| Rule name | Level | Event ID(s) | Event provider |
|---|---|---|---|
| Microsoft 365 (Office 365) Potential Ransomware Activity Detected | master | 40 | |
| Registry Checked For Lanmanserver DisableCompression Parameter | master | 4663 | Microsoft-Windows-Security-Auditing |
| Failed Logon Followed By A Success From Public IP Addresses | master | 4625 | Microsoft-Windows-Security-Auditing |
| Rubeus Register New Logon Process | master | 4611 | Microsoft-Windows-Security-Auditing |
| Smss Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| xWizard Execution | master | 1 | Kernel-Process |
| Searchindexer Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Execution From Suspicious Folder | master | 1 | Microsoft-Windows-Sysmon |
| Grabbing Sensitive Hives Via Reg Utility | master | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon |
| Compress Data for Exfiltration via Archiver | master | 1 | Kernel-Process |
| Windows Sandbox Start | master | 1, 5 | Kernel-Process |
| Wsmprovhost Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Protected Storage Service Access | master | 5145 | Microsoft-Windows-Security-Auditing |
| Remote Registry Management Using Reg Utility | master | 5145 | Microsoft-Windows-Security-Auditing |
| Microsoft 365 (Office 365) MCAS Repeated Delete | master | 98 | |
| Antivirus Relevant File Paths Alerts | master | 1116 | Microsoft-Windows-Windows Defender |
| Windows Defender Deactivation Using PowerShell Script | master | 4104 | Microsoft-Windows-PowerShell |
| Rebooting | master | 1 | Kernel-Process |
| Microsoft Defender Antivirus Configuration Changed | master | 5007 | Microsoft-Windows-Windows Defender |
| PowerView commandlets 2 | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Windows Registry Persistence COM Key Linking | master | 1, 13 | Microsoft-Windows-Sysmon |
| Commonly Used Commands To Stop Services And Remove Backups | master | 1 | Microsoft-Windows-Sysmon |
| DNS Query For Iplookup | master | 22 | Microsoft-Windows-DNS-Client |
| Privileged AD Builtin Group Modified | master | 4728 | Microsoft-Windows-Security-Auditing |
| Microsoft Defender Antivirus Disable Using Registry | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Suspicious PsExec Execution | master | 5145 | Microsoft-Windows-Security-Auditing |
| Potential RDP Connection To Non-Domain Host | master | 8001 | Microsoft-Windows-NTLM |
| WMIC Loading Scripting Libraries | master | 7 | Microsoft-Windows-Sysmon |
| Usage Of Sysinternals Tools | master | 1, 13 | Microsoft-Windows-Sysmon |
| FoggyWeb Backdoor DLL Loading | master | 7 | Microsoft-Windows-Sysmon |
| Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting | master | 13 | Microsoft-Windows-Sysmon |
| Opening Of a Password File | master | 5 | Kernel-Process |
| Suspicious DLL Loaded Via Office Applications | master | 7 | Microsoft-Windows-Sysmon |
| Shadow Copies | master | 4104, 4688 | Microsoft-Windows-PowerShell, Microsoft-Windows-Security-Auditing |
| Microsoft Defender for Office 365 Medium Severity AIR Alert | master | 64 | |
| Advanced IP Scanner | master | 1 | Microsoft-Windows-Sysmon |
| Suspicious Access To Sensitive File Extensions | master | 5145 | Microsoft-Windows-Security-Auditing |
| Possible Replay Attack | master | 4649 | Microsoft-Windows-Security-Auditing |
| Disable Windows Defender Credential Guard | master | 13 | Microsoft-Windows-Sysmon |
| ISO LNK Infection Chain | master | 5, 11 | Kernel-Process, Microsoft-Windows-Kernel-File |
| Outlook Registry Access | master | 1 | Microsoft-Windows-Sysmon |
| Wininit Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Narrator Feedback-Hub Persistence | master | 13 | Microsoft-Windows-Sysmon |
| Cobalt Strike Named Pipes | master | 17 | Microsoft-Windows-Sysmon |
| Abusing Azure Browser SSO | master | 7 | Microsoft-Windows-Sysmon |
| Remote Service Activity Via SVCCTL Named Pipe | master | 5145 | Microsoft-Windows-Security-Auditing |
| Microsoft Defender Antivirus History Deleted | master | 1013 | Microsoft-Windows-Windows Defender |
| Dllhost Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| In-memory PowerShell | master | 7 | Microsoft-Windows-Sysmon |
| WMI DLL Loaded Via Office | master | 7 | Microsoft-Windows-Sysmon |
| Process Herpaderping | master | 25 | Microsoft-Windows-Sysmon |
| Spoolsv Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Taskhostw Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Powershell Web Request | master | 3 | Microsoft-Windows-Kernel-Network |
| Microsoft 365 Security and Compliance Center High Severity Alert | master | 40 | |
| SCM Database Privileged Operation | master | 4674 | Microsoft-Windows-Security-Auditing |
| AD User Enumeration | master | 4662 | Microsoft-Windows-Security-Auditing |
| Web Application Launching Shell | master | 1, 4688 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
| Sysmon Windows File Block Executable | master | 27 | Microsoft-Windows-Sysmon |
| Webshell Creation | master | 11 | Microsoft-Windows-Sysmon |
| Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically | master | 64 | |
| Searchprotocolhost Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Elevated Msiexec Via Repair Functionality | master | 1, 5 | Kernel-Process |
| Process Hollowing Detection | master | 25 | Microsoft-Windows-Sysmon |
| Taskhost or Taskhostw Suspicious Child Found | master | 1 | Microsoft-Windows-Sysmon |
| Suspicious Cmd.exe Command Line | master | 1 | Microsoft-Windows-Sysmon |
| Disable Security Events Logging Adding Reg Key MiniNt | master | 13 | Microsoft-Windows-Sysmon |
| Csrss Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Microsoft Office Macro Security Registry Modifications | master | 13 | Microsoft-Windows-Sysmon |
| Account Removed From A Security Enabled Group | master | 4729 | Microsoft-Windows-Security-Auditing |
| Microsoft 365 Device Code Authentication | master | 15 | |
| Network Share Discovery | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Microsoft 365 (Office 365) MCAS Inbox Hiding | master | 98 | |
| Malware Persistence Registry Key | master | 1, 13 | Microsoft-Windows-Sysmon |
| File Or Folder Permissions Modifications | master | 1 | Microsoft-Windows-Sysmon |
| Microsoft 365 (Office 365) MCAS Repeated Failed Login | master | 98 | |
| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | 3 | Microsoft-Windows-Sysmon |
| Suspicious Microsoft Defender Antivirus Exclusion Command | master | 1 | Microsoft-Windows-Sysmon |
| Autorun Keys Modification | master | 12 | Microsoft-Windows-Sysmon |
| Elevated Shell Launched By Browser | master | 5 | Kernel-Process |
| Correlation Multi Service Disable | master | 1, 5 | Kernel-Process |
| CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv | master | 7, 11 | Microsoft-Windows-Sysmon |
| Logonui Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| MS Office Product Spawning Exe in User Dir | master | 1 | Microsoft-Windows-Sysmon |
| Microsoft Office Product Spawning Windows Shell | master | 1 | Microsoft-Windows-Sysmon |
| Windows Registry Persistence COM Search Order Hijacking | master | 13 | Microsoft-Windows-Sysmon |
| Account Added To A Security Enabled Group | master | 4728 | Microsoft-Windows-Security-Auditing |
| DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150 | Microsoft-Windows-DNS-Server-Service |
| Remote Monitoring and Management Software - Atera | master | 13 | Microsoft-Windows-Sysmon |
| Correlation Internal Ntlm Password Spraying | master | 4625 | Microsoft-Windows-Security-Auditing |
| Netsh Port Opening | master | 1 | Microsoft-Windows-Sysmon |
| Svchost Wrong Parent | master | 4688 | Microsoft-Windows-Security-Auditing |
| Winrshost Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| Winlogon wrong parent | master | 1 | Microsoft-Windows-Sysmon |
| User Account Deleted | master | 4726 | Microsoft-Windows-Security-Auditing |
| Svchost DLL Search Order Hijack | master | 7 | Microsoft-Windows-Sysmon |
| LSASS Memory Dump | master | 10 | Microsoft-Windows-Sysmon |
| Microsoft 365 (Office 365) MCAS New Country | master | 98 | |
| Pandemic Windows Implant | master | 1, 13 | Microsoft-Windows-Sysmon |
| Stop Backup Services | master | 1, 13 | Kernel-Process, Microsoft-Windows-Sysmon |
| AD Privileged Users Or Groups Reconnaissance | master | 4661 | Microsoft-Windows-Security-Auditing |
| Computer Account Deleted | master | 4743 | Microsoft-Windows-Security-Auditing |
| NjRat Registry Changes | master | 1, 13 | Kernel-Process, Microsoft-Windows-Sysmon |
| Microsoft 365 Security and Compliance Center Medium Severity Alert | master | 40 | |
| User Account Created | master | 4720 | Microsoft-Windows-Security-Auditing |
| SCM Database Handle Failure | master | 4656 | Microsoft-Windows-Security-Auditing |
| DNS ServerLevelPluginDll Installation | master | 1, 13 | Microsoft-Windows-Sysmon |
| Suspicious Windows Installer Execution | master | 1 | Microsoft-Windows-Sysmon |
| Powershell Winlogon Helper DLL | master | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Admin Share Access | master | 5140 | Microsoft-Windows-Security-Auditing |
| Microsoft Defender Antivirus Exclusion Configuration | master | 13, 5007 | Microsoft-Windows-Sysmon, Microsoft-Windows-Windows Defender |
| Lsass Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| WithSecure Elements Warning Severity | master | 4740 | Microsoft-Windows-Security-Auditing |
| Tenable Identity Exposure / Alsid High Severity Alert | master | 79016668 | |
| Microsoft Office Creating Suspicious File | master | 11 | Microsoft-Windows-Sysmon |
| TOR Usage Generic Rule | master | 3 | Microsoft-Windows-Sysmon |
| PowerShell Malicious PowerShell Commandlets | master | 4104 | Microsoft-Windows-PowerShell |
| Correlation Internal Kerberos Password Spraying | master | 4768 | Microsoft-Windows-Security-Auditing |
| Powershell Suspicious Startup Shortcut Persistence | master | 11 | Microsoft-Windows-Kernel-File |
| Tenable Identity Exposure / Alsid Critical Severity Alert | master | 83820799 | |
| Admin User RDP Remote Logon | master | 4624 | Microsoft-Windows-Security-Auditing |
| Microsoft 365 (Office 365) MCAS Risky IP | master | 98 | |
| Taskhost Wrong Parent | master | 1 | Microsoft-Windows-Sysmon |
| MMC Spawning Windows Shell | master | 1 | Microsoft-Windows-Sysmon |
| Windows Firewall Changes | master | 1 | Microsoft-Windows-Sysmon |
| Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action | master | 64 | |
| User Added to Local Administrators | master | 4732 | Microsoft-Windows-Security-Auditing |
| Microsoft Defender for Office 365 High Severity AIR Alert | master | 64 | |
| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | 13 | Microsoft-Windows-Sysmon |
| FromBase64String Command Line | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| LSASS Access From Non System Account | master | 4656 | Microsoft-Windows-Security-Auditing |
| Microsoft 365 (Office 365) MCAS Detection Velocity | master | 98 | |
| Remote Monitoring and Management Software - AnyDesk | master | 1, 22 | Kernel-Process, Microsoft-Windows-DNS-Client |
| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | 4673 | Microsoft-Windows-Security-Auditing |
| Suspicious New Printer Ports In Registry | master | 13 | Microsoft-Windows-Sysmon |
| Searchprotocolhost Child Found | master | 1 | Microsoft-Windows-Sysmon |
| Putty Sessions Listing | master | 1, 4663 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
| Net.exe User Account Creation | master | 1 | Microsoft-Windows-Sysmon |
| Credential Dumping-Tools Common Named Pipes | master | 17 | Microsoft-Windows-Sysmon |
| PowerShell Commands Invocation | advanced | 1 | Kernel-Process |
| VSCode Tunnel Shell Exec | advanced | 1 | Kernel-Process |
| PowerShell Malicious Nishang PowerShell Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell |
| AzureEdge in Command Line | advanced | 5 | Kernel-Process |
| Change Default File Association | advanced | 1 | Microsoft-Windows-Sysmon |
| Wmic Suspicious Commands | advanced | 5 | Kernel-Process |
| Alternate PowerShell Hosts Pipe | advanced | 17 | Microsoft-Windows-Sysmon |
| PsExec Process | advanced | 13, 7045 | Microsoft-Windows-Sysmon, Service Control Manager |
| Permission Discovery Via Wmic | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious desktop.ini Action | advanced | 15 | Microsoft-Windows-Sysmon |
| Rubeus Tool Command-line | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious PowerShell Invocations - Generic | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious XOR Encoded PowerShell Command Line | advanced | 4104 | Microsoft-Windows-PowerShell |
| External Disk Drive Or USB Storage Device | advanced | 6416 | Microsoft-Windows-Security-Auditing |
| Dism Disabling Windows Defender | advanced | 1 | Kernel-Process |
| Credential Dump Tools Related Files | advanced | 11, 15 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon |
| Adidnsdump Enumeration | advanced | 11, 4688 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Security-Auditing |
| Microsoft Defender Antivirus Tampering Detected | advanced | 1127 | Microsoft-Windows-Windows Defender |
| Exfiltration And Tunneling Tools Execution | advanced | 1 | Microsoft-Windows-Sysmon |
| Exfiltration Via Pscp | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | 10 | Microsoft-Windows-Sysmon |
| Suspicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell |
| Powershell AMSI Bypass | advanced | 4104 | Microsoft-Windows-PowerShell |
| Rclone Process | advanced | 1 | Microsoft-Windows-Sysmon |
| AutoIt3 Execution From Suspicious Folder | advanced | 5 | Kernel-Process |
| NetSh Used To Disable Windows Firewall | advanced | 1 | Microsoft-Windows-Sysmon |
| Domain Trust Created Or Removed | advanced | 4706, 4707 | Microsoft-Windows-Security-Auditing |
| ACLight Discovering Privileged Accounts | advanced | 4103 | Microsoft-Windows-PowerShell |
| Suspicious ADSI-Cache Usage By Unknown Tool | advanced | 11 | Microsoft-Windows-Sysmon |
| Remote System Discovery Via Telnet | advanced | 5 | Kernel-Process |
| PowerShell NTFS Alternate Data Stream | advanced | 4104 | Microsoft-Windows-PowerShell |
| WiFi Credentials Harvesting Using Netsh | advanced | 1 | Microsoft-Windows-Sysmon |
| Cmd.exe Used To Run Reconnaissance Commands | advanced | 1 | Microsoft-Windows-Sysmon |
| New Service Creation | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Compression Followed By Suppression | advanced | 5 | Kernel-Process |
| Microsoft 365 Authenticated Activity From Tor IP Address | advanced | 15, 25 | |
| Lateral Movement Remote Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing |
| Rare Logonui Child Found | advanced | 1 | Microsoft-Windows-Sysmon |
| WMImplant Hack Tool | advanced | 4104 | Microsoft-Windows-PowerShell |
| AD Object WriteDAC Access | advanced | 4662 | Microsoft-Windows-Security-Auditing |
| WMI Event Subscription | advanced | 21 | Microsoft-Windows-Sysmon |
| Microsoft Windows Active Directory Module Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell |
| Default Encoding To UTF-8 PowerShell | advanced | 1 | Microsoft-Windows-Sysmon |
| PowerShell Suspicious Context Changes | advanced | 4104 | Microsoft-Windows-PowerShell |
| WMI Persistence Script Event Consumer File Write | advanced | 11 | Microsoft-Windows-Sysmon |
| PowerView commandlets 1 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| RDP Sensitive Settings Changed | advanced | 13 | Microsoft-Windows-Sysmon |
| Microsoft Defender Antivirus Threat Detected | advanced | 1116 | Microsoft-Windows-Windows Defender |
| Credential Harvesting Via Vaultcmd.exe | advanced | 1 | Kernel-Process |
| Non-Legitimate Executable Using AcceptEula Parameter | advanced | 3, 5 | Kernel-Process, Microsoft-Windows-Kernel-Process |
| Suspicious PROCEXP152.sys File Created In Tmp | advanced | 11 | Microsoft-Windows-Sysmon |
| HTML Smuggling Suspicious Usage | advanced | 1, 11, 15 | Microsoft-Windows-Sysmon |
| Dynwrapx Module Loading | advanced | 7 | Microsoft-Windows-Sysmon |
| Suspicious URL Requested By Curl Or Wget Commands | advanced | 22 | Microsoft-Windows-Sysmon |
| Netsh Allow Command | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious Outbound Kerberos Connection | advanced | 5156 | Microsoft-Windows-Security-Auditing |
| Svchost Modification | advanced | 13 | Microsoft-Windows-Sysmon |
| Active Directory Replication from Non Machine Account | advanced | 4662 | Microsoft-Windows-Security-Auditing |
| Suspicious Regasm Regsvcs Usage | advanced | 1 | Kernel-Process |
| Correlation Admin Files Checked On Network Share | advanced | 5145 | Microsoft-Windows-Security-Auditing |
| WMIC Command To Determine The Antivirus | advanced | 1, 5, 4104 | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| OneNote Suspicious Children Process | advanced | 1, 15 | Microsoft-Windows-Sysmon |
| Language Discovery | advanced | 4104 | Microsoft-Windows-PowerShell |
| Capture a network trace with netsh.exe | advanced | 1 | Microsoft-Windows-Sysmon |
| PowerShell Data Compressed | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Certify Or Certipy | advanced | 5 | Kernel-Process |
| Ntfsinfo Usage | advanced | 4688 | Microsoft-Windows-Security-Auditing |
| AccCheckConsole Executing Dll | advanced | 5 | Kernel-Process |
| HackTools Suspicious Names | advanced | 5, 11 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon |
| Legitimate Process Execution From Unusual Folder | advanced | 1 | Microsoft-Windows-Sysmon |
| Disabled IE Security Features | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Hiding Files With Attrib.exe | advanced | 1 | Microsoft-Windows-Sysmon |
| WerFaultSecure Abuse | advanced | 1 | Kernel-Process |
| Powershell UploadString Function | advanced | 1 | Microsoft-Windows-Sysmon |
| CreateRemoteThread Common Process Injection | advanced | 8 | Microsoft-Windows-Sysmon |
| RDP Login From Localhost | advanced | 4624 | Microsoft-Windows-Security-Auditing |
| Adexplorer Usage | advanced | 1 | Microsoft-Windows-Sysmon |
| Credentials Extraction | advanced | 1 | Kernel-Process |
| Suspicious Regsvr32 Execution | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious Hostname | advanced | 4624 | Microsoft-Windows-Security-Auditing |
| PowerShell EncodedCommand | advanced | 1 | Microsoft-Windows-Sysmon |
| Logon Scripts (UserInitMprLogonScript) | advanced | 1, 13 | Microsoft-Windows-Sysmon |
| Netsh Program Allowed With Suspicious Location | advanced | 1 | Microsoft-Windows-Sysmon |
| Successful Overpass The Hash Attempt | advanced | 4624 | Microsoft-Windows-Security-Auditing |
| Python Opening Ports | advanced | 5154 | Microsoft-Windows-Security-Auditing |
| PowerShell AMSI Deactivation Bypass Using .NET Reflection | advanced | 4104 | Microsoft-Windows-PowerShell |
| NTDS.dit File In Suspicious Directory | advanced | 11 | Microsoft-Windows-Sysmon |
| Unsigned Image Loaded Into LSASS Process | advanced | 7 | Microsoft-Windows-Sysmon |
| XCopy Suspicious Usage | advanced | 1 | Microsoft-Windows-Sysmon |
| Mimikatz LSASS Memory Access | advanced | 10 | Microsoft-Windows-Sysmon |
| Account Tampering - Suspicious Failed Logon Reasons | advanced | 4625 | Microsoft-Windows-Security-Auditing |
| Malicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell |
| Openfiles Usage | advanced | 1 | Kernel-Process |
| PowerShell Credential Prompt | advanced | 4104 | Microsoft-Windows-PowerShell |
| Suspicious Control Process | advanced | 1 | Microsoft-Windows-Sysmon |
| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | 7 | Microsoft-Windows-Sysmon |
| Metasploit PSExec Service Creation | advanced | 7045 | Service Control Manager |
| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | 4104 | Microsoft-Windows-PowerShell |
| Telegram Bot API Request | advanced | 22 | Microsoft-Windows-Sysmon |
| RDP Configuration File From Mail Process | advanced | 1, 11 | Kernel-Process, Microsoft-Windows-Kernel-File |
| Component Object Model Hijacking | advanced | 23 | Microsoft-Windows-Kernel-File |
| PowerShell Download From URL | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| RDP Session Discovery | advanced | 1 | Microsoft-Windows-Sysmon |
| Microsoft IIS Module Installation | advanced | 1, 5, 4104 | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Unsigned Driver Loaded From Suspicious Location | advanced | 6 | Microsoft-Windows-Sysmon |
| Control Panel Items | advanced | 1 | Microsoft-Windows-Sysmon |
| Domain Group And Permission Enumeration | advanced | 1 | Microsoft-Windows-Sysmon |
| NlTest Usage | advanced | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon |
| SAM Registry Hive Handle Request | advanced | 4656 | Microsoft-Windows-Security-Auditing |
| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | 1 | Microsoft-Windows-Sysmon |
| Usage Of Procdump With Common Arguments | advanced | 1, 13 | Microsoft-Windows-Sysmon |
| Suspicious Windows DNS Queries | advanced | 5, 22 | Kernel-Process, Microsoft-Windows-Sysmon |
| System Network Connections Discovery | advanced | 1 | Microsoft-Windows-Sysmon |
| FLTMC command usage | advanced | 5 | Kernel-Process |
| Suspicious Double Extension | advanced | 5 | Microsoft-Windows-Sysmon |
| Network Sniffing Windows | intermediate | 1, 5 | Microsoft-Windows-Sysmon |
| Bloodhound and Sharphound Tools Usage | intermediate | 1 | Microsoft-Windows-Sysmon |
| XSL Script Processing And SquiblyTwo Attack | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious Taskkill Command | intermediate | 1 | Microsoft-Windows-Sysmon |
| COM Hijack Via Sdclt | intermediate | 1 | Microsoft-Windows-Sysmon |
| UAC Bypass via Event Viewer | intermediate | 13 | Microsoft-Windows-Sysmon |
| Microsoft 365 Email Forwarding To Consumer Email Address | intermediate | 1 | |
| Suspicious Finger Usage | intermediate | 1 | Microsoft-Windows-Sysmon |
| Copy Of Legitimate System32 Executable | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| BazarLoader Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | 4794 | Microsoft-Windows-Security-Auditing |
| CMSTP UAC Bypass via COM Object Access | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious Mshta Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
| Venom Multi-hop Proxy agent detection | intermediate | 1 | Kernel-Process |
| Explorer Process Executing HTA File | intermediate | 1 | Microsoft-Windows-Sysmon |
| PowerCat Function Loading | intermediate | 4104 | Microsoft-Windows-PowerShell |
| Suspicious Process Requiring DLL Starts Without DLL | intermediate | 1 | Microsoft-Windows-Sysmon |
| Qakbot Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
| Csrss Child Found | intermediate | 1 | Microsoft-Windows-Sysmon |
| WMIC Uninstall Product | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious Outlook Child Process | intermediate | 4688 | Microsoft-Windows-Security-Auditing |
| DLL Load via LSASS Registry Key | intermediate | 12, 13 | Microsoft-Windows-Sysmon |
| Trickbot Malware Activity | intermediate | 1 | Microsoft-Windows-Sysmon |
| Ngrok Process Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
| Microsoft 365 Email Forwarding To Email Address With Rare TLD | intermediate | 1 | |
| Werfault DLL Injection | intermediate | 7 | Microsoft-Windows-Sysmon |
| MMC20 Lateral Movement | intermediate | 1 | Microsoft-Windows-Sysmon |
| Network Connection Via Certutil | intermediate | 1 | Kernel-Process |
| Data Compressed With Rar With Password | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| PowerShell Execution Via Rundll32 | intermediate | 1 | Microsoft-Windows-Sysmon |
| Mshta Suspicious Child Process | intermediate | 1, 5 | Kernel-Process |
| Detection of default Mimikatz banner | intermediate | 4103 | Microsoft-Windows-PowerShell |
| Suspicious DNS Child Process | intermediate | 1 | Microsoft-Windows-Sysmon |
| New DLL Added To AppCertDlls Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
| Suspicious Scheduled Task Creation | intermediate | 4688 | Microsoft-Windows-Security-Auditing |
| Lsass Access Through WinRM | intermediate | 10 | Microsoft-Windows-Sysmon |
| Suspicious Network Args In Command Line | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon |
| Correlation Priv Esc Via Remote Thread | intermediate | 1, 8, 4703 | Kernel-Process, Microsoft-Windows-Kernel-Process, Microsoft-Windows-Security-Auditing |
| Impacket Secretsdump.py Tool | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
| Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data | intermediate | 4104 | Microsoft-Windows-PowerShell |
| Remote Task Creation Via ATSVC Named Pipe | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
| Password Dumper Activity On LSASS | intermediate | 4656 | Microsoft-Windows-Security-Auditing |
| Suspicious CommandLine Lsassy Pattern | intermediate | 5 | Kernel-Process |
| Formbook Hijacked Process Command | intermediate | 1 | Microsoft-Windows-Sysmon |
| DHCP Callout DLL Installation | intermediate | 13 | Microsoft-Windows-Sysmon |
| UAC Bypass Using Fodhelper | intermediate | 13 | Microsoft-Windows-Sysmon |
| LSASS Memory Dump File Creation | intermediate | 11 | Microsoft-Windows-Sysmon |
| NTDS.dit File Interaction Through Command Line | intermediate | 1 | Microsoft-Windows-Sysmon |
| CMSTP Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
| MSBuild Abuse | intermediate | 1 | Kernel-Process |
| Suspicious Kerberos Ticket | intermediate | 4768 | Microsoft-Windows-Security-Auditing |
| Suspicious certutil command | intermediate | 1 | Microsoft-Windows-Sysmon |
| High Privileges Network Share Removal | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon |
| Secure Deletion With SDelete | intermediate | 4663 | Microsoft-Windows-Security-Auditing |
| Netsh RDP Port Opening | intermediate | 1 | Microsoft-Windows-Sysmon |
| Remote Enumeration Of Lateral Movement Groups | intermediate | 4799 | Microsoft-Windows-Security-Auditing |
| OceanLotus Registry Activity | intermediate | 13 | Microsoft-Windows-Sysmon |
| Exchange Mailbox Export | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| MavInject Process Injection | intermediate | 1 | Microsoft-Windows-Sysmon |
| Microsoft Defender Antivirus Restoration Abuse | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious Windows Script Execution | intermediate | 5 | Kernel-Process |
| Gpscript Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon |
| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | 1 | Microsoft-Windows-Sysmon |
| SOCKS Tunneling Tool | intermediate | 1 | Microsoft-Windows-Sysmon |
| Njrat Registry Values | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
| Suspicious PowerShell Invocations - Specific | intermediate | 1 | Microsoft-Windows-Sysmon |
| Mshta Command From A Scheduled Task | intermediate | 1 | Kernel-Process |
| Netsh Allowed Python Program | intermediate | 1 | Microsoft-Windows-Sysmon |
| DNS Exfiltration and Tunneling Tools Execution | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| QakBot Process Creation | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious Scripting In A WMI Consumer | intermediate | 20 | Microsoft-Windows-Sysmon |
| Active Directory User Backdoors | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
| NetNTLM Downgrade Attack | intermediate | 13, 4657 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
| OneNote Embedded File | intermediate | 11, 15 | Microsoft-Windows-Sysmon |
| MalwareBytes Uninstallation | intermediate | 1 | Microsoft-Windows-Sysmon |
| Transfering Files With Credential Data Via Network Shares | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
| Suspicious Commands From MS SQL Server Shell | intermediate | 1 | Kernel-Process |
| Microsoft Office Spawning Script | intermediate | 1 | Microsoft-Windows-Sysmon |
| Cobalt Strike Default Beacons Names | intermediate | 1, 15 | Microsoft-Windows-Sysmon |
| Screenconnect Remote Execution | intermediate | 1, 5 | Kernel-Process |
| Microsoft 365 (Office 365) Malware Uploaded On SharePoint | intermediate | 6 | |
| Rare Lsass Child Found | intermediate | 1 | Microsoft-Windows-Sysmon |
| Sysprep On AppData Folder | intermediate | 1 | Microsoft-Windows-Sysmon |
| DCSync Attack | intermediate | 4662 | Microsoft-Windows-Security-Auditing |
| Suspicious Cmd File Copy Command To Network Share | intermediate | 30 | Microsoft-Windows-Kernel-File |
| Correlation Suspicious Authentication Coercer Behavior | intermediate | 4624, 5145 | Microsoft-Windows-Security-Auditing |
| DC Shadow via Service Principal Name (SPN) creation | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
| Phosphorus Domain Controller Discovery | intermediate | 4104 | Microsoft-Windows-PowerShell |
| Microsoft Defender Antivirus Disable Services | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | 1 | Microsoft-Windows-Sysmon |
| KeePass Config XML In Command-Line | intermediate | 1 | Microsoft-Windows-Sysmon |
| Cmdkey Cached Credentials Recon | intermediate | 1 | Microsoft-Windows-Sysmon |
| DPAPI Domain Backup Key Extraction | intermediate | 4662 | Microsoft-Windows-Security-Auditing |
| Registry Key Used By Some Old Agent Tesla Samples | intermediate | 13 | Microsoft-Windows-Sysmon |
| Suspicious CodePage Switch with CHCP | intermediate | 1 | Microsoft-Windows-Sysmon |
| CertOC Loading Dll | intermediate | 1 | Kernel-Process |
| Generic-reverse-shell-oneliner | intermediate | 3 | Microsoft-Windows-Kernel-Network |
| Creation or Modification of a GPO Scheduled Task | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
| Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error |
| Powershell Web Request And Windows Script | intermediate | 5 | Kernel-Process |
| WCE wceaux.dll Creation | intermediate | 30 | Microsoft-Windows-Kernel-File |
| Suspicious Desktopimgdownldr Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
| Microsoft 365 (Office 365) Malware Uploaded On OneDrive | intermediate | 6 | |
| Suspicious LDAP-Attributes Used | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
| Python HTTP Server | intermediate | 1 | Microsoft-Windows-Sysmon |
| Sliver DNS Beaconing | intermediate | 22 | Microsoft-Windows-Sysmon |
| HackTools Suspicious Process Names In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon |
| Windows Suspicious Service Creation | intermediate | 13, 4697 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
| SolarWinds Wrong Child Process | intermediate | 1 | Microsoft-Windows-Sysmon |
| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Wmic Service Call | intermediate | 1 | Microsoft-Windows-Sysmon |
| Netscan Share Access Artefact | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
| Suspicious SAM Dump | intermediate | 16 | Microsoft-Windows-Kernel-General |
| JS PowerShell Infection Chains | intermediate | 1 | Kernel-Process |
| ETW Tampering | intermediate | 1 | Microsoft-Windows-Sysmon |
| Schtasks Suspicious Parent | intermediate | 1 | Kernel-Process |
| Wmic Process Call Creation | intermediate | 1 | Microsoft-Windows-Sysmon |
| Possible RottenPotato Attack | intermediate | 4624 | Microsoft-Windows-Security-Auditing |
| Credential Dumping Tools Service Execution | intermediate | 7045 | Service Control Manager |
| Correlation Supicious Powershell Drop and Exec | intermediate | 1, 3, 11 | Kernel-Process, Microsoft-Windows-Kernel-File, Microsoft-Windows-Kernel-Network |
| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | 4720 | Microsoft-Windows-Security-Auditing |
| Windows Suspicious Scheduled Task Creation | intermediate | 4698 | Microsoft-Windows-Security-Auditing |
| MOFComp Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious Mshta Execution From Wmi | intermediate | 1 | Microsoft-Windows-Sysmon |
| Exfiltration Domain In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon |
| DHCP Server Loaded the CallOut DLL | intermediate | 1033 | Microsoft-Windows-DHCP-Server |
| GPO Executable Delivery | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
| Suspect Svchost Memory Access | intermediate | 10 | Microsoft-Windows-Sysmon |
| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1034 | Microsoft-Windows-DHCP-Server |
| Suspicious Rundll32.exe Executions | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon |
| Exchange Server Spawning Suspicious Processes | intermediate | 1 | Microsoft-Windows-Sysmon |
| Microsoft Exchange Server Creating Unusual Files | intermediate | 11 | Microsoft-Windows-Sysmon |
| Spyware Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
| Malicious Named Pipe | intermediate | 17 | Microsoft-Windows-Sysmon |
| Suspicious Driver Loaded | intermediate | 13 | Microsoft-Windows-Sysmon |
| TrustedInstaller Impersonation | intermediate | 4104 | Microsoft-Windows-PowerShell |
| Eventlog Cleared | intermediate | 1102 | |
Microsoft-Windows-Eventlog |
| SquirrelWaffle Malspam Execution Loading DLL |
intermediate |
1 |
Microsoft-Windows-Sysmon |
| Active Directory Delegate To KRBTGT Service |
intermediate |
4738 |
Microsoft-Windows-Security-Auditing |
| Impacket Addcomputer |
intermediate |
4741 |
Microsoft-Windows-Security-Auditing |
| Audio Capture via PowerShell |
intermediate |
1, 4104 |
Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Denied Access To Remote Desktop |
intermediate |
4825 |
Microsoft-Windows-Security-Auditing |
| Disable .NET ETW Through COMPlus_ETWEnabled |
intermediate |
1, 13 |
Microsoft-Windows-Sysmon |
| RDP Port Change Using Powershell |
intermediate |
13, 4104 |
Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Suspicious DLL side loading from ProgramData |
intermediate |
7 |
Microsoft-Windows-Sysmon |
| Process Memory Dump Using Comsvcs |
intermediate |
1 |
Kernel-Process, Microsoft-Windows-Sysmon |
| Hijack Legit RDP Session To Move Laterally |
intermediate |
11 |
Microsoft-Windows-Sysmon |
| TUN/TAP Driver Installation |
intermediate |
7045 |
Service Control Manager |
| Clear EventLogs Through CommandLine |
intermediate |
1 |
Microsoft-Windows-Sysmon |
| SolarWinds Suspicious File Creation |
intermediate |
11 |
Microsoft-Windows-Sysmon |
| STRRAT Scheduled Task |
intermediate |
1 |
Microsoft-Windows-Sysmon |
| Suspicious DLL Loading By Ordinal |
intermediate |
1 |
Microsoft-Windows-Sysmon |
| Formbook File Creation DB1 |
intermediate |
11 |
Microsoft-Windows-Sysmon |
| Microsoft 365 (Office 365) AtpDetection |
intermediate |
47 |
|
| StoneDrill Service Install |
intermediate |
7045 |
Service Control Manager |
| Backup Catalog Deleted |
intermediate |
524 |
Microsoft-Windows-Backup |
| Correlation PowerShell Suspicious DLL Loading |
intermediate |
5, 53504 |
Kernel-Process, Microsoft-Windows-PowerShell |
| Active Directory Replication User Backdoor |
intermediate |
5136 |
Microsoft-Windows-Security-Auditing |
| Microsoft Defender Antivirus Disable Scheduled Tasks |
intermediate |
1, 4104 |
Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Inhibit System Recovery Deleting Backups |
intermediate |
1, 4104 |
Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Chafer (APT 39) Activity |
intermediate |
4697, 7045 |
Microsoft-Windows-Security-Auditing, Service Control Manager |
| Reconnaissance Commands Activities |
intermediate |
1 |
Kernel-Process |
| Blue Mockingbird Malware |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Microsoft 365 Sign-in With No User Agent |
elementary |
15 |
|
| WMI Persistence Command Line Event Consumer |
elementary |
7 |
Microsoft-Windows-Sysmon |
| Credential Dumping By LaZagne |
elementary |
10 |
Microsoft-Windows-Sysmon |
| Ursnif Registry Key |
elementary |
13 |
Microsoft-Windows-Sysmon |
| Entra ID Sign-In Via Known AiTM Phishing Kit (Sneaky 2FA) |
elementary |
15 |
|
| Mimikatz Basic Commands |
elementary |
4103 |
Microsoft-Windows-PowerShell |
| Lazarus Loaders |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Suspicious Certificate Request-adcs Abuse |
elementary |
4887 |
Microsoft-Windows-Security-Auditing |
| Malspam Execution Registering Malicious DLL |
elementary |
1, 11 |
Microsoft-Windows-Sysmon |
| Mustang Panda Dropper |
elementary |
1 |
Microsoft-Windows-Sysmon |
| FlowCloud Malware |
elementary |
13 |
Microsoft-Windows-Sysmon |
| UAC Bypass Via Sdclt |
elementary |
1, 13 |
Microsoft-Windows-Sysmon |
| Process Memory Dump Using Rdrleakdiag |
elementary |
5 |
Kernel-Process |
| DNS Tunnel Technique From MuddyWater |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Entra ID Sign-In Via Known AiTM Phishing Kit (Greatness) |
elementary |
15 |
|
| Antivirus Password Dumper Detection |
elementary |
1116 |
Microsoft-Windows-Windows Defender |
| Entra ID Consent Attempt to Suspicious OAuth Application |
elementary |
15 |
|
| Empire Monkey Activity |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Exploit For CVE-2015-1641 |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA) |
elementary |
15 |
|
| SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory |
elementary |
4704 |
Microsoft-Windows-Security-Auditing |
| Netsh RDP Port Forwarding |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Microsoft 365 Suspicious Inbox Rule |
elementary |
1 |
|
| Suncrypt Parameters |
elementary |
1, 4104 |
Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Wdigest Enable UseLogonCredential |
elementary |
1, 13 |
Microsoft-Windows-Sysmon |
| Disabling SmartScreen Via Registry |
elementary |
13 |
Microsoft-Windows-Sysmon |
| Smbexec.py Service Installation |
elementary |
7045 |
Service Control Manager |
| Suspicious Headless Web Browser Execution To Download File |
elementary |
5 |
Kernel-Process |
| Entra ID Password Compromised By Known Credential Testing Tool |
elementary |
15 |
|
| RTLO Character |
elementary |
15 |
Microsoft-Windows-Sysmon |
| Phorpiex DriveMgr Command |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Mshta JavaScript Execution |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Exploited CVE-2020-10189 Zoho ManageEngine |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Correlation Impacket Smbexec |
elementary |
5145 |
Microsoft-Windows-Security-Auditing |
| Suspicious VBS Execution Parameter |
elementary |
1 |
Microsoft-Windows-Sysmon |
| LanManServer Registry Modify |
elementary |
13 |
Microsoft-Windows-Sysmon |
| Copying Browser Files With Credentials |
elementary |
1 |
Microsoft-Windows-Sysmon |
| PowerShell Downgrade Attack |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Antivirus Exploitation Framework Detection |
elementary |
1116 |
Microsoft-Windows-Windows Defender |
| Msdt (Follina) File Browse Process Execution |
elementary |
1, 4104 |
Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Disable Task Manager Through Registry Key |
elementary |
1, 13 |
Microsoft-Windows-Sysmon |
| Active Directory Database Dump Via Ntdsutil |
elementary |
325 |
ESENT |
| Copying Sensitive Files With Credential Data |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Microsoft Defender Antivirus Signatures Removed With MpCmdRun |
elementary |
1 |
Microsoft-Windows-Sysmon |
| APT29 Fake Google Update Service Install |
elementary |
7045 |
Service Control Manager |
| Debugging Software Deactivation |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Entra ID Sign-In Via Known AiTM Phishing Kit (Rockstar 2FA) |
elementary |
15 |
|
| Active Directory Shadow Credentials |
elementary |
5136 |
Microsoft-Windows-Security-Auditing |
| Entra ID Sign-In Via Known AiTM Phishing Kit (Gabagool) |
elementary |
15 |
|
| Impacket Wmiexec Module |
elementary |
1, 4688 |
Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
| Tactical RMM Installation |
elementary |
5 |
Kernel-Process |
| ICacls Granting Access To All |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Microsoft Office Startup Add-In |
elementary |
11 |
Microsoft-Windows-Sysmon |
| Suspicious Hangul Word Processor Child Process |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Meterpreter or Cobalt Strike Getsystem Service Installation |
elementary |
1, 13, 17, 4697, 7045 |
Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager |
| Turla Named Pipes |
elementary |
17 |
Microsoft-Windows-Sysmon |
| RedMimicry Winnti Playbook Dropped File |
elementary |
11 |
Microsoft-Windows-Sysmon |
| Suspicious Windows ANONYMOUS LOGON Local Account Created |
elementary |
4720 |
Microsoft-Windows-Security-Auditing |
| CVE-2019-0708 Scan |
elementary |
4625 |
Microsoft-Windows-Security-Auditing |
| Domain Trust Discovery Through LDAP |
elementary |
1, 4688 |
Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon |
| SysKey Registry Keys Access |
elementary |
4663 |
Microsoft-Windows-Security-Auditing |
| Office Application Startup Office Test |
elementary |
1, 13 |
Microsoft-Windows-Sysmon |
| Dumpert LSASS Process Dumper |
elementary |
7, 11 |
Microsoft-Windows-Sysmon |
| Leviathan Registry Key Activity |
elementary |
1, 13 |
Microsoft-Windows-Sysmon |
| Microsoft 365 Email Forwarding To Privacy Email Address |
elementary |
1 |
|
| Elise Backdoor |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Antivirus Web Shell Detection |
elementary |
1116 |
Microsoft-Windows-Windows Defender |
| Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA) |
elementary |
15 |
|
| Schtasks Persistence With High Privileges |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Entra ID Password Compromised Via Seamless SSO Credential Testing |
elementary |
15 |
|
| Phosphorus (APT35) Exchange Discovery |
elementary |
4104 |
Microsoft-Windows-PowerShell |
| Malicious Service Installations |
elementary |
7045 |
Service Control Manager |
| Windows Update LolBins |
elementary |
1 |
Microsoft-Windows-Sysmon |
| WMI Install Of Binary |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Cobalt Strike Default Service Creation Usage |
elementary |
4697, 7045 |
Microsoft-Windows-Security-Auditing, Service Control Manager |
| Microsoft Entra ID (Azure AD) Domain Trust Modification |
elementary |
8 |
|
| Process Memory Dump Using Createdump |
elementary |
1 |
Kernel-Process |
| Raccine Uninstall |
elementary |
1 |
Microsoft-Windows-Sysmon |
| AdFind Usage |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Microsoft Defender Antivirus History Directory Deleted |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Suspicious Netsh DLL Persistence |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Kerberos Pre-Auth Disabled in UAC |
elementary |
4738 |
Microsoft-Windows-Security-Auditing |
| Phorpiex Process Masquerading |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Windows Credential Editor Registry Key |
elementary |
13 |
Microsoft-Windows-Sysmon |
| Invoke-TheHash Commandlets |
elementary |
4104 |
Microsoft-Windows-PowerShell |
| IcedID Execution Using Excel |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Enabling Restricted Admin Mode |
elementary |
1 |
Kernel-Process |
| Security Support Provider (SSP) Added to LSA Configuration |
elementary |
13 |
Microsoft-Windows-Sysmon |
| Disable Workstation Lock |
elementary |
13 |
Microsoft-Windows-Sysmon |
| Winword Document Droppers |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Equation Group DLL_U Load |
elementary |
1 |
Microsoft-Windows-Sysmon |
| Sticky Key Like Backdoor Usage |
elementary |
13 |
Microsoft-Windows-Sysmon |
| Active Directory Data Export Using Csvde |
elementary |
1 |
Kernel-Process |
| RedMimicry Winnti Playbook Registry Manipulation |
elementary |
1, 13 |
Microsoft-Windows-Sysmon |
| Suspicious Activity Using Quick Assist |
elementary |
25 |
|
| Windows Defender Logging Modification Via Registry |
elementary |
1, 13 |
Kernel-Process, Microsoft-Windows-Sysmon |
| Audit CVE Event |
elementary |
1 |
Microsoft-Windows-Audit-CVE |
| PasswordDump SecurityXploded Tool |
elementary |
1 |
Microsoft-Windows-Sysmon |