess Logon succeeded 5 rules
LogonFailed Logon failed 1 rule
- Password Spraying available (source)
Defender-DeviceImageLoadEvents
any Image load (any) 6 rules
- Detect .NET runtime being loaded in JScript for code execution available (source)
- DLL Hijacking: Loading from an Unusual Directory (source)
- Hijack Execution Flow - DLL Side-Loading available (source)
- PowerShell without powershell.exe (source)
- Regsvr32 Rundll32 Image Loads Abnormal Extension available (source)
- WinRM Plugin Lateral Movement (source)
Defender-DeviceProcessEvents
any Process activity (any) 42 rules
- Access Token Manipulation - Create Process with Token available (source)
- Account Creation available (source)
- Bitsadmin Activity available (source)
- Clearing of forensic evidence from event logs using wevtutil available (source)
- Deletion of data on multiple drives using cipher exe available (source)
- Detect Rare scheduled task created (source)
- Detect Suspicious Commands Initiated by Webserver Processes available (source)
- Detect Unknown process launched via WinRM (source)
- Detect Unsigned executable launch from scheduled task (source)
- Detecting UAC bypass - ChangePK and SLUI registry tampering available (source)
- Detecting UAC bypass - elevated COM interface available (source)
- Detecting UAC bypass - modify Windows Store settings available (source)
- Dev-0228 File Path Hashes November 2021 (source)
- Disable or Modify Windows Defender available (source)
- Disabling Security Services via Registry available (source)
- Doppelpaymer Stop Services available (source)
- DopplePaymer Procdump available (source)
- Exchange Worker Process Making Remote Call (source)
- Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 available (source)
- Ingress Tool Transfer - Certutil available (source)
- Java Executing cmd to run Powershell available (source)
- LaZagne Credential Theft available (source)
- LSASS Credential Dumping with Procdump available (source)
- Match Legitimate Name or Location - 2 available (source)
- Office Apps Launching Wscipt available (source)
- Oracle suspicious command execution available (source)
- Potential Build Process Compromise - MDE available (source)
- Potential Lateral Movement via MSI ODBC Driver Install over DCOM (source)
- Probable AdFind Recon Tool Usage available (source)
- Process Tree Analysis (source)
- Qakbot Campaign Self Deletion available (source)
- Qakbot Discovery Activies available (source)
- Rare Process as a Service available (source)
- Regsvr32 Rundll32 with Anomalous Parent Process available (source)
- Remote Desktop Protocol - SharpRDP available (source)
- Rename System Utilities available (source)
- Scheduled Task - Suspicious Network Connection (source)
- Shadow Copy Deletions available (source)
- Stopping multiple processes using taskkill available (source)
- SUNBURST suspicious SolarWinds child processes (source)
- Suspicious parentprocess relationship - Office child processes. available (source)
- Trusted Developer Utilities Proxy Execution available (source)
ProcessCreated Process created 8 rules
- Masquerading Renamed executables of interest (source)
- Persistence Via Scheduled Tasks (source)
- Potential Kerberos Relaying Activity - MDE (source)
- PRT Credential Stealing (source)
- SQL Server spawning suspicious child process (source)
- Suspicious MSC File Launched (source)
- Suspicious office child process created (source)
- Unsigned Windows System Binary (source)
Microsoft-Windows-DotNETRuntime
Microsoft-Windows-Eventlog
Event ID 1102 The audit log was cleared. 2 rules
- NRT Security Event log cleared available (source)
- Security Event log cleared available (source)