Sigma rule coverage
281 events across 54 providers with Sigma detection rules, 4217 rule mappings total. Each rule links to its own page (predicates, exclusions, shared indicators). For the rule-centric ATT&CK browse across every vendor, see all detection rules; non-Windows Sigma rules are grouped by platform and technique at Sigma non-Windows coverage.
Microsoft-Windows-Security-Auditing
Event ID 675 Pre-authentication failed (legacy Windows 2003 Kerberos event; superseded by 4771). 1 rule
Event ID 4616 The system time was changed. 2 rules
- System time changed experimental (source)
- Unauthorized System Time Modification test (source)
Event ID 4622 A security package has been loaded by the Local Security Authority. 1 rule
- Security package (SSP) loaded into LSA (native) experimental (source)
Event ID 4624 An account was successfully logged on. 29 rules
- Active Directory honeypot used for lateral movement experimental (source)
- Admin User Remote Logon test (source)
- Administrator login impersonation with forged Golden ticket stable (source)
- Anonymous access performed to multiple targets experimental (source)
- Anonymous login (RottenPotatoNG) experimental (source)
- Azure Windows virtual machine login via serial console experimental (source)
- Detection of default a Windows host name in login attempts experimental (source)
- DiagTrackEoP Default Login Username test (source)
- Exchange server impersonation via PrivExchange relay attack experimental (source)
- External Remote RDP Logon from Public IP test (source)
- External Remote SMB Logon from Public IP test (source)
- Hacktool Ruler test (source)
- Metasploit SMB Authentication test (source)
- Mimikatz Pass-the-hash login experimental (source)
- NetSYnc attack experimental (source)
- Network login performed to multiple targets experimental (source)
- Outgoing Logon with New Credentials test (source)
- Pass the Hash Activity 2 stable (source)
- Potential Access Token Abuse test (source)
- Potential Privilege Escalation via Local Kerberos Relay over LDAP test (source)
- Potential Remote WMI ActiveScriptEventConsumers Activity test (source)
- Privilege escalation via runas (command) experimental (source)
- RDP Login from Localhost test (source)
- RottenPotato Like Attack Pattern test (source)
- Success login attempt on a Windows OpenSSH server experimental (source)
- Successful Account Login Via WMI stable (source)
- Successful Overpass the Hash Attempt test (source)
- Suspicious anonymous login (domain specified) experimental (source)
- User password change without previous password known - SetNTLM (Mimikatz) experimental (source)
Event ID 4625 An account failed to log on. 11 rules
- Account Tampering - Suspicious Failed Logon Reasons test (source)
- Active Directory honeypot used for lateral movement experimental (source)
- Brutforce enumeration on Windows OpenSSH server with non existing user experimental (source)
- Brutforce enumeration with non existing users (login) experimental (source)
- Brutforce on Windows OpenSSH server with valid users experimental (source)
- Brutforce with denied access due to account restrictions policies experimental (source)
- Detection of default a Windows host name in login attempts experimental (source)
- Failed Logon From Public IP test (source)
- Hacktool Ruler test (source)
- Metasploit SMB Authentication test (source)
- Scanner PoC for CVE-2019-0708 RDP RCE Vuln test (source)
Event ID 4656 A handle to an object was requested. 18 rules
- Azure AD Health Monitoring Agent Registry Keys Access test (source)
- Azure AD Health Service Agents Registry Keys Access test (source)
- BlueSky Ransomware Artefacts test (source)
- CVE-2023-23397 Exploitation Attempt test (source)
- LSASS Access From Non System Account test (source)
- LSASS credential dump with LSASSY (kernel access) experimental (source)
- LSASS process dump by a non system account experimental (source)
- Password Dumper Activity on LSASS test (source)
- Potential Secure Deletion with SDelete test (source)
- Potentially Suspicious AccessMask Requested From LSASS test (source)
- Processes Accessing the Microphone and Webcam test (source)
- SAM Registry Hive Handle Request test (source)
- SCM Database Handle Failure test (source)
- Sticky key sethc file failed replacement experimental (source)
- SysKey Registry Keys Access test (source)
- WCE wceaux.dll Access test (source)
- Windows Defender Exclusion Registry Key - Write Access Requested test (source)
- WinRM listening service reconnaissance (WS-Management) experimental (source)
Event ID 4661 A handle to an object was requested. 9 rules
- AD Privileged Users or Groups Reconnaissance test (source)
- Domain password policy enumeration experimental (source)
- Local domain group enumeration experimental (source)
- Massive SAM users/groups enumeration (native) experimental (source)
- Password Policy Enumerated test (source)
- Potential SAM database user credentials dumped with DCshadow experimental (source)
- Reconnaissance Activity test (source)
- SAM database user credentials dump with Mimikatz experimental (source)
- Sensitive SAM domain user & groups discovery (native) experimental (source)
Event ID 4662 An operation was performed on an object. 13 rules
- Account accessed to attributes related to DCshadow experimental (source)
- Active Directory honeypot enumerated by a suspicious host (Bloodhound) experimental (source)
- Active Directory Replication from Non Machine Account test (source)
- AD Object WriteDAC Access test (source)
- Domain group enumeration experimental (source)
- DPAPI Domain Backup Key Extraction test (source)
- Group Managed Service Accounts password dump - GoldenGMSA experimental (source)
- Mimikatz DC Sync test (source)
- Potential AD User Enumeration From Non-Machine Account test (source)
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation experimental (source)
- Replication privileges accessed to perform DCSync attack experimental (source)
- Suspicious Active Directory DPAPI attributes accessed (Mimikatz, DCSync, RiskySPN) experimental (source)
- WMI Persistence - Security test (source)
Event ID 4663 An attempt was made to access an object. 22 rules
- Access To Browser Credential Files By Uncommon Applications - Security test (source)
- Azure AD Health Monitoring Agent Registry Keys Access test (source)
- Azure AD Health Service Agents Registry Keys Access test (source)
- BlueSky Ransomware Artefacts test (source)
- CVE-2023-23397 Exploitation Attempt test (source)
- CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security test (source)
- File Access Of Signal Desktop Sensitive Data experimental (source)
- ISO Image Mounted test (source)
- LSASS Access From Non System Account test (source)
- LSASS credential dump with LSASSY (kernel access) experimental (source)
- LSASS process dump by a non system account experimental (source)
- Potential Secure Deletion with SDelete test (source)
- Potentially Suspicious AccessMask Requested From LSASS test (source)
- Processes Accessing the Microphone and Webcam test (source)
- ScreenConnect User Database Modification - Security test (source)
- Service Registry Key Read Access Request test (source)
- Suspicious Teams Application Related ObjectAcess Event test (source)
- SysKey Registry Keys Access test (source)
- Sysmon Channel Reference Deletion test (source)
- Task Manager used for LSASS dump (kernel) experimental (source)
- WCE wceaux.dll Access test (source)
- Windows Defender Exclusion Registry Key - Write Access Requested test (source)
Event ID 4664 An attempt was made to create a hard link. 1 rule
- NTFS hard link creation experimental (source)
Event ID 4688 A new process has been created. 735 rules
- Abusing Print Executable test (source)
- Adwind RAT / JRAT test (source)
- Anonymous login (RottenPotatoNG) experimental (source)
- APT27 - Emissary Panda Activity test (source)
- APT29 2018 Phishing Campaign CommandLine Indicators stable (source)
- APT31 Judgement Panda Activity test (source)
- Arbitrary Binary Execution Using GUP Utility test (source)
- Arbitrary File Download Via GfxDownloadWrapper.EXE test (source)
- Arbitrary File Download Via Squirrel.EXE test (source)
- Arbitrary MSI Download Via Devinit.EXE test (source)
- Arbitrary Shell Command Execution Via Settingcontent-Ms test (source)
- AspNetCompiler Execution test (source)
- Assembly Loading Via CL_LoadAssembly.ps1 test (source)
- Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental (source)
- Audio Capture via PowerShell test (source)
- Audio Capture via SoundRecorder test (source)
- Audit policy disabled by command line experimental (source)
- Audit policy enumerated experimental (source)
- Audit Policy Tampering Via NT Resource Kit Auditpol test (source)
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl test (source)
- Base64 Encoded PowerShell Command Detected test (source)
- Base64 MZ Header In CommandLine test (source)
- BitLocker feature configuration (Reg via command) experimental (source)
- BitLockerTogo.EXE Execution test (source)
- BITS payload downloaded via commandline experimental (source)
- Blue Mockingbird test (source)
- Browser Execution In Headless Mode test (source)
- Browser Started with Remote Debugging test (source)
- Bypass UAC via Fodhelper.exe test (source)
- Cab File Extraction Via Wusa.EXE test (source)
- Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths test (source)
- Certificate Exported Via PowerShell test (source)
- Certutil payload download (command) experimental (source)
- Certutil payload obfuscation (command) experimental (source)
- Certutil payload obfuscation - Tchopper (command) experimental (source)
- Certutil root certificate installation experimental (source)
- Changing Existing Service ImagePath Value Via Reg.EXE test (source)
- Chopper Webshell Process Pattern test (source)
- Chromium Browser Headless Execution To Mockbin Like Site test (source)
- Chromium Browser Instance Executed With Custom Extension test (source)
- ClickOnce Deployment Execution - Dfsvc.EXE Child Process test (source)
- Cloudflared Portable Execution test (source)
- Cloudflared Tunnel Connections Cleanup test (source)
- Cloudflared Tunnel Execution test (source)
- Cmd.EXE Missing Space Characters Execution Anomaly test (source)
- CMSTP Execution Process Creation stable (source)
- COLDSTEEL RAT Anonymous User Process Execution test (source)
- COLDSTEEL RAT Service Persistence Execution test (source)
- COM Object Execution via Xwizard.EXE test (source)
- Command Line Execution with Suspicious URL and AppData Strings test (source)
- Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791) experimental (source)
- Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental (source)
- Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) experimental (source)
- Compress Data and Lock With Password for Exfiltration With WINZIP test (source)
- Conti NTDS Exfiltration Command test (source)
- Conti Volume Shadow Listing test (source)
- Copy From VolumeShadowCopy Via Cmd.EXE test (source)
- Cscript/Wscript Potentially Suspicious Child Process test (source)
- Curl Download And Execute Combination test (source)
- DarkGate - User Created Via Net.EXE test (source)
- Defrag Deactivation test (source)
- Delete All Scheduled Tasks test (source)
- Deletion of Volume Shadow Copies via WMI with PowerShell test (source)
- Detected Windows Software Discovery test (source)
- DeviceCredentialDeployment Execution test (source)
- Devtoolslauncher.exe Executes Specified Binary test (source)
- Diamond Sleet APT Process Activity Indicators test (source)
- Disabled guest or builtin account activated (command) (source)
- Disabled IE Security Features test (source)
- Disabled Volume Snapshots test (source)
- Discovery of a System Time test (source)
- Diskshadow Child Process Spawned test (source)
- Diskshadow command abuse to expose VSS backup experimental (source)
- DLL Execution Via Register-cimprovider.exe test (source)
- DLL ServerLevelPluginDll command installation experimental (source)
- DLL Sideloading by VMware Xfer Utility test (source)
- Dllhost.EXE Execution Anomaly test (source)
- DNS Exfiltration and Tunneling Tools Execution test (source)
- DNS RCE CVE-2020-1350 test (source)
- DoT (DNS over TLS) activation (command) stable (source)
- Droppers Exploiting CVE-2017-11882 stable (source)
- Dropping Of Password Filter DLL test (source)
- DSInternals Suspicious PowerShell Cmdlets test (source)
- DSRM password changed (Reg via command) experimental (source)
- Dumping Process via Sqldumper.exe test (source)
- DumpStack.log Defender Evasion test (source)
- Dynamic .NET Compilation Via Csc.EXE - Hunting test (source)
- EAP service activation by Liontail framework for DLL sideloading (via command) stable (source)
- Edge abuse for payload download via console experimental (source)
- Edge/Chrome headless feature abuse for payload download experimental (source)
- Elise Backdoor Activity test (source)
- Email Exifiltration Via Powershell test (source)
- Emotet Loader Execution Via .LNK File test (source)
- Enable LM Hash Storage - ProcCreation test (source)
- Encoded PowerShell payload deployed via process execution experimental (source)
- Enumeration for 3rd Party Creds From CLI test (source)
- Enumeration for Credentials in Registry test (source)
- Equation Group DLL_U Export Function Load stable (source)
- Esentutl Gather Credentials test (source)
- ETW Logging Tamper In .NET Processes Via CommandLine test (source)
- ETW Trace Evasion Activity test (source)
- Event log clear attempt (command) experimental (source)
- Event log clear attempt (wmi) experimental (source)
- Event log deactivation or size reduction (command) experimental (source)
- EvilNum APT Golden Chickens Deployment Via OCX Files test (source)
- Execute Code with Pester.bat test (source)
- Execute Files with Msdeploy.exe test (source)
- Execute From Alternate Data Streams test (source)
- Execute Pcwrun.EXE To Leverage Follina test (source)
- Execution From Webserver Root Folder test (source)
- Execution Of Non-Existing File test (source)
- Execution of Powershell Script in Public Folder test (source)
- Execution of Suspicious File Type Extension test (source)
- Execution via stordiag.exe test (source)
- Execution via WorkFolders.exe test (source)
- Exploit for CVE-2015-1641 stable (source)
- Exploit for CVE-2017-0261 test (source)
- Exploit for CVE-2017-8759 test (source)
- Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC test (source)
- Exploited CVE-2020-10189 Zoho ManageEngine test (source)
- Exploiting CVE-2019-1388 stable (source)
- Explorer Process Tree Break test (source)
- File Download From Browser Process Via Inline URL test (source)
- File Download with Headless Browser test (source)
- File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell test (source)
- File or Folder Permissions Modifications test (source)
- Files Added To An Archive Using Rar.EXE test (source)
- Fireball Archer Install test (source)
- Firewall configuration enumerated (command) experimental (source)
- Firewall deactivation (deprecated command) experimental (source)
- Firewall deactivation (modern command) experimental (source)
- Firewall rule creation (command) experimental (source)
- Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet test (source)
- Gpresult Display Group Policy Information test (source)
- Greenbug Espionage Group Indicators test (source)
- Griffon Malware Attack Pattern test (source)
- Grixba Malware Reconnaissance Activity experimental (source)
- Group discovery (command) (source)
- Gzip Archive Decode Via PowerShell test (source)
- HackTool - ADCSPwn Execution test (source)
- HackTool - Covenant PowerShell Launcher test (source)
- HackTool - CrackMapExec Execution test (source)
- HackTool - CrackMapExec Execution Patterns stable (source)
- HackTool - CrackMapExec Process Patterns test (source)
- HackTool - Default PowerSploit/Empire Scheduled Task Creation test (source)
- HackTool - DInjector PowerShell Cradle Execution test (source)
- HackTool - Empire PowerShell Launch Parameters test (source)
- HackTool - Empire PowerShell UAC Bypass stable (source)
- HackTool - F-Secure C3 Load by Rundll32 test (source)
- HackTool - Hashcat Password Cracker Execution test (source)
- HackTool - HollowReaper Execution experimental (source)
- HackTool - Htran/NATBypass Execution test (source)
- HackTool - Hydra Password Bruteforce Execution test (source)
- HackTool - Impacket Tools Execution test (source)
- HackTool - LaZagne Execution experimental (source)
- HackTool - Mimikatz Execution test (source)
- HackTool - NetExec Execution experimental (source)
- HackTool - Pypykatz Credentials Dumping Activity test (source)
- HackTool - Quarks PwDump Execution test (source)
- HackTool - RedMimicry Winnti Playbook Execution test (source)
- HackTool - SharpWSUS/WSUSpendu Execution test (source)
- HackTool - Sliver C2 Implant Activity Pattern test (source)
- HackTool - SOAPHound Execution test (source)
- HackTool - WinPwn Execution test (source)
- HackTool - WinRM Access Via Evil-WinRM test (source)
- HackTool - Wmiexec Default Powershell Command test (source)
- HackTool - XORDump Execution test (source)
- HAFNIUM Exchange Exploitation Activity test (source)
- Hermetic Wiper TG Process Patterns test (source)
- Hidden Powershell in Link File Pattern test (source)
- Hiding User Account Via SpecialAccounts Registry Key - CommandLine test (source)
- HTML File Opened From Download Folder experimental (source)
- HTML Help HH.EXE Suspicious Child Process test (source)
- IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 test (source)
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI test (source)
- IFM creation detected from commandline (installation from media) experimental (source)
- ImagingDevices Unusual Parent/Child Processes test (source)
- Impacket DCOMexec process abuse via MMC experimental (source)
- Import PowerShell Modules From Suspicious Directories - ProcCreation test (source)
- Indirect Command Execution By Program Compatibility Wizard test (source)
- Indirect Command Execution via SFTP ProxyCommand experimental (source)
- InfDefaultInstall.exe .inf Execution test (source)
- Injected Browser Process Spawning Rundll32 - GuLoader Activity test (source)
- Interactive AT Job test (source)
- Interactive privileged shell triggered by schedule task (deprecated) experimental (source)
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) test (source)
- Invoke-Obfuscation CLIP+ Launcher test (source)
- Invoke-Obfuscation COMPRESS OBFUSCATION test (source)
- Invoke-Obfuscation Obfuscated IEX Invocation test (source)
- Invoke-Obfuscation STDIN+ Launcher test (source)
- Invoke-Obfuscation VAR+ Launcher test (source)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION test (source)
- Invoke-Obfuscation Via Stdin test (source)
- Invoke-Obfuscation Via Use Clip test (source)
- Invoke-Obfuscation Via Use MSHTA test (source)
- Java Running with Remote Debugging test (source)
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental (source)
- Kavremover Dropped Binary LOLBIN Usage test (source)
- Lace Tempest Cobalt Strike Download test (source)
- Lateral movement by mounting a network share - net use (command) experimental (source)
- Launch-VsDevShell.PS1 Proxy Execution test (source)
- Lazarus Group Activity test (source)
- Lazarus System Binary Masquerading test (source)
- LockerGoga Ransomware Activity stable (source)
- Lolbin Runexehelper Use As Proxy test (source)
- LSASS Dump Keyword In CommandLine test (source)
- Malicious PE Execution by Microsoft Visual Studio Debugger test (source)
- Malicious PowerShell Commandlets - ProcessCreation test (source)
- Manual Execution of Script Inside of a Compressed File test (source)
- Massive processes termination burst experimental (source)
- Massive services deletion burst experimental (source)
- Massive services termination burst experimental (source)
- Mavinject Inject DLL Into Running Process test (source)
- MERCURY APT Activity test (source)
- Metasploit reverse shell injection in SQL Server experimental (source)
- Microsoft Defender critical security components disabled (command) experimental (source)
- Microsoft Defender default action changed to allow any threat (command) experimental (source)
- Microsoft Defender security components disabled (command) experimental (source)
- Microsoft Defender service deactivation attempt (command) experimental (source)
- Mint Sandstorm - AsperaFaspex Suspicious Process Execution test (source)
- Mint Sandstorm - Log4J Wstomcat Process Execution test (source)
- Mint Sandstorm - ManageEngine Suspicious Process Execution test (source)
- MMC Spawning Windows Shell test (source)
- MMC20 Lateral Movement test (source)
- MSDT Execution Via Answer File test (source)
- MSExchange Transport Agent Installation test (source)
- Mshtml.DLL RunHTMLApplication Suspicious Usage test (source)
- MsiExec Web Install test (source)
- Msxsl.EXE Execution test (source)
- Mustang Panda Dropper test (source)
- Netsh helper DLL abuse (process) experimental (source)
- Network Reconnaissance Activity test (source)
- Network share discovery and/or connection via commandline (source)
- Network share manipulation via commandline (source)
- New ActiveScriptEventConsumer Created Via Wmic.EXE test (source)
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test (source)
- New Kernel Driver Via SC.EXE test (source)
- New Process Created Via Taskmgr.EXE test (source)
- New Service Creation Using PowerShell test (source)
- New Service Creation Using Sc.EXE test (source)
- Node Process Executions test (source)
- Non-privileged Usage of Reg or Powershell test (source)
- Notepad Password Files Discovery experimental (source)
- NotPetya Ransomware Activity test (source)
- NtdllPipe Like Activity Execution test (source)
- NTFS symbolic link configuration change experimental (source)
- NTFS symbolic link creation experimental (source)
- Number of oustanding SMB requests increased experimental (source)
- Obfuscated IP Download Activity test (source)
- Obfuscated IP Via CLI test (source)
- Obfuscated payload transfered via service name - Tchopper (command) experimental (source)
- Obfuscated PowerShell OneLiner Execution test (source)
- OilRig APT Activity test (source)
- OneNote.EXE Execution of Malicious Embedded Scripts test (source)
- OpenEDR Spawning Command Shell experimental (source)
- OpenSSH server firewall configuration on Windows (command) experimental (source)
- OpenWith.exe Executes Specified Binary test (source)
- Operation Wocao Activity test (source)
- Outlook EnableUnsafeClientMailRules Setting Enabled test (source)
- PaperCut MF/NG Exploitation Related Indicators test (source)
- PaperCut MF/NG Potential Exploitation test (source)
- Password policy discovery via commandline (source)
- Peach Sandstorm APT Process Activity Indicators test (source)
- Persistence Via Sticky Key Backdoor test (source)
- Persistence Via TypedPaths - CommandLine test (source)
- Phishing Pattern ISO in Archive test (source)
- Pikabot Fake DLL Extension Execution Via Rundll32.EXE test (source)
- Ping Hex IP test (source)
- Pingback Backdoor Activity test (source)
- Port Forwarding Activity Via SSH.EXE test (source)
- Possible Privilege Escalation via Weak Service Permissions test (source)
- Potential ACTINIUM Persistence Activity test (source)
- Potential Amazon SSM Agent Hijacking test (source)
- Potential AMSI Bypass Using NULL Bits test (source)
- Potential AMSI Bypass Via .NET Reflection test (source)
- Potential Application Whitelisting Bypass via Dnx.EXE test (source)
- Potential APT FIN7 Exploitation Activity test (source)
- Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity test (source)
- Potential APT Mustang Panda Activity Against Australian Gov test (source)
- Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 test (source)
- Potential APT10 Cloud Hopper Activity test (source)
- Potential Arbitrary Code Execution Via Node.EXE test (source)
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt test (source)
- Potential Baby Shark Malware Activity test (source)
- Potential BlackByte Ransomware Activity test (source)
- Potential COM Objects Download Cradles Usage - Process Creation test (source)
- Potential Command Line Path Traversal Evasion Attempt test (source)
- Potential Commandline Obfuscation Using Escape Characters test (source)
- Potential CommandLine Obfuscation Using Unicode Characters test (source)
- Potential Compromised 3CXDesktopApp Update Activity test (source)
- Potential Conti Ransomware Activity test (source)
- Potential Conti Ransomware Database Dumping Activity Via SQLCmd test (source)
- Potential Credential Dumping Attempt Using New NetworkProvider - CLI test (source)
- Potential Credential Dumping Via LSASS Process Clone test (source)
- Potential Crypto Mining Activity stable (source)
- Potential CVE-2021-26857 Exploitation Attempt stable (source)
- Potential CVE-2021-40444 Exploitation Attempt test (source)
- Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon test (source)
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution test (source)
- Potential CVE-2023-21554 QueueJumper Exploitation test (source)
- Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI test (source)
- Potential Data Exfiltration Activity Via CommandLine Tools test (source)
- Potential Data Stealing Via Chromium Headless Debugging test (source)
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 test (source)
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 test (source)
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 test (source)
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 test (source)
- Potential Defense Evasion Via Right-to-Left Override test (source)
- Potential Devil Bait Malware Reconnaissance test (source)
- Potential Discovery Activity Via Dnscmd.EXE test (source)
- Potential DLL File Download Via PowerShell Invoke-WebRequest test (source)
- Potential Dosfuscation Activity test (source)
- Potential Download/Upload Activity Using Type Command test (source)
- Potential Dridex Activity stable (source)
- Potential Dropper Script Execution Via WScript/CScript/MSHTA test (source)
- Potential Dtrack RAT Activity stable (source)
- Potential Emotet Activity stable (source)
- Potential EmpireMonkey Activity test (source)
- Potential Execution of Sysinternals Tools test (source)
- Potential Exploitation Attempt From Office Application test (source)
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental (source)
- Potential Exploitation of GoAnywhere MFT Vulnerability experimental (source)
- Potential Fake Instance Of Hxtsr.EXE Executed test (source)
- Potential File Download Via MS-AppInstaller Protocol Handler test (source)
- Potential Goofy Guineapig Backdoor Activity test (source)
- Potential Goofy Guineapig GoolgeUpdate Process Anomaly test (source)
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI test (source)
- Potential Homoglyph Attack Using Lookalike Characters test (source)
- Potential KamiKakaBot Activity - Lure Document Execution test (source)
- Potential KamiKakaBot Activity - Shutdown Schedule Task Creation test (source)
- Potential Ke3chang/TidePool Malware Activity test (source)
- Potential Lateral Movement via Windows Remote Shell experimental (source)
- Potential LethalHTA Technique Execution test (source)
- Potential LSASS Process Dump Via Procdump stable (source)
- Potential Maze Ransomware Activity test (source)
- Potential Meterpreter/CobaltStrike Activity test (source)
- Potential Mftrace.EXE Abuse test (source)
- Potential Mpclient.DLL Sideloading Via Defender Binaries test (source)
- Potential MSTSC Shadowing Activity test (source)
- Potential MuddyWater APT Activity test (source)
- Potential Network Sniffing Activity Using Network Tools test (source)
- Potential Notepad++ CVE-2025-49144 Exploitation experimental (source)
- Potential Persistence Attempt Via Existing Service Tampering test (source)
- Potential Persistence Attempt Via Run Keys Using Reg.EXE test (source)
- Potential Persistence Via Logon Scripts - CommandLine test (source)
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE test (source)
- Potential PlugX Activity test (source)
- Potential PowerShell Console History Access Attempt via History File experimental (source)
- Potential PowerShell Downgrade Attack test (source)
- Potential PowerShell Execution Policy Tampering - ProcCreation test (source)
- Potential PowerShell Obfuscation Via WCHAR/CHAR test (source)
- Potential Privilege Escalation To LOCAL SYSTEM test (source)
- Potential Privilege Escalation via Service Permissions Weakness test (source)
- Potential Process Execution Proxy Via CL_Invocation.ps1 test (source)
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution test (source)
- Potential Provlaunch.EXE Binary Proxy Execution Abuse test (source)
- Potential Proxy Execution Via Explorer.EXE From Shell Process test (source)
- Potential PsExec Remote Execution test (source)
- Potential Qakbot Rundll32 Execution test (source)
- Potential QBot Activity stable (source)
- Potential Raspberry Robin Dot Ending File test (source)
- Potential RDP Tunneling Via Plink test (source)
- Potential RDP Tunneling Via SSH test (source)
- Potential Regsvr32 Commandline Flag Anomaly test (source)
- Potential Remote Desktop Tunneling test (source)
- Potential Renamed Rundll32 Execution test (source)
- Potential Russian APT Credential Theft Activity stable (source)
- Potential Ryuk Ransomware Activity stable (source)
- Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 test (source)
- Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators experimental (source)
- Potential SMB Relay Attack Tool Execution test (source)
- Potential SNAKE Malware Installation Binary Indicator test (source)
- Potential SNAKE Malware Installation CLI Arguments Indicator test (source)
- Potential SNAKE Malware Persistence Service Execution test (source)
- Potential Snatch Ransomware Activity stable (source)
- Potential Suspicious Browser Launch From Document Reader Process test (source)
- Potential Suspicious Child Process Of 3CXDesktopApp test (source)
- Potential Suspicious Execution From GUID Like Folder Names test (source)
- Potential Suspicious Windows Feature Enabled - ProcCreation test (source)
- Potential SysInternals ProcDump Evasion test (source)
- Potential SystemNightmare Exploitation Attempt test (source)
- Potential Tampering With Security Products Via WMIC test (source)
- Potential UAC Bypass Via Sdclt.EXE test (source)
- Potential WinAPI Calls Via CommandLine test (source)
- Potentially Suspicious ASP.NET Compilation Via AspNetCompiler test (source)
- Potentially Suspicious Cabinet File Expansion test (source)
- Potentially Suspicious Call To Win32_NTEventlogFile Class test (source)
- Potentially Suspicious Child Process Of ClickOnce Application test (source)
- Potentially Suspicious Child Process Of DiskShadow.EXE test (source)
- Potentially Suspicious Child Process Of Regsvr32 test (source)
- Potentially Suspicious Child Process Of VsCode test (source)
- Potentially Suspicious Command Targeting Teams Sensitive Files test (source)
- Potentially Suspicious Event Viewer Child Process test (source)
- Potentially Suspicious Execution From Parent Process In Public Folder test (source)
- Potentially Suspicious Execution Of PDQDeployRunner test (source)
- Potentially Suspicious GoogleUpdate Child Process test (source)
- Potentially Suspicious JWT Token Search Via CLI test (source)
- Potentially Suspicious Powershell Script Execution From Temp Folder test (source)
- Potentially Suspicious Usage Of Qemu test (source)
- Potentially Suspicious WebDAV LNK Execution test (source)
- Potentially Suspicious Windows App Activity test (source)
- PowerShell Base64 Encoded FromBase64String Cmdlet test (source)
- PowerShell Base64 Encoded IEX Cmdlet test (source)
- Powershell Base64 Encoded MpPreference Cmdlet test (source)
- PowerShell Base64 Encoded Reflective Assembly Load test (source)
- Powershell Defender Disable Scan Feature test (source)
- Powershell Defender Exclusion test (source)
- PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction' experimental (source)
- PowerShell Download and Execution Cradles test (source)
- PowerShell Get-Clipboard Cmdlet Via CLI test (source)
- PowerShell Get-Process LSASS test (source)
- Powershell Inline Execution From A File test (source)
- PowerShell SAM Copy test (source)
- PowerShell Script Run in AppData test (source)
- Powershell Token Obfuscation - Process Creation test (source)
- PrintBrm ZIP Creation of Extraction test (source)
- Privilege escalation via runas (command) experimental (source)
- Privilege escalation via RunasCS experimental (source)
- Procdump Execution test (source)
- Process Creation Using Sysnative Folder test (source)
- Process Execution From A Potentially Suspicious Folder test (source)
- Process Execution From WebDAV Share experimental (source)
- Process Launched Without Image Name test (source)
- Process Proxy Execution Via Squirrel.EXE test (source)
- Ps.exe Renamed SysInternals Tool test (source)
- PsExec Service Child Process Execution as LOCAL SYSTEM test (source)
- PsExec/PAExec Escalation to LOCAL SYSTEM test (source)
- PUA - AdFind Suspicious Execution test (source)
- PUA - Adidnsdump Execution test (source)
- PUA - AdvancedRun Suspicious Execution test (source)
- PUA - Chisel Tunneling Tool Execution test (source)
- PUA - CleanWipe Execution test (source)
- PUA - DIT Snapshot Viewer test (source)
- PUA - Netcat Suspicious Execution test (source)
- PUA - Ngrok Execution test (source)
- PUA - NirCmd Execution As LOCAL SYSTEM test (source)
- PUA - Restic Backup Tool Execution experimental (source)
- PUA - RunXCmd Execution test (source)
- PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE test (source)
- PUA - TruffleHog Execution experimental (source)
- Pubprn.vbs Proxy Execution test (source)
- Python Function Execution Security Warning Disabled In Excel test (source)
- Python Spawning Pretty TTY on Windows test (source)
- Qakbot Regsvr32 Calc Pattern test (source)
- Qakbot Rundll32 Exports Execution test (source)
- Qakbot Rundll32 Fake DLL Extension Execution test (source)
- Query Usage To Exfil Data test (source)
- QuickAssist Execution experimental (source)
- Raccine Uninstall test (source)
- Rar Usage with Password and Compression Level test (source)
- Raspberry Robin Subsequent Execution of Commands test (source)
- RDP session hijack via TSCON abuse command experimental (source)
- RDP shadow session started (command) experimental (source)
- RDP tunneling configuration enabled for port forwarding experimental (source)
- Recon Command Output Piped To Findstr.EXE test (source)
- Regedit as Trusted Installer test (source)
- REGISTER_APP.VBS Proxy Execution test (source)
- Registry Modification Attempt Via VBScript experimental (source)
- Remote Access Tool - Ammy Admin Agent Execution test (source)
- Remote Access Tool - AnyDesk Piped Password Via CLI test (source)
- Remote Access Tool - AnyDesk Silent Installation test (source)
- Remote Access Tool - MeshAgent Command Execution via MeshCentral test (source)
- Remote Access Tool - Potential MeshAgent Execution - Windows experimental (source)
- Remote Access Tool - ScreenConnect Installation Execution test (source)
- Remote Access Tool - ScreenConnect Remote Command Execution - Hunting test (source)
- Remote Access Tool - ScreenConnect Server Web Shell Execution test (source)
- Remote Access Tool - Simple Help Execution test (source)
- Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server experimental (source)
- Remote Access Tool - Team Viewer Session Started On Windows Host test (source)
- Remote File Download Via Desktopimgdownldr Utility test (source)
- Remote PowerShell Session Host Process (WinRM) test (source)
- Remote XSL Execution Via Msxsl.EXE test (source)
- RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses test (source)
- Replace.exe Usage test (source)
- RestrictedAdminMode Registry Value Tampering - ProcCreation test (source)
- REvil Kaseya Incident Malware Patterns test (source)
- Root Certificate Installed From Susp Locations test (source)
- Rorschach Ransomware Execution Activity test (source)
- Run PowerShell Script from ADS test (source)
- Run PowerShell Script from Redirected Input Stream test (source)
- Rundll32 Execution Without CommandLine Parameters test (source)
- Rundll32 Execution Without Parameters test (source)
- Scheduled persistent task with SYSTEM privileges creation experimental (source)
- Scheduled Task Creation From Potential Suspicious Parent Location test (source)
- Scheduled Task Creation Via Schtasks.EXE test (source)
- Scheduled task creation with command line experimental (source)
- Scheduled Task Creation with Curl and PowerShell Execution Combo experimental (source)
- Scheduled task enumerated experimental (source)
- Schtasks Creation Or Modification With SYSTEM Privileges test (source)
- Screen Capture Activity Via Psr.EXE test (source)
- Script Event Consumer Spawning Process test (source)
- Script Interpreter Spawning Credential Scanner - Windows experimental (source)
- Scripting/CommandLine Process Spawned Regsvr32 test (source)
- Sdclt Child Processes test (source)
- Sdiagnhost Calling Suspicious Child Process test (source)
- SearchIndexer suspicious process activity experimental (source)
- Security package (SSP) added (Reg via command) experimental (source)
- Security Service Disabled Via Reg.EXE test (source)
- Sensitive File Access Via Volume Shadow Copy Backup test (source)
- Serial console process spawning CMD shell (via command) experimental (source)
- Serpent Backdoor Payload Execution Via Scheduled Task test (source)
- Serv-U Exploitation CVE-2021-35211 by DEV-0322 test (source)
- Service abuse with backdoored "command failure" (Reg via command) experimental (source)
- Service abuse with backdoored "command failure" (service) experimental (source)
- Service abuse with malicious ImagePath (Reg via command) experimental (source)
- Service abuse with malicious ImagePath (service) experimental (source)
- Service creation (command) experimental (source)
- Service deactivation (command) experimental (source)
- Service permissions hijacked for privileges abuse (reg via command) experimental (source)
- Service permissions hijacked for privileges abuse (service) experimental (source)
- Shai-Hulud 2.0 Malicious NPM Package Installation experimental (source)
- Shai-Hulud Malicious Bun Execution experimental (source)
- Shai-Hulud Malware Indicators - Windows experimental (source)
- Shell Process Spawned by Java.EXE test (source)
- ShimCache Flush stable (source)
- Small Sieve Malware CommandLine Indicator test (source)
- Sofacy Trojan Loader Activity test (source)
- SOURGUM Actor Behaviours test (source)
- SPN added to an account by command line experimental (source)
- Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958) experimental (source)
- SQL Server database's table enumeration experimental (source)
- SQL server sqlcmd utility abuse for privilege escalation experimental (source)
- SQL Server started in single mode (command) experimental (source)
- Start of NT Virtual DOS Machine test (source)
- Stickey key called CMD via command execution experimental (source)
- Stickey key IFEO (Reg via command) experimental (source)
- Sticky Key Like Backdoor Execution test (source)
- Sticky key sethc command for replacement by CMD experimental (source)
- Suspect Svchost Activity test (source)
- Suspicious ArcSOC.exe Child Process experimental (source)
- Suspicious Binary In User Directory Spawned From Office Application test (source)
- Suspicious BitLocker Access Agent Update Utility Execution experimental (source)
- Suspicious Calculator Usage test (source)
- Suspicious Child Process of AspNetCompiler test (source)
- Suspicious Child Process Of BgInfo.EXE test (source)
- Suspicious Child Process Of Manage Engine ServiceDesk test (source)
- Suspicious Child Process of Notepad++ Updater - GUP.Exe experimental (source)
- Suspicious Child Process Of SQL Server test (source)
- Suspicious Child Process Of Wermgr.EXE test (source)
- Suspicious Chromium Browser Instance Executed With Custom Extension test (source)
- Suspicious ClickFix/FileFix Execution Pattern experimental (source)
- Suspicious CodePage Switch Via CHCP test (source)
- Suspicious Command Patterns In Scheduled Task Creation test (source)
- Suspicious CrushFTP Child Process experimental (source)
- Suspicious CustomShellHost Execution test (source)
- Suspicious Debugger Registration Cmdline test (source)
- Suspicious Desktopimgdownldr Command test (source)
- Suspicious Diantz Alternate Data Stream Execution test (source)
- Suspicious Diantz Download and Compress Into a CAB File test (source)
- Suspicious Double Extension File Execution stable (source)
- Suspicious Download from Office Domain test (source)
- Suspicious Driver Install by pnputil.exe test (source)
- Suspicious Electron Application Child Processes test (source)
- Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call test (source)
- Suspicious Execution From Outlook Temporary Folder test (source)
- Suspicious Execution Location Of Wermgr.EXE test (source)
- Suspicious Execution of Hostname test (source)
- Suspicious Execution of InstallUtil Without Log test (source)
- Suspicious Execution of Powershell with Base64 test (source)
- Suspicious Execution of Shutdown test (source)
- Suspicious Execution of Shutdown to Log Out test (source)
- Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix experimental (source)
- Suspicious Extrac32 Alternate Data Stream Execution test (source)
- Suspicious FileFix Execution Pattern experimental (source)
- Suspicious FromBase64String Usage On Gzip Archive - Process Creation test (source)
- Suspicious GrpConv Execution test (source)
- Suspicious GUP Usage test (source)
- Suspicious High IntegrityLevel Conhost Legacy Option test (source)
- Suspicious HWP Sub Processes test (source)
- Suspicious IIS Module Registration test (source)
- Suspicious Kernel Dump Using Dtrace test (source)
- Suspicious Modification Of Scheduled Tasks test (source)
- Suspicious Msiexec Execute Arbitrary DLL test (source)
- Suspicious Network Command test (source)
- Suspicious New Instance Of An Office COM Object test (source)
- Suspicious New Service Creation test (source)
- Suspicious Obfuscated PowerShell Code test (source)
- Suspicious Outlook Child Process test (source)
- Suspicious Ping/Del Command Combination test (source)
- Suspicious PowerShell Download and Execute Pattern test (source)
- Suspicious PowerShell IEX Execution Patterns test (source)
- Suspicious PowerShell Invocations - Specific - ProcessCreation test (source)
- Suspicious PowerShell Mailbox Export to Share test (source)
- Suspicious PowerShell Parameter Substring test (source)
- Suspicious PrinterPorts Creation (CVE-2020-1048) test (source)
- Suspicious Process Created Via Wmic.EXE test (source)
- Suspicious Process Execution From Fake Recycle.Bin Folder test (source)
- Suspicious Process Parents test (source)
- Suspicious Process Patterns NTDS.DIT Exfil test (source)
- Suspicious Process Start Locations test (source)
- Suspicious Processes Spawned by Java.EXE test (source)
- Suspicious Processes Spawned by WinRM test (source)
- Suspicious Program Names test (source)
- Suspicious Provlaunch.EXE Child Process test (source)
- Suspicious Query of MachineGUID test (source)
- Suspicious RASdial Activity test (source)
- Suspicious RazerInstaller Explorer Subprocess test (source)
- Suspicious RDP Redirect Using TSCON test (source)
- Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet test (source)
- Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS test (source)
- Suspicious Recursive Takeown test (source)
- Suspicious Redirection to Local Admin Share test (source)
- Suspicious Reg Add BitLocker test (source)
- Suspicious Remote Child Process From Outlook test (source)
- Suspicious RunAs-Like Flag Combination test (source)
- Suspicious Rundll32 Activity Invoking Sys File test (source)
- Suspicious Rundll32 Invoking Inline VBScript test (source)
- Suspicious Runscripthelper.exe test (source)
- Suspicious Scan Loop Network test (source)
- Suspicious Scheduled Task Creation Involving Temp Folder test (source)
- Suspicious Scheduled Task Name As GUID test (source)
- Suspicious Schtasks Execution AppData Folder test (source)
- Suspicious ScreenSave Change by Reg.exe test (source)
- Suspicious Serv-U Process Pattern test (source)
- Suspicious Service Binary Directory test (source)
- Suspicious Service Path Modification test (source)
- Suspicious Shells Spawn by Java Utility Keytool test (source)
- Suspicious Speech Runtime Binary Child Process experimental (source)
- Suspicious Splwow64 Without Params test (source)
- Suspicious SPN enumeration previous to Kerberoasting attack (native commands) experimental (source)
- Suspicious Sysmon as Execution Parent test (source)
- Suspicious SYSVOL Domain Group Policy Access test (source)
- Suspicious TSCON Start as SYSTEM test (source)
- Suspicious UltraVNC Execution test (source)
- Suspicious Usage Of ShellExec_RunDLL test (source)
- Suspicious VBoxDrvInst.exe Parameters test (source)
- Suspicious VBScript UN2452 Pattern test (source)
- Suspicious Velociraptor Child Process experimental (source)
- Suspicious Vsls-Agent Command With AgentExtensionPath Load test (source)
- Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE test (source)
- Suspicious WindowsTerminal Child Processes test (source)
- Suspicious WmiPrvSE Child Process test (source)
- Suspicious X509Enrollment - Process Creation test (source)
- Suspicious ZipExec Execution test (source)
- SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code test (source)
- Sysprep on AppData Folder test (source)
- System File Execution Location Anomaly test (source)
- System Information Discovery via Registry Queries experimental (source)
- SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental (source)
- TAIDOOR RAT DLL Load test (source)
- Tamper Windows Defender Remove-MpPreference test (source)
- Tap Installer Execution test (source)
- Task Manager access indicator for potential LSASS dump experimental (source)
- Taskkill Symantec Endpoint Protection test (source)
- Taskmgr as LOCAL_SYSTEM test (source)
- Tasks Folder Evasion test (source)
- Time Travel Debugging Utility Usage test (source)
- TropicTrooper Campaign November 2018 stable (source)
- TrustedPath UAC Bypass Pattern test (source)
- Tunneling Tool Execution test (source)
- Turla Group Commands May 2020 test (source)
- Turla Group Lateral Movement test (source)
- UAC Bypass Tools Using ComputerDefaults test (source)
- UAC Bypass Using ChangePK and SLUI test (source)
- UAC Bypass Using Consent and Comctl32 - Process test (source)
- UAC Bypass Using DismHost test (source)
- UAC Bypass Using Event Viewer RecentViews test (source)
- UAC Bypass Using IEInstal - Process test (source)
- UAC Bypass Using MSConfig Token Modification - Process test (source)
- UAC Bypass Using PkgMgr and DISM test (source)
- UAC Bypass WSReset test (source)
- UEFI Persistence Via Wpbbin - ProcessCreation test (source)
- UNC2452 PowerShell Pattern test (source)
- Uncommon Child Process Of AddinUtil.EXE test (source)
- Uncommon Child Process Of Appvlp.EXE test (source)
- Uncommon Child Process Of BgInfo.EXE test (source)
- Uncommon Child Process Of Conhost.EXE test (source)
- Uncommon Child Process Of Defaultpack.EXE test (source)
- Uncommon Child Process Of Setres.EXE test (source)
- Uncommon Child Process Spawned By Odbcconf.EXE test (source)
- Uncommon Child Processes Of SndVol.exe test (source)
- Uncommon FileSystem Load Attempt By Format.com test (source)
- Uncommon Link.EXE Parent Process test (source)
- Uncommon Sigverif.EXE Child Process test (source)
- Uncommon Svchost Command Line Parameter experimental (source)
- Uncommon Svchost Parent Process test (source)
- Uncommon Userinit Child Process test (source)
- Uninstall Crowdstrike Falcon Sensor test (source)
- Unusual Child Process of dns.exe test (source)
- Unusual Parent Process For Cmd.EXE test (source)
- Ursnif Redirection Of Discovery Commands test (source)
- Usage Of Web Request Commands And Cmdlets test (source)
- Use NTFS Short Name in Command Line test (source)
- Use NTFS Short Name in Image test (source)
- Use of Pcalua For Execution test (source)
- Use Of The SFTP.EXE Binary As A LOLBIN test (source)
- Use Short Name Path in Command Line test (source)
- User added to a group via commandline (source)
- User Added To Highly Privileged Group test (source)
- User Added to Local Administrators Group test (source)
- User Added to Remote Desktop Users Group test (source)
- User creation via commandline (source)
- User enumeration and creation related to Manic Menagerie 2.0 (via cmdline) (source)
- User properties enumeration via commandline (source)
- UtilityFunctions.ps1 Proxy Dll test (source)
- Veeam Backup Database Suspicious Query test (source)
- VeeamBackup Database Credentials Dump Via Sqlcmd.EXE test (source)
- Virtualbox Driver Installation or Starting of VMs test (source)
- Visual Basic Command Line Compiler Usage test (source)
- Visual Studio Code Tunnel Service Installation test (source)
- Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution test (source)
- VolumeShadowCopy Symlink Creation Via Mklink stable (source)
- VSS backup deletion (WMI) experimental (source)
- VSS backup deletion or resize experimental (source)
- Wab Execution From Non Default Location test (source)
- Wab/Wabmig Unusual Parent Or Child Processes test (source)
- WannaCry Ransomware Activity test (source)
- Wdigest authentication enabled (Reg via command) experimental (source)
- Weak or Abused Passwords In CLI test (source)
- Webserver IIS module installed (command) experimental (source)
- Webserver IIS module installed (command) experimental (source)
- Webshell Hacking Activity Patterns test (source)
- Webshell Tool Reconnaissance Activity test (source)
- WhoAmI as Parameter test (source)
- Windows native backup deletion experimental (source)
- Windows native backup size re-configuration experimental (source)
- Windows native Pktmon sniffer abuse experimental (source)
- Windows Processes Suspicious Parent Directory test (source)
- Windows Subsystem for Linux (WSL) installation (command) experimental (source)
- Windows traffic capture abuse experimental (source)
- Winnti Malware HK University Campaign test (source)
- Winnti Pipemon Characteristics stable (source)
- WinRM listening service reconnaissance (process) experimental (source)
- WinRS usage for remote execution (source)
- WMI Backdoor Exchange Transport Agent test (source)
- WMI Persistence - Script Event Consumer test (source)
- WMI spwaning PowerShell process - WMImplant experimental (source)
- WmiPrvSE Spawned A Process stable (source)
- Write Protect For Storage Disabled test (source)
- Writing Of Malicious Files To The Fonts Folder test (source)
- Wscript Shell Run In CommandLine test (source)
- WSL Child Process Anomaly test (source)
- WSL Kali-Linux Usage experimental (source)
- Wusa.EXE Executed By Parent Process Located In Suspicious Location test (source)
- ZxShell Malware test (source)
Event ID 4697 A service was installed in the system. 27 rules
- CobaltStrike Service Installations - Security test (source)
- CosmicDuke Service Installation test (source)
- Credential Dumping Tools Service Execution - Security test (source)
- Encoded PowerShell payload deployed via service experimental (source)
- HybridConnectionManager Service Installation test (source)
- Impacket SMBexec service registration (native) experimental (source)
- Invoke-Obfuscation CLIP+ Launcher - Security test (source)
- Invoke-Obfuscation COMPRESS OBFUSCATION - Security test (source)
- Invoke-Obfuscation Obfuscated IEX Invocation - Security test (source)
- Invoke-Obfuscation RUNDLL LAUNCHER - Security test (source)
- Invoke-Obfuscation STDIN+ Launcher - Security test (source)
- Invoke-Obfuscation VAR+ Launcher - Security test (source)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security test (source)
- Invoke-Obfuscation Via Stdin - Security test (source)
- Invoke-Obfuscation Via Use Clip - Security test (source)
- Invoke-Obfuscation Via Use MSHTA - Security test (source)
- Invoke-Obfuscation Via Use Rundll32 - Security test (source)
- Metasploit Or Impacket Service Installation Via SMB PsExec test (source)
- Meterpreter or Cobalt Strike Getsystem Service Installation - Security test (source)
- Mimikatz driver deployed via service experimental (source)
- PowerShell Scripts Installed as Services - Security test (source)
- PSexec service installation experimental (source)
- RDP session hijack via service creation abuse experimental (source)
- Remote Access Tool Services Have Been Installed - Security test (source)
- Service Installed By Unusual Client - Security test (source)
- Tap Driver Installation - Security test (source)
- Windows Pcap Drivers test (source)
Event ID 4698 A scheduled task was created. 7 rules
- Diamond Sleet APT Scheduled Task Creation test (source)
- Fortinet APT group abuse on Windows (task) experimental (source)
- Kapeka Backdoor Scheduled Task Creation test (source)
- OilRig APT Schedule Task Persistence - Security test (source)
- Scheduled task created and deleted fastly (ATexec.py) experimental (source)
- Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor test (source)
- Suspicious Scheduled Task Creation test (source)
Event ID 4720 A user account was created. 8 rules
- Fortinet APT group abuse on Windows (user) experimental (source)
- Hidden account creation (with fast deletion) experimental (source)
- Hidden Local User Creation test (source)
- Local User Creation test (source)
- New or Renamed User Account with '$' Character test (source)
- Suspicious Windows ANONYMOUS LOGON Local Account Created test (source)
- User account created by a computer account experimental (source)
- User account creation disguised in a computer account experimental (source)
Event ID 4722 A user account was enabled. 1 rule
- Disabled guest or builtin account activated experimental (source)
Event ID 4724 An attempt was made to reset an account's password. 4 rules
- Bruteforce via password reset experimental (source)
- Remote domain controller password reset (Zerologon) experimental (source)
- Suspicious Kerberos password account reset to issue potential Golden ticket experimental (source)
- User password change without previous password known - SetNTLM (Mimikatz) experimental (source)
Event ID 4726 A user account was deleted. 1 rule
- Hidden account creation (with fast deletion) experimental (source)
Event ID 4728 A member was added to a security-enabled global group. 12 rules
- A Member Was Added to a Security-Enabled Global Group stable (source)
- Exchange group membership change to perform DCsync attack experimental (source)
- High risk Active Directory group membership change experimental (source)
- Massive group membership changes detected experimental (source)
- Medium risk Active Directory group membership change experimental (source)
- Member added to DNSadmin group experimental (source)
- New member added to a "OCS/Lync/Skype for Business" administration group (low risk) experimental (source)
- New member added to a "OCS/Lync/Skype for Business" administration group (medium risk) experimental (source)
- New member added to an "OCS/Lync/Skype for Business" administration group (high risk) experimental (source)
- New member added to an Exchange administration group (high risk) experimental (source)
- New member added to an Exchange administration group (medium risk) experimental (source)
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity test (source)
Event ID 4732 A member was added to a security-enabled local group. 11 rules
- Exchange group membership change to perform DCsync attack experimental (source)
- High risk local/domain local group membership change experimental (source)
- Massive group membership changes detected experimental (source)
- Medium risk local/domain local group membership change experimental (source)
- Member added to DNSadmin group experimental (source)
- New member added to a "OCS/Lync/Skype for Business" administration group (low risk) experimental (source)
- New member added to a "OCS/Lync/Skype for Business" administration group (medium risk) experimental (source)
- New member added to an "OCS/Lync/Skype for Business" administration group (high risk) experimental (source)
- New member added to an Exchange administration group (high risk) experimental (source)
- New member added to an Exchange administration group (medium risk) experimental (source)
- User Added to Local Administrator Group stable (source)
Event ID 4738 A user account was changed. 9 rules
- Account marked as sensitive and cannot be delegated had its protection removed (weakness introduction) experimental (source)
- Account password set to never expire. experimental (source)
- Account set with Kerberos DES encryption activated (weakness introduction) experimental (source)
- Account set with Kerberos pre-authentication not required (AS-REP Roasting) experimental (source)
- Account set with password not required (weakness introduction) experimental (source)
- Account set with reversible encryption (weakness introduction) experimental (source)
- Active Directory User Backdoors test (source)
- Addition of SID History to Active Directory Object stable (source)
- Weak Encryption Enabled and Kerberoast test (source)
Event ID 4742 A computer account was changed. 9 rules
- Host constrained delegation settings changed for potential abuse (Rubeus) - Any protocol experimental (source)
- Host constrained delegation settings changed for potential abuse (Rubeus) - Kerberos only experimental (source)
- Host set with constrained delegation experimental (source)
- Host set with unconstrained delegation experimental (source)
- Host unconstrained delegation settings changed for potential abuse (Rubeus) experimental (source)
- Possible DC Shadow Attack test (source)
- Remote domain controller password reset (Zerologon) experimental (source)
- Suspicious modification of a computer account SPN experimental (source)
- Suspicious modification of a fake domain controller SPN (DCshadow) experimental (source)
Event ID 4756 A member was added to a security-enabled universal group. 11 rules
- Exchange group membership change to perform DCsync attack experimental (source)
- High risk Active Directory group membership change experimental (source)
- Massive group membership changes detected experimental (source)
- Medium risk Active Directory group membership change experimental (source)
- Member added to DNSadmin group experimental (source)
- New member added to a "OCS/Lync/Skype for Business" administration group (low risk) experimental (source)
- New member added to a "OCS/Lync/Skype for Business" administration group (medium risk) experimental (source)
- New member added to an "OCS/Lync/Skype for Business" administration group (high risk) experimental (source)
- New member added to an Exchange administration group (high risk) experimental (source)
- New member added to an Exchange administration group (medium risk) experimental (source)
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity test (source)
Event ID 4768 A Kerberos authentication ticket (TGT) was requested. 10 rules
- Active Directory honeypot used for lateral movement experimental (source)
- Brutforce enumeration with unexisting users (Kerberos) experimental (source)
- Kerberos AS-REP Roasting ticket request detected experimental (source)
- Kerberos enumeration with existing/unexisting users (Kerbrute) experimental (source)
- Kerberos Manipulation test (source)
- Kerberos TGS ticket request related to a potential Golden ticket experimental (source)
- Kerberos ticket without a trailing $ (CVE-2021-42278/42287) experimental (source)
- PetitPotam Suspicious Kerberos TGT Request test (source)
- Potential AS-REP Roasting via Kerberos TGT Requests experimental (source)
- Suspicious Kerberos proxiable/S4U2self ticket (CVE-2021-42278/42287) experimental (source)
Event ID 4769 A Kerberos service ticket was requested. 10 rules
- Active Directory honeypot used for lateral movement experimental (source)
- Kerberoast ticket request detected experimental (source)
- Kerberoasting Activity - Initial Query test (source)
- Kerberos key list attack for credential dumping experimental (source)
- Kerberos Manipulation test (source)
- Kerberos ticket without a trailing $ (CVE-2021-42278/42287) experimental (source)
- Rubeus Kerberos constrained delegation abuse (S4U2Proxy) experimental (source)
- Rubeus Kerberos unconstrained delegation abuse experimental (source)
- SharpHound host enumeration over Kerberos experimental (source)
- Suspicious Kerberos RC4 Ticket Encryption test (source)
Event ID 4781 The name of an account was changed. 5 rules
- Account renamed to admin (or likely) account to evade defense experimental (source)
- Computer account renamed without a trailing $ (CVE-2021-42278/42287) experimental (source)
- New or Renamed User Account with '$' Character test (source)
- Suspicious Computer Account Name Change CVE-2021-42287 test (source)
- User account creation disguised in a computer account experimental (source)
Event ID 4794 An attempt was made to set the Directory Services Restore Mode administrator password. 2 rules
Event ID 4950 A Windows Firewall setting has changed. 1 rule
- Firewall deactivation (firewall) experimental (source)
Event ID 5124 A security setting was updated on OCSP Responder Service. 1 rule
- OCSP responder security settings changed experimental (source)
Event ID 5136 A directory service object was modified. 20 rules
- Active Directory User Backdoors test (source)
- AdminSDHolder permissions changed for persistence experimental (source)
- Computer account manipulation for delegation (RBCD) experimental (source)
- Computer account modifying Active Directory permissions experimental (source)
- Computer account modifying Active Directory permissions (PrivExchange) experimental (source)
- Extended rights backdoor obfuscation (via localizationDisplayId attribute) experimental (source)
- Group Policy Abuse for Privilege Addition test (source)
- Permissions changed on a Group Policy (GPO) experimental (source)
- Persistence and Execution at Scale via GPO Scheduled Task test (source)
- Possible DC Shadow Attack test (source)
- Possible Shadow Credentials Added test (source)
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation experimental (source)
- Powerview Add-DomainObjectAcl DCSync AD Extend Right test (source)
- Replication privileges granted to perform DCSync attack experimental (source)
- Startup/Logon Script Added to Group Policy Object test (source)
- Suspicious LDAP-Attributes Used test (source)
- Suspicious modification of a fake domain controller SPN (DCshadow) (Directory Services) experimental (source)
- Suspicious modification of a sensitive Group Policy (GPO) experimental (source)
- Suspicious modification of a user account SPN to enable Kerberoast attack experimental (source)
- Windows Default Domain GPO Modification experimental (source)
Event ID 5145 A network share object was checked to see whether client can be granted desired access. 43 rules
- Active Directory honeypot used for lateral movement experimental (source)
- Azure Active Directory Connect credentials dump via network share experimental (source)
- BlueSky Ransomware Artefacts test (source)
- CrackMaxpExec share permission enumeration experimental (source)
- Credentials (protected by DPAPI) dump via network share experimental (source)
- CVE-2021-1675 Print Spooler Exploitation IPC Access test (source)
- DCERPC SMB Spoolss Named Pipe test (source)
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security test (source)
- Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe experimental (source)
- DNS hosts file accessed via network share experimental (source)
- First Time Seen Remote Named Pipe test (source)
- Impacket PsExec Execution test (source)
- Impacket WMIexec execution via SMB admin share experimental (source)
- LSASS credential dump with LSASSY (admin share) experimental (source)
- Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental (source)
- Massive remote service creation via named pipes (TChopper, CME) experimental (source)
- Massive remote service creation via named pipes - Tchopper experimental (source)
- NetSYnc attack experimental (source)
- Persistence and Execution at Scale via GPO Scheduled Task test (source)
- Possible Impacket SecretDump Remote Activity test (source)
- Possible PetitPotam Coerce Authentication Attempt test (source)
- Protected Storage Service Access test (source)
- PSexec execution over SMB share experimental (source)
- Remote schedule task creation via named pipes (ATexec) experimental (source)
- Remote Service Activity via SVCCTL Named Pipe test (source)
- Remote service creation via named pipes experimental (source)
- Remote shell execution via SMB admin share experimental (source)
- Remote Task Creation via ATSVC Named Pipe test (source)
- Secretdump password dumping via SMB admin share experimental (source)
- Shared folder access with forged Golden ticket stable (source)
- SharpHound enumeration via SMB named pipes experimental (source)
- SMB admin share accessed experimental (source)
- SMB Create Remote File Admin Share test (source)
- Startup/Logon Script Added to Group Policy Object test (source)
- Suspicious Access to Sensitive File Extensions test (source)
- Suspicious PsExec Execution test (source)
- T1047 Wmiprvse Wbemcomn DLL Hijack test (source)
- Transferring Files with Credential Data via Network Shares test (source)
- User application credentials dump via network share (DonPapi, Lazagne) experimental (source)
- User browser credentials dump via network share (DonPapi, Lazagne) experimental (source)
- User files dump via network share (DonPapi, Lazagne) experimental (source)
- User password change without previous password known - SetNTLM (Mimikatz) experimental (source)
- Windows Network Access Suspicious desktop.ini Action test (source)
Event ID 5382 Vault credentials were read. 1 rule
- Vault credentials manager accessed experimental (source)
Microsoft-Windows-Sysmon
Event ID 1 Process creation 1476 rules
- 7Zip Compressing Dump Files test (source)
- AADInternals PowerShell Cmdlets Execution - ProccessCreation test (source)
- Abuse of Service Permissions to Hide Services Via Set-Service test (source)
- Abused Debug Privilege by Arbitrary Parent Processes test (source)
- Abusing Print Executable test (source)
- Active Directory Database Snapshot Via ADExplorer test (source)
- Active Directory Structure Export Via Csvde.EXE test (source)
- Active Directory Structure Export Via Ldifde.EXE test (source)
- Add Insecure Download Source To Winget test (source)
- Add New Download Source To Winget test (source)
- Add Potential Suspicious New Download Source To Winget test (source)
- Add SafeBoot Keys Via Reg Utility test (source)
- Add Windows Capability Via PowerShell Cmdlet test (source)
- AddinUtil.EXE Execution From Uncommon Directory test (source)
- Adwind RAT / JRAT test (source)
- AgentExecutor PowerShell Execution test (source)
- All Backups Deleted Via Wbadmin.EXE test (source)
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE test (source)
- Always Install Elevated MSI Spawned Cmd And Powershell test (source)
- Always Install Elevated Windows Installer test (source)
- Application Removed Via Wmic.EXE test (source)
- Application Terminated Via Wmic.EXE test (source)
- APT27 - Emissary Panda Activity test (source)
- APT29 2018 Phishing Campaign CommandLine Indicators stable (source)
- APT31 Judgement Panda Activity test (source)
- Arbitrary Binary Execution Using GUP Utility test (source)
- Arbitrary Command Execution Using WSL test (source)
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE test (source)
- Arbitrary File Download Via ConfigSecurityPolicy.EXE test (source)
- Arbitrary File Download Via GfxDownloadWrapper.EXE test (source)
- Arbitrary File Download Via IMEWDBLD.EXE test (source)
- Arbitrary File Download Via MSEDGE_PROXY.EXE test (source)
- Arbitrary File Download Via MSOHTMED.EXE test (source)
- Arbitrary File Download Via MSPUB.EXE test (source)
- Arbitrary File Download Via PresentationHost.EXE test (source)
- Arbitrary File Download Via Squirrel.EXE test (source)
- Arbitrary MSI Download Via Devinit.EXE test (source)
- Arbitrary Shell Command Execution Via Settingcontent-Ms test (source)
- AspNetCompiler Execution test (source)
- Assembly Loading Via CL_LoadAssembly.ps1 test (source)
- Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental (source)
- Audio Capture via PowerShell test (source)
- Audio Capture via SoundRecorder test (source)
- Audit policy disabled by command line experimental (source)
- Audit policy enumerated experimental (source)
- Audit Policy Tampering Via Auditpol test (source)
- Audit Policy Tampering Via NT Resource Kit Auditpol test (source)
- Automated Collection Command Prompt test (source)
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl test (source)
- Axios NPM Compromise Indicators - Windows experimental (source)
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments test (source)
- Base64 Encoded PowerShell Command Detected test (source)
- Base64 MZ Header In CommandLine test (source)
- Binary Proxy Execution Via Dotnet-Trace.EXE test (source)
- BitLocker feature configuration (Reg via command) experimental (source)
- BitLockerTogo.EXE Execution test (source)
- BITS payload downloaded via commandline experimental (source)
- Blue Mockingbird test (source)
- Boot Configuration Tampering Via Bcdedit.EXE stable (source)
- Browser Execution In Headless Mode test (source)
- Browser Started with Remote Debugging test (source)
- Bypass UAC via CMSTP test (source)
- Bypass UAC via Fodhelper.exe test (source)
- Bypass UAC via WSReset.exe test (source)
- C# IL Code Compilation Via Ilasm.EXE test (source)
- Cab File Extraction Via Wusa.EXE test (source)
- Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths test (source)
- Capture Credentials with Rpcping.exe test (source)
- Certificate Exported Via Certutil.EXE test (source)
- Certificate Exported Via PowerShell test (source)
- Certutil payload download (command) experimental (source)
- Certutil payload obfuscation (command) experimental (source)
- Certutil root certificate installation experimental (source)
- Change Default File Association To Executable Via Assoc test (source)
- Change Default File Association Via Assoc test (source)
- Change PowerShell Policies to an Insecure Level test (source)
- Changing Existing Service ImagePath Value Via Reg.EXE test (source)
- Chopper Webshell Process Pattern test (source)
- ChromeLoader Malware Execution test (source)
- Chromium Browser Headless Execution To Mockbin Like Site test (source)
- Chromium Browser Instance Executed With Custom Extension test (source)
- ClickOnce Deployment Execution - Dfsvc.EXE Child Process test (source)
- Cloudflared Portable Execution test (source)
- Cloudflared Quick Tunnel Execution test (source)
- Cloudflared Tunnel Connections Cleanup test (source)
- Cloudflared Tunnel Execution test (source)
- Cmd Launched with Hidden Start Flags to Suspicious Targets experimental (source)
- CMD Shell Output Redirect test (source)
- Cmd.EXE Missing Space Characters Execution Anomaly test (source)
- CMSTP Execution Process Creation stable (source)
- CMSTP UAC Bypass via COM Object Access stable (source)
- CobaltStrike Load by Rundll32 test (source)
- Code Execution via Pcwutl.dll test (source)
- CodePage Modification Via MODE.COM test (source)
- CodePage Modification Via MODE.COM To Russian Language test (source)
- COLDSTEEL RAT Anonymous User Process Execution test (source)
- COLDSTEEL RAT Cleanup Command Execution test (source)
- COLDSTEEL RAT Service Persistence Execution test (source)
- COM Object Execution via Xwizard.EXE test (source)
- Command Line Execution with Suspicious URL and AppData Strings test (source)
- Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791) experimental (source)
- Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental (source)
- Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) experimental (source)
- Compress Data and Lock With Password for Exfiltration With 7-ZIP test (source)
- Compress Data and Lock With Password for Exfiltration With WINZIP test (source)
- Compressed File Creation Via Tar.EXE test (source)
- Compressed File Extraction Via Tar.EXE test (source)
- Computer Discovery And Export Via Get-ADComputer Cmdlet test (source)
- Computer Password Change Via Ksetup.EXE test (source)
- Computer System Reconnaissance Via Wmic.EXE test (source)
- Conhost Spawned By Uncommon Parent Process test (source)
- Conhost.exe CommandLine Path Traversal test (source)
- Console CodePage Lookup Via CHCP test (source)
- Conti NTDS Exfiltration Command test (source)
- Conti Volume Shadow Listing test (source)
- Control Panel Items test (source)
- ConvertTo-SecureString Cmdlet Usage Via CommandLine test (source)
- Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE test (source)
- Copy From Or To Admin Share Or Sysvol Folder test (source)
- Copy From VolumeShadowCopy Via Cmd.EXE test (source)
- Copying Sensitive Files with Credential Data test (source)
- CreateDump Process Dump test (source)
- Csc.EXE Execution Form Potentially Suspicious Parent test (source)
- Cscript/Wscript Potentially Suspicious Child Process test (source)
- Cscript/Wscript Uncommon Script Extension Execution test (source)
- Curl Download And Execute Combination test (source)
- Curl Web Request With Potential Custom User-Agent test (source)
- Curl.EXE Execution test (source)
- Curl.EXE Execution With Custom UserAgent test (source)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) test (source)
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process test (source)
- CVE-2024-50623 Exploitation Attempt - Cleo experimental (source)
- DarkGate - Autoit3.EXE Execution Parameters test (source)
- DarkGate - User Created Via Net.EXE test (source)
- DarkSide Ransomware Pattern test (source)
- Data Copied To Clipboard Via Clip.EXE test (source)
- Data Export From MSSQL Table Via BCP.EXE test (source)
- Defrag Deactivation test (source)
- Delete All Scheduled Tasks test (source)
- Delete Important Scheduled Task test (source)
- Deleted Data Overwritten Via Cipher.EXE test (source)
- Deletion of Volume Shadow Copies via WMI with PowerShell test (source)
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE test (source)
- Detected Windows Software Discovery test (source)
- Detection of PowerShell Execution via Sqlps.exe test (source)
- Devcon Execution Disabling VMware VMCI Device experimental (source)
- DeviceCredentialDeployment Execution test (source)
- Devtoolslauncher.exe Executes Specified Binary test (source)
- Diamond Sleet APT Process Activity Indicators test (source)
- Direct Autorun Keys Modification test (source)
- Directory Removal Via Rmdir test (source)
- DirLister Execution test (source)
- Disable Important Scheduled Task test (source)
- Disable Windows Defender AV Security Monitoring test (source)
- Disable Windows IIS HTTP Logging test (source)
- Disabled IE Security Features test (source)
- Disabled Volume Snapshots test (source)
- Disabling Windows Defender WMI Autologger Session via Reg.exe experimental (source)
- Discovery of a System Time test (source)
- Diskshadow Child Process Spawned test (source)
- Diskshadow Script Mode - Execution From Potential Suspicious Location test (source)
- Diskshadow Script Mode - Uncommon Script Extension Execution test (source)
- Diskshadow Script Mode Execution test (source)
- Dism Remove Online Package test (source)
- DLL Call by Ordinal Via Rundll32.EXE stable (source)
- DLL Execution via Rasautou.exe test (source)
- DLL Execution Via Register-cimprovider.exe test (source)
- DLL Loaded via CertOC.EXE test (source)
- DLL ServerLevelPluginDll command installation experimental (source)
- DLL Sideloading by VMware Xfer Utility test (source)
- Dllhost.EXE Execution Anomaly test (source)
- DllUnregisterServer Function Call Via Msiexec.EXE test (source)
- DNS Exfiltration and Tunneling Tools Execution test (source)
- DNS RCE CVE-2020-1350 test (source)
- Domain Trust Discovery Via Dsquery test (source)
- Driver/DLL Installation Via Odbcconf.EXE test (source)
- DriverQuery.EXE Execution test (source)
- Droppers Exploiting CVE-2017-11882 stable (source)
- Dropping Of Password Filter DLL test (source)
- DSInternals Suspicious PowerShell Cmdlets test (source)
- Dumping of Sensitive Hives Via Reg.EXE test (source)
- Dumping Process via Sqldumper.exe test (source)
- DumpMinitool Execution test (source)
- DumpStack.log Defender Evasion test (source)
- Dynamic .NET Compilation Via Csc.EXE test (source)
- Dynamic .NET Compilation Via Csc.EXE - Hunting test (source)
- EAP service activation by Liontail framework for DLL sideloading (via command) stable (source)
- Elevated System Shell Spawned test (source)
- Elevated System Shell Spawned From Uncommon Parent Location test (source)
- Elise Backdoor Activity test (source)
- Email Exifiltration Via Powershell test (source)
- Emotet Loader Execution Via .LNK File test (source)
- Enable LM Hash Storage - ProcCreation test (source)
- Encoded PowerShell payload deployed via process execution experimental (source)
- Enumerate All Information With Whoami.EXE test (source)
- Enumeration for 3rd Party Creds From CLI test (source)
- Enumeration for Credentials in Registry test (source)
- Equation Group DLL_U Export Function Load stable (source)
- Esentutl Gather Credentials test (source)
- Esentutl Steals Browser Information test (source)
- ETW Logging Tamper In .NET Processes Via CommandLine test (source)
- ETW Trace Evasion Activity test (source)
- Event log clear attempt (command) experimental (source)
- Event log clear attempt (wmi) experimental (source)
- Event log deactivation or size reduction (command) experimental (source)
- EventLog Query Requests By Builtin Utilities test (source)
- EvilNum APT Golden Chickens Deployment Via OCX Files test (source)
- Exchange PowerShell Snap-Ins Usage test (source)
- Execute Code with Pester.bat test (source)
- Execute Code with Pester.bat as Parent test (source)
- Execute Files with Msdeploy.exe test (source)
- Execute From Alternate Data Streams test (source)
- Execute Pcwrun.EXE To Leverage Follina test (source)
- Execution From Webserver Root Folder test (source)
- Execution Of Non-Existing File test (source)
- Execution of Powershell Script in Public Folder test (source)
- Execution of Suspicious File Type Extension test (source)
- Execution via stordiag.exe test (source)
- Execution via WorkFolders.exe test (source)
- Exploit for CVE-2015-1641 stable (source)
- Exploit for CVE-2017-0261 test (source)
- Exploit for CVE-2017-8759 test (source)
- Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process experimental (source)
- Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC test (source)
- Exploited CVE-2020-10189 Zoho ManageEngine test (source)
- Exploiting CVE-2019-1388 stable (source)
- Exploiting SetupComplete.cmd CVE-2019-1378 test (source)
- Explorer NOUACCHECK Flag test (source)
- Explorer Process Tree Break test (source)
- Exports Critical Registry Keys To a File test (source)
- Exports Registry Key To a File test (source)
- FakeUpdates/SocGholish Activity test (source)
- File And SubFolder Enumeration Via Dir Command test (source)
- File Decoded From Base64/Hex Via Certutil.EXE test (source)
- File Decryption Using Gpg4win test (source)
- File Deletion Via Del test (source)
- File Download And Execution Via IEExec.EXE test (source)
- File Download From Browser Process Via Inline URL test (source)
- File Download From IP Based URL Via CertOC.EXE test (source)
- File Download From IP URL Via Curl.EXE test (source)
- File Download Using Notepad++ GUP Utility test (source)
- File Download Using ProtocolHandler.exe test (source)
- File Download Via Bitsadmin test (source)
- File Download Via Bitsadmin To A Suspicious Target Folder test (source)
- File Download via CertOC.EXE test (source)
- File Download Via Curl.EXE test (source)
- File Download Via InstallUtil.EXE test (source)
- File Download Via Windows Defender MpCmpRun.EXE test (source)
- File Download with Headless Browser test (source)
- File Encoded To Base64 Via Certutil.EXE test (source)
- File Encryption Using Gpg4win test (source)
- File Encryption/Decryption Via Gpg4win From Suspicious Locations test (source)
- File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell test (source)
- File In Suspicious Location Encoded To Base64 Via Certutil.EXE test (source)
- File or Folder Permissions Modifications test (source)
- File Recovery From Backup Via Wbadmin.EXE test (source)
- File With Suspicious Extension Downloaded Via Bitsadmin test (source)
- Files Added To An Archive Using Rar.EXE test (source)
- Filter Driver Unloaded Via Fltmc.EXE test (source)
- Findstr GPP Passwords test (source)
- Findstr Launching .lnk File test (source)
- Finger.EXE Execution test (source)
- Fireball Archer Install test (source)
- Firewall Configuration Discovery Via Netsh.EXE test (source)
- Firewall Disabled via Netsh.EXE test (source)
- Firewall Rule Deleted Via Netsh.EXE test (source)
- Firewall Rule Update Via Netsh.EXE test (source)
- Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet test (source)
- Forest Blizzard APT - Process Creation Activity experimental (source)
- Forfiles Command Execution test (source)
- Forfiles.EXE Child Process Masquerading test (source)
- Formbook Process Creation test (source)
- Fsutil Drive Enumeration test (source)
- Fsutil Suspicious Invocation stable (source)
- FTP Connection Open Attempt Via Winscp CLI experimental (source)
- GALLIUM IOCs test (source)
- Github Self-Hosted Runner Execution test (source)
- Gpresult Display Group Policy Information test (source)
- Gpscript Execution test (source)
- Greedy File Deletion Using Del test (source)
- Greenbug Espionage Group Indicators test (source)
- Griffon Malware Attack Pattern test (source)
- Grixba Malware Reconnaissance Activity experimental (source)
- Group discovery (command) (source)
- Group Membership Reconnaissance Via Whoami.EXE test (source)
- Gzip Archive Decode Via PowerShell test (source)
- HackTool - ADCSPwn Execution test (source)
- HackTool - Bloodhound/Sharphound Execution test (source)
- HackTool - Certify Execution test (source)
- HackTool - Certipy Execution test (source)
- HackTool - CoercedPotato Execution test (source)
- HackTool - Covenant PowerShell Launcher test (source)
- HackTool - CrackMapExec Execution test (source)
- HackTool - CrackMapExec Execution Patterns stable (source)
- HackTool - CrackMapExec PowerShell Obfuscation test (source)
- HackTool - CrackMapExec Process Patterns test (source)
- HackTool - CreateMiniDump Execution test (source)
- HackTool - Default PowerSploit/Empire Scheduled Task Creation test (source)
- HackTool - DInjector PowerShell Cradle Execution test (source)
- HackTool - Doppelanger LSASS Dumper Execution experimental (source)
- HackTool - Dumpert Process Dumper Execution test (source)
- Hacktool - EDR-Freeze Execution experimental (source)
- HackTool - EDRSilencer Execution test (source)
- HackTool - Empire PowerShell Launch Parameters test (source)
- HackTool - Empire PowerShell UAC Bypass stable (source)
- HackTool - F-Secure C3 Load by Rundll32 test (source)
- HackTool - GMER Rootkit Detector and Remover Execution test (source)
- HackTool - HandleKatz LSASS Dumper Execution test (source)
- HackTool - Hashcat Password Cracker Execution test (source)
- HackTool - HollowReaper Execution experimental (source)
- HackTool - Htran/NATBypass Execution test (source)
- HackTool - Hydra Password Bruteforce Execution test (source)
- HackTool - Impacket Tools Execution test (source)
- HackTool - Impersonate Execution test (source)
- HackTool - Inveigh Execution test (source)
- HackTool - Jlaive In-Memory Assembly Execution test (source)
- HackTool - Koadic Execution test (source)
- HackTool - KrbRelay Execution test (source)
- HackTool - KrbRelayUp Execution test (source)
- HackTool - LaZagne Execution experimental (source)
- HackTool - LocalPotato Execution test (source)
- HackTool - Mimikatz Execution test (source)
- HackTool - NetExec Execution experimental (source)
- HackTool - PCHunter Execution test (source)
- HackTool - Potential Impacket Lateral Movement Activity stable (source)
- HackTool - PowerTool Execution test (source)
- HackTool - PPID Spoofing SelectMyParent Tool Execution test (source)
- HackTool - PurpleSharp Execution test (source)
- HackTool - Pypykatz Credentials Dumping Activity test (source)
- HackTool - Quarks PwDump Execution test (source)
- HackTool - RedMimicry Winnti Playbook Execution test (source)
- HackTool - RemoteKrbRelay Execution test (source)
- HackTool - Rubeus Execution stable (source)
- HackTool - SafetyKatz Execution test (source)
- HackTool - SecurityXploded Execution stable (source)
- HackTool - SharpChisel Execution test (source)
- HackTool - SharpDPAPI Execution test (source)
- HackTool - SharPersist Execution test (source)
- HackTool - SharpEvtMute Execution test (source)
- HackTool - SharpImpersonation Execution test (source)
- HackTool - SharpLDAPmonitor Execution test (source)
- HackTool - SharpLdapWhoami Execution test (source)
- HackTool - SharpMove Tool Execution test (source)
- HackTool - SharpUp PrivEsc Tool Execution test (source)
- HackTool - SharpView Execution test (source)
- HackTool - SharpWSUS/WSUSpendu Execution test (source)
- HackTool - SILENTTRINITY Stager Execution test (source)
- HackTool - Sliver C2 Implant Activity Pattern test (source)
- HackTool - SOAPHound Execution test (source)
- HackTool - Stracciatella Execution test (source)
- HackTool - SysmonEOP Execution test (source)
- HackTool - TruffleSnout Execution test (source)
- HackTool - UACMe Akagi Execution test (source)
- HackTool - Windows Credential Editor (WCE) Execution test (source)
- HackTool - winPEAS Execution test (source)
- HackTool - WinPwn Execution test (source)
- HackTool - WinRM Access Via Evil-WinRM test (source)
- HackTool - Wmiexec Default Powershell Command test (source)
- HackTool - WSASS Execution experimental (source)
- HackTool - XORDump Execution test (source)
- Hacktool Execution - Imphash test (source)
- Hacktool Execution - PE Metadata test (source)
- HAFNIUM Exchange Exploitation Activity test (source)
- Hardware Model Reconnaissance Via Wmic.EXE test (source)
- Harvesting Of Wifi Credentials Via Netsh.EXE test (source)
- Headless Process Launched Via Conhost.EXE test (source)
- Hermetic Wiper TG Process Patterns test (source)
- HH.EXE Execution test (source)
- Hidden Powershell in Link File Pattern test (source)
- Hiding Files with Attrib.exe test (source)
- Hiding User Account Via SpecialAccounts Registry Key - CommandLine test (source)
- HKTL - SharpSuccessor Privilege Escalation Tool Execution experimental (source)
- HTML File Opened From Download Folder experimental (source)
- HTML Help HH.EXE Suspicious Child Process test (source)
- Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine experimental (source)
- IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 test (source)
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI test (source)
- Ie4uinit Lolbin Use From Invalid Path test (source)
- IFM creation detected from commandline (installation from media) experimental (source)
- IIS Application Pool credential dumping experimental (source)
- IIS Native-Code Module Command Line Installation test (source)
- IIS WebServer Log Deletion via CommandLine Utilities experimental (source)
- ImagingDevices Unusual Parent/Child Processes test (source)
- Impacket DCOMexec process abuse via MMC experimental (source)
- Impacket WMIexec process execution experimental (source)
- Import LDAP Data Interchange Format File Via Ldifde.EXE test (source)
- Import New Module Via PowerShell CommandLine test (source)
- Import PowerShell Modules From Suspicious Directories - ProcCreation test (source)
- Imports Registry Key From a File test (source)
- Imports Registry Key From an ADS test (source)
- Indirect Command Execution By Program Compatibility Wizard test (source)
- Indirect Command Execution From Script File Via Bash.EXE test (source)
- Indirect Command Execution via SFTP ProxyCommand experimental (source)
- Indirect Inline Command Execution Via Bash.EXE test (source)
- InfDefaultInstall.exe .inf Execution test (source)
- Injected Browser Process Spawning Rundll32 - GuLoader Activity test (source)
- Insecure Proxy/DOH Transfer Via Curl.EXE test (source)
- Insecure Transfer Via Curl.EXE test (source)
- Insensitive Subfolder Search Via Findstr.EXE test (source)
- Install New Package Via Winget Local Manifest test (source)
- Installation of WSL Kali-Linux experimental (source)
- Interactive AT Job test (source)
- Interesting Service Enumeration Via Sc.EXE test (source)
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) test (source)
- Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace test (source)
- Invoke-Obfuscation CLIP+ Launcher test (source)
- Invoke-Obfuscation COMPRESS OBFUSCATION test (source)
- Invoke-Obfuscation Obfuscated IEX Invocation test (source)
- Invoke-Obfuscation STDIN+ Launcher test (source)
- Invoke-Obfuscation VAR+ Launcher test (source)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION test (source)
- Invoke-Obfuscation Via Stdin test (source)
- Invoke-Obfuscation Via Use Clip test (source)
- Invoke-Obfuscation Via Use MSHTA test (source)
- Java Running with Remote Debugging test (source)
- JScript Compiler Execution test (source)
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental (source)
- Kapeka Backdoor Execution Via RunDLL32.EXE test (source)
- Kapeka Backdoor Persistence Activity test (source)
- Kavremover Dropped Binary LOLBIN Usage test (source)
- Kernel Memory Dump Via LiveKD test (source)
- Lace Tempest Cobalt Strike Download test (source)
- Lace Tempest Malware Loader Execution test (source)
- Launch-VsDevShell.PS1 Proxy Execution test (source)
- Lazarus Group Activity test (source)
- Lazarus System Binary Masquerading test (source)
- Loaded Module Enumeration Via Tasklist.EXE test (source)
- Local Accounts Discovery test (source)
- Local File Read Using Curl.EXE test (source)
- Local Groups Reconnaissance Via Wmic.EXE test (source)
- LockerGoga Ransomware Activity stable (source)
- Logged-On User Password Change Via Ksetup.EXE test (source)
- LOL-Binary Copied From System Directory test (source)
- LOLBAS Data Exfiltration by DataSvcUtil.exe test (source)
- LOLBIN Execution From Abnormal Drive test (source)
- Lolbin Runexehelper Use As Proxy test (source)
- Lolbin Unregmp2.exe Use As Proxy test (source)
- LSA PPL Protection Setting Modification via CommandLine test (source)
- LSASS credential dump with LSASSY (process) experimental (source)
- LSASS Dump Keyword In CommandLine test (source)
- LSASS Process Reconnaissance Via Findstr.EXE test (source)
- Lummac Stealer Activity - Execution Of More.com And Vbc.exe experimental (source)
- Malicious Base64 Encoded PowerShell Keywords in Command Lines test (source)
- Malicious PE Execution by Microsoft Visual Studio Debugger test (source)
- Malicious PowerShell Commandlets - ProcessCreation test (source)
- Malicious Windows Script Components File Execution by TAEF Detection test (source)
- ManageEngine Endpoint Central Dctask64.EXE Potential Abuse test (source)
- Manual Execution of Script Inside of a Compressed File test (source)
- Massive processes termination burst experimental (source)
- Massive services deletion burst experimental (source)
- Massive services termination burst experimental (source)
- Mavinject Inject DLL Into Running Process test (source)
- MERCURY APT Activity test (source)
- Metasploit reverse shell injection in SQL Server experimental (source)
- Microsoft Defender service deactivation attempt (command) experimental (source)
- Microsoft IIS Connection Strings Decryption test (source)
- Microsoft IIS Service Account Password Dumped test (source)
- Microsoft Workflow Compiler Execution test (source)
- Mint Sandstorm - AsperaFaspex Suspicious Process Execution test (source)
- Mint Sandstorm - Log4J Wstomcat Process Execution test (source)
- Mint Sandstorm - ManageEngine Suspicious Process Execution test (source)
- MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental (source)
- MMC Spawning Windows Shell test (source)
- MMC20 Lateral Movement test (source)
- Modify Group Policy Settings test (source)
- Monitoring For Persistence Via BITS test (source)
- MpiExec Lolbin test (source)
- MSDT Execution Via Answer File test (source)
- MSExchange Transport Agent Installation test (source)
- MSHTA Execution with Suspicious File Extensions test (source)
- Mshtml.DLL RunHTMLApplication Suspicious Usage test (source)
- Msiexec Quiet Installation test (source)
- MsiExec Web Install test (source)
- Mstsc.EXE Execution From Uncommon Parent test (source)
- Mstsc.EXE Execution With Local RDP File test (source)
- Msxsl.EXE Execution test (source)
- Mustang Panda Dropper test (source)
- Net WebClient Casing Anomalies test (source)
- Net.EXE Execution test (source)
- Netsh Allow Group Policy on Microsoft Defender Firewall test (source)
- Network Reconnaissance Activity test (source)
- Network share discovery and/or connection via commandline (source)
- New ActiveScriptEventConsumer Created Via Wmic.EXE test (source)
- New Capture Session Launched Via DXCap.EXE test (source)
- New DLL Registered Via Odbcconf.EXE test (source)
- New DMSA Service Account Created in Specific OUs experimental (source)
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test (source)
- New Firewall Rule Added Via Netsh.EXE test (source)
- New Generic Credentials Added Via Cmdkey.EXE test (source)
- New Kernel Driver Via SC.EXE test (source)
- New Network Trace Capture Started Via Netsh.EXE test (source)
- New Port Forwarding Rule Added Via Netsh.EXE test (source)
- New Process Created Via Taskmgr.EXE test (source)
- New Process Created Via Wmic.EXE test (source)
- New Remote Desktop Connection Initiated Via Mstsc.EXE test (source)
- New Root Certificate Installed Via CertMgr.EXE test (source)
- New Root Certificate Installed Via Certutil.EXE test (source)
- New Self Extracting Package Created Via IExpress.EXE test (source)
- New Service Creation Using PowerShell test (source)
- New Service Creation Using Sc.EXE test (source)
- New User Created Via Net.EXE test (source)
- New User Created Via Net.EXE With Never Expire Option test (source)
- New Virtual Smart Card Created Via TpmVscMgr.EXE test (source)
- New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet test (source)
- Nltest.EXE Execution test (source)
- Node Process Executions test (source)
- NodeJS Execution of JavaScript File experimental (source)
- Non Interactive PowerShell Process Spawned test (source)
- Non-privileged Usage of Reg or Powershell test (source)
- Notepad Password Files Discovery experimental (source)
- NotPetya Ransomware Activity test (source)
- Nslookup PowerShell Download Cradle - ProcessCreation test (source)
- NtdllPipe Like Activity Execution test (source)
- NTFS symbolic link configuration change experimental (source)
- NTFS symbolic link creation experimental (source)
- NTLM Hash Leak Via Curl NTLM Authentication test (source)
- Number of oustanding SMB requests increased experimental (source)
- Obfuscated IP Download Activity test (source)
- Obfuscated IP Via CLI test (source)
- Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental (source)
- Obfuscated PowerShell OneLiner Execution test (source)
- Odbcconf.EXE Suspicious DLL Location test (source)
- OilRig APT Activity test (source)
- OneNote.EXE Execution of Malicious Embedded Scripts test (source)
- OpenEDR Spawning Command Shell experimental (source)
- OpenWith.exe Executes Specified Binary test (source)
- Operation Wocao Activity test (source)
- Operator Bloopers Cobalt Strike Commands test (source)
- Operator Bloopers Cobalt Strike Modules test (source)
- Outlook EnableUnsafeClientMailRules Setting Enabled test (source)
- PaperCut MF/NG Exploitation Related Indicators test (source)
- PaperCut MF/NG Potential Exploitation test (source)
- Password policy discovery via commandline (source)
- Password Protected Compressed File Extraction Via 7Zip test (source)
- Password Provided In Command Line Of Net.EXE test (source)
- Password Set to Never Expire via WMI experimental (source)
- PDQ Deploy Remote Adminstartion Tool Execution test (source)
- Peach Sandstorm APT Process Activity Indicators test (source)
- Perl Inline Command Execution test (source)
- Permission Check Via Accesschk.EXE test (source)
- Permission Misconfiguration Reconnaissance Via Findstr.EXE test (source)
- Persistence Via Sticky Key Backdoor test (source)
- Persistence Via TypedPaths - CommandLine test (source)
- Phishing Pattern ISO in Archive test (source)
- Php Inline Command Execution test (source)
- Pikabot Fake DLL Extension Execution Via Rundll32.EXE test (source)
- Ping Hex IP test (source)
- Pingback Backdoor Activity test (source)
- PktMon.EXE Execution test (source)
- Port Forwarding Activity Via SSH.EXE test (source)
- Portable Gpg.EXE Execution test (source)
- Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production (source)
- Possible Privilege Escalation via Weak Service Permissions test (source)
- Potential ACTINIUM Persistence Activity test (source)
- Potential Active Directory Enumeration Using AD Module - ProcCreation test (source)
- Potential Adplus.EXE Abuse test (source)
- Potential Amazon SSM Agent Hijacking test (source)
- Potential AMSI Bypass Using NULL Bits test (source)
- Potential AMSI Bypass Via .NET Reflection test (source)
- Potential Application Whitelisting Bypass via Dnx.EXE test (source)
- Potential APT FIN7 Exploitation Activity test (source)
- Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity test (source)
- Potential APT Mustang Panda Activity Against Australian Gov test (source)
- Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 test (source)
- Potential APT10 Cloud Hopper Activity test (source)
- Potential Arbitrary Code Execution Via Node.EXE test (source)
- Potential Arbitrary Command Execution Using Msdt.EXE test (source)
- Potential Arbitrary Command Execution Via FTP.EXE test (source)
- Potential Arbitrary DLL Load Using Winword test (source)
- Potential Arbitrary File Download Using Office Application test (source)
- Potential Arbitrary File Download Via Cmdl32.EXE test (source)
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt test (source)
- Potential Baby Shark Malware Activity test (source)
- Potential BearLPE Exploitation test (source)
- Potential Binary Impersonating Sysinternals Tools test (source)
- Potential Binary Proxy Execution Via Cdb.EXE test (source)
- Potential Binary Proxy Execution Via VSDiagnostics.EXE test (source)
- Potential BlackByte Ransomware Activity test (source)
- Potential BOINC Software Execution (UC-Berkeley Signature) test (source)
- Potential Browser Data Stealing test (source)
- Potential CobaltStrike Process Patterns test (source)
- Potential COM Objects Download Cradles Usage - Process Creation test (source)
- Potential Command Line Path Traversal Evasion Attempt test (source)
- Potential Commandline Obfuscation Using Escape Characters test (source)
- Potential CommandLine Obfuscation Using Unicode Characters test (source)
- Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image test (source)
- Potential CommandLine Path Traversal Via Cmd.EXE test (source)
- Potential Compromised 3CXDesktopApp Execution test (source)
- Potential Compromised 3CXDesktopApp Update Activity test (source)
- Potential Configuration And Service Reconnaissance Via Reg.EXE test (source)
- Potential Conti Ransomware Activity test (source)
- Potential Conti Ransomware Database Dumping Activity Via SQLCmd test (source)
- Potential Cookies Session Hijacking test (source)
- Potential Credential Dumping Attempt Using New NetworkProvider - CLI test (source)
- Potential Credential Dumping Via LSASS Process Clone test (source)
- Potential Credential Dumping Via WER test (source)
- Potential Crypto Mining Activity stable (source)
- Potential CVE-2021-26857 Exploitation Attempt stable (source)
- Potential CVE-2021-40444 Exploitation Attempt test (source)
- Potential CVE-2021-41379 Exploitation Attempt test (source)
- Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon test (source)
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution test (source)
- Potential CVE-2022-26809 Exploitation Attempt test (source)
- Potential CVE-2022-29072 Exploitation Attempt test (source)
- Potential CVE-2023-21554 QueueJumper Exploitation test (source)
- Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution test (source)
- Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI test (source)
- Potential Data Exfiltration Activity Via CommandLine Tools test (source)
- Potential Data Exfiltration Via Curl.EXE test (source)
- Potential Data Stealing Via Chromium Headless Debugging test (source)
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 test (source)
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 test (source)
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 test (source)
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 test (source)
- Potential Defense Evasion Via Binary Rename test (source)
- Potential Defense Evasion Via Rename Of Highly Relevant Binaries test (source)
- Potential Defense Evasion Via Right-to-Left Override test (source)
- Potential Devil Bait Malware Reconnaissance test (source)
- Potential Discovery Activity Via Dnscmd.EXE test (source)
- Potential DLL File Download Via PowerShell Invoke-WebRequest test (source)
- Potential DLL Injection Or Execution Using Tracker.exe test (source)
- Potential DLL Injection Via AccCheckConsole test (source)
- Potential DLL Sideloading Activity Via ExtExport.EXE test (source)
- Potential DLL Sideloading Via DeviceEnroller.EXE test (source)
- Potential Dosfuscation Activity test (source)
- Potential Download/Upload Activity Using Type Command test (source)
- Potential Dridex Activity stable (source)
- Potential Dropper Script Execution Via WScript/CScript/MSHTA test (source)
- Potential Dtrack RAT Activity stable (source)
- Potential Emotet Activity stable (source)
- Potential Emotet Rundll32 Execution test (source)
- Potential EmpireMonkey Activity test (source)
- Potential Encoded PowerShell Patterns In CommandLine test (source)
- Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp test (source)
- Potential Executable Run Itself As Sacrificial Process experimental (source)
- Potential Execution of Sysinternals Tools test (source)
- Potential Exploitation Attempt From Office Application test (source)
- Potential Exploitation Attempt Of Undocumented WindowsServer RCE test (source)
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental (source)
- Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group test (source)
- Potential Exploitation of GoAnywhere MFT Vulnerability experimental (source)
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 experimental (source)
- Potential Fake Instance Of Hxtsr.EXE Executed test (source)
- Potential File Download Via MS-AppInstaller Protocol Handler test (source)
- Potential File Override/Append Via SET Command test (source)
- Potential File Overwrite Via Sysinternals SDelete test (source)
- Potential Goofy Guineapig Backdoor Activity test (source)
- Potential Goofy Guineapig GoolgeUpdate Process Anomaly test (source)
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI test (source)
- Potential Homoglyph Attack Using Lookalike Characters test (source)
- Potential KamiKakaBot Activity - Lure Document Execution test (source)
- Potential KamiKakaBot Activity - Shutdown Schedule Task Creation test (source)
- Potential Ke3chang/TidePool Malware Activity test (source)
- Potential Lateral Movement via Windows Remote Shell experimental (source)
- Potential LethalHTA Technique Execution test (source)
- Potential LSASS Process Dump Via Procdump stable (source)
- Potential Manage-bde.wsf Abuse To Proxy Execution test (source)
- Potential Maze Ransomware Activity test (source)
- Potential Memory Dumping Activity Via LiveKD test (source)
- Potential Meterpreter/CobaltStrike Activity test (source)
- Potential Mftrace.EXE Abuse test (source)
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE test (source)
- Potential Mpclient.DLL Sideloading Via Defender Binaries test (source)
- Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution test (source)
- Potential MsiExec Masquerading test (source)
- Potential MSTSC Shadowing Activity test (source)
- Potential MuddyWater APT Activity test (source)
- Potential Network Sniffing Activity Using Network Tools test (source)
- Potential Notepad++ CVE-2025-49144 Exploitation experimental (source)
- Potential NTLM Coercion Via Certutil.EXE test (source)
- Potential Obfuscated Ordinal Call Via Rundll32 test (source)
- Potential Password Reconnaissance Via Findstr.EXE test (source)
- Potential Password Spraying Attempt Using Dsacls.EXE test (source)
- Potential Persistence Attempt Via Existing Service Tampering test (source)
- Potential Persistence Attempt Via Run Keys Using Reg.EXE test (source)
- Potential Persistence Via Logon Scripts - CommandLine test (source)
- Potential Persistence Via Microsoft Compatibility Appraiser test (source)
- Potential Persistence Via Netsh Helper DLL test (source)
- Potential Persistence Via Powershell Search Order Hijacking - Task test (source)
- Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script test (source)
- Potential Pikabot Discovery Activity test (source)
- Potential Pikabot Hollowing Activity test (source)
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE test (source)
- Potential PlugX Activity test (source)
- Potential PowerShell Command Line Obfuscation test (source)
- Potential PowerShell Console History Access Attempt via History File experimental (source)
- Potential PowerShell Downgrade Attack test (source)
- Potential PowerShell Execution Policy Tampering - ProcCreation test (source)
- Potential PowerShell Execution Via DLL test (source)
- Potential PowerShell Obfuscation Via Reversed Commands test (source)
- Potential PowerShell Obfuscation Via WCHAR/CHAR test (source)
- Potential Powershell ReverseShell Connection stable (source)
- Potential Privilege Escalation To LOCAL SYSTEM test (source)
- Potential Privilege Escalation Using Symlink Between Osk and Cmd test (source)
- Potential Privilege Escalation via Service Permissions Weakness test (source)
- Potential Process Execution Proxy Via CL_Invocation.ps1 test (source)
- Potential Process Injection Via Msra.EXE test (source)
- Potential Product Class Reconnaissance Via Wmic.EXE test (source)
- Potential Product Reconnaissance Via Wmic.EXE test (source)
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution test (source)
- Potential Provlaunch.EXE Binary Proxy Execution Abuse test (source)
- Potential Proxy Execution Via Explorer.EXE From Shell Process test (source)
- Potential PsExec Remote Execution test (source)
- Potential Qakbot Rundll32 Execution test (source)
- Potential QBot Activity stable (source)
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE test (source)
- Potential Raspberry Robin CPL Execution Activity test (source)
- Potential Raspberry Robin Dot Ending File test (source)
- Potential RDP Session Hijacking Activity test (source)
- Potential RDP Tunneling Via Plink test (source)
- Potential RDP Tunneling Via SSH test (source)
- Potential Recon Activity Using DriverQuery.EXE test (source)
- Potential Recon Activity Via Nltest.EXE test (source)
- Potential Reconnaissance Activity Via GatherNetworkInfo.VBS test (source)
- Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE test (source)
- Potential ReflectDebugger Content Execution Via WerFault.EXE test (source)
- Potential Register_App.Vbs LOLScript Abuse test (source)
- Potential Regsvr32 Commandline Flag Anomaly test (source)
- Potential Remote Desktop Tunneling test (source)
- Potential Remote SquiblyTwo Technique Execution test (source)
- Potential Renamed Rundll32 Execution test (source)
- Potential Rundll32 Execution With DLL Stored In ADS test (source)
- Potential Russian APT Credential Theft Activity stable (source)
- Potential Ryuk Ransomware Activity stable (source)
- Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 test (source)
- Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators experimental (source)
- Potential ShellDispatch.DLL Functionality Abuse test (source)
- Potential Shim Database Persistence via Sdbinst.EXE test (source)
- Potential Signing Bypass Via Windows Developer Features test (source)
- Potential SMB Relay Attack Tool Execution test (source)
- Potential SNAKE Malware Installation Binary Indicator test (source)
- Potential SNAKE Malware Installation CLI Arguments Indicator test (source)
- Potential SNAKE Malware Persistence Service Execution test (source)
- Potential Snatch Ransomware Activity stable (source)
- Potential SPN Enumeration Via Setspn.EXE test (source)
- Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental (source)
- Potential Suspicious Activity Using SeCEdit test (source)
- Potential Suspicious Browser Launch From Document Reader Process test (source)
- Potential Suspicious Child Process Of 3CXDesktopApp test (source)
- Potential Suspicious Execution From GUID Like Folder Names test (source)
- Potential Suspicious Mofcomp Execution test (source)
- Potential Suspicious Registry File Imported Via Reg.EXE test (source)
- Potential Suspicious Windows Feature Enabled - ProcCreation test (source)
- Potential SysInternals ProcDump Evasion test (source)
- Potential SystemNightmare Exploitation Attempt test (source)
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE test (source)
- Potential Tampering With Security Products Via WMIC test (source)
- Potential UAC Bypass Via Sdclt.EXE test (source)
- Potential Unquoted Service Path Reconnaissance Via Wmic.EXE test (source)
- Potential WinAPI Calls Via CommandLine test (source)
- Potential Windows Defender AV Bypass Via Dump64.EXE Rename test (source)
- Potential Windows Defender Tampering Via Wmic.EXE test (source)
- Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell stable (source)
- Potentially Over Permissive Permissions Granted Using Dsacls.EXE test (source)
- Potentially Suspicious ASP.NET Compilation Via AspNetCompiler test (source)
- Potentially Suspicious Cabinet File Expansion test (source)
- Potentially Suspicious Call To Win32_NTEventlogFile Class test (source)
- Potentially Suspicious Child Process Of ClickOnce Application test (source)
- Potentially Suspicious Child Process Of DiskShadow.EXE test (source)
- Potentially Suspicious Child Process of KeyScrambler.exe test (source)
- Potentially Suspicious Child Process Of Regsvr32 test (source)
- Potentially Suspicious Child Process Of VsCode test (source)
- Potentially Suspicious Child Process Of WinRAR.EXE test (source)
- Potentially Suspicious Child Processes Spawned by ConHost experimental (source)
- Potentially Suspicious CMD Shell Output Redirect test (source)
- Potentially Suspicious Command Targeting Teams Sensitive Files test (source)
- Potentially Suspicious Compression Tool Parameters test (source)
- Potentially Suspicious Desktop Background Change Using Reg.EXE test (source)
- Potentially Suspicious DLL Registered Via Odbcconf.EXE test (source)
- Potentially Suspicious Electron Application CommandLine test (source)
- Potentially Suspicious Event Viewer Child Process test (source)
- Potentially Suspicious EventLog Recon Activity Using Log Query Utilities test (source)
- Potentially Suspicious Execution From Parent Process In Public Folder test (source)
- Potentially Suspicious Execution Of PDQDeployRunner test (source)
- Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location test (source)
- Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension test (source)
- Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE test (source)
- Potentially Suspicious GoogleUpdate Child Process test (source)
- Potentially Suspicious Inline JavaScript Execution via NodeJS Binary experimental (source)
- Potentially Suspicious JWT Token Search Via CLI test (source)
- Potentially Suspicious NTFS Symlink Behavior Modification test (source)
- Potentially Suspicious Office Document Executed From Trusted Location test (source)
- Potentially Suspicious Ping/Copy Command Combination test (source)
- Potentially Suspicious PowerShell Child Processes test (source)
- Potentially Suspicious Powershell Script Execution From Temp Folder test (source)
- Potentially Suspicious Regsvr32 HTTP IP Pattern test (source)
- Potentially Suspicious Regsvr32 HTTP/FTP Pattern test (source)
- Potentially Suspicious Rundll32 Activity test (source)
- Potentially Suspicious Rundll32.EXE Execution of UDL File test (source)
- Potentially Suspicious Usage Of Qemu test (source)
- Potentially Suspicious WebDAV LNK Execution test (source)
- Potentially Suspicious Windows App Activity test (source)
- PowerShell Base64 Encoded FromBase64String Cmdlet test (source)
- PowerShell Base64 Encoded IEX Cmdlet test (source)
- PowerShell Base64 Encoded Invoke Keyword test (source)
- Powershell Base64 Encoded MpPreference Cmdlet test (source)
- PowerShell Base64 Encoded Reflective Assembly Load test (source)
- PowerShell Base64 Encoded WMI Classes test (source)
- Powershell Defender Disable Scan Feature test (source)
- Powershell Defender Exclusion test (source)
- PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction' experimental (source)
- PowerShell Download and Execution Cradles test (source)
- PowerShell Download Pattern test (source)
- Powershell Executed From Headless ConHost Process test (source)
- PowerShell Execution With Potential Decryption Capabilities test (source)
- PowerShell Get-Clipboard Cmdlet Via CLI test (source)
- PowerShell Get-Process LSASS test (source)
- Powershell Inline Execution From A File test (source)
- PowerShell MSI Install via WindowsInstaller COM From Remote Location experimental (source)
- PowerShell SAM Copy test (source)
- PowerShell Script Change Permission Via Set-Acl test (source)
- PowerShell Script Run in AppData test (source)
- PowerShell Set-Acl On Windows Folder test (source)
- Powershell Token Obfuscation - Process Creation test (source)
- PowerShell Web Access Feature Enabled Via DISM test (source)
- PPL Tampering Via WerFaultSecure experimental (source)
- PrintBrm ZIP Creation of Extraction test (source)
- Private Keys Reconnaissance Via CommandLine Tools test (source)
- Privilege Escalation via Named Pipe Impersonation test (source)
- Procdump Execution test (source)
- Process Access via TrolleyExpress Exclusion test (source)
- Process Creation Using Sysnative Folder test (source)
- Process Execution From A Potentially Suspicious Folder test (source)
- Process Execution From WebDAV Share experimental (source)
- Process Launched Without Image Name test (source)
- Process Memory Dump Via Comsvcs.DLL test (source)
- Process Memory Dump Via Dotnet-Dump test (source)
- Process Memory Dump via RdrLeakDiag.EXE test (source)
- Process Proxy Execution Via Squirrel.EXE test (source)
- Process Reconnaissance Via Wmic.EXE test (source)
- Process Terminated Via Taskkill test (source)
- Program Executed Using Proxy/Local Command Via SSH.EXE test (source)
- Proxy Execution via Vshadow experimental (source)
- Proxy Execution Via Wuauclt.EXE test (source)
- Ps.exe Renamed SysInternals Tool test (source)
- PSexec application execution experimental (source)
- Psexec Execution test (source)
- PsExec Service Child Process Execution as LOCAL SYSTEM test (source)
- PsExec Service Execution test (source)
- PsExec/PAExec Escalation to LOCAL SYSTEM test (source)
- PUA - 3Proxy Execution test (source)
- PUA - AdFind Suspicious Execution test (source)
- PUA - AdFind.EXE Execution experimental (source)
- PUA - Adidnsdump Execution test (source)
- PUA - Advanced IP Scanner Execution test (source)
- PUA - Advanced Port Scanner Execution test (source)
- PUA - AdvancedRun Execution test (source)
- PUA - AdvancedRun Suspicious Execution test (source)
- PUA - Chisel Tunneling Tool Execution test (source)
- PUA - CleanWipe Execution test (source)
- PUA - Crassus Execution test (source)
- PUA - CsExec Execution test (source)
- PUA - DefenderCheck Execution test (source)
- PUA - DIT Snapshot Viewer test (source)
- PUA - Fast Reverse Proxy (FRP) Execution test (source)
- PUA - Kernel Driver Utility (KDU) Execution experimental (source)
- PUA - Memory Dump Mount Via MemProcFS experimental (source)
- PUA - Mouse Lock Execution test (source)
- PUA - Netcat Suspicious Execution test (source)
- PUA - Ngrok Execution test (source)
- PUA - Nimgrab Execution test (source)
- PUA - NimScan Execution test (source)
- PUA - NirCmd Execution test (source)
- PUA - NirCmd Execution As LOCAL SYSTEM test (source)
- PUA - Nmap/Zenmap Execution test (source)
- PUA - NPS Tunneling Tool Execution test (source)
- PUA - NSudo Execution test (source)
- PUA - PingCastle Execution test (source)
- PUA - PingCastle Execution From Potentially Suspicious Parent test (source)
- PUA - Potential PE Metadata Tamper Using Rcedit test (source)
- PUA - Process Hacker Execution test (source)
- PUA - Radmin Viewer Utility Execution test (source)
- PUA - Rclone Execution test (source)
- PUA - Restic Backup Tool Execution experimental (source)
- PUA - RunXCmd Execution test (source)
- PUA - Seatbelt Execution test (source)
- PUA - SoftPerfect Netscan Execution test (source)
- PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE test (source)
- PUA - System Informer Execution test (source)
- PUA - TruffleHog Execution experimental (source)
- PUA - WebBrowserPassView Execution test (source)
- PUA - Wsudo Suspicious Execution test (source)
- PUA- IOX Tunneling Tool Execution test (source)
- Pubprn.vbs Proxy Execution test (source)
- Python Function Execution Security Warning Disabled In Excel test (source)
- Python Inline Command Execution test (source)
- Python One-Liners with Base64 Decoding experimental (source)
- Python Spawning Pretty TTY on Windows test (source)
- Qakbot Regsvr32 Calc Pattern test (source)
- Qakbot Rundll32 Exports Execution test (source)
- Qakbot Rundll32 Fake DLL Extension Execution test (source)
- Qakbot Uninstaller Execution test (source)
- Query Usage To Exfil Data test (source)
- QuickAssist Execution experimental (source)
- Raccine Uninstall test (source)
- Rar Usage with Password and Compression Level test (source)
- Raspberry Robin Initial Execution From External Drive test (source)
- Raspberry Robin Subsequent Execution of Commands test (source)
- RDP Connection Allowed Via Netsh.EXE test (source)
- RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class experimental (source)
- RDP Port Forwarding Rule Added Via Netsh.EXE test (source)
- RDP shadow session started (command) experimental (source)
- RDP tunneling configuration enabled for port forwarding experimental (source)
- Read Contents From Stdin Via Cmd.EXE test (source)
- Rebuild Performance Counter Values Via Lodctr.EXE test (source)
- Recon Command Output Piped To Findstr.EXE test (source)
- Recon Information for Export with Command Prompt test (source)
- RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental (source)
- Reg Add Suspicious Paths test (source)
- RegAsm.EXE Execution Without CommandLine Flags or Files experimental (source)
- Regedit as Trusted Installer test (source)
- REGISTER_APP.VBS Proxy Execution test (source)
- Registry Export of Third-Party Credentials experimental (source)
- Registry Manipulation via WMI Stdregprov experimental (source)
- Registry Modification Attempt Via VBScript experimental (source)
- Registry Modification of MS-settings Protocol Handler test (source)
- Registry Modification Via Regini.EXE test (source)
- Regsvr32 DLL Execution With Suspicious File Extension test (source)
- Regsvr32 DLL Execution With Uncommon Extension test (source)
- Regsvr32 Execution From Highly Suspicious Location test (source)
- Regsvr32 Execution From Potential Suspicious Location test (source)
- Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly test (source)
- Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions test (source)
- Remote Access Tool - Ammy Admin Agent Execution test (source)
- Remote Access Tool - AnyDesk Execution test (source)
- Remote Access Tool - Anydesk Execution From Suspicious Folder test (source)
- Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate test (source)
- Remote Access Tool - AnyDesk Piped Password Via CLI test (source)
- Remote Access Tool - AnyDesk Silent Installation test (source)
- Remote Access Tool - Cmd.EXE Execution via AnyViewer test (source)
- Remote Access Tool - GoToAssist Execution test (source)
- Remote Access Tool - LogMeIn Execution test (source)
- Remote Access Tool - MeshAgent Command Execution via MeshCentral test (source)
- Remote Access Tool - NetSupport Execution test (source)
- Remote Access Tool - NetSupport Execution From Unusual Location test (source)
- Remote Access Tool - Potential MeshAgent Execution - Windows experimental (source)
- Remote Access Tool - Renamed MeshAgent Execution - Windows experimental (source)
- Remote Access Tool - RURAT Execution From Unusual Location test (source)
- Remote Access Tool - ScreenConnect Execution test (source)
- Remote Access Tool - ScreenConnect Installation Execution test (source)
- Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution test (source)
- Remote Access Tool - ScreenConnect Remote Command Execution test (source)
- Remote Access Tool - ScreenConnect Remote Command Execution - Hunting test (source)
- Remote Access Tool - ScreenConnect Server Web Shell Execution test (source)
- Remote Access Tool - Simple Help Execution test (source)
- Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server experimental (source)
- Remote Access Tool - Team Viewer Session Started On Windows Host test (source)
- Remote Access Tool - UltraViewer Execution test (source)
- Remote CHM File Download/Execution Via HH.EXE test (source)
- Remote Code Execute via Winrm.vbs test (source)
- Remote File Download Via Desktopimgdownldr Utility test (source)
- Remote File Download Via Findstr.EXE test (source)
- Remote PowerShell Session Host Process (WinRM) test (source)
- Remote XSL Execution Via Msxsl.EXE test (source)
- RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses test (source)
- Remotely Hosted HTA File Executed Via Mshta.EXE test (source)
- Renamed AdFind Execution test (source)
- Renamed AutoHotkey.EXE Execution test (source)
- Renamed AutoIt Execution test (source)
- Renamed BOINC Client Execution test (source)
- Renamed BrowserCore.EXE Execution test (source)
- Renamed Cloudflared.EXE Execution test (source)
- Renamed CreateDump Utility Execution test (source)
- Renamed CURL.EXE Execution test (source)
- Renamed FTP.EXE Execution test (source)
- Renamed Gpg.EXE Execution test (source)
- Renamed Jusched.EXE Execution test (source)
- Renamed Mavinject.EXE Execution test (source)
- Renamed MegaSync Execution test (source)
- Renamed Microsoft Teams Execution test (source)
- Renamed Msdt.EXE Execution test (source)
- Renamed NetSupport RAT Execution test (source)
- Renamed NirCmd.EXE Execution test (source)
- Renamed Office Binary Execution test (source)
- Renamed PAExec Execution test (source)
- Renamed PingCastle Binary Execution test (source)
- Renamed Plink Execution test (source)
- Renamed ProcDump Execution test (source)
- Renamed Procdump tool used for dumping LSASS process experimental (source)
- Renamed PsExec Service Execution test (source)
- Renamed Remote Utilities RAT (RURAT) Execution test (source)
- Renamed Schtasks Execution experimental (source)
- Renamed SysInternals DebugView Execution test (source)
- Renamed Sysinternals Sdelete Execution test (source)
- Renamed Visual Studio Code Tunnel Execution test (source)
- Renamed Vmnat.exe Execution test (source)
- Renamed Whoami Execution test (source)
- Renamed ZOHO Dctask64 Execution test (source)
- Replace.exe Usage test (source)
- Response File Execution Via Odbcconf.EXE test (source)
- RestrictedAdminMode Registry Value Tampering - ProcCreation test (source)
- REvil Kaseya Incident Malware Patterns test (source)
- Rhadamanthys Stealer Module Launch Via Rundll32.EXE test (source)
- Root Certificate Installed From Susp Locations test (source)
- Rorschach Ransomware Execution Activity test (source)
- Ruby Inline Command Execution test (source)
- Run Once Task Execution as Configured in Registry test (source)
- Run PowerShell Script from ADS test (source)
- Run PowerShell Script from Redirected Input Stream test (source)
- Rundll32 Execution With Uncommon DLL Extension test (source)
- Rundll32 Execution Without CommandLine Parameters test (source)
- Rundll32 Execution Without Parameters test (source)
- Rundll32 InstallScreenSaver Execution test (source)
- Rundll32 Registered COM Objects test (source)
- Rundll32 Spawned Via Explorer.EXE test (source)
- RunDLL32 Spawning Explorer test (source)
- Rundll32 UNC Path Execution test (source)
- Rundll32.EXE Calling DllRegisterServer Export Function Explicitly test (source)
- RunMRU Registry Key Deletion experimental (source)
- SafeBoot Registry Key Deleted Via Reg.EXE test (source)
- SC.EXE Query Execution test (source)
- Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test (source)
- Scheduled persistent task with SYSTEM privileges creation experimental (source)
- Scheduled Task Creation From Potential Suspicious Parent Location test (source)
- Scheduled Task Creation Masquerading as System Processes experimental (source)
- Scheduled Task Creation Via Schtasks.EXE test (source)
- Scheduled task creation with command line experimental (source)
- Scheduled Task Creation with Curl and PowerShell Execution Combo experimental (source)
- Scheduled Task Executing Encoded Payload from Registry test (source)
- Scheduled Task Executing Payload from Registry test (source)
- Schtasks Creation Or Modification With SYSTEM Privileges test (source)
- Schtasks From Suspicious Folders test (source)
- Screen Capture Activity Via Psr.EXE test (source)
- Script Event Consumer Spawning Process test (source)
- Script Interpreter Execution From Suspicious Folder test (source)
- Script Interpreter Spawning Credential Scanner - Windows experimental (source)
- Scripting/CommandLine Process Spawned Regsvr32 test (source)
- Sdclt Child Processes test (source)
- Sdiagnhost Calling Suspicious Child Process test (source)
- SearchIndexer suspicious process activity experimental (source)
- Security Event Logging Disabled via MiniNt Registry Key - Process experimental (source)
- Security package (SSP) added (Reg via command) experimental (source)
- Security Privileges Enumeration Via Whoami.EXE test (source)
- Security Service Disabled Via Reg.EXE test (source)
- Security Tools Keyword Lookup Via Findstr.EXE test (source)
- Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location test (source)
- Sensitive File Access Via Volume Shadow Copy Backup test (source)
- Sensitive File Dump Via Print.EXE test (source)
- Sensitive File Dump Via Wbadmin.EXE test (source)
- Sensitive File Recovery From Backup Via Wbadmin.EXE test (source)
- Serial console process spawning CMD shell (via command) experimental (source)
- Serpent Backdoor Payload Execution Via Scheduled Task test (source)
- Serv-U Exploitation CVE-2021-35211 by DEV-0322 test (source)
- Service abuse with malicious ImagePath (service) experimental (source)
- Service creation (command) experimental (source)
- Service DACL Abuse To Hide Services Via Sc.EXE test (source)
- Service deactivation (command) experimental (source)
- Service permissions hijacked for privileges abuse (service) experimental (source)
- Service Reconnaissance Via Wmic.EXE test (source)
- Service Registry Key Deleted Via Reg.EXE test (source)
- Service Security Descriptor Tampering Via Sc.EXE test (source)
- Service Started/Stopped Via Wmic.EXE test (source)
- Service Startup Type Change Via Wmic.EXE experimental (source)
- Service StartupType Change Via PowerShell Set-Service test (source)
- Service StartupType Change Via Sc.EXE test (source)
- Set Files as System Files Using Attrib.EXE test (source)
- Set Suspicious Files as System Files Using Attrib.EXE test (source)
- Setup16.EXE Execution With Custom .Lst File test (source)
- Shadow Copies Creation Using Operating Systems Utilities test (source)
- Shadow Copies Deletion Using Operating Systems Utilities stable (source)
- Shai-Hulud 2.0 Malicious NPM Package Installation experimental (source)
- Shai-Hulud Malicious Bun Execution experimental (source)
- Shai-Hulud Malware Indicators - Windows experimental (source)
- Share And Session Enumeration Using Net.EXE stable (source)
- Shell Process Spawned by Java.EXE test (source)
- Shell32 DLL Execution in Suspicious Directory test (source)
- ShimCache Flush stable (source)
- Small Sieve Malware CommandLine Indicator test (source)
- SMB over QUIC Via Net.EXE test (source)
- Sofacy Trojan Loader Activity test (source)
- SOURGUM Actor Behaviours test (source)
- SPN added to an account by command line experimental (source)
- Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958) experimental (source)
- SQL Client Tools PowerShell Session Detection test (source)
- SQL Server database's table enumeration experimental (source)
- SQL server sqlcmd utility abuse for privilege escalation experimental (source)
- SQLite Chromium Profile Data DB Access test (source)
- SQLite Firefox Profile Data DB Access test (source)
- Start of NT Virtual DOS Machine test (source)
- Start Windows Service Via Net.EXE test (source)
- Stickey key called CMD via command execution experimental (source)
- Stickey key called CMD via command execution (hash detection) experimental (source)
- Sticky Key Like Backdoor Execution test (source)
- Stop Windows Service Via Net.EXE test (source)
- Stop Windows Service Via PowerShell Stop-Service test (source)
- Stop Windows Service Via Sc.EXE test (source)
- Suspect Svchost Activity test (source)
- Suspicious Active Directory Database Snapshot Via ADExplorer test (source)
- Suspicious AddinUtil.EXE CommandLine Execution test (source)
- Suspicious Advpack Call Via Rundll32.EXE test (source)
- Suspicious AgentExecutor PowerShell Execution test (source)
- Suspicious ArcSOC.exe Child Process experimental (source)
- Suspicious Autorun Registry Modified via WMI experimental (source)
- Suspicious Binary In User Directory Spawned From Office Application test (source)
- Suspicious BitLocker Access Agent Update Utility Execution experimental (source)
- Suspicious Cabinet File Execution Via Msdt.EXE test (source)
- Suspicious Calculator Usage test (source)
- Suspicious CertReq Command to Download experimental (source)
- Suspicious Child Process Created as System test (source)
- Suspicious Child Process of AspNetCompiler test (source)
- Suspicious Child Process Of BgInfo.EXE test (source)
- Suspicious Child Process Of Manage Engine ServiceDesk test (source)
- Suspicious Child Process of Notepad++ Updater - GUP.Exe experimental (source)
- Suspicious Child Process of SAP NetWeaver experimental (source)
- Suspicious Child Process of SolarWinds WebHelpDesk experimental (source)
- Suspicious Child Process Of SQL Server test (source)
- Suspicious Child Process Of Veeam Dabatase test (source)
- Suspicious Child Process Of Wermgr.EXE test (source)
- Suspicious Chromium Browser Instance Executed With Custom Extension test (source)
- Suspicious ClickFix/FileFix Execution Pattern experimental (source)
- Suspicious CodePage Switch Via CHCP test (source)
- Suspicious Command Patterns In Scheduled Task Creation test (source)
- Suspicious Control Panel DLL Load test (source)
- Suspicious Copy From or To System Directory test (source)
- Suspicious CrushFTP Child Process experimental (source)
- Suspicious Csi.exe Usage test (source)
- Suspicious Curl.EXE Download test (source)
- Suspicious CustomShellHost Execution test (source)
- Suspicious Debugger Registration Cmdline test (source)
- Suspicious Desktopimgdownldr Command test (source)
- Suspicious Diantz Alternate Data Stream Execution test (source)
- Suspicious Diantz Download and Compress Into a CAB File test (source)
- Suspicious DLL Loaded via CertOC.EXE test (source)
- Suspicious Double Extension File Execution stable (source)
- Suspicious Download From Direct IP Via Bitsadmin test (source)
- Suspicious Download From File-Sharing Website Via Bitsadmin test (source)
- Suspicious Download from Office Domain test (source)
- Suspicious Download Via Certutil.EXE test (source)
- Suspicious Driver Install by pnputil.exe test (source)
- Suspicious Driver/DLL Installation Via Odbcconf.EXE test (source)
- Suspicious DumpMinitool Execution test (source)
- Suspicious Electron Application Child Processes test (source)
- Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call test (source)
- Suspicious Encoded PowerShell Command Line test (source)
- Suspicious Eventlog Clearing or Configuration Change Activity stable (source)
- Suspicious Execution From Outlook Temporary Folder test (source)
- Suspicious Execution Location Of Wermgr.EXE test (source)
- Suspicious Execution of Hostname test (source)
- Suspicious Execution of InstallUtil Without Log test (source)
- Suspicious Execution of Powershell with Base64 test (source)
- Suspicious Execution of Shutdown test (source)
- Suspicious Execution of Shutdown to Log Out test (source)
- Suspicious Execution of Systeminfo test (source)
- Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix experimental (source)
- Suspicious Extrac32 Alternate Data Stream Execution test (source)
- Suspicious Extrac32 Execution test (source)
- Suspicious File Characteristics Due to Missing Fields test (source)
- Suspicious File Download From File Sharing Domain Via Curl.EXE test (source)
- Suspicious File Download From File Sharing Domain Via Wget.EXE test (source)
- Suspicious File Download From IP Via Curl.EXE test (source)
- Suspicious File Download From IP Via Wget.EXE test (source)
- Suspicious File Download From IP Via Wget.EXE - Paths test (source)
- Suspicious File Downloaded From Direct IP Via Certutil.EXE test (source)
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE test (source)
- Suspicious File Encoded To Base64 Via Certutil.EXE test (source)
- Suspicious File Execution From Internet Hosted WebDav Share test (source)
- Suspicious FileFix Execution Pattern experimental (source)
- Suspicious FromBase64String Usage On Gzip Archive - Process Creation test (source)
- Suspicious Git Clone test (source)
- Suspicious Greedy Compression Using Rar.EXE test (source)
- Suspicious Group And Account Reconnaissance Activity Using Net.EXE test (source)
- Suspicious GrpConv Execution test (source)
- Suspicious GUP Usage test (source)
- Suspicious HH.EXE Execution test (source)
- Suspicious High IntegrityLevel Conhost Legacy Option test (source)
- Suspicious HWP Sub Processes test (source)
- Suspicious IIS Module Registration test (source)
- Suspicious IIS URL GlobalRules Rewrite Via AppCmd test (source)
- Suspicious Invoke-WebRequest Execution test (source)
- Suspicious Invoke-WebRequest Execution With DirectIP test (source)
- Suspicious JavaScript Execution Via Mshta.EXE test (source)
- Suspicious Kerberos Ticket Request via CLI experimental (source)
- Suspicious Kernel Dump Using Dtrace test (source)
- Suspicious Key Manager Access test (source)
- Suspicious LNK Command-Line Padding with Whitespace Characters experimental (source)
- Suspicious Manipulation Of Default Accounts Via Net.EXE test (source)
- Suspicious Microsoft Office Child Process test (source)
- Suspicious Microsoft OneNote Child Process test (source)
- Suspicious Modification Of Scheduled Tasks test (source)
- Suspicious Msbuild Execution By Uncommon Parent Process test (source)
- Suspicious MSDT Parent Process test (source)
- Suspicious MSHTA Child Process test (source)
- Suspicious Mshta.EXE Execution Patterns test (source)
- Suspicious MsiExec Embedding Parent test (source)
- Suspicious Msiexec Execute Arbitrary DLL test (source)
- Suspicious Msiexec Quiet Install From Remote Location test (source)
- Suspicious Mstsc.EXE Execution With Local RDP File test (source)
- Suspicious Network Command test (source)
- Suspicious New Instance Of An Office COM Object test (source)
- Suspicious New Service Creation test (source)
- Suspicious NTLM Authentication on the Printer Spooler Service test (source)
- Suspicious Obfuscated PowerShell Code test (source)
- Suspicious Outlook Child Process test (source)
- Suspicious Parent Double Extension File Execution test (source)
- Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script test (source)
- Suspicious Ping/Del Command Combination test (source)
- Suspicious Plink Port Forwarding test (source)
- Suspicious Powercfg Execution To Change Lock Screen Timeout test (source)
- Suspicious PowerShell Download and Execute Pattern test (source)
- Suspicious PowerShell Encoded Command Patterns test (source)
- Suspicious PowerShell IEX Execution Patterns test (source)
- Suspicious PowerShell Invocation From Script Engines test (source)
- Suspicious PowerShell Invocations - Specific - ProcessCreation test (source)
- Suspicious PowerShell Mailbox Export to Share test (source)
- Suspicious PowerShell Parameter Substring test (source)
- Suspicious PowerShell Parent Process test (source)
- Suspicious PrinterPorts Creation (CVE-2020-1048) test (source)
- Suspicious Process By Web Server Process test (source)
- Suspicious Process Created Via Wmic.EXE test (source)
- Suspicious Process Execution From Fake Recycle.Bin Folder test (source)
- Suspicious Process Masquerading As SvcHost.EXE test (source)
- Suspicious Process Parents test (source)
- Suspicious Process Patterns NTDS.DIT Exfil test (source)
- Suspicious Process Spawned by CentreStack Portal AppPool experimental (source)
- Suspicious Process Start Locations test (source)
- Suspicious Processes Spawned by Java.EXE test (source)
- Suspicious Processes Spawned by WinRM test (source)
- Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE test (source)
- Suspicious Program Names test (source)
- Suspicious Provlaunch.EXE Child Process test (source)
- Suspicious Query of MachineGUID test (source)
- Suspicious RASdial Activity test (source)
- Suspicious RazerInstaller Explorer Subprocess test (source)
- Suspicious RDP Redirect Using TSCON test (source)
- Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet test (source)
- Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS test (source)
- Suspicious Recursive Takeown test (source)
- Suspicious Redirection to Local Admin Share test (source)
- Suspicious Reg Add BitLocker test (source)
- Suspicious Registry Modification From ADS Via Regini.EXE test (source)
- Suspicious Regsvr32 Execution From Remote Share test (source)
- Suspicious Remote Child Process From Outlook test (source)
- Suspicious Response File Execution Via Odbcconf.EXE test (source)
- Suspicious RunAs-Like Flag Combination test (source)
- Suspicious Rundll32 Activity Invoking Sys File test (source)
- Suspicious Rundll32 Execution With Image Extension test (source)
- Suspicious Rundll32 Invoking Inline VBScript test (source)
- Suspicious Rundll32 Setupapi.dll Activity test (source)
- Suspicious Runscripthelper.exe test (source)
- Suspicious Scan Loop Network test (source)
- Suspicious Scheduled Task Creation Involving Temp Folder test (source)
- Suspicious Scheduled Task Creation via Masqueraded XML File test (source)
- Suspicious Scheduled Task Name As GUID test (source)
- Suspicious Schtasks Execution AppData Folder test (source)
- Suspicious Schtasks Schedule Type With High Privileges test (source)
- Suspicious Schtasks Schedule Types test (source)
- Suspicious ScreenSave Change by Reg.exe test (source)
- Suspicious Serv-U Process Pattern test (source)
- Suspicious Service Binary Directory test (source)
- Suspicious Service DACL Modification Via Set-Service Cmdlet test (source)
- Suspicious Service Path Modification test (source)
- Suspicious ShellExec_RunDLL Call Via Ordinal test (source)
- Suspicious Shells Spawn by Java Utility Keytool test (source)
- Suspicious Speech Runtime Binary Child Process experimental (source)
- Suspicious Splwow64 Without Params test (source)
- Suspicious SPN enumeration previous to Kerberoasting attack (native commands) experimental (source)
- Suspicious Spool Service Child Process test (source)
- Suspicious SysAidServer Child test (source)
- Suspicious Sysmon as Execution Parent test (source)
- Suspicious SYSTEM User Process Creation test (source)
- Suspicious SYSVOL Domain Group Policy Access test (source)
- Suspicious Tasklist Discovery Command test (source)
- Suspicious TSCON Start as SYSTEM test (source)
- Suspicious UltraVNC Execution test (source)
- Suspicious Uninstall of Windows Defender Feature via PowerShell experimental (source)
- Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) test (source)
- Suspicious Usage of For Loop with Recursive Directory Search in CMD experimental (source)
- Suspicious Usage Of ShellExec_RunDLL test (source)
- Suspicious Use of CSharp Interactive Console test (source)
- Suspicious Use of PsLogList test (source)
- Suspicious Userinit Child Process test (source)
- Suspicious VBoxDrvInst.exe Parameters test (source)
- Suspicious VBScript UN2452 Pattern test (source)
- Suspicious Velociraptor Child Process experimental (source)
- Suspicious Vsls-Agent Command With AgentExtensionPath Load test (source)
- Suspicious WebDav Client Execution Via Rundll32.EXE test (source)
- Suspicious Where Execution test (source)
- Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE test (source)
- Suspicious Windows Defender Registry Key Tampering Via Reg.EXE test (source)
- Suspicious Windows Service Tampering test (source)
- Suspicious Windows Trace ETW Session Tamper Via Logman.EXE test (source)
- Suspicious Windows Update Agent Empty Cmdline test (source)
- Suspicious WindowsTerminal Child Processes test (source)
- Suspicious WMIC Execution Via Office Process test (source)
- Suspicious WmiPrvSE Child Process test (source)
- Suspicious Workstation Locking via Rundll32 test (source)
- Suspicious X509Enrollment - Process Creation test (source)
- Suspicious XOR Encoded PowerShell Command test (source)
- Suspicious ZipExec Execution test (source)
- SyncAppvPublishingServer Execute Arbitrary PowerShell Code test (source)
- SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code test (source)
- Sysinternals PsService Execution test (source)
- Sysinternals PsSuspend Execution test (source)
- Sysinternals PsSuspend Suspicious Execution test (source)
- Sysmon Configuration Update test (source)
- Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE test (source)
- Sysmon Driver Unloaded Via Fltmc.EXE test (source)
- Sysprep on AppData Folder test (source)
- System Disk And Volume Reconnaissance Via Wmic.EXE test (source)
- System File Execution Location Anomaly test (source)
- System Information Discovery via Registry Queries experimental (source)
- System Information Discovery Via Wmic.EXE test (source)
- System Language Discovery via Reg.Exe experimental (source)
- System Network Connections Discovery Via Net.EXE test (source)
- System Restore Registry Modification via CommandLine experimental (source)
- TAIDOOR RAT DLL Load test (source)
- Tamper Windows Defender Remove-MpPreference test (source)
- Tap Installer Execution test (source)
- Task Manager access indicator for potential LSASS dump experimental (source)
- Taskkill Symantec Endpoint Protection test (source)
- Taskmgr as LOCAL_SYSTEM test (source)
- Tasks Folder Evasion test (source)
- Terminal Service Process Spawn test (source)
- Time Travel Debugging Utility Usage test (source)
- Tor Client/Browser Execution test (source)
- Trickbot Malware Activity stable (source)
- TropicTrooper Campaign November 2018 stable (source)
- TrustedPath UAC Bypass Pattern test (source)
- Tunneling Tool Execution test (source)
- Turla Group Commands May 2020 test (source)
- Turla Group Lateral Movement test (source)
- UAC Bypass Abusing Winsat Path Parsing - Process test (source)
- UAC Bypass Tools Using ComputerDefaults test (source)
- UAC Bypass Using ChangePK and SLUI test (source)
- UAC Bypass Using Consent and Comctl32 - Process test (source)
- UAC Bypass Using Disk Cleanup test (source)
- UAC Bypass Using DismHost test (source)
- UAC Bypass Using Event Viewer RecentViews test (source)
- UAC Bypass Using IDiagnostic Profile test (source)
- UAC Bypass Using IEInstal - Process test (source)
- UAC Bypass Using MSConfig Token Modification - Process test (source)
- UAC Bypass Using NTFS Reparse Point - Process test (source)
- UAC Bypass Using PkgMgr and DISM test (source)
- UAC Bypass Using Windows Media Player - Process test (source)
- UAC Bypass via ICMLuaUtil test (source)
- UAC Bypass via Windows Firewall Snap-In Hijack test (source)
- UAC Bypass WSReset test (source)
- UEFI Persistence Via Wpbbin - ProcessCreation test (source)
- UNC2452 PowerShell Pattern test (source)
- UNC2452 Process Creation Patterns test (source)
- Uncommon Assistive Technology Applications Execution Via AtBroker.EXE test (source)
- Uncommon AddinUtil.EXE CommandLine Execution test (source)
- Uncommon Child Process Of AddinUtil.EXE test (source)
- Uncommon Child Process Of Appvlp.EXE test (source)
- Uncommon Child Process Of BgInfo.EXE test (source)
- Uncommon Child Process Of Conhost.EXE test (source)
- Uncommon Child Process Of Defaultpack.EXE test (source)
- Uncommon Child Process Of Setres.EXE test (source)
- Uncommon Child Process Spawned By Odbcconf.EXE test (source)
- Uncommon Child Processes Of SndVol.exe test (source)
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE test (source)
- Uncommon FileSystem Load Attempt By Format.com test (source)
- Uncommon Link.EXE Parent Process test (source)
- Uncommon One Time Only Scheduled Task At 00:00 test (source)
- Uncommon Sigverif.EXE Child Process test (source)
- Uncommon Svchost Command Line Parameter experimental (source)
- Uncommon Svchost Parent Process test (source)
- Uncommon System Information Discovery Via Wmic.EXE test (source)
- Uncommon Userinit Child Process test (source)
- Uninstall Crowdstrike Falcon Sensor test (source)
- Uninstall Sysinternals Sysmon test (source)
- Unmount Share Via Net.EXE test (source)
- Unsigned AppX Installation Attempt Using Add-AppxPackage test (source)
- Unusual Child Process of dns.exe test (source)
- Unusual Parent Process For Cmd.EXE test (source)
- Unusually Long PowerShell CommandLine test (source)
- Ursnif Redirection Of Discovery Commands test (source)
- Usage Of Web Request Commands And Cmdlets test (source)
- Use Icacls to Hide File to Everyone test (source)
- Use NTFS Short Name in Command Line test (source)
- Use NTFS Short Name in Image test (source)
- Use of FSharp Interpreters test (source)
- Use of OpenConsole test (source)
- Use of Pcalua For Execution test (source)
- Use of Remote.exe test (source)
- Use of Scriptrunner.exe test (source)
- Use Of The SFTP.EXE Binary As A LOLBIN test (source)
- Use of TTDInject.exe test (source)
- Use of UltraVNC Remote Access Software test (source)
- Use of VisualUiaVerifyNative.exe test (source)
- Use of VSIISExeLauncher.exe test (source)
- Use of W32tm as Timer test (source)
- Use of Wfc.exe test (source)
- Use Short Name Path in Command Line test (source)
- Use Short Name Path in Image test (source)
- User added to a group via commandline (source)
- User Added To Highly Privileged Group test (source)
- User Added to Local Administrators Group test (source)
- User Added to Remote Desktop Users Group test (source)
- User creation via commandline (source)
- User Discovery And Export Via Get-ADUser Cmdlet test (source)
- User enumeration and creation related to Manic Menagerie 2.0 (via cmdline) (source)
- User properties enumeration via commandline (source)
- User Shell Folders Registry Modification via CommandLine experimental (source)
- Using SettingSyncHost.exe as LOLBin test (source)
- UtilityFunctions.ps1 Proxy Dll test (source)
- Veeam Backup Database Suspicious Query test (source)
- VeeamBackup Database Credentials Dump Via Sqlcmd.EXE test (source)
- Verclsid.exe Runs COM Object test (source)
- Virtualbox Driver Installation or Starting of VMs test (source)
- Visual Basic Command Line Compiler Usage test (source)
- Visual Studio Code Tunnel Execution test (source)
- Visual Studio Code Tunnel Service Installation test (source)
- Visual Studio Code Tunnel Shell Execution test (source)
- Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution test (source)
- Visual Studio NodejsTools PressAnyKey Renamed Execution test (source)
- VMToolsd Suspicious Child Process test (source)
- VolumeShadowCopy Symlink Creation Via Mklink stable (source)
- VSS backup deletion (WMI) experimental (source)
- Vulnerable Driver Blocklist Registry Tampering Via CommandLine experimental (source)
- Wab Execution From Non Default Location test (source)
- Wab/Wabmig Unusual Parent Or Child Processes test (source)
- WannaCry Ransomware Activity test (source)
- Wdigest authentication enabled (Reg via command) experimental (source)
- Weak or Abused Passwords In CLI test (source)
- WebDav Client Execution Via Rundll32.EXE test (source)
- Webserver IIS module installed (command) experimental (source)
- Webserver IIS module installed (command) experimental (source)
- Webshell Detection With Command Line Keywords test (source)
- Webshell Hacking Activity Patterns test (source)
- Webshell Tool Reconnaissance Activity test (source)
- WhoAmI as Parameter test (source)
- Whoami.EXE Execution Anomaly test (source)
- Whoami.EXE Execution From Privileged Process test (source)
- Whoami.EXE Execution With Output Option test (source)
- Windows Admin Share Mount Via Net.EXE test (source)
- Windows AMSI Related Registry Tampering Via CommandLine experimental (source)
- Windows Backup Deleted Via Wbadmin.EXE test (source)
- Windows Binary Executed From WSL test (source)
- Windows Credential Guard Registry Tampering Via CommandLine experimental (source)
- Windows Credential Manager Access via VaultCmd test (source)
- Windows Default Domain GPO Modification via GPME experimental (source)
- Windows Defender Context Menu Removed experimental (source)
- Windows Defender Definition Files Removed test (source)
- Windows EventLog Autologger Session Registry Modification Via CommandLine experimental (source)
- Windows Firewall Disabled via PowerShell test (source)
- Windows Hotfix Updates Reconnaissance Via Wmic.EXE test (source)
- Windows Internet Hosted WebDav Share Mount Via Net.EXE test (source)
- Windows Kernel Debugger Execution test (source)
- Windows MSIX Package Support Framework AI_STUBS Execution experimental (source)
- Windows native backup deletion experimental (source)
- Windows native Pktmon sniffer abuse experimental (source)
- Windows Processes Suspicious Parent Directory test (source)
- Windows Recall Feature Enabled Via Reg.EXE test (source)
- Windows Recovery Environment Disabled Via Reagentc experimental (source)
- Windows Share Mount Via Net.EXE test (source)
- Windows Shell/Scripting Processes Spawning Suspicious Programs test (source)
- Windows Subsystem for Linux (WSL) installation (command) experimental (source)
- Windows Suspicious Child Process from Node.js - React2Shell experimental (source)
- Windows traffic capture abuse experimental (source)
- Winlogon process contact to C2 - Blacklotus (Sysmon) experimental (source)
- Winnti Malware HK University Campaign test (source)
- Winnti Pipemon Characteristics stable (source)
- Winrar Compressing Dump Files test (source)
- WinRAR Execution in Non-Standard Folder test (source)
- WinRM listening service reconnaissance (process) experimental (source)
- Winrs Local Command Execution experimental (source)
- WinRS usage for remote execution (source)
- Winscp Execution From Non Standard Folder experimental (source)
- Wlrmdr.EXE Uncommon Argument Or Child Process experimental (source)
- WMI Backdoor Exchange Transport Agent test (source)
- WMI Persistence - Script Event Consumer test (source)
- WMI spwaning PowerShell process - WMImplant experimental (source)
- WMIC Remote Command Execution test (source)
- WmiPrvSE Spawned A Process stable (source)
- Write Protect For Storage Disabled test (source)
- Writing Of Malicious Files To The Fonts Folder test (source)
- Wscript Shell Run In CommandLine test (source)
- WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript test (source)
- WSL Child Process Anomaly test (source)
- WSL Kali-Linux Usage experimental (source)
- Wusa.EXE Executed By Parent Process Located In Suspicious Location test (source)
- XBAP Execution From Uncommon Locations Via PresentationHost.EXE test (source)
- XSL Script Execution Via WMIC.EXE test (source)
- Xwizard.EXE Execution From Non-Default Location test (source)
- ZxShell Malware test (source)
Event ID 3 Network connection 61 rules
- Communication To LocaltoNet Tunneling Service Initiated test (source)
- Communication To Ngrok Tunneling Service Initiated test (source)
- Communication To Uncommon Destination Ports test (source)
- Dfsvc.EXE Initiated Network Connection Over Uncommon Port test (source)
- Dfsvc.EXE Network Connection To Non-Local IPs test (source)
- Dllhost.EXE Initiated Network Connection To Non-Local IP Address test (source)
- HH.EXE Initiated HTTP Network Connection test (source)
- Local Network Connection Initiated By Script Interpreter test (source)
- Microsoft Sync Center Suspicious Network Connections test (source)
- Msiexec.EXE Initiated Network Connection Over HTTP test (source)
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder test (source)
- Network Communication Initiated To Portmap.IO Domain test (source)
- Network Communication With Crypto Mining Pool stable (source)
- Network Connection Initiated By AddinUtil.EXE test (source)
- Network Connection Initiated By Eqnedt32.EXE test (source)
- Network Connection Initiated By IMEWDBLD.EXE test (source)
- Network Connection Initiated By PowerShell Process test (source)
- Network Connection Initiated By Regsvr32.EXE test (source)
- Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location test (source)
- Network Connection Initiated From Users\Public Folder test (source)
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process test (source)
- Network Connection Initiated To BTunnels Domains test (source)
- Network Connection Initiated To Cloudflared Tunnels Domains test (source)
- Network Connection Initiated To DevTunnels Domain test (source)
- Network Connection Initiated To Mega.nz test (source)
- Network Connection Initiated To Visual Studio Code Tunnels Domain test (source)
- Network Connection Initiated via Finger.EXE experimental (source)
- Network Connection Initiated Via Notepad.EXE test (source)
- New Connection Initiated To Potential Dead Drop Resolver Domain test (source)
- Office Application Initiated Network Connection Over Uncommon Ports test (source)
- Office Application Initiated Network Connection To Non-Local IP test (source)
- Outbound Network Connection Initiated By Cmstp.EXE test (source)
- Outbound Network Connection Initiated By Microsoft Dialer test (source)
- Outbound Network Connection Initiated By Script Interpreter test (source)
- Outbound Network Connection To Public IP Via Winlogon test (source)
- Outbound RDP Connections Over Non-Standard Tools test (source)
- Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon test (source)
- Potential Pikabot C2 Activity test (source)
- Potential Remote PowerShell Session Initiated test (source)
- Potentially Suspicious Azure Front Door Connection test (source)
- Potentially Suspicious Malware Callback Communication test (source)
- Potentially Suspicious Network Connection To Notion API test (source)
- Potentially Suspicious Wuauclt Network Connection test (source)
- Process Initiated Network Connection To Ngrok Domain test (source)
- Python Initiated Connection test (source)
- RDP Over Reverse SSH Tunnel test (source)
- RDP to HTTP or HTTPS Target Ports test (source)
- RegAsm.EXE Initiating Network Connection To Public IP test (source)
- Remote Access Tool - AnyDesk Incoming Connection experimental (source)
- Rundll32 Internet Connection test (source)
- Silenttrinity Stager Msbuild Activity test (source)
- Suspicious Dropbox API Usage test (source)
- Suspicious Network Connection Binary No CommandLine test (source)
- Suspicious Network Connection to IP Lookup Service APIs test (source)
- Suspicious Non-Browser Network Communication With Google API experimental (source)
- Suspicious Non-Browser Network Communication With Telegram API test (source)
- Suspicious Outbound SMTP Connections test (source)
- Suspicious Wordpad Outbound Connections test (source)
- Uncommon Connection to Active Directory Web Services test (source)
- Uncommon Network Connection Initiated By Certutil.EXE test (source)
- Uncommon Outbound Kerberos Connection test (source)
Event ID 6 Driver loaded 10 rules
- Driver Load From A Temporary Directory test (source)
- Malicious Driver Load test (source)
- Malicious Driver Load By Name test (source)
- PUA - Process Hacker Driver Load test (source)
- PUA - System Informer Driver Load test (source)
- Vulnerable Driver Load test (source)
- Vulnerable Driver Load By Name test (source)
- Vulnerable HackSys Extreme Vulnerable Driver Load test (source)
- Vulnerable WinRing0 Driver Load test (source)
- WinDivert Driver Load test (source)
Event ID 7 Image loaded 123 rules
- Abusable DLL Potential Sideloading From Suspicious Location test (source)
- Amsi.DLL Load By Uncommon Process test (source)
- Amsi.DLL Loaded Via LOLBIN Process test (source)
- APT PRIVATELOG Image Load Pattern test (source)
- Aruba Network Service Potential DLL Sideloading test (source)
- BaaUpdate.exe Suspicious DLL Load experimental (source)
- BITS Client BitsProxy DLL Loaded By Uncommon Process experimental (source)
- Clfs.SYS Loaded By Process Located In a Potential Suspicious Location experimental (source)
- CLR DLL Loaded Via Office Applications test (source)
- CredUI.DLL Loaded By Uncommon Process test (source)
- Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process test (source)
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE test (source)
- Diamond Sleet APT DLL Sideloading Indicators test (source)
- DLL Load By System Process From Suspicious Locations test (source)
- DLL Loaded From Suspicious Location Via Cmspt.EXE test (source)
- DLL Names Used By SVR For GraphicalProton Backdoor test (source)
- DLL Sideloading Of ShellChromeAPI.DLL test (source)
- DotNET Assembly DLL Loaded Via Office Application test (source)
- DotNet CLR DLL Loaded By Scripting Applications test (source)
- Fax Service DLL Search Order Hijack test (source)
- FoggyWeb Backdoor DLL Loading test (source)
- GAC DLL Loaded Via Office Applications test (source)
- HackTool - SharpEvtMute DLL Load test (source)
- HackTool - SILENTTRINITY Stager DLL Load test (source)
- Kapeka Backdoor Loaded Via Rundll32.EXE test (source)
- Katz Stealer DLL Loaded experimental (source)
- Lazarus APT DLL Sideloading Activity test (source)
- Load Of RstrtMgr.DLL By A Suspicious Process test (source)
- Load Of RstrtMgr.DLL By An Uncommon Process test (source)
- Malicious DLL Load By Compromised 3CXDesktopApp test (source)
- Microsoft Excel Add-In Loaded test (source)
- Microsoft Excel Add-In Loaded From Uncommon Location test (source)
- Microsoft Office DLL Sideload test (source)
- Microsoft VBA For Outlook Addin Loaded Via Outlook test (source)
- Microsoft Word Add-In Loaded test (source)
- MMC Loading Script Engines DLLs experimental (source)
- PCRE.NET Package Image Load test (source)
- Pingback Backdoor DLL Loading Activity test (source)
- Potential 7za.DLL Sideloading test (source)
- Potential Antivirus Software DLL Sideloading test (source)
- Potential appverifUI.DLL Sideloading test (source)
- Potential AVKkid.DLL Sideloading test (source)
- Potential Azure Browser SSO Abuse test (source)
- Potential CCleanerDU.DLL Sideloading test (source)
- Potential CCleanerReactivator.DLL Sideloading test (source)
- Potential Chrome Frame Helper DLL Sideloading test (source)
- Potential COLDSTEEL Persistence Service DLL Load test (source)
- Potential CSharp Streamer RAT Loading .NET Executable Image test (source)
- Potential CVE-2024-35250 Exploitation Activity experimental (source)
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load test (source)
- Potential DLL Sideloading Of DBGCORE.DLL test (source)
- Potential DLL Sideloading Of DBGHELP.DLL test (source)
- Potential DLL Sideloading Of DbgModel.DLL test (source)
- Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE test (source)
- Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE test (source)
- Potential DLL Sideloading Of MpSvc.DLL test (source)
- Potential DLL Sideloading Of MsCorSvc.DLL test (source)
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders test (source)
- Potential DLL Sideloading Using Coregen.exe test (source)
- Potential DLL Sideloading Via ClassicExplorer32.dll test (source)
- Potential DLL Sideloading Via comctl32.dll test (source)
- Potential DLL Sideloading Via JsSchHlp test (source)
- Potential DLL Sideloading Via VMware Xfer test (source)
- Potential EACore.DLL Sideloading test (source)
- Potential Edputil.DLL Sideloading test (source)
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load experimental (source)
- Potential Goopdate.DLL Sideloading test (source)
- Potential Iviewers.DLL Sideloading test (source)
- Potential JLI.dll Side-Loading experimental (source)
- Potential Libvlc.DLL Sideloading test (source)
- Potential Mfdetours.DLL Sideloading test (source)
- Potential Mpclient.DLL Sideloading test (source)
- Potential Python DLL SideLoading test (source)
- Potential Raspberry Robin Aclui Dll SideLoading test (source)
- Potential Rcdll.DLL Sideloading test (source)
- Potential RjvPlatform.DLL Sideloading From Default Location test (source)
- Potential RjvPlatform.DLL Sideloading From Non-Default Location test (source)
- Potential RoboForm.DLL Sideloading test (source)
- Potential ShellDispatch.DLL Sideloading test (source)
- Potential SmadHook.DLL Sideloading test (source)
- Potential SolidPDFCreator.DLL Sideloading test (source)
- Potential System DLL Sideloading From Non System Locations test (source)
- Potential Vcruntime140 DLL Sideloading experimental (source)
- Potential Vivaldi_elf.DLL Sideloading test (source)
- Potential Waveedit.DLL Sideloading test (source)
- Potential Wazuh Security Platform DLL Sideloading test (source)
- Potential WWlib.DLL Sideloading test (source)
- Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load test (source)
- PowerShell Core DLL Loaded By Non PowerShell Process test (source)
- PowerShell Core DLL Loaded Via Office Application test (source)
- Python Image Load By Non-Python Process test (source)
- Remote DLL Load Via Rundll32.EXE test (source)
- Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location experimental (source)
- Suspicious Renamed Comsvcs DLL Loaded By Rundll32 test (source)
- Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded test (source)
- Suspicious Unsigned Thor Scanner Execution stable (source)
- Suspicious Volume Shadow Copy VSS_PS.dll Load test (source)
- Suspicious Volume Shadow Copy Vssapi.dll Load test (source)
- Suspicious WSMAN Provider Image Loads test (source)
- System Control Panel Item Loaded From Uncommon Location test (source)
- System Drawing DLL Load test (source)
- Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test (source)
- Third Party Software DLL Sideloading test (source)
- Time Travel Debugging Utility Usage - Image test (source)
- Trusted Path Bypass via Windows Directory Spoofing experimental (source)
- UAC Bypass Using Iscsicpl - ImageLoad test (source)
- UAC Bypass With Fake DLL test (source)
- Unsigned .node File Loaded experimental (source)
- Unsigned DLL Loaded by Windows Utility test (source)
- Unsigned Image Loaded Into LSASS Process test (source)
- Unsigned Mfdetours.DLL Sideloading test (source)
- Unsigned Module Loaded by ClickOnce Application test (source)
- VBA DLL Loaded Via Office Application test (source)
- VMGuestLib DLL Sideload test (source)
- VMMap Signed Dbghelp.DLL Potential Sideloading test (source)
- VMMap Unsigned Dbghelp.DLL Potential Sideloading test (source)
- WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze experimental (source)
- Windows Spooler Service Suspicious Binary Load test (source)
- WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load test (source)
- WMI Module Loaded By Uncommon Process test (source)
- WMI Persistence - Command Line Event Consumer test (source)
- WMIC Loading Scripting Libraries test (source)
- Wmiprvse Wbemcomn DLL Hijack test (source)
Event ID 8 CreateRemoteThread 15 rules
- CreateRemoteThread API and LoadLibrary test (source)
- HackTool - CACTUSTORCH Remote Thread Creation test (source)
- HackTool - Potential CobaltStrike Process Injection test (source)
- Password Dumper Remote Thread in LSASS stable (source)
- Potential Bumblebee Remote Thread Creation test (source)
- Potential Credential Dumping Attempt Via PowerShell Remote Thread test (source)
- Rare Remote Thread Creation By Uncommon Source Image test (source)
- Remote Thread Created In KeePass.EXE test (source)
- Remote Thread Created In Shell Application test (source)
- Remote Thread Creation By Uncommon Source Image test (source)
- Remote Thread Creation In Mstsc.Exe From Suspicious Location test (source)
- Remote Thread Creation In Uncommon Target Image test (source)
- Remote Thread Creation Ttdinject.exe Proxy test (source)
- Remote Thread Creation Via PowerShell test (source)
- Remote Thread Creation Via PowerShell In Uncommon Target test (source)
Event ID 9 RawAccessRead 1 rule
Event ID 10 ProcessAccess 30 rules
- CMSTP Execution Process Access stable (source)
- Credential Dumping Activity By Python Based Tool stable (source)
- Credential Dumping Attempt Via Svchost test (source)
- Credential Dumping Attempt Via WerFault test (source)
- Function Call From Undocumented COM Interface EditionUpgradeManager test (source)
- HackTool - CobaltStrike BOF Injection Pattern test (source)
- HackTool - Generic Process Access test (source)
- HackTool - HandleKatz Duplicating LSASS Handle test (source)
- HackTool - LittleCorporal Generated Maldoc Injection test (source)
- HackTool - SysmonEnte Execution test (source)
- LSASS Access From Potentially White-Listed Processes test (source)
- LSASS Access From Program In Potentially Suspicious Folder test (source)
- LSASS dump via process access experimental (source)
- LSASS Memory Access by Tool With Dump Keyword In Name test (source)
- Lsass Memory Dump via Comsvcs DLL test (source)
- Malware Shellcode in Verclsid Target Process test (source)
- Potential Credential Dumping Activity Via LSASS test (source)
- Potential Credential Dumping Attempt Via PowerShell test (source)
- Potential Direct Syscall of NtOpenProcess test (source)
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access experimental (source)
- Potential Shellcode Injection test (source)
- Potentially Suspicious GrantedAccess Flags On LSASS test (source)
- Remote LSASS Process Access Through Windows Remote Management stable (source)
- Suspicious LSASS Access Via MalSecLogon test (source)
- Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze experimental (source)
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs experimental (source)
- Suspicious Svchost Process Access test (source)
- UAC Bypass Using WOW64 Logger DLL Hijack test (source)
- Uncommon GrantedAccess Flags On LSASS test (source)
- Uncommon Process Access Rights For Target Image test (source)
Event ID 11 FileCreate 222 rules
- .RDP File Created By Uncommon Application test (source)
- ADExplorer Writing Complete AD Snapshot Into .dat File experimental (source)
- ADSI-Cache File Creation By Uncommon Tool test (source)
- Advanced IP Scanner - File Event test (source)
- Adwind RAT / JRAT File Artifact test (source)
- Anydesk Temporary Artefact test (source)
- APT29 2018 Phishing Campaign File Indicators stable (source)
- Assembly DLL Creation Via AspNetCompiler test (source)
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File test (source)
- Axios NPM Compromise File Creation Indicators - Windows experimental (source)
- BloodHound Collection Files test (source)
- Created Files by Microsoft Sync Center test (source)
- Creation Exe for Service with Unquoted Path test (source)
- Creation of a Diagcab test (source)
- Creation of an Executable by an Executable test (source)
- Creation Of Non-Existent System DLL test (source)
- Creation of WerFault.exe/Wer.dll in Unusual Folder test (source)
- Cred Dump Tools Dropped Files test (source)
- CSExec Service File Creation test (source)
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern test (source)
- CVE-2021-26858 Exchange Exploitation test (source)
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum test (source)
- CVE-2021-44077 POC Default Dropped File test (source)
- CVE-2022-24527 Microsoft Connected Cache LPE test (source)
- CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File test (source)
- CVE-2023-40477 Potential Exploitation - .REV File Creation test (source)
- CVE-2024-1708 - ScreenConnect Path Traversal Exploitation test (source)
- DarkGate - Autoit3.EXE File Creation By Uncommon Process test (source)
- DarkGate - Drop DarkGate Loader In C:\Temp Directory test (source)
- Desktop.INI Created by Uncommon Process test (source)
- Diamond Sleet APT File Creation Indicators test (source)
- DLL Search Order Hijackig Via Additional Space in Path test (source)
- DMP/HDMP File Creation test (source)
- DPAPI Backup Keys And Certificate Export Activity IOC test (source)
- Drop Binaries Into Spool Drivers Color Folder test (source)
- Dynamic CSharp Compile Artefact test (source)
- EVTX Created In Uncommon Location test (source)
- Exchange transport agent injection via configuration file experimental (source)
- File Creation In Suspicious Directory By Msdt.EXE test (source)
- File Creation Related To RAT Clients experimental (source)
- File With Uncommon Extension Created By An Office Application test (source)
- Files With System DLL Name In Unsuspected Locations test (source)
- Files With System Process Name In Unsuspected Locations test (source)
- Forest Blizzard APT - File Creation Activity test (source)
- Forest Blizzard APT - JavaScript Constrained File Creation test (source)
- FunkLocker Ransomware File Creation experimental (source)
- GatherNetworkInfo.VBS Reconnaissance Script Output test (source)
- Goofy Guineapig Backdoor IOC test (source)
- GoToAssist Temporary Installation Artefact test (source)
- HackTool - CrackMapExec File Indicators test (source)
- HackTool - Dumpert Process Dumper Default File test (source)
- HackTool - Impacket File Indicators experimental (source)
- HackTool - Inveigh Execution Artefacts test (source)
- HackTool - Mimikatz Kirbi File Creation test (source)
- HackTool - NetExec File Indicators experimental (source)
- HackTool - NPPSpy Hacktool Usage test (source)
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump test (source)
- HackTool - Powerup Write Hijack DLL test (source)
- HackTool - QuarksPwDump Dump File test (source)
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators test (source)
- HackTool - SafetyKatz Dump Indicator test (source)
- HackTool - Typical HiveNightmare SAM File Export test (source)
- Hijack Legit RDP Session to Move Laterally test (source)
- Installation of TeamViewer Desktop test (source)
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event test (source)
- ISO File Created Within Temp Folders test (source)
- ISO or Image Mount Indicator in Recent Files test (source)
- Lace Tempest File Indicators test (source)
- Legitimate Application Dropped Archive test (source)
- Legitimate Application Dropped Executable test (source)
- Legitimate Application Dropped Script test (source)
- Legitimate Application Writing Files In Uncommon Location experimental (source)
- LiveKD Driver Creation test (source)
- LiveKD Driver Creation By Uncommon Process test (source)
- LiveKD Kernel Memory Dump File Created test (source)
- LSASS Process Dump Artefact In CrashDumps Folder test (source)
- LSASS Process Memory Dump Creation Via Taskmgr.EXE test (source)
- LSASS Process Memory Dump Files test (source)
- Malicious DLL File Dropped in the Teams or OneDrive Folder test (source)
- Malicious PowerShell Scripts - FileCreation test (source)
- Mimikatz malicious Security package (SSP) exfiltrates cleartext passwords in file experimental (source)
- Moriya Rootkit File Created test (source)
- New Custom Shim Database Created test (source)
- New Outlook Macro Created test (source)
- NTDS Exfiltration Filename Patterns test (source)
- NTDS.DIT Created test (source)
- NTDS.DIT Creation By Uncommon Parent Process test (source)
- NTDS.DIT Creation By Uncommon Process test (source)
- Octopus Scanner Malware test (source)
- Office Macro File Creation test (source)
- Office Macro File Creation From Suspicious Process test (source)
- Office Macro File Download test (source)
- OneNote Attachment File Dropped In Suspicious Location test (source)
- Onyx Sleet APT File Creation Indicators test (source)
- PCRE.NET Package Temp Files test (source)
- PDF File Created By RegEdit.EXE test (source)
- PFX File Creation test (source)
- Pingback Backdoor File Indicators test (source)
- Potential APT FIN7 Related PowerShell Script Created test (source)
- Potential Binary Or Script Dropper Via PowerShell test (source)
- Potential COLDSTEEL Persistence Service DLL Creation test (source)
- Potential COLDSTEEL RAT File Indicators test (source)
- Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader test (source)
- Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation test (source)
- Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location test (source)
- Potential CVE-2023-36884 Exploitation Dropped File test (source)
- Potential DCOM InternetExplorer.Application DLL Hijack test (source)
- Potential Devil Bait Related Indicator test (source)
- Potential File Extension Spoofing Using Right-to-Left Override test (source)
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream test (source)
- Potential Homoglyph Attack Using Lookalike Characters in Filename test (source)
- Potential Initial Access via DLL Search Order Hijacking test (source)
- Potential Kapeka Decrypted Backdoor Indicator test (source)
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity test (source)
- Potential Persistence Attempt Via ErrorHandler.Cmd test (source)
- Potential Persistence Via Microsoft Office Add-In test (source)
- Potential Persistence Via Microsoft Office Startup Folder test (source)
- Potential Persistence Via Notepad++ Plugins test (source)
- Potential Persistence Via Outlook Form test (source)
- Potential Privilege Escalation Attempt Via .Exe.Local Technique test (source)
- Potential RipZip Attack on Startup Folder test (source)
- Potential SAM Database Dump test (source)
- Potential SAP NetWeaver Webshell Creation experimental (source)
- Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create experimental (source)
- Potential Startup Shortcut Persistence Via PowerShell.EXE test (source)
- Potential Suspicious PowerShell Module File Created test (source)
- Potential Webshell Creation On Static Website test (source)
- Potential Winnti Dropper Activity test (source)
- Potentially Suspicious DMP/HDMP File Creation test (source)
- Potentially Suspicious File Creation by OpenEDR's ITSMService experimental (source)
- Potentially Suspicious WDAC Policy File Creation experimental (source)
- PowerShell Module File Created test (source)
- PowerShell Module File Created By Non-PowerShell Process test (source)
- PowerShell Profile Modification test (source)
- PowerShell Script Dropped Via PowerShell.EXE test (source)
- Process Explorer Driver Creation By Non-Sysinternals Binary test (source)
- Process Monitor Driver Creation By Non-Sysinternals Binary test (source)
- PSEXEC Remote Execution File Artefact test (source)
- PsExec Service File Creation test (source)
- PSScriptPolicyTest Creation By Uncommon Process test (source)
- Publisher Attachment File Dropped In Suspicious Location test (source)
- Python Path Configuration File Creation - Windows test (source)
- Rclone Config File Creation test (source)
- RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir experimental (source)
- RemCom Service File Creation test (source)
- Remote Access Tool - ScreenConnect Temporary File test (source)
- Renamed VsCode Code Tunnel Execution - File Indicator test (source)
- Scheduled Task Created - FileCreation test (source)
- SCR File Write Event test (source)
- ScreenConnect - SlashAndGrab Exploitation Indicators test (source)
- ScreenConnect Temporary Installation Artefact test (source)
- ScreenConnect User Database Modification test (source)
- Self Extraction Directive File Created In Potentially Suspicious Location test (source)
- Small Sieve Malware File Indicator Creation test (source)
- SNAKE Malware Installer Name Indicators test (source)
- SNAKE Malware Kernel Driver File Indicator test (source)
- SNAKE Malware WerFault Persistence File Creation test (source)
- Startup Folder File Write test (source)
- Sticky key file created from CMD copy experimental (source)
- Suspicious ASPX File Drop by Exchange test (source)
- Suspicious Binaries and Scripts in Public Folder experimental (source)
- Suspicious Binary Writes Via AnyDesk test (source)
- Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit experimental (source)
- Suspicious Creation TXT File in User Desktop test (source)
- Suspicious Creation with Colorcpl test (source)
- Suspicious Deno File Written from Remote Source experimental (source)
- Suspicious Desktopimgdownldr Target File test (source)
- Suspicious DotNET CLR Usage Log Artifact test (source)
- Suspicious Double Extension Files test (source)
- Suspicious Executable File Creation test (source)
- Suspicious File Created by ArcSOC.exe experimental (source)
- Suspicious File Created in Outlook Temporary Directory experimental (source)
- Suspicious File Created In PerfLogs test (source)
- Suspicious File Created Via OneNote Application test (source)
- Suspicious File Creation Activity From Fake Recycle.Bin Folder test (source)
- Suspicious File Creation In Uncommon AppData Folder test (source)
- Suspicious File Drop by Exchange test (source)
- Suspicious File Write to SharePoint Layouts Directory experimental (source)
- Suspicious File Write to Webapps Root Directory experimental (source)
- Suspicious Files in Default GPO Folder test (source)
- Suspicious Get-Variable.exe Creation test (source)
- Suspicious Interactive PowerShell as SYSTEM test (source)
- Suspicious LNK Double Extension File Created test (source)
- Suspicious MSExchangeMailboxReplication ASPX Write test (source)
- Suspicious Outlook Macro Created test (source)
- Suspicious PROCEXP152.sys File Created In TMP test (source)
- Suspicious Scheduled Task Write to System32 Tasks test (source)
- Suspicious Screensaver Binary File Creation test (source)
- Suspicious Startup Folder Persistence test (source)
- Suspicious Word Cab File Write CVE-2021-40444 test (source)
- TeamViewer Remote Session test (source)
- UAC Bypass Abusing Winsat Path Parsing - File test (source)
- UAC Bypass Using .NET Code Profiler on MMC test (source)
- UAC Bypass Using Consent and Comctl32 - File test (source)
- UAC Bypass Using EventVwr test (source)
- UAC Bypass Using IDiagnostic Profile - File test (source)
- UAC Bypass Using IEInstal - File test (source)
- UAC Bypass Using MSConfig Token Modification - File test (source)
- UAC Bypass Using NTFS Reparse Point - File test (source)
- UAC Bypass Using Windows Media Player - File test (source)
- UEFI Persistence Via Wpbbin - FileCreation test (source)
- Uncommon File Created by Notepad++ Updater Gup.EXE experimental (source)
- Uncommon File Created In Office Startup Folder test (source)
- Uncommon File Creation By Mysql Daemon Process test (source)
- VHD Image Download Via Browser test (source)
- Visual Studio Code Tunnel Remote File Creation test (source)
- VsCode Code Tunnel Execution File Indicator test (source)
- VsCode Powershell Profile Modification test (source)
- WDAC Policy File Creation In CodeIntegrity Folder experimental (source)
- WebDAV Temporary Local File Creation test (source)
- Webserver IIS configuration edited (SYSMON) experimental (source)
- WerFault LSASS Process Memory Dump test (source)
- Windows Binaries Write Suspicious Extensions test (source)
- Windows Shell/Scripting Application File Write to Suspicious Folder test (source)
- Windows Terminal Profile Settings Modification By Uncommon Process test (source)
- WinRAR Creating Files in Startup Locations experimental (source)
- WinSxS Executable File Creation By Non-System Process test (source)
- WMI Persistence - Script Event Consumer File Write test (source)
- Wmiexec Default Output File test (source)
- Wmiprvse Wbemcomn DLL Hijack - File test (source)
- Writing Local Admin Share test (source)
- WScript or CScript Dropper - File test (source)
Event ID 12 RegistryEvent (Object create and delete) 50 rules
- Atbroker Registry Change test (source)
- CMSTP Execution Registry Event stable (source)
- Creation of a Local Hidden User Account by Registry test (source)
- Diamond Sleet APT Scheduled Task Creation - Registry test (source)
- Disable Security Events Logging Adding Reg Key MiniNt test (source)
- DLL Load via LSASS test (source)
- Esentutl Volume Shadow Copy Service Keys test (source)
- FlowCloud Registry Markers test (source)
- HybridConnectionManager Service Installation - Registry test (source)
- Impacket SMBexec service creation (registry) experimental (source)
- Leviathan Registry Key Activity test (source)
- Mimikatz driver registration (Reg via Sysmon) experimental (source)
- Narrator's Feedback-Hub Persistence test (source)
- NetNTLM Downgrade Attack - Registry test (source)
- Netsh helper DLL abuse (Reg via Sysmon) experimental (source)
- New DLL Added to AppCertDlls Registry Key test (source)
- New DLL Added to AppInit_DLLs Registry Key test (source)
- New PortProxy Registry Entry Added test (source)
- OceanLotus Registry Activity test (source)
- Office Application Startup - Office Test test (source)
- OilRig APT Registry Persistence test (source)
- Pandemic Registry Key test (source)
- Path To Screensaver Binary Modified test (source)
- Potential Credential Dumping Via LSASS SilentProcessExit Technique test (source)
- Potential NetWire RAT Activity - Registry test (source)
- Potential Persistence Via Disk Cleanup Handler - Registry test (source)
- Potential Qakbot Registry Activity test (source)
- Potential Ursnif Malware Activity - Registry test (source)
- PrinterNightmare Mimikatz Driver Name test (source)
- RDP shadow session configuration enabled (registry) experimental (source)
- RedMimicry Winnti Playbook Registry Manipulation test (source)
- Registry Entries For Azorult Malware test (source)
- Registry Persistence Mechanisms in Recycle Bin test (source)
- Registry Tampering by Potentially Suspicious Processes experimental (source)
- Run Once Task Configuration in Registry test (source)
- Scheduled Task Created - Registry test (source)
- Security Support Provider (SSP) Added to LSA Configuration test (source)
- Shell Open Registry Keys Manipulation test (source)
- SNAKE Malware Covert Store Registry Key test (source)
- Stickey key IFEO registry changed (Reg via Sysmon) experimental (source)
- Sticky Key Like Backdoor Usage - Registry test (source)
- Suspicious Camera and Microphone Access test (source)
- Suspicious Run Key from Download test (source)
- System crash behavior manipulation - WMImplant (registry) experimental (source)
- UAC Bypass Via Wsreset test (source)
- Wdigest CredGuard Registry Modification test (source)
- Windows Credential Editor Registry test (source)
- Windows Defender Threat Severity Default Action Modified experimental (source)
- Windows Registry Trust Record Modification test (source)
- WINEKEY Registry Modification test (source)
Event ID 13 RegistryEvent (Value Set) 276 rules
- Activate Suppression of Windows Security Center Notifications test (source)
- Add Debugger Entry To AeDebug For Persistence test (source)
- Add Debugger Entry To Hangs Key For Persistence test (source)
- Add DisallowRun Execution to Registry test (source)
- Add Port Monitor Persistence in Registry test (source)
- Allow RDP Remote Assistance Feature test (source)
- AMSI Disabled via Registry Modification experimental (source)
- Antivirus Filter Driver Disallowed On Dev Drive - Registry test (source)
- Atbroker Registry Change test (source)
- Blackbyte Ransomware Registry test (source)
- Blue Mockingbird - Registry test (source)
- Bypass UAC Using DelegateExecute test (source)
- Bypass UAC Using Event Viewer test (source)
- Bypass UAC Using SilentCleanup Task test (source)
- Change the Fax Dll test (source)
- Change User Account Associated with the FAX Service test (source)
- Change Winevt Channel Access Permission Via Registry test (source)
- Classes Autorun Keys Modification test (source)
- ClickOnce Trust Prompt Tampering test (source)
- CMSTP Execution Registry Event stable (source)
- COM Hijack via Sdclt test (source)
- COM Hijacking via TreatAs test (source)
- COM Object Hijacking Via Modification Of Default System CLSID Default Value experimental (source)
- Command Executed Via Run Dialog Box - Registry test (source)
- Common Autorun Keys Modification test (source)
- CrashControl CrashDump Disabled test (source)
- Creation of a Local Hidden User Account by Registry test (source)
- CurrentControlSet Autorun Keys Modification test (source)
- CurrentVersion Autorun Keys Modification test (source)
- CurrentVersion NT Autorun Keys Modification test (source)
- Custom File Open Handler Executes PowerShell test (source)
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry test (source)
- CVE-2021-31979 CVE-2021-33771 Exploits test (source)
- Default RDP Port Changed to Non Standard Port test (source)
- DHCP Callout DLL Installation test (source)
- Diamond Sleet APT Scheduled Task Creation - Registry test (source)
- Directory Service Restore Mode(DSRM) Registry Value Tampering test (source)
- Disable Administrative Share Creation at Startup test (source)
- Disable Exploit Guard Network Protection on Windows Defender test (source)
- Disable Internal Tools or Feature in Registry test (source)
- Disable Macro Runtime Scan Scope test (source)
- Disable Microsoft Defender Firewall via Registry test (source)
- Disable Privacy Settings Experience in Registry test (source)
- Disable PUA Protection on Windows Defender test (source)
- Disable Security Events Logging Adding Reg Key MiniNt test (source)
- Disable Tamper Protection on Windows Defender test (source)
- Disable Windows Defender Functionalities Via Registry Keys test (source)
- Disable Windows Event Logging Via Registry test (source)
- Disable Windows Firewall by Registry test (source)
- Disable Windows Security Center Notifications test (source)
- Disabled Windows Defender Eventlog test (source)
- Displaying Hidden Files Feature Disabled test (source)
- DLL Load via LSASS test (source)
- DLL ServerLevelPluginDll registration (Reg via Sysmon) experimental (source)
- DNS-over-HTTPS Enabled by Registry test (source)
- Driver Added To Disallowed Images In HVCI - Registry test (source)
- Enable LM Hash Storage test (source)
- Enable Local Manifest Installation With Winget test (source)
- Enable Microsoft Dynamic Data Exchange test (source)
- Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback test (source)
- Enabling COR Profiler Environment Variables test (source)
- Esentutl Volume Shadow Copy Service Keys test (source)
- ETW Logging Disabled For rpcrt4.dll test (source)
- ETW Logging Disabled For SCM test (source)
- ETW Logging Disabled In .NET Processes - Sysmon Registry test (source)
- Execution DLL of Choice Using WAB.EXE test (source)
- FileFix - Command Evidence in TypedPaths experimental (source)
- FlowCloud Registry Markers test (source)
- Forest Blizzard APT - Custom Protocol Handler Creation test (source)
- Forest Blizzard APT - Custom Protocol Handler DLL Registry Set test (source)
- Hide Schedule Task Via Index Value Tamper test (source)
- Hiding User Account Via SpecialAccounts Registry Key test (source)
- HybridConnectionManager Service Installation - Registry test (source)
- Hypervisor Enforced Paging Translation Disabled test (source)
- IE Change Domain Zone test (source)
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols test (source)
- Impacket SMBexec service creation (registry) experimental (source)
- Internet Explorer Autorun Keys Modification test (source)
- Internet Explorer DisableFirstRunCustomize Enabled test (source)
- Kapeka Backdoor Autorun Persistence test (source)
- Kapeka Backdoor Configuration Persistence test (source)
- Leviathan Registry Key Activity test (source)
- Lolbas OneDriveStandaloneUpdater.exe Proxy Download test (source)
- Lsass Full Dump Request Via DumpType Registry Settings test (source)
- Macro Enabled In A Potentially Suspicious Document test (source)
- MaxMpxCt Registry Value Changed test (source)
- Microsoft Defender service components status disabled (Registry via Sysmon) experimental (source)
- Microsoft Office Protected View Disabled test (source)
- Microsoft Office Trusted Location Updated test (source)
- Mimikatz driver registration (Reg via Sysmon) experimental (source)
- Modification of IE Registry Settings test (source)
- Modify User Shell Folders Startup Value test (source)
- Narrator's Feedback-Hub Persistence test (source)
- NET NGenAssemblyUsageLog Registry Key Tamper test (source)
- NetNTLM Downgrade Attack - Registry test (source)
- Netsh helper DLL abuse (Reg via Sysmon) experimental (source)
- New Application in AppCompat test (source)
- New BgInfo.EXE Custom DB Path Registry Configuration test (source)
- New BgInfo.EXE Custom VBScript Registry Configuration test (source)
- New BgInfo.EXE Custom WMI Query Registry Configuration test (source)
- New DLL Added to AppCertDlls Registry Key test (source)
- New DLL Added to AppInit_DLLs Registry Key test (source)
- New DNS ServerLevelPluginDll Installed test (source)
- New File Association Using Exefile test (source)
- New Netsh Helper DLL Registered From A Suspicious Location test (source)
- New ODBC Driver Registered test (source)
- New PortProxy Registry Entry Added test (source)
- New Root or CA or AuthRoot Certificate to Store test (source)
- New RUN Key Pointing to Suspicious Folder experimental (source)
- New TimeProviders Registered With Uncommon DLL Name test (source)
- NTLM downgrade attack (Reg via SYSMON) experimental (source)
- OceanLotus Registry Activity test (source)
- Office Application Startup - Office Test test (source)
- Office Autorun Keys Modification test (source)
- Office Macros Warning Disabled test (source)
- OilRig APT Registry Persistence test (source)
- Old TLS1.0/TLS1.1 Protocol Version Enabled test (source)
- Outlook EnableUnsafeClientMailRules Setting Enabled - Registry test (source)
- Outlook Macro Execution Without Warning Setting Enabled test (source)
- Outlook Security Settings Updated - Registry test (source)
- Outlook Task/Note Reminder Received test (source)
- Pandemic Registry Key test (source)
- Path To Screensaver Binary Modified test (source)
- Periodic Backup For System Registry Hives Enabled test (source)
- Persistence Via Disk Cleanup Handler - Autorun test (source)
- Persistence Via Hhctrl.ocx test (source)
- Persistence Via New SIP Provider test (source)
- Potential AMSI COM Server Hijacking test (source)
- Potential Attachment Manager Settings Associations Tamper test (source)
- Potential Attachment Manager Settings Attachments Tamper test (source)
- Potential AutoLogger Sessions Tampering test (source)
- Potential ClickFix Execution Pattern - Registry experimental (source)
- Potential CobaltStrike Service Installations - Registry test (source)
- Potential COLDSTEEL RAT Windows User Creation test (source)
- Potential COM Object Hijacking Via TreatAs Subkey - Registry test (source)
- Potential Credential Dumping Attempt Using New NetworkProvider - REG test (source)
- Potential Credential Dumping Via LSASS SilentProcessExit Technique test (source)
- Potential Encrypted Registry Blob Related To SNAKE Malware test (source)
- Potential EventLog File Location Tampering test (source)
- Potential KamiKakaBot Activity - Winlogon Shell Persistence test (source)
- Potential PendingFileRenameOperations Tampering test (source)
- Potential Persistence Using DebugPath test (source)
- Potential Persistence Via App Paths Default Property test (source)
- Potential Persistence Via AppCompat RegisterAppRestart Layer test (source)
- Potential Persistence Via AutodialDLL test (source)
- Potential Persistence Via CHM Helper DLL test (source)
- Potential Persistence Via Custom Protocol Handler test (source)
- Potential Persistence Via DLLPathOverride test (source)
- Potential Persistence Via Event Viewer Events.asp test (source)
- Potential Persistence Via Excel Add-in - Registry test (source)
- Potential Persistence Via GlobalFlags test (source)
- Potential Persistence Via Logon Scripts - Registry test (source)
- Potential Persistence Via LSA Extensions test (source)
- Potential Persistence Via Mpnotify test (source)
- Potential Persistence Via MyComputer Registry Keys test (source)
- Potential Persistence Via Netsh Helper DLL - Registry test (source)
- Potential Persistence Via New AMSI Providers - Registry test (source)
- Potential Persistence Via Outlook Home Page test (source)
- Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting test (source)
- Potential Persistence Via Outlook Today Page test (source)
- Potential Persistence Via Scrobj.dll COM Hijacking test (source)
- Potential Persistence Via Shim Database In Uncommon Location test (source)
- Potential Persistence Via Shim Database Modification test (source)
- Potential Persistence Via TypedPaths test (source)
- Potential Persistence Via Visual Studio Tools for Office test (source)
- Potential PowerShell Execution Policy Tampering test (source)
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG test (source)
- Potential PSFactoryBuffer COM Hijacking test (source)
- Potential Qakbot Registry Activity test (source)
- Potential Ransomware Activity Using LegalNotice Message test (source)
- Potential Raspberry Robin Registry Set Internet Settings ZoneMap test (source)
- Potential Registry Persistence Attempt Via DbgManagedDebugger test (source)
- Potential Registry Persistence Attempt Via Windows Telemetry test (source)
- Potential SentinelOne Shell Context Menu Scan Command Tampering test (source)
- Potential Signing Bypass Via Windows Developer Features - Registry test (source)
- Potential WerFault ReflectDebugger Registry Value Abuse test (source)
- Potentially Suspicious Command Executed Via Run Dialog Box - Registry test (source)
- Potentially Suspicious Desktop Background Change Via Registry test (source)
- Potentially Suspicious ODBC Driver Registered test (source)
- PowerShell as a Service in Registry test (source)
- PowerShell Logging Disabled Via Registry Key Tampering test (source)
- PowerShell Script Execution Policy Enabled test (source)
- PrinterNightmare Mimikatz Driver Name test (source)
- PUA - Sysinternal Tool Execution - Registry test (source)
- PUA - Sysinternals Tools Execution - Registry test (source)
- Python Function Execution Security Warning Disabled In Excel - Registry test (source)
- RDP Sensitive Settings Changed test (source)
- RDP Sensitive Settings Changed to Zero test (source)
- RDP shadow session configuration enabled (registry) experimental (source)
- RedMimicry Winnti Playbook Registry Manipulation test (source)
- Register New IFiltre For Persistence test (source)
- Registry Disable System Restore test (source)
- Registry Entries For Azorult Malware test (source)
- Registry Explorer Policy Modification test (source)
- Registry Hide Function from User test (source)
- Registry Modification for OCI DLL Redirection experimental (source)
- Registry Modification to Hidden File Extension test (source)
- Registry Persistence Mechanisms in Recycle Bin test (source)
- Registry Persistence via Explorer Run Key test (source)
- Registry Persistence via Service in Safe Mode test (source)
- Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test (source)
- Registry Tampering by Potentially Suspicious Processes experimental (source)
- RestrictedAdminMode Registry Value Tampering test (source)
- Run Once Task Configuration in Registry test (source)
- Running Chrome VPN Extensions via the Registry 2 VPN Extension test (source)
- Scheduled Task Created - Registry test (source)
- Scheduled TaskCache Change by Uncommon Program test (source)
- ScreenSaver Registry Key Set test (source)
- Scripted Diagnostics Turn Off Check Enabled - Registry test (source)
- Security Event Logging Disabled via MiniNt Registry Key - Registry Set experimental (source)
- Security Support Provider (SSP) Added to LSA Configuration test (source)
- Service Binary in Suspicious Folder test (source)
- Service Binary in User Controlled Folder test (source)
- ServiceDll Hijack test (source)
- Session Manager Autorun Keys Modification test (source)
- Shell Context Menu Command Tampering test (source)
- Shell Open Registry Keys Manipulation test (source)
- Small Sieve Malware Registry Persistence test (source)
- SNAKE Malware Covert Store Registry Key test (source)
- Stickey key IFEO registry changed (Reg via Sysmon) experimental (source)
- Sticky Key Like Backdoor Usage - Registry test (source)
- Suspicious Application Allowed Through Exploit Guard test (source)
- Suspicious Camera and Microphone Access test (source)
- Suspicious Environment Variable Has Been Registered test (source)
- Suspicious Execution Of Renamed Sysinternals Tools - Registry test (source)
- Suspicious Keyboard Layout Load test (source)
- Suspicious Path In Keyboard Layout IME File Registry Value test (source)
- Suspicious PowerShell In Registry Run Keys test (source)
- Suspicious Printer Driver Empty Manufacturer test (source)
- Suspicious Run Key from Download test (source)
- Suspicious Service Installed test (source)
- Suspicious Set Value of MSDT in Registry (CVE-2022-30190) test (source)
- Suspicious Shell Open Command Registry Modification experimental (source)
- Suspicious Shim Database Patching Activity test (source)
- Suspicious SIP or trust provider registration experimental (source)
- Suspicious Space Characters in RunMRU Registry Path - ClickFix experimental (source)
- Suspicious Space Characters in TypedPaths Registry Path - FileFix experimental (source)
- Sysmon Driver Altitude Change test (source)
- System crash behavior manipulation - WMImplant (registry) experimental (source)
- System Scripts Autorun Keys Modification test (source)
- Tamper With Sophos AV Registry Keys test (source)
- Trust Access Disable For VBApplications test (source)
- UAC Bypass Abusing Winsat Path Parsing - Registry test (source)
- UAC Bypass Using Windows Media Player - Registry test (source)
- UAC Bypass via Event Viewer test (source)
- UAC Bypass via Sdclt test (source)
- UAC Bypass Via Wsreset test (source)
- UAC Disabled stable (source)
- UAC Notification Disabled test (source)
- UAC Secure Desktop Prompt Disabled test (source)
- Uncommon Extension In Keyboard Layout IME File Registry Value test (source)
- Uncommon Microsoft Office Trusted Location Added test (source)
- Usage of Renamed Sysinternals Tools - RegistrySet test (source)
- VBScript Payload Stored in Registry test (source)
- Wdigest authentication enabled (registry) experimental (source)
- Wdigest CredGuard Registry Modification test (source)
- Wdigest Enable UseLogonCredential test (source)
- WFP Filter Added via Registry experimental (source)
- Windows Credential Editor Registry test (source)
- Windows Credential Guard Disabled - Registry experimental (source)
- Windows Defender Exclusions Added - Registry test (source)
- Windows Defender Service Disabled - Registry test (source)
- Windows Defender Threat Severity Default Action Modified experimental (source)
- Windows Event Log Access Tampering Via Registry experimental (source)
- Windows Hypervisor Enforced Code Integrity Disabled test (source)
- Windows Recall Feature Enabled - Registry test (source)
- Windows Registry Trust Record Modification test (source)
- Windows Vulnerable Driver Blocklist Disabled experimental (source)
- WINEKEY Registry Modification test (source)
- Winget Admin Settings Modification test (source)
- Winlogon AllowMultipleTSSessions Enable test (source)
- Winlogon Notify Key Logon Persistence test (source)
- WinSock2 Autorun Keys Modification test (source)
- Wow6432Node Classes Autorun Keys Modification test (source)
- Wow6432Node CurrentVersion Autorun Keys Modification test (source)
- Wow6432Node Windows NT CurrentVersion Autorun Keys Modification test (source)
Event ID 14 RegistryEvent (Key and Value Rename) 55 rules
- Atbroker Registry Change test (source)
- CMSTP Execution Registry Event stable (source)
- Creation of a Local Hidden User Account by Registry test (source)
- Delete Defender Scan ShellEx Context Menu Registry Key experimental (source)
- Diamond Sleet APT Scheduled Task Creation - Registry test (source)
- Disable Security Events Logging Adding Reg Key MiniNt test (source)
- DLL Load via LSASS test (source)
- Esentutl Volume Shadow Copy Service Keys test (source)
- FlowCloud Registry Markers test (source)
- Folder Removed From Exploit Guard ProtectedFolders List - Registry test (source)
- HybridConnectionManager Service Installation - Registry test (source)
- Impacket SMBexec service creation (registry) experimental (source)
- Leviathan Registry Key Activity test (source)
- Mimikatz driver registration (Reg via Sysmon) experimental (source)
- Narrator's Feedback-Hub Persistence test (source)
- NetNTLM Downgrade Attack - Registry test (source)
- Netsh helper DLL abuse (Reg via Sysmon) experimental (source)
- New DLL Added to AppCertDlls Registry Key test (source)
- New DLL Added to AppInit_DLLs Registry Key test (source)
- New PortProxy Registry Entry Added test (source)
- OceanLotus Registry Activity test (source)
- Office Application Startup - Office Test test (source)
- OilRig APT Registry Persistence test (source)
- Pandemic Registry Key test (source)
- Path To Screensaver Binary Modified test (source)
- Potential Credential Dumping Via LSASS SilentProcessExit Technique test (source)
- Potential Qakbot Registry Activity test (source)
- PrinterNightmare Mimikatz Driver Name test (source)
- RDP shadow session configuration enabled (registry) experimental (source)
- RedMimicry Winnti Playbook Registry Manipulation test (source)
- Registry Persistence Mechanisms in Recycle Bin test (source)
- Registry Tampering by Potentially Suspicious Processes experimental (source)
- Removal Of AMSI Provider Registry Keys test (source)
- Removal Of Index Value to Hide Schedule Task - Registry test (source)
- Removal of Potential COM Hijacking Registry Keys test (source)
- Removal Of SD Value to Hide Schedule Task - Registry test (source)
- Run Once Task Configuration in Registry test (source)
- RunMRU Registry Key Deletion - Registry experimental (source)
- Scheduled Task Created - Registry test (source)
- Security Support Provider (SSP) Added to LSA Configuration test (source)
- Shell Open Registry Keys Manipulation test (source)
- SNAKE Malware Covert Store Registry Key test (source)
- Sticky Key Like Backdoor Usage - Registry test (source)
- Suspicious Camera and Microphone Access test (source)
- Suspicious Run Key from Download test (source)
- System crash behavior manipulation - WMImplant (registry) experimental (source)
- Terminal Server Client Connection History Cleared - Registry test (source)
- UAC Bypass Via Wsreset test (source)
- Wdigest CredGuard Registry Modification test (source)
- Windows Credential Editor Registry test (source)
- Windows Credential Guard Related Registry Value Deleted - Registry experimental (source)
- Windows Defender Threat Severity Default Action Modified experimental (source)
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted test (source)
- Windows Registry Trust Record Modification test (source)
- WINEKEY Registry Modification test (source)
Event ID 15 FileCreateStreamHash 9 rules
- Creation Of a Suspicious ADS File Outside a Browser Download test (source)
- Exports Registry Key To an Alternate Data Stream test (source)
- HackTool Named File Stream Created test (source)
- Hidden Executable In NTFS Alternate Data Stream test (source)
- Potential Suspicious Winget Package Installation test (source)
- Potentially Suspicious File Download From ZIP TLD test (source)
- Suspicious File Download From File Sharing Websites - File Stream test (source)
- Unusual File Download from Direct IP Address test (source)
- Unusual File Download From File Sharing Websites - File Stream test (source)
Event ID 17 PipeEvent (Pipe Created) 20 rules
- ADFS Database Named Pipe Connection By Uncommon Tool test (source)
- Alternate PowerShell Hosts Pipe test (source)
- CobaltStrike Named Pipe test (source)
- CobaltStrike Named Pipe Pattern Regex test (source)
- CobaltStrike Named Pipe Patterns test (source)
- HackTool - CoercedPotato Named Pipe Creation test (source)
- HackTool - Credential Dumping Tools Named Pipe Created test (source)
- HackTool - DiagTrackEoP Default Named Pipe test (source)
- HackTool - EfsPotato Named Pipe Creation test (source)
- HackTool - Koh Default Named Pipe test (source)
- Malicious Named Pipe Created test (source)
- New PowerShell Instance Created test (source)
- PsExec Default Named Pipe test (source)
- PsExec Tool Execution From Suspicious Locations - PipeName test (source)
- PUA - CSExec Default Named Pipe test (source)
- PUA - PAExec Default Named Pipe test (source)
- PUA - RemCom Default Named Pipe test (source)
- RedSun - Named Pipe Created experimental (source)
- Turla Group Named Pipes test (source)
- WMI Event Consumer Created Named Pipe test (source)
Event ID 18 PipeEvent (Pipe Connected) 20 rules
- ADFS Database Named Pipe Connection By Uncommon Tool test (source)
- Alternate PowerShell Hosts Pipe test (source)
- CobaltStrike Named Pipe test (source)
- CobaltStrike Named Pipe Pattern Regex test (source)
- CobaltStrike Named Pipe Patterns test (source)
- HackTool - CoercedPotato Named Pipe Creation test (source)
- HackTool - Credential Dumping Tools Named Pipe Created test (source)
- HackTool - DiagTrackEoP Default Named Pipe test (source)
- HackTool - EfsPotato Named Pipe Creation test (source)
- HackTool - Koh Default Named Pipe test (source)
- Malicious Named Pipe Created test (source)
- New PowerShell Instance Created test (source)
- PsExec Default Named Pipe test (source)
- PsExec Tool Execution From Suspicious Locations - PipeName test (source)
- PUA - CSExec Default Named Pipe test (source)
- PUA - PAExec Default Named Pipe test (source)
- PUA - RemCom Default Named Pipe test (source)
- RedSun - Named Pipe Created experimental (source)
- Turla Group Named Pipes test (source)
- WMI Event Consumer Created Named Pipe test (source)
Event ID 22 DNSEvent (DNS query) 27 rules
- AppX Package Installation Attempts Via AppInstaller.EXE test (source)
- Cloudflared Tunnels Related DNS Requests test (source)
- Diamond Sleet APT DNS Communication Indicators test (source)
- DNS HybridConnectionManager Service Bus test (source)
- DNS Query by Finger Utility experimental (source)
- DNS Query for Anonfiles.com Domain - Sysmon test (source)
- DNS Query Request By QuickAssist.EXE experimental (source)
- DNS Query Request By Regsvr32.EXE test (source)
- DNS Query Request To OneLaunch Update Service test (source)
- DNS Query To AzureWebsites.NET By Non-Browser Process test (source)
- DNS Query To Common Malware Hosting and Shortener Services experimental (source)
- DNS Query To Devtunnels Domain test (source)
- DNS Query To Katz Stealer Domains experimental (source)
- DNS Query To MEGA Hosting Website test (source)
- DNS Query To Remote Access Software Domain From Non-Browser App test (source)
- DNS Query To Ufile.io test (source)
- DNS Query To Visual Studio Code Tunnels Domain test (source)
- DNS Query Tor .Onion Address - Sysmon test (source)
- DNS Server Discovery Via LDAP Query test (source)
- DPRK Threat Actor - C2 Communication DNS Indicators test (source)
- Notepad++ Updater DNS Query to Uncommon Domains experimental (source)
- Potential Compromised 3CXDesktopApp Beaconing Activity - DNS test (source)
- Potential SocGholish Second Stage C2 DNS Query test (source)
- Suspicious Cobalt Strike DNS Beaconing - Sysmon test (source)
- Suspicious DNS Query for IP Lookup Service APIs test (source)
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing experimental (source)
- TeamViewer Domain Query By Non-TeamViewer Application test (source)
Event ID 23 FileDelete (File Delete archived) 14 rules
- ADS Zone.Identifier Deleted test (source)
- ADS Zone.Identifier Deleted By Uncommon Application test (source)
- Backup Files Deleted test (source)
- EventLog EVTX File Deleted test (source)
- Exchange PowerShell Cmdlet History Deleted test (source)
- File Deleted Via Sysinternals SDelete test (source)
- IIS WebServer Access Logs Deleted test (source)
- Potential PrintNightmare Exploitation Attempt test (source)
- PowerShell Console History Logs Deleted test (source)
- Prefetch File Deleted test (source)
- Process Deletion of Its Own Executable test (source)
- TeamViewer Log File Deleted test (source)
- Tomcat WebServer Logs Deleted test (source)
- Unusual File Deletion by Dns.exe test (source)
Event ID 26 FileDeleteDetected (File Delete logged) 14 rules
- ADS Zone.Identifier Deleted test (source)
- ADS Zone.Identifier Deleted By Uncommon Application test (source)
- Backup Files Deleted test (source)
- EventLog EVTX File Deleted test (source)
- Exchange PowerShell Cmdlet History Deleted test (source)
- File Deleted Via Sysinternals SDelete test (source)
- IIS WebServer Access Logs Deleted test (source)
- Potential PrintNightmare Exploitation Attempt test (source)
- PowerShell Console History Logs Deleted test (source)
- Prefetch File Deleted test (source)
- Process Deletion of Its Own Executable test (source)
- TeamViewer Log File Deleted test (source)
- Tomcat WebServer Logs Deleted test (source)
- Unusual File Deletion by Dns.exe test (source)
Microsoft-Windows-Windows-Defender
Event ID 1006 1 rule
Event ID 1015 1 rule
Event ID 1116 4 rules
Event ID 1117 1 rule
Event ID 1119 1 rule
Event ID 1121 2 rules
Event ID 1151 1 rule
- Microsoft Defender signatures not up to date experimental (source)
Event ID 3002 2 rules
Event ID 5007 5 rules
Event ID 5101 1 rule
Microsoft-Windows-Windows-Firewall-With-Advanced-Security
Event ID 2003 2 rules
Event ID 2004 6 rules
- Firewall rule added using PowerShell or CMD experimental (source)
- Firewall rule any/any created experimental (source)
- New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application test (source)
- New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE test (source)
- OpenSSH server firewall configuration on Windows (firewall) experimental (source)
- Uncommon New Firewall Rule Added In Windows Firewall Exception List test (source)
Event ID 2005 2 rules
Event ID 2009 1 rule
Event ID 2032 1 rule
Event ID 2033 1 rule
Event ID 2059 1 rule
Event ID 2060 1 rule
Event ID 2071 3 rules
Event ID 2097 3 rules
Microsoft-Windows-CodeIntegrity
Event ID 3032 Code Integrity determined a revoked image FileNameBuffer is loaded into the system. 1 rule
Event ID 3035 Code Integrity determined a revoked image FileNameBuffer is loaded into the system. 1 rule
Event ID 3037 Code Integrity determined an unsigned image FileNameBuffer is loaded into the system. 1 rule
MSSQLSERVER
Event ID 15457 4 rules
Event ID 17199 1 rule
Event ID 17200 1 rule
Event ID 17201 1 rule
Event ID 17202 1 rule
Event ID 17810 1 rule
Event ID 18456 2 rules
Event ID 18470 1 rule
Event ID 33205 13 rules
- MSSQL Add Account To Sysadmin Role test (source)
- MSSQL Disable Audit Settings test (source)
- MSSQL SPProcoption Set test (source)
- MSSQL XPCmdshell Suspicious Execution test (source)
- SQL SA admin user enabled experimental (source)
- SQL Server - Brutforce enumeration with non existing users (login) experimental (source)
- SQL Server - Connection attempt using a disabled account experimental (source)
- SQL Server - Member got new privileges added on a database experimental (source)
- SQL Server - Member got new privileges added on a SQL instance level experimental (source)
- SQL Server - new member added to a database role experimental (source)
- SQL Server - new member added to a server role experimental (source)
- SQL Server auditing deactivated experimental (source)
- SQL Server database auditing deactivated experimental (source)
Microsoft-Windows-AppXDeployment-Server
Event ID 412 error ErrorCode: Deployment of package PackageFullName was blocked by AppLocker. 1 rule
Microsoft-Windows-SoftwareRestrictionPolicies
Microsoft-Windows-WindowsUpdateClient
Event ID 16 Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the... 1 rule
- Windows Update Error stable (source)
Event ID 20 Installation Failure: Windows failed to install the following update with error errorCode: updateTitle. 1 rule
- Windows Update Error stable (source)
Event ID 24 Uninstallation Failure: Windows failed to uninstall the following update with error errorCode: updatelist. 1 rule
- Windows Update Error stable (source)
MsiInstaller
Event ID 11724 1 rule
ESENT
Event ID 216 1 rule
- Ntdsutil Abuse test (source)
Event ID 325 3 rules
Event ID 326 2 rules
- IFM detected - ESENT (installation from media) experimental (source)
- Ntdsutil Abuse test (source)
Event ID 327 2 rules
- IFM detected - ESENT (installation from media) experimental (source)
- Ntdsutil Abuse test (source)
Microsoft-Windows-AppLocker
Microsoft-Windows-DHCP-Server
Microsoft-Windows-DNS-Server-Service
Microsoft-Windows-Kerberos-Key-Distribution-Center
Microsoft-Windows-TaskScheduler
Service-Control-Manager
Event ID 7023 2 rules
Event ID 7036 3 rules
Event ID 7045 55 rules
- Anydesk Remote Access Software Service Installation test (source)
- CobaltStrike Service Installations - System test (source)
- COLDSTEEL Persistence Service Creation test (source)
- Credential Dumping Tools Service Execution - System test (source)
- CSExec Service Installation test (source)
- Encoded PowerShell payload deployed via service experimental (source)
- Goofy Guineapig Backdoor Service Creation test (source)
- HackTool Service Registration or Execution test (source)
- Impacket SMBexec service registration (native) experimental (source)
- Invoke-Obfuscation CLIP+ Launcher - System test (source)
- Invoke-Obfuscation COMPRESS OBFUSCATION - System test (source)
- Invoke-Obfuscation Obfuscated IEX Invocation - System test (source)
- Invoke-Obfuscation RUNDLL LAUNCHER - System test (source)
- Invoke-Obfuscation STDIN+ Launcher - System test (source)
- Invoke-Obfuscation VAR+ Launcher - System test (source)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System test (source)
- Invoke-Obfuscation Via Stdin - System test (source)
- Invoke-Obfuscation Via Use Clip - System test (source)
- Invoke-Obfuscation Via Use MSHTA - System test (source)
- Invoke-Obfuscation Via Use Rundll32 - System test (source)
- KrbRelayUp Service Installation test (source)
- KrbRelayUp service installation (native) experimental (source)
- Massive service installation - Tchopper experimental (source)
- Mesh Agent Service Installation test (source)
- Meterpreter or Cobalt Strike Getsystem Service Installation - System test (source)
- Mimikatz driver deployed via service experimental (source)
- Moriya Rootkit - System test (source)
- NetSupport Manager Service Install test (source)
- New PDQDeploy Service - Client Side test (source)
- New PDQDeploy Service - Server Side test (source)
- OilRig APT Schedule Task Persistence - System test (source)
- PAExec Service Installation test (source)
- PowerShell Scripts Installed as Services test (source)
- ProcessHacker Privilege Elevation test (source)
- PsExec Service Installation test (source)
- PSexec service installation experimental (source)
- RDP session hijack via service creation abuse experimental (source)
- RemCom Service Installation test (source)
- Remote Access Tool Services Have Been Installed - System test (source)
- Remote Utilities Host Service Install test (source)
- RTCore Suspicious Service Installation test (source)
- Service Installation in Suspicious Folder test (source)
- Service Installation with Suspicious Folder Pattern test (source)
- Service Installed By Unusual Client - System test (source)
- Sliver C2 Default Service Installation test (source)
- smbexec.py Service Installation test (source)
- SNAKE Malware Service Persistence test (source)
- StoneDrill Service Install test (source)
- Suspicious Service Installation test (source)
- Suspicious Service Installation Script test (source)
- TacticalRMM Service Installation test (source)
- Tap Driver Installation test (source)
- Turla PNG Dropper Service test (source)
- Turla Service Install test (source)
- Uncommon Service Installation Image Path test (source)
LsaSrv
Microsoft-Windows-DriverFrameworks-UserMode
Microsoft-Windows-Eventlog
Event ID 104 The LogFileCleared.Channel log file was cleared. 3 rules
- Event log cleared (native) experimental (source)
- Eventlog Cleared test (source)
- Important Windows Eventlog Cleared test (source)
Event ID 517 The audit log was cleared (legacy Windows 2000/XP/2003 event; superseded by 1102). 1 rule
Event ID 1102 The audit log was cleared. 2 rules
- Event log cleared (native) experimental (source)
- Security Eventlog Cleared test (source)
Microsoft-Windows-TerminalServices-LocalSessionManager
PowerShell
Event ID 400 11 rules
- bXOR Operator Usage In PowerShell Command Line - PowerShell Classic test (source)
- Delete Volume Shadow Copies Via WMI With PowerShell stable (source)
- Netcat The Powershell Version test (source)
- Nslookup PowerShell Download Cradle test (source)
- PowerShell Called from an Executable Version Mismatch test (source)
- PowerShell Downgrade Attack - PowerShell test (source)
- PowerShell Download Via Net.WebClient - PowerShell Classic test (source)
- Remote PowerShell Session (PS Classic) test (source)
- Renamed Powershell Under Powershell Channel test (source)
- Uncommon PowerShell Hosts test (source)
- Use Get-NetTCPConnection test (source)
Event ID 600 1 rule
Event ID 800 37 rules
- Active Directory Forest PowerShell class called from a non administrative host experimental (source)
- BITS payload downloaded via PowerShell experimental (source)
- DCOM lateral movement (via MMC20) experimental (source)
- Domain group membership change experimental (source)
- DoT (DNS over TLS) activation (PowerShell) experimental (source)
- DSRM password changed (Reg via PowerShell) experimental (source)
- Encoded PowerShell payload deployed (PowerShell) experimental (source)
- Event log clear attempt (PowerShell) experimental (source)
- Event log cleared using Diagnostics (via PowerShell) stable (source)
- Exchange transport agent installation artifacts (PowerShell) experimental (source)
- Firewall configuration enumerated (PowerShell) experimental (source)
- Firewall deactivation (PowerShell) experimental (source)
- Group discovery (PowerShell) (source)
- Local group membership change experimental (source)
- LSASS credential dump with LSASSY (PowerShell) experimental (source)
- Microsoft Defender critical security components disabled (PowerShell) experimental (source)
- Microsoft Defender default action changed to allow any threat (PowerShell) experimental (source)
- Microsoft Defender security components disabled (PowerShell) experimental (source)
- Microsoft Defender threat exclusion added (PowerShell) experimental (source)
- OpenSSH native server feature installation experimental (source)
- OpenSSH server firewall configuration on Windows (PowerShell) experimental (source)
- OpenSSH service activation on Windows experimental (source)
- Payload downloaded via PowerShell (source)
- PipeShell exfiltration over named pipes experimental (source)
- Print spooler privilege escalation via printer added (CVE-2020-1048) experimental (source)
- Service abuse with backdoored "command failure" (Reg via PowerShell) experimental (source)
- Service abuse with malicious ImagePath (Reg via PowerShell) experimental (source)
- Service creation (PowerShell) experimental (source)
- Service permissions hijacked for privileges abuse (PowerShell) experimental (source)
- Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental (source)
- Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) experimental (source)
- System time changed (PowerShell) experimental (source)
- Vault credentials manager accessed experimental (source)
- VSS backup deletion via WMI (Powershell) experimental (source)
- Webserver IIS module installed (PowerShell) experimental (source)
- Webserver IIS module installed via GAC manipulation (PowerShell) experimental (source)
- WMI registration (PowerShell) experimental (source)
Microsoft-Windows-Bits-Client
Event ID 16403 task_016403 5 rules
- BITS Transfer Job Download From Direct IP test (source)
- BITS Transfer Job Download From File Sharing Domains test (source)
- BITS Transfer Job Download To Potential Suspicious Folder test (source)
- BITS Transfer Job Downloading File Potential Suspicious Extension test (source)
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD test (source)
Microsoft-Windows-Directory-Services-SAM
Microsoft-Windows-NTLM
Microsoft-Windows-PowerShell
Event ID 4103 Payload Context: ContextInfo User Data: UserData. 71 rules
- Active Directory Forest PowerShell class called from a non administrative host experimental (source)
- AD Groups Or Users Enumeration Using PowerShell - PoshModule test (source)
- Alternate PowerShell Hosts - PowerShell Module test (source)
- Bad Opsec Powershell Code Artifacts test (source)
- BitLocker server feature activation (PowerShell) experimental (source)
- BITS payload downloaded via PowerShell experimental (source)
- Clear PowerShell History - PowerShell Module test (source)
- DCOM lateral movement (via MMC20) experimental (source)
- DoT (DNS over TLS) activation (PowerShell) experimental (source)
- DSRM password changed (Reg via PowerShell) experimental (source)
- Encoded PowerShell payload deployed (PowerShell) experimental (source)
- Event log clear attempt (PowerShell) experimental (source)
- Event log cleared using Diagnostics (via PowerShell) stable (source)
- Exchange transport agent installation artifacts (PowerShell) experimental (source)
- Firewall configuration enumerated (PowerShell) experimental (source)
- Firewall deactivation (PowerShell) experimental (source)
- Group discovery (PowerShell) (source)
- HackTool - Evil-WinRm Execution - PowerShell Module test (source)
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module test (source)
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module test (source)
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module test (source)
- Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module test (source)
- Invoke-Obfuscation STDIN+ Launcher - PowerShell Module test (source)
- Invoke-Obfuscation VAR+ Launcher - PowerShell Module test (source)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module test (source)
- Invoke-Obfuscation Via Stdin - PowerShell Module test (source)
- Invoke-Obfuscation Via Use Clip - PowerShell Module test (source)
- Invoke-Obfuscation Via Use MSHTA - PowerShell Module test (source)
- Invoke-Obfuscation Via Use Rundll32 - PowerShell Module test (source)
- Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet test (source)
- LSASS credential dump with LSASSY (PowerShell) experimental (source)
- Malicious PowerShell Commandlets - PoshModule test (source)
- Malicious PowerShell Scripts - PoshModule test (source)
- Microsoft Defender critical security components disabled (PowerShell) experimental (source)
- Microsoft Defender default action changed to allow any threat (PowerShell) experimental (source)
- Microsoft Defender security components disabled (PowerShell) experimental (source)
- Microsoft Defender threat exclusion added (PowerShell) experimental (source)
- OpenSSH native server feature installation experimental (source)
- OpenSSH server firewall configuration on Windows (PowerShell) experimental (source)
- OpenSSH service activation on Windows experimental (source)
- Payload downloaded via PowerShell (source)
- PipeShell exfiltration over named pipes experimental (source)
- Potential Active Directory Enumeration Using AD Module - PsModule test (source)
- Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module test (source)
- PowerShell Decompress Commands test (source)
- PowerShell Get Clipboard test (source)
- Print spooler privilege escalation via printer added (CVE-2020-1048) experimental (source)
- Remote PowerShell Session (PS Module) test (source)
- Service abuse with backdoored "command failure" (Reg via PowerShell) experimental (source)
- Service abuse with malicious ImagePath (Reg via PowerShell) experimental (source)
- Service creation (PowerShell) experimental (source)
- Service permissions hijacked for privileges abuse (PowerShell) experimental (source)
- Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental (source)
- Suspicious Computer Machine Password by PowerShell test (source)
- Suspicious Get Information for SMB Share - PowerShell Module test (source)
- Suspicious Get Local Groups Information test (source)
- Suspicious Get-ADDBAccount Usage test (source)
- Suspicious PowerShell Download - PoshModule test (source)
- Suspicious PowerShell Invocations - Generic - PowerShell Module test (source)
- Suspicious PowerShell Invocations - Specific - PowerShell Module test (source)
- Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) experimental (source)
- SyncAppvPublishingServer Bypass Powershell Restriction - PS Module test (source)
- System time changed (PowerShell) experimental (source)
- Use Get-NetTCPConnection - PowerShell Module test (source)
- Vault credentials manager accessed experimental (source)
- VSS backup deletion via WMI (Powershell) experimental (source)
- Webserver IIS module installed (PowerShell) experimental (source)
- Webserver IIS module installed via GAC manipulation (PowerShell) experimental (source)
- Windows Subsystem for Linux (WSL) installation (PowerShell) experimental (source)
- WMI registration (PowerShell) experimental (source)
- Zip A Folder With PowerShell For Staging In Temp - PowerShell Module test (source)
Event ID 4104 Creating Scriptblock text (MessageNumber of MessageTotal). 218 rules
- AADInternals PowerShell Cmdlets Execution - PsScript test (source)
- Abuse of Service Permissions to Hide Services Via Set-Service - PS test (source)
- Access to Browser Login Data test (source)
- Active Directory Computers Enumeration With Get-AdComputer test (source)
- Active Directory Forest PowerShell class called from a non administrative host experimental (source)
- Active Directory Group Enumeration With Get-AdGroup test (source)
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock test (source)
- Add Windows Capability Via PowerShell Script test (source)
- AMSI Bypass Pattern Assembly GetType test (source)
- Automated Collection Bookmarks Using Get-ChildItem PowerShell test (source)
- Automated Collection Command PowerShell test (source)
- BitLocker server feature activation (PowerShell) experimental (source)
- BITS payload downloaded via PowerShell experimental (source)
- Certificate Exported Via PowerShell - ScriptBlock test (source)
- Change PowerShell Policies to an Insecure Level - PowerShell test (source)
- Change User Agents with WebRequest test (source)
- Clear PowerShell History - PowerShell test (source)
- Clearing Windows Console History test (source)
- Code Executed Via Office Add-in XLL File test (source)
- Compress-Archive Cmdlet Execution test (source)
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell test (source)
- Create Volume Shadow Copy with Powershell test (source)
- DCOM lateral movement (via MMC20) experimental (source)
- Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script test (source)
- Detected Windows Software Discovery - PowerShell test (source)
- DirectorySearcher Powershell Exploitation test (source)
- Disable of ETW Trace - Powershell test (source)
- Disable Powershell Command History test (source)
- Disable-WindowsOptionalFeature Command PowerShell test (source)
- DMSA Link Attributes Modified experimental (source)
- DMSA Service Account Created in Specific OUs - PowerShell experimental (source)
- Domain group membership change experimental (source)
- DoT (DNS over TLS) activation (PowerShell) experimental (source)
- DSInternals Suspicious PowerShell Cmdlets - ScriptBlock test (source)
- DSRM password changed (Reg via PowerShell) experimental (source)
- Dump Credentials from Windows Credential Manager With PowerShell test (source)
- Enable Windows Remote Management test (source)
- Encoded PowerShell payload deployed (PowerShell) experimental (source)
- Enumerate Credentials from Windows Credential Manager With PowerShell test (source)
- Event log clear attempt (PowerShell) experimental (source)
- Event log cleared using Diagnostics (via PowerShell) stable (source)
- Exchange transport agent installation artifacts (PowerShell) experimental (source)
- Execute Invoke-command on Remote Host test (source)
- Extracting Information with PowerShell test (source)
- Firewall configuration enumerated (PowerShell) experimental (source)
- Firewall deactivation (PowerShell) experimental (source)
- Get-ADUser Enumeration Using UserAccountControl Flags test (source)
- Group discovery (PowerShell) (source)
- HackTool - Rubeus Execution - ScriptBlock test (source)
- HackTool - WinPwn Execution - ScriptBlock test (source)
- Import PowerShell Modules From Suspicious Directories test (source)
- Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet experimental (source)
- Invoke-Obfuscation CLIP+ Launcher - PowerShell test (source)
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell test (source)
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell test (source)
- Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell test (source)
- Invoke-Obfuscation STDIN+ Launcher - Powershell test (source)
- Invoke-Obfuscation VAR+ Launcher - PowerShell test (source)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell test (source)
- Invoke-Obfuscation Via Stdin - Powershell test (source)
- Invoke-Obfuscation Via Use Clip - Powershell test (source)
- Invoke-Obfuscation Via Use MSHTA - PowerShell test (source)
- Invoke-Obfuscation Via Use Rundll32 - PowerShell test (source)
- Lace Tempest PowerShell Evidence Eraser test (source)
- Lace Tempest PowerShell Launcher test (source)
- Live Memory Dump Using Powershell test (source)
- Local group membership change experimental (source)
- LSASS credential dump with LSASSY (PowerShell) experimental (source)
- Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet experimental (source)
- Malicious Nishang PowerShell Commandlets test (source)
- Malicious PowerShell Commandlets - ScriptBlock test (source)
- Malicious PowerShell Keywords test (source)
- Malicious ShellIntel PowerShell Commandlets test (source)
- Manipulation of User Computer or Group Security Principals Across AD test (source)
- Microsoft Defender critical security components disabled (PowerShell) experimental (source)
- Microsoft Defender default action changed to allow any threat (PowerShell) experimental (source)
- Microsoft Defender security components disabled (PowerShell) experimental (source)
- Microsoft Defender threat exclusion added (PowerShell) experimental (source)
- Modify Group Policy Settings - ScriptBlockLogging test (source)
- New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock test (source)
- NTFS Alternate Data Stream test (source)
- OpenSSH native server feature installation experimental (source)
- OpenSSH server firewall configuration on Windows (PowerShell) experimental (source)
- OpenSSH service activation on Windows experimental (source)
- Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy test (source)
- Payload downloaded via PowerShell (source)
- PipeShell exfiltration over named pipes experimental (source)
- Potential Active Directory Enumeration Using AD Module - PsScript test (source)
- Potential AMSI Bypass Script Using NULL Bits test (source)
- Potential APT FIN7 POWERHOLD Execution test (source)
- Potential COM Objects Download Cradles Usage - PS Script test (source)
- Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet test (source)
- Potential Data Exfiltration Via Audio File test (source)
- Potential In-Memory Execution Using Reflection.Assembly test (source)
- Potential Invoke-Mimikatz PowerShell Script test (source)
- Potential Keylogger Activity test (source)
- Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock test (source)
- Potential Persistence Via PowerShell User Profile Using Add-Content test (source)
- Potential Persistence Via Security Descriptors - ScriptBlock test (source)
- Potential PowerShell Obfuscation Using Alias Cmdlets test (source)
- Potential PowerShell Obfuscation Using Character Join test (source)
- Potential POWERTRASH Script Execution test (source)
- Potential Registry Reconnaissance Via PowerShell Script test (source)
- Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock test (source)
- Potential Suspicious PowerShell Keywords test (source)
- Potential Suspicious Windows Feature Enabled test (source)
- Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock experimental (source)
- Potential WinAPI Calls Via PowerShell Scripts test (source)
- Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript test (source)
- Powershell Add Name Resolution Policy Table Rule test (source)
- PowerShell ADRecon Execution test (source)
- PowerShell Create Local User test (source)
- Powershell Create Scheduled Task test (source)
- PowerShell Credential Prompt test (source)
- PowerShell Deleted Mounted Share test (source)
- Powershell Detect Virtualization Environment test (source)
- Powershell Directory Enumeration test (source)
- Powershell DNSExfiltration test (source)
- Powershell Execute Batch Script test (source)
- PowerShell Get-Process LSASS in ScriptBlock test (source)
- PowerShell Hotfix Enumeration test (source)
- PowerShell ICMP Exfiltration test (source)
- Powershell Install a DLL in System Directory test (source)
- Powershell Keylogging test (source)
- Powershell Local Email Collection test (source)
- Powershell LocalAccount Manipulation test (source)
- Powershell MsXml COM Object test (source)
- PowerShell PSAttack test (source)
- PowerShell Remote Session Creation test (source)
- PowerShell Script Change Permission Via Set-Acl - PsScript test (source)
- PowerShell Script With File Hostname Resolving Capabilities test (source)
- PowerShell Script With File Upload Capabilities test (source)
- Powershell Sensitive File Discovery test (source)
- PowerShell Set-Acl On Windows Folder - PsScript test (source)
- PowerShell ShellCode test (source)
- Powershell Store File In Alternate Data Stream test (source)
- Powershell Suspicious Win32_PnPEntity test (source)
- Powershell Timestomp test (source)
- Powershell Token Obfuscation - Powershell test (source)
- PowerShell Web Access Installation - PsScript test (source)
- Powershell WMI Persistence test (source)
- PowerShell WMI Win32_Product Install MSI test (source)
- PowerShell Write-EventLog Usage test (source)
- Powershell XML Execute Command test (source)
- PowerView PowerShell Cmdlets - ScriptBlock test (source)
- Print spooler privilege escalation via printer added (CVE-2020-1048) experimental (source)
- PSAsyncShell - Asynchronous TCP Reverse Shell test (source)
- Recon Information for Export with PowerShell test (source)
- Registry Modification Attempt Via VBScript - PowerShell experimental (source)
- Registry-Free Process Scope COR_PROFILER test (source)
- Remove Account From Domain Admin Group test (source)
- Replace Desktop Wallpaper by Powershell test (source)
- Root Certificate Installed - PowerShell test (source)
- Security Software Discovery Via Powershell Script test (source)
- Service abuse with backdoored "command failure" (Reg via PowerShell) experimental (source)
- Service abuse with malicious ImagePath (Reg via PowerShell) experimental (source)
- Service creation (PowerShell) experimental (source)
- Service permissions hijacked for privileges abuse (PowerShell) experimental (source)
- Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental (source)
- Service Registry Permissions Weakness Check test (source)
- Silence.EDA Detection test (source)
- SMB over QUIC Via PowerShell Script test (source)
- Suspicious Connection to Remote Account test (source)
- Suspicious Eventlog Clear test (source)
- Suspicious FromBase64String Usage On Gzip Archive - Ps Script test (source)
- Suspicious Get Information for SMB Share test (source)
- Suspicious Get Local Groups Information - PowerShell test (source)
- Suspicious Get-ADReplAccount test (source)
- Suspicious GetTypeFromCLSID ShellExecute test (source)
- Suspicious GPO Discovery With Get-GPO test (source)
- Suspicious Hyper-V Cmdlets test (source)
- Suspicious Invoke-Item From Mount-DiskImage test (source)
- Suspicious IO.FileStream test (source)
- Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock test (source)
- Suspicious Mount-DiskImage test (source)
- Suspicious New-PSDrive to Admin Share test (source)
- Suspicious PowerShell Download - Powershell Script test (source)
- Suspicious PowerShell Get Current User test (source)
- Suspicious PowerShell Invocations - Generic test (source)
- Suspicious PowerShell Invocations - Specific test (source)
- Suspicious PowerShell Mailbox Export to Share - PS test (source)
- Suspicious PowerShell WindowStyle Option test (source)
- Suspicious Process Discovery With Get-Process test (source)
- Suspicious Service DACL Modification Via Set-Service Cmdlet - PS test (source)
- Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) experimental (source)
- Suspicious SSL Connection test (source)
- Suspicious Start-Process PassThru test (source)
- Suspicious TCP Tunnel Via PowerShell Script test (source)
- Suspicious Unblock-File test (source)
- Suspicious X509Enrollment - Ps Script test (source)
- SyncAppvPublishingServer Execution to Bypass Powershell Restriction test (source)
- System time changed (PowerShell) experimental (source)
- Tamper Windows Defender - ScriptBlockLogging test (source)
- Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging test (source)
- Testing Usage of Uncommonly Used Port test (source)
- Troubleshooting Pack Cmdlet Execution test (source)
- Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript test (source)
- Usage Of Web Request Commands And Cmdlets - ScriptBlock test (source)
- Use Of Remove-Item to Delete File - ScriptBlock test (source)
- User Discovery And Export Via Get-ADUser Cmdlet - PowerShell test (source)
- Vault credentials manager accessed experimental (source)
- Veeam Backup Servers Credential Dumping Script Execution test (source)
- Vice Society directory crawling script for data exfiltration (via ps_script) stable (source)
- VSS backup deletion via WMI (Powershell) experimental (source)
- Webserver IIS module installed (PowerShell) experimental (source)
- Webserver IIS module installed via GAC manipulation (PowerShell) experimental (source)
- WinAPI Function Calls Via PowerShell Scripts test (source)
- WinAPI Library Calls Via PowerShell Scripts test (source)
- Windows Defender Exclusions Added - PowerShell test (source)
- Windows Firewall Profile Disabled test (source)
- Windows Mail App Mailbox Access Via PowerShell Script test (source)
- Windows Screen Capture with CopyFromScreen test (source)
- Windows Subsystem for Linux (WSL) installation (PowerShell) experimental (source)
- Winlogon Helper DLL test (source)
- WMI registration (PowerShell) experimental (source)
- WMIC Unquoted Services Path Lookup - PowerShell test (source)
- WMImplant Hack Tool test (source)
- Zip A Folder With PowerShell For Staging In Temp - PowerShell Script test (source)
Microsoft-Windows-PrintService
Microsoft-Windows-Security-Kerberos
Microsoft-Windows-Security-Mitigations
Microsoft-Windows-WMI-Activity
ScreenConnect
TermDD
Event ID 50 1 rule
Event ID 56 1 rule
Application-Error
Event ID 1000 5 rules
- CVE-2023-40477 Potential Exploitation - WinRAR Application Crash test (source)
- CVE-2024-49113 Exploitation Attempt - LDAP Nightmare experimental (source)
- LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089 experimental (source)
- LSASS Process Crashed - Application experimental (source)
- Microsoft Malware Protection Engine Crash test (source)
Application-Popup
Event ID 26 1 rule
Microsoft-Windows-AppModel-Runtime
Microsoft-Windows-AppxPackagingOM
Microsoft-Windows-Audit-CVE
Microsoft-Windows-Backup
Microsoft-Windows-CAPI2
Microsoft-Windows-CertificateServicesClient-Lifecycle-System
Microsoft-Windows-CertificationAuthority
Microsoft-Windows-DNS-Client
Event ID 3008 DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults. 6 rules
- DNS Query for Anonfiles.com Domain - DNS Client test (source)
- DNS Query To MEGA Hosting Website - DNS Client test (source)
- DNS Query To Put.io - DNS Client test (source)
- DNS Query To Ufile.io - DNS Client test (source)
- Query Tor Onion Address - DNS Client test (source)
- Suspicious Cobalt Strike DNS Beaconing - DNS Client test (source)