Detection rules
3297 catalog-relevant detection rules from Sigma, Elastic, and Splunk — 3297 parsed into the vendor-neutral intermediate representation, spanning 349 MITRE ATT&CK techniques. 9 equivalence classes group rules with identical canonical predicate form. Each rule page surfaces predicates, exclusions, and the indicators that other rules share with it.
Reconnaissance
Gather Victim Network Information T1590 4 rules
- Splunk Local LLM Framework DNS Query
- Kusto Query Language Network Port Sweep from External Network (ASIM Network Session schema)
- Kusto Query Language Rare client observed with high reverse DNS lookup count - Static threshold based (ASIM DNS Solution)
- Sigma Suspicious DNS Query for IP Lookup Service APIs
Gather Victim Host Information T1592 3 rules
- Splunk Recon AVProduct Through Pwh or WMI
- Splunk Recon Using WMI Class
- Splunk WMI Recon Running Process Or Services
Active Scanning T1595 2 rules
Resource Development
Compromise Infrastructure T1584 1 rule
- Sigma Windows Update Error
Obtain Capabilities: Tool T1588.002 10 rules
- Sigma Hacktool Execution - Imphash
- Sigma Hacktool Execution - PE Metadata
- Sigma Potential Execution of Sysinternals Tools
- Sigma PUA - Sysinternal Tool Execution - Registry
- Sigma PUA - Sysinternals Tools Execution - Registry
- Sigma Renamed SysInternals DebugView Execution
- Sigma Suspicious Execution Of Renamed Sysinternals Tools - Registry
- Sigma Suspicious Keyboard Layout Load
- Sigma Usage of Renamed Sysinternals Tools - RegistrySet
- Splunk Windows NirSoft Tool Bundle File Created
Initial Access
Valid Accounts T1078 35 rules
- Elastic Access to a Sensitive LDAP Attribute
- Sigma Account Tampering - Suspicious Failed Logon Reasons
- Elastic AdminSDHolder Backdoor
- Kusto Query Language AdminSDHolder Modifications
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Delegated Managed Service Account Modification by an Unusual User
- Elastic dMSA Account Creation by an Unusual User
- Kusto Query Language EatonForeseer - Unauthorized Logins
- Kusto Query Language Email access via active sync
- Sigma External Remote RDP Logon from Public IP
- Sigma External Remote SMB Logon from Public IP
- Sigma Failed Logon From Public IP
- Elastic FirstTime Seen Account Performing DCSync
- Elastic Kerberos Pre-authentication Disabled for User
- Kusto Query Language New user created and added to the built-in administrators group
- Sigma Password Provided In Command Line Of Net.EXE
- Elastic Potential Account Takeover - Logon from New Source IP
- Elastic Potential Account Takeover - Mixed Logon Types
- Elastic Potential Credential Access via DCSync
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Elastic Remote Computer Account DnsHostName Update
- Kusto Query Language Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Sigma Suspicious Computer Machine Password by PowerShell
- Sigma Suspicious Remote Logon with Explicit Credentials
- Splunk Unusual Number of Computer Service Tickets Requested
- Splunk Unusual Number of Remote Endpoint Authentication Events
- Kusto Query Language User account added to built in domain local or global group
- Kusto Query Language User account created and deleted within 10 mins
- Kusto Query Language User account enabled and disabled within 10 mins
- Sigma User Added to Local Administrator Group
- Kusto Query Language User login from different countries within 3 hours (Uses Authentication Normalization)
- Splunk Windows Large Number of Computer Service Tickets Requested
- Splunk Windows Multiple Account Passwords Changed
- Splunk Windows Multiple Accounts Deleted
- Splunk Windows Multiple Accounts Disabled
Valid Accounts: Domain Accounts T1078.002 19 rules
- Elastic Access to a Sensitive LDAP Attribute
- Sigma Admin User Remote Logon
- Elastic AdminSDHolder Backdoor
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Delegated Managed Service Account Modification by an Unusual User
- Elastic dMSA Account Creation by an Unusual User
- Sigma DMSA Link Attributes Modified
- Sigma DMSA Service Account Created in Specific OUs - PowerShell
- Elastic FirstTime Seen Account Performing DCSync
- Elastic Kerberos Pre-authentication Disabled for User
- Sigma New DMSA Service Account Created in Specific OUs
- Elastic Potential Credential Access via DCSync
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Elastic Remote Computer Account DnsHostName Update
- Splunk Suspicious Computer Account Name Change
- Splunk Suspicious Kerberos Service Ticket Request
- Splunk Suspicious Ticket Granting Ticket Request
- Splunk Windows Group Policy Object Created
- Splunk Windows PowerView AD Access Control List Enumeration
Valid Accounts: Local Accounts T1078.003 2 rules
- Sigma Admin User Remote Logon
- Splunk Short Lived Windows Accounts
External Remote Services T1133 17 rules
- Splunk Detect Exchange Web Shell
- Sigma External Remote RDP Logon from Public IP
- Sigma External Remote SMB Logon from Public IP
- Sigma Failed Logon From Public IP
- Splunk MS Exchange Mailbox Replication service writing Active Server Pages
- Splunk Outbound Network Connection from Java Using Default Ports
- Sigma Remote Access Tool - ScreenConnect Installation Execution
- Sigma Remote Access Tool - Team Viewer Session Started On Windows Host
- Sigma Running Chrome VPN Extensions via the Registry 2 VPN Extension
- Sigma Suspicious File Created by ArcSOC.exe
- Sigma Unusual Child Process of dns.exe
- Sigma Unusual File Deletion by Dns.exe
- Sigma Unusual File Modification by dns.exe
- Sigma User Added to Remote Desktop Users Group
- Splunk Web or Application Server Spawning a Shell
- Splunk Windows MOVEit Transfer Writing ASPX
- Splunk Windows RDPClient Connection Sequence Events
Drive-by Compromise T1189 2 rules
- Splunk Detect hosts connecting to dynamic domain providers
- Kusto Query Language RecordedFuture Threat Hunting Hash All Actors
Exploit Public-Facing Application T1190 24 rules
- Kusto Query Language AV detections related to SpringShell Vulnerability
- Splunk ConnectWise ScreenConnect Path Traversal
- Splunk ConnectWise ScreenConnect Path Traversal Windows SACL
- Splunk Detect Exchange Web Shell
- Kusto Query Language Exchange OAB Virtual Directory Attribute Containing Potential Webshell
- Sigma Failed Logon From Public IP
- Kusto Query Language Identify SysAid Server web shell creation
- Kusto Query Language Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory
- Splunk MS Exchange Mailbox Replication service writing Active Server Pages
- Splunk Outbound Network Connection from Java Using Default Ports
- Sigma Remote Access Tool - ScreenConnect Server Web Shell Execution
- Kusto Query Language Silk Typhoon New UM Service Child Process
- Sigma Suspicious Child Process Of SQL Server
- Sigma Suspicious File Drop by Exchange
- Sigma Suspicious File Write to SharePoint Layouts Directory
- Sigma Suspicious File Write to Webapps Root Directory
- Sigma Suspicious MSExchangeMailboxReplication ASPX Write
- Sigma Suspicious Process By Web Server Process
- Sigma Suspicious Processes Spawned by WinRM
- Sigma Terminal Service Process Spawn
- Splunk Web or Application Server Spawning a Shell
- Splunk Windows Identify PowerShell Web Access IIS Pool
- Splunk Windows MOVEit Transfer Writing ASPX
- Splunk Windows SharePoint Spinstall0 Webshell File Creation
Supply Chain Compromise T1195 7 rules
- Splunk GitHub Workflow File Creation or Modification
- Sigma Octopus Scanner Malware
- Splunk Shai-Hulud Workflow File Creation or Modification
- Kusto Query Language Solorigate Defender Detections
- Kusto Query Language SUNBURST and SUPERNOVA backdoor hashes
- Kusto Query Language SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- Kusto Query Language SUNBURST network beacons
Supply Chain Compromise: Compromise Software Dependencies and Development Tools T1195.001 1 rule
- Sigma Octopus Scanner Malware
Supply Chain Compromise: Compromise Software Supply Chain T1195.002 6 rules
- Splunk 3CX Supply Chain Attack Network Indicators
- Sigma Notepad++ Updater DNS Query to Uncommon Domains
- Splunk Shai-Hulud 2 Exfiltration Artifact Files
- Sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe
- Sigma Uncommon File Created by Notepad++ Updater Gup.EXE
- Splunk Windows Vulnerable 3CX Software
Hardware Additions T1200 6 rules
Phishing T1566 8 rules
- Sigma HTML Help HH.EXE Suspicious Child Process
- Sigma Phishing Pattern ISO in Archive
- Sigma Potential Initial Access via DLL Search Order Hijacking
- Kusto Query Language RecordedFuture Threat Hunting Domain All Actors
- Sigma Suspicious HH.EXE Execution
- Sigma Suspicious Microsoft OneNote Child Process
- Splunk Windows InProcServer32 New Outlook Form
- Splunk Windows Phishing Outlook Drop Dll In FORM Dir
Phishing: Spearphishing Attachment T1566.001 30 rules
- Sigma Arbitrary Shell Command Execution Via Settingcontent-Ms
- Splunk Detect Outlook exe writing a zip file
- Sigma HTML Help HH.EXE Suspicious Child Process
- Sigma ISO File Created Within Temp Folders
- Sigma ISO Image Mounted
- Sigma ISO or Image Mount Indicator in Recent Files
- Sigma Office Macro File Creation
- Sigma Office Macro File Creation From Suspicious Process
- Sigma Office Macro File Download
- Sigma Password Protected ZIP File Opened (Email Attachment)
- Sigma Potential Initial Access via DLL Search Order Hijacking
- Sigma Suspicious Double Extension File Execution
- Sigma Suspicious Execution From Outlook Temporary Folder
- Sigma Suspicious File Created in Outlook Temporary Directory
- Sigma Suspicious HH.EXE Execution
- Sigma Suspicious HWP Sub Processes
- Sigma Suspicious Microsoft OneNote Child Process
- Splunk Windows CAB File on Disk
- Splunk Windows Defender ASR Audit Events
- Splunk Windows Defender ASR Block Events
- Splunk Windows Defender ASR Rules Stacking
- Splunk Windows ISO LNK File Creation
- Splunk Windows Office Product Dropped Cab or Inf File
- Splunk Windows Office Product Dropped Uncommon File
- Splunk Windows Office Product Loaded MSHTML Module
- Splunk Windows Office Product Loading Taskschd DLL
- Splunk Windows Office Product Loading VBE7 DLL
- Splunk Windows Phishing Recent ISO Exec Registry
- Sigma Windows Registry Trust Record Modification
- Splunk Windows Spearphishing Attachment Connect To None MS Office Domain
Phishing: Spearphishing Link T1566.002 6 rules
- Kusto Query Language Office ASR rule triggered from browser spawned office process.
- Splunk Process Creating LNK file in Suspicious Location
- Kusto Query Language Suspicious parentprocess relationship - Office child processes.
- Splunk Windows Defender ASR Audit Events
- Splunk Windows Defender ASR Block Events
- Splunk Windows Defender ASR Rules Stacking
Execution
Windows Management Instrumentation T1047 48 rules
- Sigma Application Removed Via Wmic.EXE
- Sigma Application Terminated Via Wmic.EXE
- Sigma Computer System Reconnaissance Via Wmic.EXE
- Sigma HackTool - CrackMapExec Execution
- Sigma HackTool - CrackMapExec Execution Patterns
- Sigma HackTool - Potential Impacket Lateral Movement Activity
- Sigma Hardware Model Reconnaissance Via Wmic.EXE
- Sigma HTML Help HH.EXE Suspicious Child Process
- Sigma New Process Created Via Wmic.EXE
- Sigma Password Set to Never Expire via WMI
- Sigma Potential Product Class Reconnaissance Via Wmic.EXE
- Sigma Potential Product Reconnaissance Via Wmic.EXE
- Sigma Potential Remote SquiblyTwo Technique Execution
- Sigma Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
- Sigma Potential Windows Defender Tampering Via Wmic.EXE
- Sigma Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk PowerShell Invoke CIMMethod CIMSession
- Splunk PowerShell Invoke WmiExec Usage
- Sigma Process Reconnaissance Via Wmic.EXE
- Sigma PSExec and WMI Process Creations Block
- Sigma RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
- Sigma Registry Manipulation via WMI Stdregprov
- Splunk Remote Process Instantiation via WMI and PowerShell Script Block
- Sigma Script Event Consumer Spawning Process
- Sigma Service Reconnaissance Via Wmic.EXE
- Sigma Service Started/Stopped Via Wmic.EXE
- Sigma Successful Account Login Via WMI
- Sigma Suspicious Autorun Registry Modified via WMI
- Sigma Suspicious Encoded Scripts in a WMI Consumer
- Sigma Suspicious HH.EXE Execution
- Sigma Suspicious Microsoft Office Child Process
- Sigma Suspicious Process Created Via Wmic.EXE
- Sigma Suspicious WMIC Execution Via Office Process
- Sigma Suspicious WmiPrvSE Child Process
- Sigma System Disk And Volume Reconnaissance Via Wmic.EXE
- Sigma T1047 Wmiprvse Wbemcomn DLL Hijack
- Sigma Windows Hotfix Updates Reconnaissance Via Wmic.EXE
- Splunk Windows WMI Impersonate Token
- Sigma WMI Event Consumer Created Named Pipe
- Sigma WMIC Remote Command Execution
- Sigma WMIC Unquoted Services Path Lookup - PowerShell
- Sigma Wmiexec Default Output File
- Sigma WMImplant Hack Tool
- Sigma WmiPrvSE Spawned A Process
- Sigma Wmiprvse Wbemcomn DLL Hijack
- Sigma Wmiprvse Wbemcomn DLL Hijack - File
- Sigma XSL Script Execution Via WMIC.EXE
Scheduled Task/Job T1053 16 rules
- Elastic A scheduled task was created
- Kusto Query Language AV detections related to Tarrask malware
- Sigma HackTool - CrackMapExec Execution
- Sigma HackTool - CrackMapExec Execution Patterns
- Sigma HackTool - SharPersist Execution
- Elastic Remote Scheduled Task Creation via RPC
- Splunk Schedule Task with HTTP Command Arguments
- Splunk Schedule Task with Rundll32 Command Trigger
- Elastic Scheduled Task Execution at Scale via GPO
- Sigma Scheduled TaskCache Change by Uncommon Program
- Sigma Suspicious Scheduled Task Write to System32 Tasks
- Elastic Temporarily Scheduled Task Creation
- Elastic Unusual Scheduled Task Update
- Splunk Windows Hidden Schedule Task Settings
- Splunk Windows Scheduled Task DLL Module Loaded
- Splunk Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
Scheduled Task/Job: At T1053.002 2 rules
Scheduled Task/Job: Scheduled Task T1053.005 48 rules
- Elastic A scheduled task was created
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Sigma Important Scheduled Task Deleted/Disabled
- Sigma Persistence and Execution at Scale via GPO Scheduled Task
- Sigma Potential Persistence Via Microsoft Compatibility Appraiser
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task
- Sigma Potential Registry Persistence Attempt Via Windows Telemetry
- Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task
- Sigma Powershell Create Scheduled Task
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Randomly Generated Scheduled Task Name
- Elastic Remote Scheduled Task Creation via RPC
- Sigma Renamed Schtasks Execution
- Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
- Sigma Scheduled Task Creation Masquerading as System Processes
- Sigma Scheduled Task Creation Via Schtasks.EXE
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo
- Sigma Scheduled Task Executed From A Suspicious Location
- Sigma Scheduled Task Executed Uncommon LOLBIN
- Sigma Scheduled Task Executing Encoded Payload from Registry
- Sigma Scheduled Task Executing Payload from Registry
- Elastic Scheduled Task Execution at Scale via GPO
- Sigma Scheduled TaskCache Change by Uncommon Program
- Sigma Schtasks Creation Or Modification With SYSTEM Privileges
- Sigma Schtasks From Suspicious Folders
- Splunk Short Lived Scheduled Task
- Sigma Suspicious Command Patterns In Scheduled Task Creation
- Sigma Suspicious Modification Of Scheduled Tasks
- Sigma Suspicious Scheduled Task Creation
- Sigma Suspicious Scheduled Task Creation Involving Temp Folder
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File
- Sigma Suspicious Scheduled Task Name As GUID
- Sigma Suspicious Scheduled Task Update
- Sigma Suspicious Schtasks Execution AppData Folder
- Sigma Suspicious Schtasks Schedule Type With High Privileges
- Sigma Suspicious Schtasks Schedule Types
- Elastic Temporarily Scheduled Task Creation
- Sigma Uncommon One Time Only Scheduled Task At 00:00
- Elastic Unusual Scheduled Task Update
- Splunk Windows Compatibility Telemetry Tampering Through Registry
- Splunk Windows Enable Win32 ScheduledJob via Registry
- Splunk Windows PowerShell ScheduleTask
- Splunk Windows Registry Delete Task SD
- Splunk Windows Scheduled Task with Suspicious Command
- Splunk Windows Scheduled Task with Suspicious Name
- Splunk WinEvent Scheduled Task Created to Spawn Shell
- Splunk WinEvent Scheduled Task Created Within Public Path
- Splunk WinEvent Windows Task Scheduler Event Action Started
Command and Scripting Interpreter T1059 94 rules
- Sigma Abusable DLL Potential Sideloading From Suspicious Location
- Sigma Add Insecure Download Source To Winget
- Sigma Add New Download Source To Winget
- Sigma Add Potential Suspicious New Download Source To Winget
- Kusto Query Language Base64 encoded Windows process command-lines (Normalized Process Events)
- Sigma Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
- Sigma Conhost Spawned By Uncommon Parent Process
- Kusto Query Language Deimos Component Execution
- Kusto Query Language Detect Suspicious Commands Initiated by Webserver Processes
- Kusto Query Language Doppelpaymer Stop Services
- Elastic Dynamic IEX Reconstruction via Method String Access
- Sigma Elevated System Shell Spawned From Uncommon Parent Location
- Sigma Forfiles Command Execution
- Kusto Query Language Google Threat Intelligence - Threat Hunting Hash
- Sigma HackTool - Sliver C2 Implant Activity Pattern
- Sigma HackTool - Stracciatella Execution
- Sigma Hacktool Ruler
- Sigma Install New Package Via Winget Local Manifest
- Sigma Installation of WSL Kali-Linux
- Kusto Query Language Java Executing cmd to run Powershell
- Kusto Query Language Midnight Blizzard - Script payload stored in Registry
- Kusto Query Language NRT Base64 Encoded Windows Process Command-lines
- Kusto Query Language NRT Process executed from binary hidden in Base64 encoded file
- Kusto Query Language Office Apps Launching Wscipt
- Sigma Outlook EnableUnsafeClientMailRules Setting Enabled
- Sigma PCRE.NET Package Image Load
- Sigma PCRE.NET Package Temp Files
- Sigma Perl Inline Command Execution
- Sigma Php Inline Command Execution
- Sigma Potential Arbitrary Command Execution Via FTP.EXE
- Sigma Potential CobaltStrike Process Patterns
- Sigma Potential Dosfuscation Activity
- Elastic Potential Dynamic IEX Reconstruction via Environment Variables
- Sigma Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
- Elastic Potential PowerShell Obfuscation via Character Array Reconstruction
- Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
- Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion
- Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences
- Elastic Potential PowerShell Obfuscation via Reverse Keywords
- Elastic Potential PowerShell Obfuscation via Special Character Overuse
- Elastic Potential PowerShell Obfuscation via String Concatenation
- Elastic Potential PowerShell Obfuscation via String Reordering
- Sigma Potentially Suspicious Execution From Parent Process In Public Folder
- Sigma Potentially Suspicious NTFS Symlink Behavior Modification
- Sigma PowerShell Download and Execution Cradles
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Elastic PowerShell Obfuscation via Negative Index String Reversal
- Splunk Process Writing DynamicWrapperX
- Sigma PUA - Wsudo Suspicious Execution
- Sigma Python Inline Command Execution
- Sigma Python Spawning Pretty TTY on Windows
- Kusto Query Language Qakbot Discovery Activies
- Kusto Query Language RecordedFuture Threat Hunting Hash All Actors
- Sigma Renamed CURL.EXE Execution
- Sigma Renamed FTP.EXE Execution
- Sigma Renamed NirCmd.EXE Execution
- Sigma Renamed PingCastle Binary Execution
- Sigma Ruby Inline Command Execution
- Sigma Run PowerShell Script from Redirected Input Stream
- Sigma Script Interpreter Execution From Suspicious Folder
- Kusto Query Language SUNBURST and SUPERNOVA backdoor hashes
- Kusto Query Language SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- Kusto Query Language SUNBURST network beacons
- Kusto Query Language SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
- Sigma Suspicious ArcSOC.exe Child Process
- Sigma Suspicious File Created In PerfLogs
- Sigma Suspicious Greedy Compression Using Rar.EXE
- Sigma Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Kusto Query Language Suspicious Powershell Commandlet Executed
- Sigma Suspicious Program Names
- Sigma Suspicious RASdial Activity
- Sigma Suspicious Remote Child Process From Outlook
- Sigma Suspicious Runscripthelper.exe
- Sigma Suspicious Scan Loop Network
- Sigma Suspicious Script Execution From Temp Folder
- Sigma Sysprep on AppData Folder
- Kusto Query Language TEARDROP memory-only dropper
- Sigma Unusual Parent Process For Cmd.EXE
- Sigma Use of FSharp Interpreters
- Sigma Use of OpenConsole
- Sigma Use of Pcalua For Execution
- Sigma VMToolsd Suspicious Child Process
- Kusto Query Language Windows Binaries Executed from Non-Default Directory
- Kusto Query Language Windows Binaries Lolbins Renamed
- Sigma Windows Defender AMSI Trigger Detected
- Splunk Windows Defender ASR Audit Events
- Splunk Windows Defender ASR Block Events
- Splunk Windows Defender ASR Rules Stacking
- Sigma Windows Defender Exclusions Added - PowerShell
- Sigma Windows Defender Threat Detected
- Sigma Windows Shell/Scripting Application File Write to Suspicious Folder
- Sigma Writing Of Malicious Files To The Fonts Folder
- Sigma Wscript Shell Run In CommandLine
Command and Scripting Interpreter: PowerShell T1059.001 229 rules
- Sigma Alternate PowerShell Hosts - PowerShell Module
- Sigma Alternate PowerShell Hosts Pipe
- Sigma AppLocker Prevented Application or Script from Running
- Sigma Bad Opsec Powershell Code Artifacts
- Sigma Base64 Encoded PowerShell Command Detected
- Sigma BloodHound Collection Files
- Sigma Certificate Exported Via PowerShell
- Sigma Change PowerShell Policies to an Insecure Level
- Sigma Change PowerShell Policies to an Insecure Level - PowerShell
- Sigma Cmd.EXE Missing Space Characters Execution Anomaly
- Sigma Command Line Execution with Suspicious URL and AppData Strings
- Sigma ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Splunk Detect Certify With PowerShell Script Block Logging
- Splunk Detect Empire with PowerShell Script Block Logging
- Splunk Detect Mimikatz With PowerShell Script Block Logging
- Sigma Detection of PowerShell Execution via Sqlps.exe
- Sigma DSInternals Suspicious PowerShell Cmdlets
- Sigma DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
- Elastic Dynamic IEX Reconstruction via Method String Access
- Splunk Exchange PowerShell Module Usage
- Sigma Exchange PowerShell Snap-Ins Usage
- Kusto Query Language Exchange Worker Process Making Remote Call
- Sigma Execute Code with Pester.bat
- Sigma Execute Code with Pester.bat as Parent
- Sigma Execution of Powershell Script in Public Folder
- Splunk Get-ForestTrust with PowerShell Script Block
- Splunk GetLocalUser with PowerShell Script Block
- Splunk GetWmiObject User Account with PowerShell Script Block
- Sigma HackTool - Bloodhound/Sharphound Execution
- Sigma HackTool - Covenant PowerShell Launcher
- Sigma HackTool - CrackMapExec Execution
- Sigma HackTool - CrackMapExec Execution Patterns
- Sigma HackTool - CrackMapExec PowerShell Obfuscation
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Sigma HackTool - Empire PowerShell Launch Parameters
- Sigma Hidden Powershell in Link File Pattern
- Sigma HTML Help HH.EXE Suspicious Child Process
- Sigma Import PowerShell Modules From Suspicious Directories
- Sigma Import PowerShell Modules From Suspicious Directories - ProcCreation
- Sigma Invoke-Obfuscation CLIP+ Launcher
- Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell
- Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
- Sigma Invoke-Obfuscation CLIP+ Launcher - Security
- Sigma Invoke-Obfuscation CLIP+ Launcher - System
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - Security
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - System
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - Security
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - System
- Sigma Invoke-Obfuscation STDIN+ Launcher
- Sigma Invoke-Obfuscation STDIN+ Launcher - Powershell
- Sigma Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
- Sigma Invoke-Obfuscation STDIN+ Launcher - Security
- Sigma Invoke-Obfuscation STDIN+ Launcher - System
- Sigma Invoke-Obfuscation VAR+ Launcher
- Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell
- Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell Module
- Sigma Invoke-Obfuscation VAR+ Launcher - Security
- Sigma Invoke-Obfuscation VAR+ Launcher - System
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
- Sigma Invoke-Obfuscation Via Stdin
- Sigma Invoke-Obfuscation Via Stdin - Powershell
- Sigma Invoke-Obfuscation Via Stdin - PowerShell Module
- Sigma Invoke-Obfuscation Via Stdin - Security
- Sigma Invoke-Obfuscation Via Stdin - System
- Sigma Invoke-Obfuscation Via Use Clip
- Sigma Invoke-Obfuscation Via Use Clip - Powershell
- Sigma Invoke-Obfuscation Via Use Clip - PowerShell Module
- Sigma Invoke-Obfuscation Via Use Clip - Security
- Sigma Invoke-Obfuscation Via Use Clip - System
- Sigma Invoke-Obfuscation Via Use MSHTA
- Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell
- Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell Module
- Sigma Invoke-Obfuscation Via Use MSHTA - Security
- Sigma Invoke-Obfuscation Via Use MSHTA - System
- Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell
- Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
- Sigma Invoke-Obfuscation Via Use Rundll32 - Security
- Sigma Invoke-Obfuscation Via Use Rundll32 - System
- Sigma Malicious Base64 Encoded PowerShell Keywords in Command Lines
- Sigma Malicious Nishang PowerShell Commandlets
- Sigma Malicious PowerShell Commandlets - PoshModule
- Sigma Malicious PowerShell Commandlets - ProcessCreation
- Sigma Malicious PowerShell Commandlets - ScriptBlock
- Sigma Malicious PowerShell Keywords
- Splunk Malicious PowerShell Process With Obfuscation Techniques
- Sigma Malicious PowerShell Scripts - FileCreation
- Sigma Malicious PowerShell Scripts - PoshModule
- Sigma Malicious ShellIntel PowerShell Commandlets
- Sigma Net WebClient Casing Anomalies
- Sigma New PowerShell Instance Created
- Sigma Non Interactive PowerShell Process Spawned
- Sigma Nslookup PowerShell Download Cradle
- Sigma NTFS Alternate Data Stream
- Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM
- Sigma Obfuscated PowerShell OneLiner Execution
- Sigma Potential Data Exfiltration Activity Via CommandLine Tools
- Sigma Potential DLL File Download Via PowerShell Invoke-WebRequest
- Elastic Potential Dynamic IEX Reconstruction via Environment Variables
- Sigma Potential Encoded PowerShell Patterns In CommandLine
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task
- Sigma Potential PowerShell Command Line Obfuscation
- Sigma Potential PowerShell Downgrade Attack
- Sigma Potential PowerShell Obfuscation Using Alias Cmdlets
- Sigma Potential PowerShell Obfuscation Using Character Join
- Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
- Elastic Potential PowerShell Obfuscation via Character Array Reconstruction
- Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
- Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion
- Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences
- Elastic Potential PowerShell Obfuscation via Reverse Keywords
- Sigma Potential PowerShell Obfuscation Via Reversed Commands
- Elastic Potential PowerShell Obfuscation via Special Character Overuse
- Elastic Potential PowerShell Obfuscation via String Concatenation
- Elastic Potential PowerShell Obfuscation via String Reordering
- Sigma Potential PowerShell Obfuscation Via WCHAR/CHAR
- Sigma Potential Powershell ReverseShell Connection
- Sigma Potential Remote PowerShell Session Initiated
- Sigma Potential Suspicious PowerShell Keywords
- Sigma Potential WinAPI Calls Via PowerShell Scripts
- Sigma Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
- Sigma Potentially Suspicious Command Executed Via Run Dialog Box - Registry
- Sigma Potentially Suspicious WebDAV LNK Execution
- Splunk PowerShell 4104 Hunting
- Sigma PowerShell ADRecon Execution
- Sigma PowerShell Base64 Encoded FromBase64String Cmdlet
- Sigma PowerShell Base64 Encoded IEX Cmdlet
- Sigma PowerShell Base64 Encoded Invoke Keyword
- Sigma PowerShell Base64 Encoded Reflective Assembly Load
- Sigma PowerShell Base64 Encoded WMI Classes
- Sigma PowerShell Called from an Executable Version Mismatch
- Splunk Powershell COM Hijacking InprocServer32 Modification
- Sigma PowerShell Core DLL Loaded By Non PowerShell Process
- Sigma PowerShell Create Local User
- Splunk Powershell Creating Thread Mutex
- Sigma PowerShell Credential Prompt
- Splunk PowerShell Domain Enumeration
- Sigma PowerShell Downgrade Attack - PowerShell
- Sigma PowerShell Download Pattern
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk PowerShell Enable PowerShell Remoting
- Splunk Powershell Execute COM Object
- Sigma Powershell Executed From Headless ConHost Process
- Splunk Powershell Fileless Process Injection via GetProcAddress
- Splunk Powershell Fileless Script Contains Base64 Encoded Content
- Sigma Powershell Inline Execution From A File
- Splunk Powershell Load Module in Meterpreter
- Splunk PowerShell Loading DotNET into Memory via Reflection
- Sigma PowerShell MSI Install via WindowsInstaller COM From Remote Location
- Sigma Powershell MsXml COM Object
- Elastic PowerShell Obfuscation via Negative Index String Reversal
- Splunk Powershell Processing Stream Of Data
- Sigma PowerShell PSAttack
- Sigma PowerShell Remote Session Creation
- Splunk PowerShell Script Block With URL Chain
- Sigma PowerShell Script Run in AppData
- Sigma PowerShell ShellCode
- Splunk PowerShell Start or Stop Service
- Splunk Powershell Using memory As Backing Store
- Sigma PowerShell Web Access Installation - PsScript
- Splunk PowerShell WebRequest Using Memory Stream
- Sigma Powershell XML Execute Command
- Sigma PowerView PowerShell Cmdlets - ScriptBlock
- Sigma PSAsyncShell - Asynchronous TCP Reverse Shell
- Splunk Recon Using WMI Class
- Sigma Remote LSASS Process Access Through Windows Remote Management
- Sigma Remote PowerShell Session (PS Classic)
- Sigma Remote PowerShell Session (PS Module)
- Sigma Remote PowerShell Session Host Process (WinRM)
- Sigma Remote PowerShell Sessions Network Connections (WinRM)
- Sigma Remote Thread Creation Via PowerShell In Uncommon Target
- Sigma Renamed Powershell Under Powershell Channel
- Sigma Scheduled Task Executing Encoded Payload from Registry
- Sigma Scheduled Task Executing Payload from Registry
- Splunk Set Default PowerShell Execution Policy To Unrestricted or Bypass
- Sigma Silence.EDA Detection
- Sigma SQL Client Tools PowerShell Session Detection
- Sigma Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
- Sigma Suspicious Encoded PowerShell Command Line
- Sigma Suspicious Execution of Powershell with Base64
- Sigma Suspicious File Execution From Internet Hosted WebDav Share
- Sigma Suspicious HH.EXE Execution
- Sigma Suspicious Interactive PowerShell as SYSTEM
- Sigma Suspicious PowerShell Download
- Sigma Suspicious PowerShell Download - PoshModule
- Sigma Suspicious PowerShell Download - Powershell Script
- Sigma Suspicious PowerShell Download and Execute Pattern
- Sigma Suspicious PowerShell Encoded Command Patterns
- Sigma Suspicious PowerShell IEX Execution Patterns
- Sigma Suspicious PowerShell Invocation From Script Engines
- Sigma Suspicious PowerShell Invocations - Generic
- Sigma Suspicious PowerShell Invocations - Generic - PowerShell Module
- Sigma Suspicious PowerShell Invocations - Specific
- Sigma Suspicious PowerShell Invocations - Specific - PowerShell Module
- Sigma Suspicious PowerShell Parameter Substring
- Sigma Suspicious PowerShell Parent Process
- Sigma Suspicious Schtasks Execution AppData Folder
- Sigma Suspicious WSMAN Provider Image Loads
- Sigma Suspicious XOR Encoded PowerShell Command
- Splunk Unloading AMSI via Reflection
- Sigma Usage Of Web Request Commands And Cmdlets
- Sigma Usage Of Web Request Commands And Cmdlets - ScriptBlock
- Splunk Windows Account Access Removal via Logoff Exec
- Splunk Windows Enable PowerShell Web Access
- Splunk Windows Explorer LNK Exploit Process Launch With Padding
- Splunk Windows Explorer.exe Spawning PowerShell or Cmd
- Splunk Windows Powershell Cryptography Namespace
- Splunk Windows PowerShell Get CIMInstance Remote Computer
- Splunk Windows Powershell Import Applocker Policy
- Splunk Windows PowerShell Invoke-RestMethod IP Information Collection
- Splunk Windows PowerShell Invoke-Sqlcmd Execution
- Splunk Windows Powershell Logoff User via Quser
- Splunk Windows PowerShell MSIX Package Installation
- Splunk Windows PowerShell ScheduleTask
- Splunk Windows PowerShell Script Block With Malicious String
- Splunk Windows PowerShell WMI Win32 ScheduledJob
- Sigma Windows Shell/Scripting Processes Spawning Suspicious Programs
- Sigma WMImplant Hack Tool
Command and Scripting Interpreter: Windows Command Shell T1059.003 31 rules
- Sigma AppLocker Prevented Application or Script from Running
- Sigma Command Line Execution with Suspicious URL and AppData Strings
- Sigma Conhost.exe CommandLine Path Traversal
- Sigma DNS Query by Finger Utility
- Kusto Query Language Exchange Worker Process Making Remote Call
- Sigma HackTool - CrackMapExec Execution
- Sigma HackTool - CrackMapExec Execution Patterns
- Sigma HackTool - Jlaive In-Memory Assembly Execution
- Sigma HackTool - Koadic Execution
- Sigma HackTool - RedMimicry Winnti Playbook Execution
- Sigma HTML Help HH.EXE Suspicious Child Process
- Sigma Network Connection Initiated via Finger.EXE
- Sigma OpenEDR Spawning Command Shell
- Sigma Operator Bloopers Cobalt Strike Commands
- Sigma Operator Bloopers Cobalt Strike Modules
- Sigma Potential CommandLine Path Traversal Via Cmd.EXE
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Powershell Execute Batch Script
- Sigma Powershell Executed From Headless ConHost Process
- Sigma PUA - AdvancedRun Execution
- Sigma Read Contents From Stdin Via Cmd.EXE
- Sigma Remote Access Tool - ScreenConnect Command Execution
- Sigma Remote Access Tool - ScreenConnect File Transfer
- Sigma Remote Access Tool - ScreenConnect Remote Command Execution
- Sigma Remote Access Tool - ScreenConnect Temporary File
- Sigma Suspicious HH.EXE Execution
- Sigma Suspicious HWP Sub Processes
- Sigma Suspicious Usage of For Loop with Recursive Directory Search in CMD
- Splunk Windows Powershell History File Deletion
- Splunk Windows PowerShell Invoke-Sqlcmd Execution
- Splunk Windows TinyCC Shellcode Execution
Command and Scripting Interpreter: Visual Basic T1059.005 26 rules
- Sigma Adwind RAT / JRAT File Artifact
- Sigma AppLocker Prevented Application or Script from Running
- Sigma Csc.EXE Execution Form Potentially Suspicious Parent
- Sigma Cscript/Wscript Uncommon Script Extension Execution
- Sigma HackTool - CACTUSTORCH Remote Thread Creation
- Sigma HackTool - Koadic Execution
- Sigma HackTool - NetExec File Indicators
- Sigma HTML Help HH.EXE Suspicious Child Process
- Sigma MMC Loading Script Engines DLLs
- Sigma Potential Dropper Script Execution Via WScript/CScript
- Sigma Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
- Sigma Potential Remote SquiblyTwo Technique Execution
- Sigma Registry Modification Attempt Via VBScript
- Sigma Registry Modification Attempt Via VBScript - PowerShell
- Sigma Registry Tampering by Potentially Suspicious Processes
- Sigma Suspicious Child Process Of BgInfo.EXE
- Sigma Suspicious HH.EXE Execution
- Splunk Suspicious Process DNS Query Known Abuse Web Services
- Splunk Suspicious Process With Discord DNS Query
- Sigma Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
- Sigma Suspicious Scripting in a WMI Consumer
- Sigma Uncommon Child Process Of BgInfo.EXE
- Splunk Windows Outlook Macro Created by Suspicious Process
- Sigma Windows Shell/Scripting Processes Spawning Suspicious Programs
- Sigma WScript or CScript Dropper - File
- Sigma XSL Script Execution Via WMIC.EXE
Command and Scripting Interpreter: JavaScript T1059.007 20 rules
- Sigma Adwind RAT / JRAT File Artifact
- Sigma AppLocker Prevented Application or Script from Running
- Sigma Csc.EXE Execution Form Potentially Suspicious Parent
- Sigma Cscript/Wscript Uncommon Script Extension Execution
- Sigma HackTool - CACTUSTORCH Remote Thread Creation
- Sigma HackTool - Koadic Execution
- Sigma HTML Help HH.EXE Suspicious Child Process
- Splunk MS Scripting Process Loading Ldap Module
- Splunk MS Scripting Process Loading WMI Module
- Sigma MSHTA Execution with Suspicious File Extensions
- Sigma Node Process Executions
- Sigma NodeJS Execution of JavaScript File
- Sigma Potential Dropper Script Execution Via WScript/CScript
- Sigma Potential Remote SquiblyTwo Technique Execution
- Sigma Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
- Sigma Script Interpreter Spawning Credential Scanner - Windows
- Sigma Suspicious Deno File Written from Remote Source
- Sigma Suspicious HH.EXE Execution
- Sigma WScript or CScript Dropper - File
- Sigma XSL Script Execution Via WMIC.EXE
Software Deployment Tools T1072 6 rules
- Kusto Query Language New EXE deployed via Default Domain or Default Domain Controller Policies
- Kusto Query Language New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
- Sigma PDQ Deploy Remote Adminstartion Tool Execution
- Sigma PUA - Radmin Viewer Utility Execution
- Sigma Restricted Software Access By SRP
- Sigma Suspicious Csi.exe Usage
Native API T1106 13 rules
- Sigma HackTool - CobaltStrike BOF Injection Pattern
- Sigma HackTool - HandleKatz Duplicating LSASS Handle
- Sigma HackTool - RedMimicry Winnti Playbook Execution
- Sigma HackTool - WinPwn Execution
- Sigma HackTool - WinPwn Execution - ScriptBlock
- Sigma Potential Binary Proxy Execution Via Cdb.EXE
- Elastic Potential Credential Access via LSASS Memory Dump
- Sigma Potential Direct Syscall of NtOpenProcess
- Sigma Potential WinAPI Calls Via CommandLine
- Sigma Potential WinAPI Calls Via PowerShell Scripts
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Suspicious Mshta.EXE Execution Patterns
- Elastic Suspicious Process Access via Direct System Call
Shared Modules T1129 2 rules
Exploitation for Client Execution T1203 13 rules
- Sigma Audit CVE Event
- Kusto Query Language Execution of software vulnerable to webp buffer overflow of CVE-2023-4863
- Sigma Java Running with Remote Debugging
- Sigma Network Connection Initiated By Eqnedt32.EXE
- Sigma Office Application Initiated Network Connection To Non-Local IP
- Kusto Query Language Office Apps Launching Wscipt
- Kusto Query Language PE file dropped in Color Profile Folder
- Sigma Potentially Suspicious Child Process of KeyScrambler.exe
- Sigma Potentially Suspicious Child Process Of WinRAR.EXE
- Splunk Sunburst Correlation DLL and Network Event
- Sigma Suspicious ArcSOC.exe Child Process
- Sigma Suspicious HWP Sub Processes
- Sigma Suspicious Spool Service Child Process
User Execution T1204 8 rules
- Sigma Arbitrary Shell Command Execution Via Settingcontent-Ms
- Kusto Query Language Audit policy manipulation using auditpol utility
- Kusto Query Language Detect .NET runtime being loaded in JScript for code execution
- Sigma Potentially Suspicious WebDAV LNK Execution
- Sigma Suspicious Binaries and Scripts in Public Folder
- Sigma Suspicious Deno File Written from Remote Source
- Kusto Query Language Suspicious Process Injection from Office application
- Kusto Query Language VTI - High Severity SHA1 Collision Detection
User Execution: Malicious File T1204.002 34 rules
- Sigma AppLocker Prevented Application or Script from Running
- Splunk Batch File Write to System32
- Sigma CLR DLL Loaded Via Office Applications
- Sigma DotNET Assembly DLL Loaded Via Office Application
- Splunk Drop IcedID License dat
- Sigma File With Uncommon Extension Created By An Office Application
- Sigma GAC DLL Loaded Via Office Applications
- Sigma HackTool - LittleCorporal Generated Maldoc Injection
- Sigma Microsoft Excel Add-In Loaded From Uncommon Location
- Sigma Microsoft VBA For Outlook Addin Loaded Via Outlook
- Sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse
- Sigma New Application in AppCompat
- Sigma Potential Suspicious Browser Launch From Document Reader Process
- Sigma Remote DLL Load Via Rundll32.EXE
- Sigma Suspicious Binary In User Directory Spawned From Office Application
- Sigma Suspicious LNK Command-Line Padding with Whitespace Characters
- Sigma Suspicious Microsoft Office Child Process
- Sigma Suspicious Outlook Child Process
- Sigma Suspicious Startup Folder Persistence
- Sigma Suspicious WMIC Execution Via Office Process
- Sigma Suspicious WmiPrvSE Child Process
- Sigma VBA DLL Loaded Via Office Application
- Sigma Windows AppX Deployment Full Trust Package Installation
- Splunk Windows AppX Deployment Full Trust Package Installation
- Splunk Windows AppX Deployment Package Installation Success
- Sigma Windows AppX Deployment Unsigned Package Installation
- Splunk Windows AppX Deployment Unsigned Package Installation
- Splunk Windows Developer-Signed MSIX Package Installation
- Splunk Windows Explorer LNK Exploit Process Launch With Padding
- Splunk Windows Explorer.exe Spawning PowerShell or Cmd
- Splunk Windows MSIX Package Interaction
- Sigma Windows MSIX Package Support Framework AI_STUBS Execution
- Splunk Windows Suspect Process With Authentication Traffic
- Splunk Windows User Execution Malicious URL Shortcut File
User Execution: Malicious Copy and Paste T1204.004 6 rules
- Sigma FileFix - Command Evidence in TypedPaths
- Sigma Suspicious ClickFix/FileFix Execution Pattern
- Sigma Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
- Sigma Suspicious FileFix Execution Pattern
- Sigma Suspicious Space Characters in RunMRU Registry Path - ClickFix
- Sigma Suspicious Space Characters in TypedPaths Registry Path - FileFix
Inter-Process Communication T1559 6 rules
- Kusto Query Language Suspicious named pipes
- Splunk Windows Anonymous Pipe Activity
- Splunk Windows PUA Named Pipe
- Splunk Windows RMM Named Pipe
- Splunk Windows Suspicious C2 Named Pipe
- Splunk Windows Suspicious Named Pipe
System Services T1569 4 rules
- Kusto Query Language Dev-0228 File Path Hashes November 2021
- Kusto Query Language Dev-0228 File Path Hashes November 2021 (ASIM Version)
- Sigma Psexec Execution
- Elastic Remote Windows Service Installed
System Services: Service Execution T1569.002 45 rules
- Sigma CobaltStrike Service Installations - Security
- Sigma CobaltStrike Service Installations - System
- Sigma Credential Dumping Tools Service Execution - Security
- Sigma Credential Dumping Tools Service Execution - System
- Sigma CSExec Service File Creation
- Sigma CSExec Service Installation
- Splunk Excessive Usage Of SC Service Utility
- Splunk First Time Seen Running Windows Service
- Sigma HackTool - SharpUp PrivEsc Tool Execution
- Sigma HackTool Service Registration or Execution
- Splunk Malicious Powershell Executed As A Service
- Sigma Metasploit Or Impacket Service Installation Via SMB PsExec
- Sigma PAExec Service Installation
- Sigma Potential CobaltStrike Service Installations - Registry
- Sigma PowerShell as a Service in Registry
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PowerShell Scripts Installed as Services
- Sigma PowerShell Scripts Installed as Services - Security
- Sigma ProcessHacker Privilege Elevation
- Sigma PSExec and WMI Process Creations Block
- Sigma PsExec Service File Creation
- Sigma PsExec Service Installation
- Sigma PsExec Tool Execution From Suspicious Locations - PipeName
- Sigma PUA - CSExec Default Named Pipe
- Sigma PUA - CsExec Execution
- Sigma PUA - NirCmd Execution
- Sigma PUA - NirCmd Execution As LOCAL SYSTEM
- Sigma PUA - NSudo Execution
- Sigma PUA - PAExec Default Named Pipe
- Sigma PUA - RemCom Default Named Pipe
- Sigma PUA - RunXCmd Execution
- Sigma RemCom Service File Creation
- Sigma RemCom Service Installation
- Sigma Remote Access Tool Services Have Been Installed - Security
- Sigma Remote Access Tool Services Have Been Installed - System
- Elastic Remote Windows Service Installed
- Sigma Rundll32 Execution Without Parameters
- Sigma Sliver C2 Default Service Installation
- Sigma smbexec.py Service Installation
- Sigma Start Windows Service Via Net.EXE
- Sigma WFP Filter Added via Registry
- Splunk Windows Service Create SliverC2
- Splunk Windows Service Created with Suspicious Service Name
- Splunk Windows Service Created with Suspicious Service Path
- Splunk Windows Snake Malware Service Create
Persistence
Scheduled Task/Job T1053 16 rules
- Elastic A scheduled task was created
- Kusto Query Language AV detections related to Tarrask malware
- Sigma HackTool - CrackMapExec Execution
- Sigma HackTool - CrackMapExec Execution Patterns
- Sigma HackTool - SharPersist Execution
- Elastic Remote Scheduled Task Creation via RPC
- Splunk Schedule Task with HTTP Command Arguments
- Splunk Schedule Task with Rundll32 Command Trigger
- Elastic Scheduled Task Execution at Scale via GPO
- Sigma Scheduled TaskCache Change by Uncommon Program
- Sigma Suspicious Scheduled Task Write to System32 Tasks
- Elastic Temporarily Scheduled Task Creation
- Elastic Unusual Scheduled Task Update
- Splunk Windows Hidden Schedule Task Settings
- Splunk Windows Scheduled Task DLL Module Loaded
- Splunk Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
Scheduled Task/Job: At T1053.002 2 rules
Scheduled Task/Job: Scheduled Task T1053.005 48 rules
- Elastic A scheduled task was created
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Sigma Important Scheduled Task Deleted/Disabled
- Sigma Persistence and Execution at Scale via GPO Scheduled Task
- Sigma Potential Persistence Via Microsoft Compatibility Appraiser
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task
- Sigma Potential Registry Persistence Attempt Via Windows Telemetry
- Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task
- Sigma Powershell Create Scheduled Task
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Randomly Generated Scheduled Task Name
- Elastic Remote Scheduled Task Creation via RPC
- Sigma Renamed Schtasks Execution
- Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
- Sigma Scheduled Task Creation Masquerading as System Processes
- Sigma Scheduled Task Creation Via Schtasks.EXE
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo
- Sigma Scheduled Task Executed From A Suspicious Location
- Sigma Scheduled Task Executed Uncommon LOLBIN
- Sigma Scheduled Task Executing Encoded Payload from Registry
- Sigma Scheduled Task Executing Payload from Registry
- Elastic Scheduled Task Execution at Scale via GPO
- Sigma Scheduled TaskCache Change by Uncommon Program
- Sigma Schtasks Creation Or Modification With SYSTEM Privileges
- Sigma Schtasks From Suspicious Folders
- Splunk Short Lived Scheduled Task
- Sigma Suspicious Command Patterns In Scheduled Task Creation
- Sigma Suspicious Modification Of Scheduled Tasks
- Sigma Suspicious Scheduled Task Creation
- Sigma Suspicious Scheduled Task Creation Involving Temp Folder
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File
- Sigma Suspicious Scheduled Task Name As GUID
- Sigma Suspicious Scheduled Task Update
- Sigma Suspicious Schtasks Execution AppData Folder
- Sigma Suspicious Schtasks Schedule Type With High Privileges
- Sigma Suspicious Schtasks Schedule Types
- Elastic Temporarily Scheduled Task Creation
- Sigma Uncommon One Time Only Scheduled Task At 00:00
- Elastic Unusual Scheduled Task Update
- Splunk Windows Compatibility Telemetry Tampering Through Registry
- Splunk Windows Enable Win32 ScheduledJob via Registry
- Splunk Windows PowerShell ScheduleTask
- Splunk Windows Registry Delete Task SD
- Splunk Windows Scheduled Task with Suspicious Command
- Splunk Windows Scheduled Task with Suspicious Name
- Splunk WinEvent Scheduled Task Created to Spawn Shell
- Splunk WinEvent Scheduled Task Created Within Public Path
- Splunk WinEvent Windows Task Scheduler Event Action Started
Valid Accounts T1078 35 rules
- Elastic Access to a Sensitive LDAP Attribute
- Sigma Account Tampering - Suspicious Failed Logon Reasons
- Elastic AdminSDHolder Backdoor
- Kusto Query Language AdminSDHolder Modifications
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Delegated Managed Service Account Modification by an Unusual User
- Elastic dMSA Account Creation by an Unusual User
- Kusto Query Language EatonForeseer - Unauthorized Logins
- Kusto Query Language Email access via active sync
- Sigma External Remote RDP Logon from Public IP
- Sigma External Remote SMB Logon from Public IP
- Sigma Failed Logon From Public IP
- Elastic FirstTime Seen Account Performing DCSync
- Elastic Kerberos Pre-authentication Disabled for User
- Kusto Query Language New user created and added to the built-in administrators group
- Sigma Password Provided In Command Line Of Net.EXE
- Elastic Potential Account Takeover - Logon from New Source IP
- Elastic Potential Account Takeover - Mixed Logon Types
- Elastic Potential Credential Access via DCSync
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Elastic Remote Computer Account DnsHostName Update
- Kusto Query Language Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Sigma Suspicious Computer Machine Password by PowerShell
- Sigma Suspicious Remote Logon with Explicit Credentials
- Splunk Unusual Number of Computer Service Tickets Requested
- Splunk Unusual Number of Remote Endpoint Authentication Events
- Kusto Query Language User account added to built in domain local or global group
- Kusto Query Language User account created and deleted within 10 mins
- Kusto Query Language User account enabled and disabled within 10 mins
- Sigma User Added to Local Administrator Group
- Kusto Query Language User login from different countries within 3 hours (Uses Authentication Normalization)
- Splunk Windows Large Number of Computer Service Tickets Requested
- Splunk Windows Multiple Account Passwords Changed
- Splunk Windows Multiple Accounts Deleted
- Splunk Windows Multiple Accounts Disabled
Valid Accounts: Domain Accounts T1078.002 19 rules
- Elastic Access to a Sensitive LDAP Attribute
- Sigma Admin User Remote Logon
- Elastic AdminSDHolder Backdoor
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Delegated Managed Service Account Modification by an Unusual User
- Elastic dMSA Account Creation by an Unusual User
- Sigma DMSA Link Attributes Modified
- Sigma DMSA Service Account Created in Specific OUs - PowerShell
- Elastic FirstTime Seen Account Performing DCSync
- Elastic Kerberos Pre-authentication Disabled for User
- Sigma New DMSA Service Account Created in Specific OUs
- Elastic Potential Credential Access via DCSync
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Elastic Remote Computer Account DnsHostName Update
- Splunk Suspicious Computer Account Name Change
- Splunk Suspicious Kerberos Service Ticket Request
- Splunk Suspicious Ticket Granting Ticket Request
- Splunk Windows Group Policy Object Created
- Splunk Windows PowerView AD Access Control List Enumeration
Valid Accounts: Local Accounts T1078.003 2 rules
- Sigma Admin User Remote Logon
- Splunk Short Lived Windows Accounts
Account Manipulation T1098 55 rules
- Sigma A Member Was Added to a Security-Enabled Global Group
- Sigma A Member Was Removed From a Security-Enabled Global Group
- Sigma A New Trust Was Created To A Domain
- Sigma A Security-Enabled Global Group Was Deleted
- Elastic Account Configured with Never-Expiring Password
- Elastic Account Password Reset Remotely
- Elastic Active Directory Group Modification by SYSTEM
- Sigma Active Directory User Backdoors
- Kusto Query Language AD account with Don't Expire Password
- Elastic AdminSDHolder Backdoor
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Delegated Managed Service Account Modification by an Unusual User
- Kusto Query Language DEV-0270 New User Creation
- Elastic dMSA Account Creation by an Unusual User
- Sigma DMSA Link Attributes Modified
- Sigma DMSA Service Account Created in Specific OUs - PowerShell
- Kusto Query Language DSRM Account Abuse
- Sigma Enabled User Right in AD to Control User Objects
- Elastic Kerberos Pre-authentication Disabled for User
- Elastic KRBTGT Delegation Backdoor
- Kusto Query Language Local Admin Group Changes
- Elastic Modification of the msPKIAccountCredentials
- Sigma New DMSA Service Account Created in Specific OUs
- Kusto Query Language New user created and added to the built-in administrators group
- Sigma Password Change on Directory Service Restore Mode (DSRM) Account
- Sigma Password Set to Never Expire via WMI
- Elastic Potential Active Directory Replication Account Backdoor
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Elastic Potential Shadow Credentials added to AD Object
- Sigma Powershell LocalAccount Manipulation
- Sigma Powerview Add-DomainObjectAcl DCSync AD Extend Right
- Elastic Remote Computer Account DnsHostName Update
- Elastic Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
- Kusto Query Language Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Kusto Query Language User account added to built in domain local or global group
- Kusto Query Language User account created and deleted within 10 mins
- Kusto Query Language User account enabled and disabled within 10 mins
- Elastic User account exposed to Kerberoasting
- Sigma User Added To Highly Privileged Group
- Sigma User Added to Local Administrator Group
- Sigma User Added to Local Administrators Group
- Elastic User Added to Privileged Group in Active Directory
- Splunk Windows AD add Self to Group
- Splunk Windows AD DSRM Account Changes
- Splunk Windows AD DSRM Password Reset
- Splunk Windows AD Privileged Group Modification
- Splunk Windows AD Self DACL Assignment
- Splunk Windows AD ServicePrincipalName Added To Domain Account
- Splunk Windows AD Short Lived Domain Account ServicePrincipalName
- Splunk Windows DnsAdmins New Member Added
- Splunk Windows Increase in Group or Object Modification Activity
- Splunk Windows Increase in User Modification Activity
- Splunk Windows Multiple Account Passwords Changed
- Splunk Windows Multiple Accounts Deleted
- Splunk Windows Multiple Accounts Disabled
Modify Registry T1112 149 rules
- Sigma Activate Suppression of Windows Security Center Notifications
- Sigma Add DisallowRun Execution to Registry
- Sigma Allow RDP Remote Assistance Feature
- Sigma Change the Fax Dll
- Sigma Change User Account Associated with the FAX Service
- Sigma ClickOnce Trust Prompt Tampering
- Sigma CrashControl CrashDump Disabled
- Sigma DHCP Callout DLL Installation
- Sigma Disable Internal Tools or Feature in Registry
- Splunk Disable Registry Tool
- Sigma Disable Security Events Logging Adding Reg Key MiniNt
- Splunk Disable Security Logs Using MiniNt Registry
- Splunk Disable Show Hidden Files
- Splunk Disable Windows App Hotkeys
- Sigma Disable Windows Security Center Notifications
- Splunk Disabling CMD Application
- Splunk Disabling ControlPanel
- Splunk Disabling NoRun Windows App
- Sigma DNS-over-HTTPS Enabled by Registry
- Sigma Enable LM Hash Storage
- Sigma Enable LM Hash Storage - ProcCreation
- Splunk Enable WDigest UseLogonCredential Registry
- Sigma ETW Logging Disabled For rpcrt4.dll
- Sigma ETW Logging Disabled For SCM
- Sigma ETW Logging Disabled In .NET Processes - Registry
- Sigma ETW Logging Disabled In .NET Processes - Sysmon Registry
- Sigma Imports Registry Key From a File
- Sigma Imports Registry Key From an ADS
- Sigma Macro Enabled In A Potentially Suspicious Document
- Splunk Malicious InProcServer32 Modification
- Sigma Modification of IE Registry Settings
- Sigma NET NGenAssemblyUsageLog Registry Key Tamper
- Sigma NetNTLM Downgrade Attack
- Sigma NetNTLM Downgrade Attack - Registry
- Sigma New BgInfo.EXE Custom DB Path Registry Configuration
- Sigma New BgInfo.EXE Custom VBScript Registry Configuration
- Sigma New BgInfo.EXE Custom WMI Query Registry Configuration
- Sigma New DNS ServerLevelPluginDll Installed
- Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- Sigma Non-privileged Usage of Reg or Powershell
- Sigma Office Macros Warning Disabled
- Sigma Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
- Sigma Potential Persistence Via Custom Protocol Handler
- Sigma Potential Persistence Via Event Viewer Events.asp
- Sigma Potential Persistence Via Outlook Home Page
- Sigma Potential Persistence Via Outlook Today Page
- Sigma Potential Qakbot Registry Activity
- Sigma Potential Suspicious Registry File Imported Via Reg.EXE
- Sigma Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Sigma Potentially Suspicious Desktop Background Change Using Reg.EXE
- Sigma Potentially Suspicious Desktop Background Change Via Registry
- Sigma PowerShell Logging Disabled Via Registry Key Tampering
- Sigma RDP Sensitive Settings Changed
- Sigma RDP Sensitive Settings Changed to Zero
- Sigma RedMimicry Winnti Playbook Registry Manipulation
- Sigma Reg Add Suspicious Paths
- Sigma Registry Entries For Azorult Malware
- Sigma Registry Explorer Policy Modification
- Sigma Registry Hide Function from User
- Sigma Registry Manipulation via WMI Stdregprov
- Sigma Registry Modification Attempt Via VBScript
- Sigma Registry Modification Attempt Via VBScript - PowerShell
- Sigma Registry Modification for OCI DLL Redirection
- Sigma Registry Modification of MS-settings Protocol Handler
- Sigma Registry Modification Via Regini.EXE
- Sigma Registry Tampering by Potentially Suspicious Processes
- Splunk Remcos client registry install entry
- Sigma Removal of Potential COM Hijacking Registry Keys
- Sigma RestrictedAdminMode Registry Value Tampering
- Sigma RestrictedAdminMode Registry Value Tampering - ProcCreation
- Splunk Revil Registry Entry
- Sigma Run Once Task Configuration in Registry
- Sigma Run Once Task Execution as Configured in Registry
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Process
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Registry Set
- Sigma Service Binary in Suspicious Folder
- Sigma ShimCache Flush
- Sigma Suspicious Registry Modification From ADS Via Regini.EXE
- Sigma Suspicious VBoxDrvInst.exe Parameters
- Sigma Sysmon Channel Reference Deletion
- Sigma Terminal Server Client Connection History Cleared - Registry
- Sigma Trust Access Disable For VBApplications
- Sigma Uncommon Microsoft Office Trusted Location Added
- Sigma User Shell Folders Registry Modification via CommandLine
- Sigma Wdigest CredGuard Registry Modification
- Sigma Wdigest Enable UseLogonCredential
- Splunk Windows Defender ASR Registry Modification
- Splunk Windows Defender ASR Rule Disabled
- Splunk Windows Deleted Registry By A Non Critical Process File Path
- Splunk Windows Disable Change Password Through Registry
- Splunk Windows Disable Lock Workstation Feature Through Registry
- Splunk Windows Disable LogOff Button Through Registry
- Splunk Windows Disable Notification Center
- Splunk Windows Disable Shutdown Button Through Registry
- Splunk Windows Disable Windows Group Policy Features Through Registry
- Sigma Windows Event Log Access Tampering Via Registry
- Splunk Windows Hide Notification Features Through Registry
- Splunk Windows Impair Defenses Disable AV AutoStart via Registry
- Splunk Windows InProcServer32 New Outlook Form
- Splunk Windows Modify Registry AuthenticationLevelOverride
- Splunk Windows Modify Registry Auto Minor Updates
- Splunk Windows Modify Registry Auto Update Notif
- Splunk Windows Modify Registry Configure BitLocker
- Splunk Windows Modify Registry Default Icon Setting
- Splunk Windows Modify Registry Delete Firewall Rules
- Splunk Windows Modify Registry Disable RDP
- Splunk Windows Modify Registry Disable Restricted Admin
- Splunk Windows Modify Registry Disable Toast Notifications
- Splunk Windows Modify Registry Disable Win Defender Raw Write Notif
- Splunk Windows Modify Registry Disable WinDefender Notifications
- Splunk Windows Modify Registry Disable Windows Security Center Notif
- Splunk Windows Modify Registry DisableRemoteDesktopAntiAlias
- Splunk Windows Modify Registry DisableSecuritySettings
- Splunk Windows Modify Registry Disabling WER Settings
- Splunk Windows Modify Registry DisAllow Windows App
- Splunk Windows Modify Registry Do Not Connect To Win Update
- Splunk Windows Modify Registry DontShowUI
- Splunk Windows Modify Registry EnableLinkedConnections
- Splunk Windows Modify Registry LongPathsEnabled
- Splunk Windows Modify Registry MaxConnectionPerServer
- Splunk Windows Modify Registry No Auto Reboot With Logon User
- Splunk Windows Modify Registry No Auto Update
- Splunk Windows Modify Registry NoChangingWallPaper
- Splunk Windows Modify Registry on Smart Card Group Policy
- Splunk Windows Modify Registry ProxyEnable
- Splunk Windows Modify Registry ProxyServer
- Splunk Windows Modify Registry Qakbot Binary Data Registry
- Splunk Windows Modify Registry Suppress Win Defender Notif
- Splunk Windows Modify Registry Tamper Protection
- Splunk Windows Modify Registry to Add or Modify Firewall Rule
- Splunk Windows Modify Registry UpdateServiceUrlAlternate
- Splunk Windows Modify Registry USeWuServer
- Splunk Windows Modify Registry Utilize ProgIDs
- Splunk Windows Modify Registry ValleyRAT C2 Config
- Splunk Windows Modify Registry ValleyRat PWN Reg Entry
- Splunk Windows Modify Registry With MD5 Reg Key Name
- Splunk Windows Modify Registry WuServer
- Splunk Windows Modify Registry wuStatusServer
- Splunk Windows Modify Show Compress Color And Info Tip Registry
- Splunk Windows New InProcServer32 Added
- Splunk Windows Outlook Dialogs Disabled from Unusual Process
- Splunk Windows Outlook LoadMacroProviderOnBoot Persistence
- Splunk Windows Outlook WebView Registry Modification
- Splunk Windows Routing and Remote Access Service Registry Key Change
- Splunk Windows RunMRU Registry Key or Value Deleted
- Splunk Windows Set Network Profile Category to Private via Registry
- Splunk Windows Snake Malware Registry Modification wav OpenWithProgIds
- Splunk Windows SnappyBee Create Test Registry
- Sigma Winlogon AllowMultipleTSSessions Enable
External Remote Services T1133 17 rules
- Splunk Detect Exchange Web Shell
- Sigma External Remote RDP Logon from Public IP
- Sigma External Remote SMB Logon from Public IP
- Sigma Failed Logon From Public IP
- Splunk MS Exchange Mailbox Replication service writing Active Server Pages
- Splunk Outbound Network Connection from Java Using Default Ports
- Sigma Remote Access Tool - ScreenConnect Installation Execution
- Sigma Remote Access Tool - Team Viewer Session Started On Windows Host
- Sigma Running Chrome VPN Extensions via the Registry 2 VPN Extension
- Sigma Suspicious File Created by ArcSOC.exe
- Sigma Unusual Child Process of dns.exe
- Sigma Unusual File Deletion by Dns.exe
- Sigma Unusual File Modification by dns.exe
- Sigma User Added to Remote Desktop Users Group
- Splunk Web or Application Server Spawning a Shell
- Splunk Windows MOVEit Transfer Writing ASPX
- Splunk Windows RDPClient Connection Sequence Events
Create Account T1136 3 rules
- Kusto Query Language Account Creation
- Elastic dMSA Account Creation by an Unusual User
- Kusto Query Language Unusual identity creation using exchange powershell
Create Account: Local Account T1136.001 15 rules
- Sigma Creation of a Local Hidden User Account by Registry
- Splunk Detect New Local Admin account
- Sigma Hidden Local User Creation
- Sigma Local User Creation
- Sigma New User Created Via Net.EXE
- Sigma New User Created Via Net.EXE With Never Expire Option
- Sigma PowerShell Create Local User
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Short Lived Windows Accounts
- Sigma Suspicious Windows ANONYMOUS LOGON Local Account Created
- Sigma User Added to Remote Desktop Users Group
- Splunk Windows Create Local Account
- Splunk Windows ESX Admins Group Creation Security Event
- Splunk Windows ESX Admins Group Creation via PowerShell
- Splunk Windows Privileged Group Modification
Create Account: Domain Account T1136.002 8 rules
- Elastic dMSA Account Creation by an Unusual User
- Sigma Manipulation of User Computer or Group Security Principals Across AD
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PSEXEC Remote Execution File Artefact
- Sigma Suspicious Windows ANONYMOUS LOGON Local Account Created
- Splunk Windows ESX Admins Group Creation Security Event
- Splunk Windows ESX Admins Group Creation via PowerShell
- Splunk Windows Privileged Group Modification
Office Application Startup T1137 11 rules
- Sigma IE Change Domain Zone
- Sigma New Outlook Macro Created
- Sigma Outlook Macro Execution Without Warning Setting Enabled
- Sigma Outlook Security Settings Updated - Registry
- Sigma Potential Persistence Via Microsoft Office Startup Folder
- Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Sigma Registry Modification to Hidden File Extension
- Sigma Suspicious Outlook Macro Created
- Splunk Windows Outlook LoadMacroProviderOnBoot Persistence
- Splunk Windows Outlook Macro Created by Suspicious Process
- Splunk Windows Outlook Macro Security Modified
BITS Jobs T1197 14 rules
- Sigma BITS Transfer Job Download From Direct IP
- Sigma BITS Transfer Job Download From File Sharing Domains
- Sigma BITS Transfer Job Download To Potential Suspicious Folder
- Sigma BITS Transfer Job Downloading File Potential Suspicious Extension
- Sigma BITS Transfer Job With Uncommon Or Suspicious Remote TLD
- Kusto Query Language Bitsadmin Activity
- Sigma File Download Via Bitsadmin
- Sigma File Download Via Bitsadmin To A Suspicious Target Folder
- Sigma File With Suspicious Extension Downloaded Via Bitsadmin
- Sigma Monitoring For Persistence Via BITS
- Sigma New BITS Job Created Via Bitsadmin
- Sigma New BITS Job Created Via PowerShell
- Sigma Suspicious Download From Direct IP Via Bitsadmin
- Sigma Suspicious Download From File-Sharing Website Via Bitsadmin
Server Software Component: Web Shell T1505.003 16 rules
- Sigma Chopper Webshell Process Pattern
- Splunk Detect Exchange Web Shell
- Sigma IIS Native-Code Module Command Line Installation
- Splunk MS Exchange Mailbox Replication service writing Active Server Pages
- Sigma Potential Webshell Creation On Static Website
- Sigma Suspicious ASPX File Drop by Exchange
- Sigma Suspicious Child Process Of SQL Server
- Sigma Suspicious File Drop by Exchange
- Sigma Suspicious File Write to SharePoint Layouts Directory
- Sigma Suspicious File Write to Webapps Root Directory
- Sigma Suspicious MSExchangeMailboxReplication ASPX Write
- Sigma Suspicious Process By Web Server Process
- Sigma Webshell Detection With Command Line Keywords
- Sigma Webshell Hacking Activity Patterns
- Sigma Webshell Tool Reconnaissance Activity
- Splunk Windows SharePoint Spinstall0 Webshell File Creation
Server Software Component: IIS Components T1505.004 9 rules
- Sigma ETW Logging/Processing Option Disabled On IIS Server
- Sigma HTTP Logging Disabled On IIS Server
- Sigma New Module Module Added To IIS Server
- Sigma Previously Installed IIS Module Was Removed
- Sigma Suspicious IIS Module Registration
- Splunk Windows IIS Components Module Failed to Load
- Splunk Windows PowerShell Add Module to Global Assembly Cache
- Splunk Windows PowerShell Disable HTTP Logging
- Splunk Windows PowerShell IIS Components WebGlobalModule Usage
Pre-OS Boot T1542 1 rule
Pre-OS Boot: Bootkit T1542.003 2 rules
Create or Modify System Process T1543 18 rules
- Splunk Clop Ransomware Known Service Name
- Sigma CodeIntegrity - Blocked Driver Load With Revoked Certificate
- Sigma CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- Kusto Query Language COM Event System Loading New DLL
- Sigma KrbRelayUp Service Installation
- Splunk LLM Model File Creation
- Sigma PUA - Process Hacker Driver Load
- Sigma PUA - Process Hacker Execution
- Sigma PUA - System Informer Driver Load
- Sigma PUA - System Informer Execution
- Elastic Remote Windows Service Installed
- Elastic Service Creation via Local Kerberos Authentication
- Sigma Service Installed By Unusual Client - Security
- Sigma Service Installed By Unusual Client - System
- Kusto Query Language SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
- Elastic Suspicious Service was Installed in the System
- Kusto Query Language TEARDROP memory-only dropper
- Elastic Windows Service Installed via an Unusual Client
Create or Modify System Process: Windows Service T1543.003 50 rules
- Sigma Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Sigma CobaltStrike Service Installations - Security
- Sigma CobaltStrike Service Installations - System
- Sigma Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- Sigma Devcon Execution Disabling VMware VMCI Device
- Sigma Driver Load From A Temporary Directory
- Sigma Malicious Driver Load
- Sigma Malicious Driver Load By Name
- Sigma Moriya Rootkit - System
- Sigma New Kernel Driver Via SC.EXE
- Sigma New PDQDeploy Service - Client Side
- Sigma New PDQDeploy Service - Server Side
- Sigma New Service Creation Using PowerShell
- Sigma New Service Creation Using Sc.EXE
- Sigma Potential CobaltStrike Service Installations - Registry
- Sigma Potential Persistence Attempt Via Existing Service Tampering
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma ProcessHacker Privilege Elevation
- Sigma PSEXEC Remote Execution File Artefact
- Sigma PUA - Kernel Driver Utility (KDU) Execution
- Splunk Randomly Generated Windows Service Name
- Sigma Remote Access Tool Services Have Been Installed - Security
- Sigma Remote Access Tool Services Have Been Installed - System
- Elastic Remote Windows Service Installed
- Elastic Service Creation via Local Kerberos Authentication
- Sigma Service Installation in Suspicious Folder
- Sigma Service Installation with Suspicious Folder Pattern
- Sigma ServiceDll Hijack
- Sigma Sliver C2 Default Service Installation
- Sigma Suspicious New Service Creation
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet
- Sigma Suspicious Service Installation
- Sigma Suspicious Service Installation Script
- Sigma Suspicious Service Path Modification
- Elastic Suspicious Service was Installed in the System
- Sigma Sysinternals PsService Execution
- Sigma Sysinternals PsSuspend Execution
- Sigma Uncommon Service Installation Image Path
- Sigma Vulnerable Driver Load
- Sigma Vulnerable Driver Load By Name
- Sigma Vulnerable HackSys Extreme Vulnerable Driver Load
- Sigma Vulnerable WinRing0 Driver Load
- Splunk Windows Bluetooth Service Installed From Uncommon Location
- Splunk Windows KrbRelayUp Service Creation
- Splunk Windows Service Create RemComSvc
- Elastic Windows Service Installed via an Unusual Client
- Splunk Windows Suspicious Driver Loaded Path
- Splunk Windows Vulnerable Driver Installed
- Splunk Windows Vulnerable Driver Loaded
- Splunk XMRIG Driver Loaded
Event Triggered Execution T1546 15 rules
- Kusto Query Language Caramel Tsunami Actor IOC - July 2021
- Sigma COM Hijack via Sdclt
- Sigma Control Panel Items
- Sigma New Outlook Macro Created
- Sigma Outlook Macro Execution Without Warning Setting Enabled
- Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Kusto Query Language SUNBURST and SUPERNOVA backdoor hashes
- Kusto Query Language SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- Kusto Query Language SUNBURST network beacons
- Sigma Suspicious Get-Variable.exe Creation
- Sigma Suspicious Outlook Macro Created
- Elastic Suspicious WMI Event Subscription Created
- Splunk Windows AD AdminSDHolder ACL Modified
- Splunk Windows Compatibility Telemetry Tampering Through Registry
- Kusto Query Language Zinc Actor IOCs files - October 2022
Event Triggered Execution: Change Default File Association T1546.001 6 rules
- Sigma Change Default File Association To Executable Via Assoc
- Sigma Change Default File Association Via Assoc
- Sigma Registry Modification of MS-settings Protocol Handler
- Sigma Shell Open Registry Keys Manipulation
- Sigma Suspicious Shell Open Command Registry Modification
- Splunk Windows New Default File Association Value Set
Event Triggered Execution: Windows Management Instrumentation Event Subscription T1546.003 14 rules
- Splunk Detect WMI Event Subscription Persistence
- Sigma New ActiveScriptEventConsumer Created Via Wmic.EXE
- Sigma Powershell WMI Persistence
- Sigma Suspicious Encoded Scripts in a WMI Consumer
- Elastic Suspicious WMI Event Subscription Created
- Sigma WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
- Sigma WMI Backdoor Exchange Transport Agent
- Sigma WMI Event Subscription
- Splunk WMI Permanent Event Subscription - Sysmon
- Sigma WMI Persistence
- Sigma WMI Persistence - Command Line Event Consumer
- Sigma WMI Persistence - Script Event Consumer
- Sigma WMI Persistence - Script Event Consumer File Write
- Sigma WMI Persistence - Security
Event Triggered Execution: Accessibility Features T1546.008 9 rules
- Kusto Query Language Modification of Accessibility Features
- Splunk Overwriting Accessibility Binaries
- Sigma Persistence Via Sticky Key Backdoor
- Sigma Potential Privilege Escalation Using Symlink Between Osk and Cmd
- Sigma Potential Suspicious Activity Using SeCEdit
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Sticky Key Like Backdoor Execution
- Sigma Sticky Key Like Backdoor Usage - Registry
- Sigma Suspicious Debugger Registration Cmdline
Event Triggered Execution: AppCert DLLs T1546.009 3 rules
- Sigma New DLL Added to AppCertDlls Registry Key
- Kusto Query Language Registry Persistence via AppCert DLL Modification
- Sigma Session Manager Autorun Keys Modification
Event Triggered Execution: AppInit DLLs T1546.010 2 rules
- Sigma New DLL Added to AppInit_DLLs Registry Key
- Kusto Query Language Registry Persistence via AppInit DLLs Modification
Event Triggered Execution: Application Shimming T1546.011 8 rules
- Sigma Potential Persistence Via AppCompat RegisterAppRestart Layer
- Sigma Potential Persistence Via Shim Database In Uncommon Location
- Sigma Potential Persistence Via Shim Database Modification
- Sigma Potential Shim Database Persistence via Sdbinst.EXE
- Splunk Registry Keys for Creating SHIM Databases
- Splunk Shim Database File Creation
- Sigma Suspicious Shim Database Patching Activity
- Sigma Uncommon Extension Shim Database Installation Via Sdbinst.EXE
Event Triggered Execution: Component Object Model Hijacking T1546.015 11 rules
- Sigma COM Hijacking via TreatAs
- Sigma COM Object Hijacking Via Modification Of Default System CLSID Default Value
- Kusto Query Language Component Object Model Hijacking - Vault7 trick
- Sigma Potential COM Object Hijacking Via TreatAs Subkey - Registry
- Sigma Potential Persistence Using DebugPath
- Sigma Potential Persistence Via Scrobj.dll COM Hijacking
- Sigma Potential PSFactoryBuffer COM Hijacking
- Splunk Powershell COM Hijacking InprocServer32 Modification
- Splunk Powershell Execute COM Object
- Sigma Rundll32 Registered COM Objects
- Sigma Suspicious GetTypeFromCLSID ShellExecute
Boot or Logon Autostart Execution T1547 11 rules
- Sigma Atbroker Registry Change
- Kusto Query Language Midnight Blizzard - suspicious rundll32.exe execution of vbscript
- Kusto Query Language Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
- Sigma Potential RipZip Attack on Startup Folder
- Sigma Registry Persistence Mechanisms in Recycle Bin
- Sigma Startup/Logon Script Added to Group Policy Object
- Elastic Startup/Logon Script added to Group Policy Object
- Sigma Suspicious Driver Install by pnputil.exe
- Sigma Suspicious GrpConv Execution
- Splunk Windows Unsigned MS DLL Side-Loading
- Sigma WINEKEY Registry Modification
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 37 rules
- Sigma Classes Autorun Keys Modification
- Sigma Common Autorun Keys Modification
- Sigma CurrentControlSet Autorun Keys Modification
- Sigma CurrentVersion Autorun Keys Modification
- Sigma CurrentVersion NT Autorun Keys Modification
- Sigma Direct Autorun Keys Modification
- Sigma File Creation In Suspicious Directory By Msdt.EXE
- Sigma Internet Explorer Autorun Keys Modification
- Sigma Modify User Shell Folders Startup Value
- Sigma Narrator's Feedback-Hub Persistence
- Sigma New RUN Key Pointing to Suspicious Folder
- Sigma Office Autorun Keys Modification
- Sigma Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Sigma Potential Startup Shortcut Persistence Via PowerShell.EXE
- Sigma Potential Suspicious Activity Using SeCEdit
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Registry Keys Used For Persistence
- Sigma Registry Persistence via Explorer Run Key
- Sigma Session Manager Autorun Keys Modification
- Sigma Startup Folder File Write
- Sigma Suspicious Autorun Registry Modified via WMI
- Sigma Suspicious PowerShell In Registry Run Keys
- Sigma Suspicious Run Key from Download
- Sigma Suspicious Startup Folder Persistence
- Sigma System Scripts Autorun Keys Modification
- Sigma User Shell Folders Registry Modification via CommandLine
- Sigma VBScript Payload Stored in Registry
- Splunk Windows Boot or Logon Autostart Execution In Startup Folder
- Sigma Windows Event Log Access Tampering Via Registry
- Splunk Windows PowerShell MSIX Package Installation
- Splunk Windows Registry BootExecute Modification
- Splunk Windows Registry Modification for Safe Mode Persistence
- Sigma WinRAR Creating Files in Startup Locations
- Sigma WinSock2 Autorun Keys Modification
- Sigma Wow6432Node Classes Autorun Keys Modification
- Sigma Wow6432Node CurrentVersion Autorun Keys Modification
- Sigma Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Boot or Logon Autostart Execution: Security Support Provider T1547.005 2 rules
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Security Support Provider (SSP) Added to LSA Configuration
Compromise Host Software Binary T1554 8 rules
- Sigma DNS HybridConnectionManager Service Bus
- Splunk GitHub Workflow File Creation or Modification
- Sigma HybridConnectionManager Service Installation
- Kusto Query Language Potential Build Process Compromise
- Kusto Query Language Potential Build Process Compromise - MDE
- Kusto Query Language RecordedFuture Threat Hunting Hash All Actors
- Splunk Shai-Hulud Workflow File Creation or Modification
- Kusto Query Language SUNSPOT malware hashes
Hijack Execution Flow T1574 7 rules
- Kusto Query Language Detect Suspicious Commands Initiated by Webserver Processes
- Sigma DLL Execution Via Register-cimprovider.exe
- Sigma Potential Initial Access via DLL Search Order Hijacking
- Sigma Potential Registry Persistence Attempt Via DbgManagedDebugger
- Sigma Regsvr32 DLL Execution With Uncommon Extension
- Sigma Suspicious Printer Driver Empty Manufacturer
- Splunk Windows BitDefender Submission Wizard DLL Sideloading
Hijack Execution Flow: DLL T1574.001 91 rules
- Sigma Aruba Network Service Potential DLL Sideloading
- Sigma Creation Of Non-Existent System DLL
- Sigma Creation of WerFault.exe/Wer.dll in Unusual Folder
- Sigma DHCP Callout DLL Installation
- Sigma DHCP Server Error Failed Loading the CallOut DLL
- Sigma DHCP Server Loaded the CallOut DLL
- Sigma DLL Search Order Hijackig Via Additional Space in Path
- Sigma DLL Sideloading by VMware Xfer Utility
- Sigma DLL Sideloading Of ShellChromeAPI.DLL
- Sigma DNS Server Error Failed Loading the ServerLevelPluginDLL
- Sigma Fax Service DLL Search Order Hijack
- Sigma HackTool - Powerup Write Hijack DLL
- Sigma Malicious DLL File Dropped in the Teams or OneDrive Folder
- Sigma Microsoft Defender Blocked from Loading Unsigned DLL
- Sigma Microsoft Office DLL Sideload
- Splunk MSI Module Loaded by Non-System Binary
- Splunk Msmpeng Application DLL Side Loading
- Sigma New DNS ServerLevelPluginDll Installed
- Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- Sigma Potential 7za.DLL Sideloading
- Sigma Potential Antivirus Software DLL Sideloading
- Sigma Potential appverifUI.DLL Sideloading
- Sigma Potential AVKkid.DLL Sideloading
- Sigma Potential Azure Browser SSO Abuse
- Sigma Potential CCleanerDU.DLL Sideloading
- Sigma Potential CCleanerReactivator.DLL Sideloading
- Sigma Potential Chrome Frame Helper DLL Sideloading
- Sigma Potential DLL Sideloading Of DBGCORE.DLL
- Sigma Potential DLL Sideloading Of DBGHELP.DLL
- Sigma Potential DLL Sideloading Of DbgModel.DLL
- Sigma Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Sigma Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
- Sigma Potential DLL Sideloading Of MpSvc.DLL
- Sigma Potential DLL Sideloading Of MsCorSvc.DLL
- Sigma Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Sigma Potential DLL Sideloading Via ClassicExplorer32.dll
- Sigma Potential DLL Sideloading Via comctl32.dll
- Sigma Potential DLL Sideloading Via DeviceEnroller.EXE
- Sigma Potential DLL Sideloading Via JsSchHlp
- Sigma Potential DLL Sideloading Via VMware Xfer
- Sigma Potential EACore.DLL Sideloading
- Sigma Potential Edputil.DLL Sideloading
- Sigma Potential Goopdate.DLL Sideloading
- Sigma Potential Initial Access via DLL Search Order Hijacking
- Sigma Potential Iviewers.DLL Sideloading
- Sigma Potential JLI.dll Side-Loading
- Sigma Potential Libvlc.DLL Sideloading
- Sigma Potential Mfdetours.DLL Sideloading
- Sigma Potential Mpclient.DLL Sideloading
- Sigma Potential Mpclient.DLL Sideloading Via Defender Binaries
- Sigma Potential Python DLL SideLoading
- Sigma Potential Rcdll.DLL Sideloading
- Sigma Potential RjvPlatform.DLL Sideloading From Default Location
- Sigma Potential RjvPlatform.DLL Sideloading From Non-Default Location
- Sigma Potential RoboForm.DLL Sideloading
- Sigma Potential ShellDispatch.DLL Sideloading
- Sigma Potential SmadHook.DLL Sideloading
- Sigma Potential SolidPDFCreator.DLL Sideloading
- Sigma Potential System DLL Sideloading From Non System Locations
- Sigma Potential Vivaldi_elf.DLL Sideloading
- Sigma Potential Waveedit.DLL Sideloading
- Sigma Potential Wazuh Security Platform DLL Sideloading
- Sigma Potential WWlib.DLL Sideloading
- Sigma Potentially Suspicious Child Process of KeyScrambler.exe
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Registry Modification for OCI DLL Redirection
- Sigma Renamed Vmnat.exe Execution
- Sigma Suspicious GUP Usage
- Sigma Suspicious Unsigned Thor Scanner Execution
- Sigma System Control Panel Item Loaded From Uncommon Location
- Sigma Tasks Folder Evasion
- Sigma Third Party Software DLL Sideloading
- Sigma UAC Bypass With Fake DLL
- Sigma Unsigned .node File Loaded
- Sigma Unsigned Binary Loaded From Suspicious Location
- Sigma Unsigned Mfdetours.DLL Sideloading
- Sigma Unsigned Module Loaded by ClickOnce Application
- Sigma VMGuestLib DLL Sideload
- Sigma VMMap Signed Dbghelp.DLL Potential Sideloading
- Sigma VMMap Unsigned Dbghelp.DLL Potential Sideloading
- Splunk Windows DLL Search Order Hijacking Hunt with Sysmon
- Splunk Windows DLL Side-Loading In Calc
- Splunk Windows Hijack Execution Flow Version Dll Side Load
- Splunk Windows Known Abused DLL Created
- Splunk Windows Known Abused DLL Loaded Suspiciously
- Splunk Windows Known GraphicalProton Loaded Modules
- Splunk Windows SqlWriter SQLDumper DLL Sideload
- Splunk Windows Unsigned DLL Side-Loading
- Splunk Windows Unsigned DLL Side-Loading In Same Process Path
- Splunk Windows Unsigned MS DLL Side-Loading
- Sigma Xwizard.EXE Execution From Non-Default Location
Hijack Execution Flow: Dylib Hijacking T1574.004 1 rule
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Hijack Execution Flow: Path Interception by Search Order Hijacking T1574.008 2 rules
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Using SettingSyncHost.exe as LOLBin
Hijack Execution Flow: Path Interception by Unquoted Path T1574.009 1 rule
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Hijack Execution Flow: Services Registry Permissions Weakness T1574.011 12 rules
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Sigma Changing Existing Service ImagePath Value Via Reg.EXE
- Sigma Possible Privilege Escalation via Weak Service Permissions
- Sigma Potential Persistence Attempt Via Existing Service Tampering
- Sigma Potential Privilege Escalation via Service Permissions Weakness
- Sigma Service DACL Abuse To Hide Services Via Sc.EXE
- Sigma Service Registry Key Read Access Request
- Sigma Service Registry Permissions Weakness Check
- Sigma Service Security Descriptor Tampering Via Sc.EXE
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
- Splunk Windows Service Creation Using Registry Entry
Privilege Escalation
Scheduled Task/Job T1053 16 rules
- Elastic A scheduled task was created
- Kusto Query Language AV detections related to Tarrask malware
- Sigma HackTool - CrackMapExec Execution
- Sigma HackTool - CrackMapExec Execution Patterns
- Sigma HackTool - SharPersist Execution
- Elastic Remote Scheduled Task Creation via RPC
- Splunk Schedule Task with HTTP Command Arguments
- Splunk Schedule Task with Rundll32 Command Trigger
- Elastic Scheduled Task Execution at Scale via GPO
- Sigma Scheduled TaskCache Change by Uncommon Program
- Sigma Suspicious Scheduled Task Write to System32 Tasks
- Elastic Temporarily Scheduled Task Creation
- Elastic Unusual Scheduled Task Update
- Splunk Windows Hidden Schedule Task Settings
- Splunk Windows Scheduled Task DLL Module Loaded
- Splunk Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
Scheduled Task/Job: At T1053.002 2 rules
Scheduled Task/Job: Scheduled Task T1053.005 48 rules
- Elastic A scheduled task was created
- Sigma HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Sigma Important Scheduled Task Deleted/Disabled
- Sigma Persistence and Execution at Scale via GPO Scheduled Task
- Sigma Potential Persistence Via Microsoft Compatibility Appraiser
- Sigma Potential Persistence Via Powershell Search Order Hijacking - Task
- Sigma Potential Registry Persistence Attempt Via Windows Telemetry
- Sigma Potential SSH Tunnel Persistence Install Using A Scheduled Task
- Sigma Powershell Create Scheduled Task
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Randomly Generated Scheduled Task Name
- Elastic Remote Scheduled Task Creation via RPC
- Sigma Renamed Schtasks Execution
- Sigma Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
- Sigma Scheduled Task Creation Masquerading as System Processes
- Sigma Scheduled Task Creation Via Schtasks.EXE
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo
- Sigma Scheduled Task Executed From A Suspicious Location
- Sigma Scheduled Task Executed Uncommon LOLBIN
- Sigma Scheduled Task Executing Encoded Payload from Registry
- Sigma Scheduled Task Executing Payload from Registry
- Elastic Scheduled Task Execution at Scale via GPO
- Sigma Scheduled TaskCache Change by Uncommon Program
- Sigma Schtasks Creation Or Modification With SYSTEM Privileges
- Sigma Schtasks From Suspicious Folders
- Splunk Short Lived Scheduled Task
- Sigma Suspicious Command Patterns In Scheduled Task Creation
- Sigma Suspicious Modification Of Scheduled Tasks
- Sigma Suspicious Scheduled Task Creation
- Sigma Suspicious Scheduled Task Creation Involving Temp Folder
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File
- Sigma Suspicious Scheduled Task Name As GUID
- Sigma Suspicious Scheduled Task Update
- Sigma Suspicious Schtasks Execution AppData Folder
- Sigma Suspicious Schtasks Schedule Type With High Privileges
- Sigma Suspicious Schtasks Schedule Types
- Elastic Temporarily Scheduled Task Creation
- Sigma Uncommon One Time Only Scheduled Task At 00:00
- Elastic Unusual Scheduled Task Update
- Splunk Windows Compatibility Telemetry Tampering Through Registry
- Splunk Windows Enable Win32 ScheduledJob via Registry
- Splunk Windows PowerShell ScheduleTask
- Splunk Windows Registry Delete Task SD
- Splunk Windows Scheduled Task with Suspicious Command
- Splunk Windows Scheduled Task with Suspicious Name
- Splunk WinEvent Scheduled Task Created to Spawn Shell
- Splunk WinEvent Scheduled Task Created Within Public Path
- Splunk WinEvent Windows Task Scheduler Event Action Started
Process Injection T1055 43 rules
- Sigma CobaltStrike Named Pipe
- Sigma CobaltStrike Named Pipe Pattern Regex
- Sigma CobaltStrike Named Pipe Patterns
- Splunk Create Remote Thread In Shell Application
- Sigma Created Files by Microsoft Sync Center
- Splunk DLLHost with no Command Line Arguments with Network
- Sigma Dllhost.EXE Execution Anomaly
- Sigma DotNet CLR DLL Loaded By Scripting Applications
- Splunk GPUpdate with no Command Line Arguments with Network
- Sigma HackTool - CoercedPotato Execution
- Sigma HackTool - CoercedPotato Named Pipe Creation
- Sigma HackTool - DInjector PowerShell Cradle Execution
- Sigma HackTool - EfsPotato Named Pipe Creation
- Sigma Malicious Named Pipe Created
- Sigma Microsoft Sync Center Suspicious Network Connections
- Sigma Network Connection Initiated Via Notepad.EXE
- Sigma Potential DLL Sideloading Using Coregen.exe
- Sigma Potential Process Injection Via Msra.EXE
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Powershell Fileless Process Injection via GetProcAddress
- Splunk Powershell Remote Thread To Known Windows Process
- Sigma PowerShell ShellCode
- Sigma Process Creation Using Sysnative Folder
- Elastic Process Injection by the Microsoft Build Engine
- Sigma Rare Remote Thread Creation By Uncommon Source Image
- Sigma Remote Thread Creation By Uncommon Source Image
- Splunk Rundll32 Create Remote Thread To A Process
- Splunk Rundll32 CreateRemoteThread In Browser
- Splunk SearchProtocolHost with no Command Line with Network
- Kusto Query Language Solorigate Named Pipe
- Sigma Suspect Svchost Activity
- Sigma Suspicious Child Process Of Wermgr.EXE
- Kusto Query Language Suspicious named pipes
- Elastic Suspicious Process Access via Direct System Call
- Elastic Suspicious Process Creation CallTrace
- Sigma Suspicious Rundll32 Invoking Inline VBScript
- Sigma Suspicious Userinit Child Process
- Splunk Trickbot Named Pipe
- Sigma Uncommon Svchost Command Line Parameter
- Splunk Windows PUA Named Pipe
- Splunk Windows RMM Named Pipe
- Splunk Windows Suspicious C2 Named Pipe
- Splunk Windows Suspicious Named Pipe
Process Injection: Dynamic-link Library Injection T1055.001 8 rules
- Sigma HackTool - Potential CobaltStrike Process Injection
- Splunk Loading Of Dynwrapx Module
- Sigma ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
- Sigma Mavinject Inject DLL Into Running Process
- Sigma Potential DLL Injection Or Execution Using Tracker.exe
- Sigma Renamed Mavinject.EXE Execution
- Sigma Renamed ZOHO Dctask64 Execution
- Splunk Windows Process Injection Of Wermgr to Known Browser
Exploitation for Privilege Escalation T1068 22 rules
- Sigma Audit CVE Event
- Kusto Query Language Email access via active sync
- Sigma HackTool - SysmonEOP Execution
- Sigma HKTL - SharpSuccessor Privilege Escalation Tool Execution
- Sigma Malicious Driver Load
- Sigma Malicious Driver Load By Name
- Elastic Modification of the msPKIAccountCredentials
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Process Explorer Driver Creation By Non-Sysinternals Binary
- Sigma Process Monitor Driver Creation By Non-Sysinternals Binary
- Elastic Remote Computer Account DnsHostName Update
- Splunk Spoolsv Suspicious Process Access
- Sigma Suspicious Spool Service Child Process
- Sigma Vulnerable Driver Load
- Sigma Vulnerable Driver Load By Name
- Splunk Windows Driver Load Non-Standard Path
- Splunk Windows Drivers Loaded by Signature
- Splunk Windows Privilege Escalation Suspicious Process Elevation
- Splunk Windows Privilege Escalation System Process Without System Parent
- Splunk Windows Privilege Escalation User Process Spawn System Process
- Splunk Windows System File on Disk
Valid Accounts T1078 35 rules
- Elastic Access to a Sensitive LDAP Attribute
- Sigma Account Tampering - Suspicious Failed Logon Reasons
- Elastic AdminSDHolder Backdoor
- Kusto Query Language AdminSDHolder Modifications
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Delegated Managed Service Account Modification by an Unusual User
- Elastic dMSA Account Creation by an Unusual User
- Kusto Query Language EatonForeseer - Unauthorized Logins
- Kusto Query Language Email access via active sync
- Sigma External Remote RDP Logon from Public IP
- Sigma External Remote SMB Logon from Public IP
- Sigma Failed Logon From Public IP
- Elastic FirstTime Seen Account Performing DCSync
- Elastic Kerberos Pre-authentication Disabled for User
- Kusto Query Language New user created and added to the built-in administrators group
- Sigma Password Provided In Command Line Of Net.EXE
- Elastic Potential Account Takeover - Logon from New Source IP
- Elastic Potential Account Takeover - Mixed Logon Types
- Elastic Potential Credential Access via DCSync
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Elastic Remote Computer Account DnsHostName Update
- Kusto Query Language Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Sigma Suspicious Computer Machine Password by PowerShell
- Sigma Suspicious Remote Logon with Explicit Credentials
- Splunk Unusual Number of Computer Service Tickets Requested
- Splunk Unusual Number of Remote Endpoint Authentication Events
- Kusto Query Language User account added to built in domain local or global group
- Kusto Query Language User account created and deleted within 10 mins
- Kusto Query Language User account enabled and disabled within 10 mins
- Sigma User Added to Local Administrator Group
- Kusto Query Language User login from different countries within 3 hours (Uses Authentication Normalization)
- Splunk Windows Large Number of Computer Service Tickets Requested
- Splunk Windows Multiple Account Passwords Changed
- Splunk Windows Multiple Accounts Deleted
- Splunk Windows Multiple Accounts Disabled
Valid Accounts: Domain Accounts T1078.002 19 rules
- Elastic Access to a Sensitive LDAP Attribute
- Sigma Admin User Remote Logon
- Elastic AdminSDHolder Backdoor
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Delegated Managed Service Account Modification by an Unusual User
- Elastic dMSA Account Creation by an Unusual User
- Sigma DMSA Link Attributes Modified
- Sigma DMSA Service Account Created in Specific OUs - PowerShell
- Elastic FirstTime Seen Account Performing DCSync
- Elastic Kerberos Pre-authentication Disabled for User
- Sigma New DMSA Service Account Created in Specific OUs
- Elastic Potential Credential Access via DCSync
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Elastic Remote Computer Account DnsHostName Update
- Splunk Suspicious Computer Account Name Change
- Splunk Suspicious Kerberos Service Ticket Request
- Splunk Suspicious Ticket Granting Ticket Request
- Splunk Windows Group Policy Object Created
- Splunk Windows PowerView AD Access Control List Enumeration
Valid Accounts: Local Accounts T1078.003 2 rules
- Sigma Admin User Remote Logon
- Splunk Short Lived Windows Accounts
Account Manipulation T1098 55 rules
- Sigma A Member Was Added to a Security-Enabled Global Group
- Sigma A Member Was Removed From a Security-Enabled Global Group
- Sigma A New Trust Was Created To A Domain
- Sigma A Security-Enabled Global Group Was Deleted
- Elastic Account Configured with Never-Expiring Password
- Elastic Account Password Reset Remotely
- Elastic Active Directory Group Modification by SYSTEM
- Sigma Active Directory User Backdoors
- Kusto Query Language AD account with Don't Expire Password
- Elastic AdminSDHolder Backdoor
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Delegated Managed Service Account Modification by an Unusual User
- Kusto Query Language DEV-0270 New User Creation
- Elastic dMSA Account Creation by an Unusual User
- Sigma DMSA Link Attributes Modified
- Sigma DMSA Service Account Created in Specific OUs - PowerShell
- Kusto Query Language DSRM Account Abuse
- Sigma Enabled User Right in AD to Control User Objects
- Elastic Kerberos Pre-authentication Disabled for User
- Elastic KRBTGT Delegation Backdoor
- Kusto Query Language Local Admin Group Changes
- Elastic Modification of the msPKIAccountCredentials
- Sigma New DMSA Service Account Created in Specific OUs
- Kusto Query Language New user created and added to the built-in administrators group
- Sigma Password Change on Directory Service Restore Mode (DSRM) Account
- Sigma Password Set to Never Expire via WMI
- Elastic Potential Active Directory Replication Account Backdoor
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Elastic Potential Shadow Credentials added to AD Object
- Sigma Powershell LocalAccount Manipulation
- Sigma Powerview Add-DomainObjectAcl DCSync AD Extend Right
- Elastic Remote Computer Account DnsHostName Update
- Elastic Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
- Kusto Query Language Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Kusto Query Language User account added to built in domain local or global group
- Kusto Query Language User account created and deleted within 10 mins
- Kusto Query Language User account enabled and disabled within 10 mins
- Elastic User account exposed to Kerberoasting
- Sigma User Added To Highly Privileged Group
- Sigma User Added to Local Administrator Group
- Sigma User Added to Local Administrators Group
- Elastic User Added to Privileged Group in Active Directory
- Splunk Windows AD add Self to Group
- Splunk Windows AD DSRM Account Changes
- Splunk Windows AD DSRM Password Reset
- Splunk Windows AD Privileged Group Modification
- Splunk Windows AD Self DACL Assignment
- Splunk Windows AD ServicePrincipalName Added To Domain Account
- Splunk Windows AD Short Lived Domain Account ServicePrincipalName
- Splunk Windows DnsAdmins New Member Added
- Splunk Windows Increase in Group or Object Modification Activity
- Splunk Windows Increase in User Modification Activity
- Splunk Windows Multiple Account Passwords Changed
- Splunk Windows Multiple Accounts Deleted
- Splunk Windows Multiple Accounts Disabled
Access Token Manipulation T1134 12 rules
- Sigma HackTool - NoFilter Execution
- Kusto Query Language Possible Resource-Based Constrained Delegation Abuse
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Elastic Privilege Escalation via Rogue Named Pipe Impersonation
- Elastic Process Creation via Secondary Logon
- Elastic SeDebugPrivilege Enabled by a Suspicious Process
- Kusto Query Language Service Principal Name (SPN) Assigned to User Account
- Elastic Suspicious SeIncreaseBasePriorityPrivilege Use
- Sigma Suspicious SYSTEM User Process Creation
- Splunk Windows Privilege Escalation Suspicious Process Elevation
- Splunk Windows Privilege Escalation System Process Without System Parent
- Splunk Windows Privilege Escalation User Process Spawn System Process
Access Token Manipulation: Token Impersonation/Theft T1134.001 13 rules
- Sigma HackTool - Impersonate Execution
- Sigma HackTool - Koh Default Named Pipe
- Sigma HackTool - NoFilter Execution
- Sigma HackTool - SharpDPAPI Execution
- Sigma HackTool - SharpImpersonation Execution
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System
- Sigma Potential Access Token Abuse
- Sigma Potential Meterpreter/CobaltStrike Activity
- Elastic Privilege Escalation via Rogue Named Pipe Impersonation
- Splunk Windows Access Token Manipulation Winlogon Duplicate Token Handle
- Splunk Windows Access Token Winlogon Duplicate Handle In Uncommon Path
- Splunk Windows Handle Duplication in Known UAC-Bypass Binaries
Access Token Manipulation: Create Process with Token T1134.002 9 rules
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System
- Sigma Potential Meterpreter/CobaltStrike Activity
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Elastic Process Creation via Secondary Logon
- Sigma PUA - AdvancedRun Execution
- Sigma PUA - AdvancedRun Suspicious Execution
- Sigma Suspicious Child Process Created as System
- Splunk Windows Access Token Manipulation SeDebugPrivilege
Access Token Manipulation: SID-History Injection T1134.005 6 rules
- Sigma Addition of SID History to Active Directory Object
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Windows AD Cross Domain SID History Addition
- Splunk Windows AD Privileged Account SID History Addition
- Splunk Windows AD Same Domain SID History Addition
- Splunk Windows AD SID History Attribute Modified
Domain or Tenant Policy Modification T1484 14 rules
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Group Policy Abuse for Privilege Addition
- Elastic Scheduled Task Execution at Scale via GPO
- Elastic Startup/Logon Script added to Group Policy Object
- Splunk Windows AD Dangerous Deny ACL Modification
- Splunk Windows AD Dangerous Group ACL Modification
- Splunk Windows AD Dangerous User ACL Modification
- Splunk Windows AD DCShadow Privileges ACL Addition
- Splunk Windows AD Domain Replication ACL Addition
- Splunk Windows AD Domain Root ACL Deletion
- Splunk Windows AD Domain Root ACL Modification
- Splunk Windows AD Hidden OU Creation
- Splunk Windows AD Object Owner Updated
- Splunk Windows AD Self DACL Assignment
Domain or Tenant Policy Modification: Group Policy Modification T1484.001 15 rules
- Sigma Group Policy Abuse for Privilege Addition
- Elastic Group Policy Abuse for Privilege Addition
- Sigma Modify Group Policy Settings
- Sigma Modify Group Policy Settings - ScriptBlockLogging
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Elastic Scheduled Task Execution at Scale via GPO
- Sigma Startup/Logon Script Added to Group Policy Object
- Elastic Startup/Logon Script added to Group Policy Object
- Splunk Windows AD GPO Deleted
- Splunk Windows AD GPO Disabled
- Splunk Windows AD GPO New CSE Addition
- Sigma Windows Default Domain GPO Modification
- Sigma Windows Default Domain GPO Modification via GPME
- Splunk Windows Default Group Policy Object Modified
- Splunk Windows Group Policy Object Created
Create or Modify System Process T1543 18 rules
- Splunk Clop Ransomware Known Service Name
- Sigma CodeIntegrity - Blocked Driver Load With Revoked Certificate
- Sigma CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- Kusto Query Language COM Event System Loading New DLL
- Sigma KrbRelayUp Service Installation
- Splunk LLM Model File Creation
- Sigma PUA - Process Hacker Driver Load
- Sigma PUA - Process Hacker Execution
- Sigma PUA - System Informer Driver Load
- Sigma PUA - System Informer Execution
- Elastic Remote Windows Service Installed
- Elastic Service Creation via Local Kerberos Authentication
- Sigma Service Installed By Unusual Client - Security
- Sigma Service Installed By Unusual Client - System
- Kusto Query Language SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
- Elastic Suspicious Service was Installed in the System
- Kusto Query Language TEARDROP memory-only dropper
- Elastic Windows Service Installed via an Unusual Client
Create or Modify System Process: Windows Service T1543.003 50 rules
- Sigma Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Sigma CobaltStrike Service Installations - Security
- Sigma CobaltStrike Service Installations - System
- Sigma Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- Sigma Devcon Execution Disabling VMware VMCI Device
- Sigma Driver Load From A Temporary Directory
- Sigma Malicious Driver Load
- Sigma Malicious Driver Load By Name
- Sigma Moriya Rootkit - System
- Sigma New Kernel Driver Via SC.EXE
- Sigma New PDQDeploy Service - Client Side
- Sigma New PDQDeploy Service - Server Side
- Sigma New Service Creation Using PowerShell
- Sigma New Service Creation Using Sc.EXE
- Sigma Potential CobaltStrike Service Installations - Registry
- Sigma Potential Persistence Attempt Via Existing Service Tampering
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma ProcessHacker Privilege Elevation
- Sigma PSEXEC Remote Execution File Artefact
- Sigma PUA - Kernel Driver Utility (KDU) Execution
- Splunk Randomly Generated Windows Service Name
- Sigma Remote Access Tool Services Have Been Installed - Security
- Sigma Remote Access Tool Services Have Been Installed - System
- Elastic Remote Windows Service Installed
- Elastic Service Creation via Local Kerberos Authentication
- Sigma Service Installation in Suspicious Folder
- Sigma Service Installation with Suspicious Folder Pattern
- Sigma ServiceDll Hijack
- Sigma Sliver C2 Default Service Installation
- Sigma Suspicious New Service Creation
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet
- Sigma Suspicious Service Installation
- Sigma Suspicious Service Installation Script
- Sigma Suspicious Service Path Modification
- Elastic Suspicious Service was Installed in the System
- Sigma Sysinternals PsService Execution
- Sigma Sysinternals PsSuspend Execution
- Sigma Uncommon Service Installation Image Path
- Sigma Vulnerable Driver Load
- Sigma Vulnerable Driver Load By Name
- Sigma Vulnerable HackSys Extreme Vulnerable Driver Load
- Sigma Vulnerable WinRing0 Driver Load
- Splunk Windows Bluetooth Service Installed From Uncommon Location
- Splunk Windows KrbRelayUp Service Creation
- Splunk Windows Service Create RemComSvc
- Elastic Windows Service Installed via an Unusual Client
- Splunk Windows Suspicious Driver Loaded Path
- Splunk Windows Vulnerable Driver Installed
- Splunk Windows Vulnerable Driver Loaded
- Splunk XMRIG Driver Loaded
Event Triggered Execution T1546 15 rules
- Kusto Query Language Caramel Tsunami Actor IOC - July 2021
- Sigma COM Hijack via Sdclt
- Sigma Control Panel Items
- Sigma New Outlook Macro Created
- Sigma Outlook Macro Execution Without Warning Setting Enabled
- Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Kusto Query Language SUNBURST and SUPERNOVA backdoor hashes
- Kusto Query Language SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- Kusto Query Language SUNBURST network beacons
- Sigma Suspicious Get-Variable.exe Creation
- Sigma Suspicious Outlook Macro Created
- Elastic Suspicious WMI Event Subscription Created
- Splunk Windows AD AdminSDHolder ACL Modified
- Splunk Windows Compatibility Telemetry Tampering Through Registry
- Kusto Query Language Zinc Actor IOCs files - October 2022
Event Triggered Execution: Change Default File Association T1546.001 6 rules
- Sigma Change Default File Association To Executable Via Assoc
- Sigma Change Default File Association Via Assoc
- Sigma Registry Modification of MS-settings Protocol Handler
- Sigma Shell Open Registry Keys Manipulation
- Sigma Suspicious Shell Open Command Registry Modification
- Splunk Windows New Default File Association Value Set
Event Triggered Execution: Windows Management Instrumentation Event Subscription T1546.003 14 rules
- Splunk Detect WMI Event Subscription Persistence
- Sigma New ActiveScriptEventConsumer Created Via Wmic.EXE
- Sigma Powershell WMI Persistence
- Sigma Suspicious Encoded Scripts in a WMI Consumer
- Elastic Suspicious WMI Event Subscription Created
- Sigma WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
- Sigma WMI Backdoor Exchange Transport Agent
- Sigma WMI Event Subscription
- Splunk WMI Permanent Event Subscription - Sysmon
- Sigma WMI Persistence
- Sigma WMI Persistence - Command Line Event Consumer
- Sigma WMI Persistence - Script Event Consumer
- Sigma WMI Persistence - Script Event Consumer File Write
- Sigma WMI Persistence - Security
Event Triggered Execution: Accessibility Features T1546.008 9 rules
- Kusto Query Language Modification of Accessibility Features
- Splunk Overwriting Accessibility Binaries
- Sigma Persistence Via Sticky Key Backdoor
- Sigma Potential Privilege Escalation Using Symlink Between Osk and Cmd
- Sigma Potential Suspicious Activity Using SeCEdit
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Sticky Key Like Backdoor Execution
- Sigma Sticky Key Like Backdoor Usage - Registry
- Sigma Suspicious Debugger Registration Cmdline
Event Triggered Execution: AppCert DLLs T1546.009 3 rules
- Sigma New DLL Added to AppCertDlls Registry Key
- Kusto Query Language Registry Persistence via AppCert DLL Modification
- Sigma Session Manager Autorun Keys Modification
Event Triggered Execution: AppInit DLLs T1546.010 2 rules
- Sigma New DLL Added to AppInit_DLLs Registry Key
- Kusto Query Language Registry Persistence via AppInit DLLs Modification
Event Triggered Execution: Application Shimming T1546.011 8 rules
- Sigma Potential Persistence Via AppCompat RegisterAppRestart Layer
- Sigma Potential Persistence Via Shim Database In Uncommon Location
- Sigma Potential Persistence Via Shim Database Modification
- Sigma Potential Shim Database Persistence via Sdbinst.EXE
- Splunk Registry Keys for Creating SHIM Databases
- Splunk Shim Database File Creation
- Sigma Suspicious Shim Database Patching Activity
- Sigma Uncommon Extension Shim Database Installation Via Sdbinst.EXE
Event Triggered Execution: Component Object Model Hijacking T1546.015 11 rules
- Sigma COM Hijacking via TreatAs
- Sigma COM Object Hijacking Via Modification Of Default System CLSID Default Value
- Kusto Query Language Component Object Model Hijacking - Vault7 trick
- Sigma Potential COM Object Hijacking Via TreatAs Subkey - Registry
- Sigma Potential Persistence Using DebugPath
- Sigma Potential Persistence Via Scrobj.dll COM Hijacking
- Sigma Potential PSFactoryBuffer COM Hijacking
- Splunk Powershell COM Hijacking InprocServer32 Modification
- Splunk Powershell Execute COM Object
- Sigma Rundll32 Registered COM Objects
- Sigma Suspicious GetTypeFromCLSID ShellExecute
Boot or Logon Autostart Execution T1547 11 rules
- Sigma Atbroker Registry Change
- Kusto Query Language Midnight Blizzard - suspicious rundll32.exe execution of vbscript
- Kusto Query Language Midnight Blizzard - suspicious rundll32.exe execution of vbscript (Normalized Process Events)
- Sigma Potential RipZip Attack on Startup Folder
- Sigma Registry Persistence Mechanisms in Recycle Bin
- Sigma Startup/Logon Script Added to Group Policy Object
- Elastic Startup/Logon Script added to Group Policy Object
- Sigma Suspicious Driver Install by pnputil.exe
- Sigma Suspicious GrpConv Execution
- Splunk Windows Unsigned MS DLL Side-Loading
- Sigma WINEKEY Registry Modification
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 37 rules
- Sigma Classes Autorun Keys Modification
- Sigma Common Autorun Keys Modification
- Sigma CurrentControlSet Autorun Keys Modification
- Sigma CurrentVersion Autorun Keys Modification
- Sigma CurrentVersion NT Autorun Keys Modification
- Sigma Direct Autorun Keys Modification
- Sigma File Creation In Suspicious Directory By Msdt.EXE
- Sigma Internet Explorer Autorun Keys Modification
- Sigma Modify User Shell Folders Startup Value
- Sigma Narrator's Feedback-Hub Persistence
- Sigma New RUN Key Pointing to Suspicious Folder
- Sigma Office Autorun Keys Modification
- Sigma Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Sigma Potential Startup Shortcut Persistence Via PowerShell.EXE
- Sigma Potential Suspicious Activity Using SeCEdit
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Registry Keys Used For Persistence
- Sigma Registry Persistence via Explorer Run Key
- Sigma Session Manager Autorun Keys Modification
- Sigma Startup Folder File Write
- Sigma Suspicious Autorun Registry Modified via WMI
- Sigma Suspicious PowerShell In Registry Run Keys
- Sigma Suspicious Run Key from Download
- Sigma Suspicious Startup Folder Persistence
- Sigma System Scripts Autorun Keys Modification
- Sigma User Shell Folders Registry Modification via CommandLine
- Sigma VBScript Payload Stored in Registry
- Splunk Windows Boot or Logon Autostart Execution In Startup Folder
- Sigma Windows Event Log Access Tampering Via Registry
- Splunk Windows PowerShell MSIX Package Installation
- Splunk Windows Registry BootExecute Modification
- Splunk Windows Registry Modification for Safe Mode Persistence
- Sigma WinRAR Creating Files in Startup Locations
- Sigma WinSock2 Autorun Keys Modification
- Sigma Wow6432Node Classes Autorun Keys Modification
- Sigma Wow6432Node CurrentVersion Autorun Keys Modification
- Sigma Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Boot or Logon Autostart Execution: Security Support Provider T1547.005 2 rules
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Security Support Provider (SSP) Added to LSA Configuration
Abuse Elevation Control Mechanism T1548 11 rules
- Sigma Abused Debug Privilege by Arbitrary Parent Processes
- Splunk Allow Operation with Consent Admin
- Sigma COM Hijack via Sdclt
- Sigma Credential Dumping Attempt Via Svchost
- Sigma Potential Privilege Escalation via Local Kerberos Relay over LDAP
- Sigma Regedit as Trusted Installer
- Sigma SCM Database Privileged Operation
- Sigma UAC Bypass via Windows Firewall Snap-In Hijack
- Splunk Windows Privilege Escalation Suspicious Process Elevation
- Splunk Windows Privilege Escalation System Process Without System Parent
- Splunk Windows Privilege Escalation User Process Spawn System Process
Abuse Elevation Control Mechanism: Bypass User Account Control T1548.002 70 rules
- Sigma Always Install Elevated MSI Spawned Cmd And Powershell
- Sigma Always Install Elevated Windows Installer
- Sigma Bypass UAC Using DelegateExecute
- Sigma Bypass UAC Using SilentCleanup Task
- Sigma Bypass UAC via CMSTP
- Sigma Bypass UAC via Fodhelper.exe
- Sigma Bypass UAC via WSReset.exe
- Sigma CMSTP UAC Bypass via COM Object Access
- Splunk Disable UAC Remote Restriction
- Splunk Disabling Remote User Account Control
- Splunk Eventvwr UAC Bypass
- Sigma Explorer NOUACCHECK Flag
- Sigma Function Call From Undocumented COM Interface EditionUpgradeManager
- Sigma HackTool - Empire PowerShell UAC Bypass
- Sigma HackTool - UACMe Akagi Execution
- Sigma HackTool - WinPwn Execution
- Sigma HackTool - WinPwn Execution - ScriptBlock
- Splunk NET Profiler UAC bypass
- Kusto Query Language Potential Fodhelper UAC Bypass
- Kusto Query Language Potential Fodhelper UAC Bypass (ASIM Version)
- Sigma Potential UAC Bypass Via Sdclt.EXE
- Sigma Potentially Suspicious Event Viewer Child Process
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PowerShell Web Access Feature Enabled Via DISM
- Sigma Registry Modification of MS-settings Protocol Handler
- Sigma Sdclt Child Processes
- Splunk Sdclt UAC Bypass
- Sigma Shell Open Registry Keys Manipulation
- Splunk SilentCleanup UAC Bypass
- Sigma Suspicious Shell Open Command Registry Modification
- Sigma Trusted Path Bypass via Windows Directory Spoofing
- Sigma TrustedPath UAC Bypass Pattern
- Sigma UAC Bypass Abusing Winsat Path Parsing - File
- Sigma UAC Bypass Abusing Winsat Path Parsing - Process
- Sigma UAC Bypass Abusing Winsat Path Parsing - Registry
- Splunk UAC Bypass MMC Load Unsigned Dll
- Sigma UAC Bypass Tools Using ComputerDefaults
- Sigma UAC Bypass Using .NET Code Profiler on MMC
- Sigma UAC Bypass Using ChangePK and SLUI
- Sigma UAC Bypass Using Consent and Comctl32 - File
- Sigma UAC Bypass Using Consent and Comctl32 - Process
- Sigma UAC Bypass Using Disk Cleanup
- Sigma UAC Bypass Using DismHost
- Sigma UAC Bypass Using IDiagnostic Profile
- Sigma UAC Bypass Using IDiagnostic Profile - File
- Sigma UAC Bypass Using IEInstal - File
- Sigma UAC Bypass Using IEInstal - Process
- Sigma UAC Bypass Using Iscsicpl - ImageLoad
- Sigma UAC Bypass Using MSConfig Token Modification - File
- Sigma UAC Bypass Using MSConfig Token Modification - Process
- Sigma UAC Bypass Using NTFS Reparse Point - File
- Sigma UAC Bypass Using NTFS Reparse Point - Process
- Sigma UAC Bypass Using PkgMgr and DISM
- Sigma UAC Bypass Using Windows Media Player - File
- Sigma UAC Bypass Using Windows Media Player - Process
- Sigma UAC Bypass Using Windows Media Player - Registry
- Sigma UAC Bypass Using WOW64 Logger DLL Hijack
- Sigma UAC Bypass via Event Viewer
- Sigma UAC Bypass via ICMLuaUtil
- Sigma UAC Bypass via Sdclt
- Sigma UAC Bypass Via Wsreset
- Sigma UAC Bypass With Fake DLL
- Sigma UAC Bypass WSReset
- Sigma UAC Disabled
- Sigma UAC Notification Disabled
- Sigma UAC Secure Desktop Prompt Disabled
- Splunk Windows ComputerDefaults Spawning a Process
- Splunk Windows DISM Install PowerShell Web Access
- Splunk Windows UAC Bypass Suspicious Escalation Behavior
- Splunk WSReset UAC Bypass
Hijack Execution Flow T1574 7 rules
- Kusto Query Language Detect Suspicious Commands Initiated by Webserver Processes
- Sigma DLL Execution Via Register-cimprovider.exe
- Sigma Potential Initial Access via DLL Search Order Hijacking
- Sigma Potential Registry Persistence Attempt Via DbgManagedDebugger
- Sigma Regsvr32 DLL Execution With Uncommon Extension
- Sigma Suspicious Printer Driver Empty Manufacturer
- Splunk Windows BitDefender Submission Wizard DLL Sideloading
Hijack Execution Flow: DLL T1574.001 91 rules
- Sigma Aruba Network Service Potential DLL Sideloading
- Sigma Creation Of Non-Existent System DLL
- Sigma Creation of WerFault.exe/Wer.dll in Unusual Folder
- Sigma DHCP Callout DLL Installation
- Sigma DHCP Server Error Failed Loading the CallOut DLL
- Sigma DHCP Server Loaded the CallOut DLL
- Sigma DLL Search Order Hijackig Via Additional Space in Path
- Sigma DLL Sideloading by VMware Xfer Utility
- Sigma DLL Sideloading Of ShellChromeAPI.DLL
- Sigma DNS Server Error Failed Loading the ServerLevelPluginDLL
- Sigma Fax Service DLL Search Order Hijack
- Sigma HackTool - Powerup Write Hijack DLL
- Sigma Malicious DLL File Dropped in the Teams or OneDrive Folder
- Sigma Microsoft Defender Blocked from Loading Unsigned DLL
- Sigma Microsoft Office DLL Sideload
- Splunk MSI Module Loaded by Non-System Binary
- Splunk Msmpeng Application DLL Side Loading
- Sigma New DNS ServerLevelPluginDll Installed
- Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- Sigma Potential 7za.DLL Sideloading
- Sigma Potential Antivirus Software DLL Sideloading
- Sigma Potential appverifUI.DLL Sideloading
- Sigma Potential AVKkid.DLL Sideloading
- Sigma Potential Azure Browser SSO Abuse
- Sigma Potential CCleanerDU.DLL Sideloading
- Sigma Potential CCleanerReactivator.DLL Sideloading
- Sigma Potential Chrome Frame Helper DLL Sideloading
- Sigma Potential DLL Sideloading Of DBGCORE.DLL
- Sigma Potential DLL Sideloading Of DBGHELP.DLL
- Sigma Potential DLL Sideloading Of DbgModel.DLL
- Sigma Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Sigma Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
- Sigma Potential DLL Sideloading Of MpSvc.DLL
- Sigma Potential DLL Sideloading Of MsCorSvc.DLL
- Sigma Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Sigma Potential DLL Sideloading Via ClassicExplorer32.dll
- Sigma Potential DLL Sideloading Via comctl32.dll
- Sigma Potential DLL Sideloading Via DeviceEnroller.EXE
- Sigma Potential DLL Sideloading Via JsSchHlp
- Sigma Potential DLL Sideloading Via VMware Xfer
- Sigma Potential EACore.DLL Sideloading
- Sigma Potential Edputil.DLL Sideloading
- Sigma Potential Goopdate.DLL Sideloading
- Sigma Potential Initial Access via DLL Search Order Hijacking
- Sigma Potential Iviewers.DLL Sideloading
- Sigma Potential JLI.dll Side-Loading
- Sigma Potential Libvlc.DLL Sideloading
- Sigma Potential Mfdetours.DLL Sideloading
- Sigma Potential Mpclient.DLL Sideloading
- Sigma Potential Mpclient.DLL Sideloading Via Defender Binaries
- Sigma Potential Python DLL SideLoading
- Sigma Potential Rcdll.DLL Sideloading
- Sigma Potential RjvPlatform.DLL Sideloading From Default Location
- Sigma Potential RjvPlatform.DLL Sideloading From Non-Default Location
- Sigma Potential RoboForm.DLL Sideloading
- Sigma Potential ShellDispatch.DLL Sideloading
- Sigma Potential SmadHook.DLL Sideloading
- Sigma Potential SolidPDFCreator.DLL Sideloading
- Sigma Potential System DLL Sideloading From Non System Locations
- Sigma Potential Vivaldi_elf.DLL Sideloading
- Sigma Potential Waveedit.DLL Sideloading
- Sigma Potential Wazuh Security Platform DLL Sideloading
- Sigma Potential WWlib.DLL Sideloading
- Sigma Potentially Suspicious Child Process of KeyScrambler.exe
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Registry Modification for OCI DLL Redirection
- Sigma Renamed Vmnat.exe Execution
- Sigma Suspicious GUP Usage
- Sigma Suspicious Unsigned Thor Scanner Execution
- Sigma System Control Panel Item Loaded From Uncommon Location
- Sigma Tasks Folder Evasion
- Sigma Third Party Software DLL Sideloading
- Sigma UAC Bypass With Fake DLL
- Sigma Unsigned .node File Loaded
- Sigma Unsigned Binary Loaded From Suspicious Location
- Sigma Unsigned Mfdetours.DLL Sideloading
- Sigma Unsigned Module Loaded by ClickOnce Application
- Sigma VMGuestLib DLL Sideload
- Sigma VMMap Signed Dbghelp.DLL Potential Sideloading
- Sigma VMMap Unsigned Dbghelp.DLL Potential Sideloading
- Splunk Windows DLL Search Order Hijacking Hunt with Sysmon
- Splunk Windows DLL Side-Loading In Calc
- Splunk Windows Hijack Execution Flow Version Dll Side Load
- Splunk Windows Known Abused DLL Created
- Splunk Windows Known Abused DLL Loaded Suspiciously
- Splunk Windows Known GraphicalProton Loaded Modules
- Splunk Windows SqlWriter SQLDumper DLL Sideload
- Splunk Windows Unsigned DLL Side-Loading
- Splunk Windows Unsigned DLL Side-Loading In Same Process Path
- Splunk Windows Unsigned MS DLL Side-Loading
- Sigma Xwizard.EXE Execution From Non-Default Location
Hijack Execution Flow: Dylib Hijacking T1574.004 1 rule
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Hijack Execution Flow: Path Interception by Search Order Hijacking T1574.008 2 rules
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Using SettingSyncHost.exe as LOLBin
Hijack Execution Flow: Path Interception by Unquoted Path T1574.009 1 rule
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Hijack Execution Flow: Services Registry Permissions Weakness T1574.011 12 rules
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Sigma Changing Existing Service ImagePath Value Via Reg.EXE
- Sigma Possible Privilege Escalation via Weak Service Permissions
- Sigma Potential Persistence Attempt Via Existing Service Tampering
- Sigma Potential Privilege Escalation via Service Permissions Weakness
- Sigma Service DACL Abuse To Hide Services Via Sc.EXE
- Sigma Service Registry Key Read Access Request
- Sigma Service Registry Permissions Weakness Check
- Sigma Service Security Descriptor Tampering Via Sc.EXE
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
- Splunk Windows Service Creation Using Registry Entry
Escape to Host T1611 1 rule
- Kusto Query Language Oracle suspicious command execution
Defense Evasion
Direct Volume Access T1006 1 rule
Rootkit T1014 2 rules
Obfuscated Files or Information T1027 106 rules
- Sigma Base64 Encoded PowerShell Command Detected
- Kusto Query Language Base64 encoded Windows process command-lines (Normalized Process Events)
- Sigma Certificate Exported Via Certutil.EXE
- Sigma ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Elastic Dynamic IEX Reconstruction via Method String Access
- Sigma File Decoded From Base64/Hex Via Certutil.EXE
- Sigma File Encoded To Base64 Via Certutil.EXE
- Sigma File In Suspicious Location Encoded To Base64 Via Certutil.EXE
- Kusto Query Language Ingress Tool Transfer - Certutil
- Sigma Invoke-Obfuscation CLIP+ Launcher
- Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell
- Sigma Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
- Sigma Invoke-Obfuscation CLIP+ Launcher - Security
- Sigma Invoke-Obfuscation CLIP+ Launcher - System
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - Security
- Sigma Invoke-Obfuscation COMPRESS OBFUSCATION - System
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - Security
- Sigma Invoke-Obfuscation Obfuscated IEX Invocation - System
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - Security
- Sigma Invoke-Obfuscation RUNDLL LAUNCHER - System
- Sigma Invoke-Obfuscation STDIN+ Launcher
- Sigma Invoke-Obfuscation STDIN+ Launcher - Powershell
- Sigma Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
- Sigma Invoke-Obfuscation STDIN+ Launcher - Security
- Sigma Invoke-Obfuscation STDIN+ Launcher - System
- Sigma Invoke-Obfuscation VAR+ Launcher
- Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell
- Sigma Invoke-Obfuscation VAR+ Launcher - PowerShell Module
- Sigma Invoke-Obfuscation VAR+ Launcher - Security
- Sigma Invoke-Obfuscation VAR+ Launcher - System
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
- Sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
- Sigma Invoke-Obfuscation Via Stdin
- Sigma Invoke-Obfuscation Via Stdin - Powershell
- Sigma Invoke-Obfuscation Via Stdin - PowerShell Module
- Sigma Invoke-Obfuscation Via Stdin - Security
- Sigma Invoke-Obfuscation Via Stdin - System
- Sigma Invoke-Obfuscation Via Use Clip
- Sigma Invoke-Obfuscation Via Use Clip - Powershell
- Sigma Invoke-Obfuscation Via Use Clip - PowerShell Module
- Sigma Invoke-Obfuscation Via Use Clip - Security
- Sigma Invoke-Obfuscation Via Use Clip - System
- Sigma Invoke-Obfuscation Via Use MSHTA
- Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell
- Sigma Invoke-Obfuscation Via Use MSHTA - PowerShell Module
- Sigma Invoke-Obfuscation Via Use MSHTA - Security
- Sigma Invoke-Obfuscation Via Use MSHTA - System
- Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell
- Sigma Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
- Sigma Invoke-Obfuscation Via Use Rundll32 - Security
- Sigma Invoke-Obfuscation Via Use Rundll32 - System
- Kusto Query Language NRT Base64 Encoded Windows Process Command-lines
- Kusto Query Language NRT Process executed from binary hidden in Base64 encoded file
- Sigma Password Protected ZIP File Opened
- Sigma Password Protected ZIP File Opened (Email Attachment)
- Sigma Password Protected ZIP File Opened (Suspicious Filenames)
- Sigma Ping Hex IP
- Sigma Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
- Elastic Potential Dynamic IEX Reconstruction via Environment Variables
- Sigma Potential Encoded PowerShell Patterns In CommandLine
- Sigma Potential PowerShell Command Line Obfuscation
- Sigma Potential PowerShell Obfuscation Using Alias Cmdlets
- Sigma Potential PowerShell Obfuscation Using Character Join
- Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
- Elastic Potential PowerShell Obfuscation via Character Array Reconstruction
- Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
- Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion
- Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences
- Elastic Potential PowerShell Obfuscation via Reverse Keywords
- Sigma Potential PowerShell Obfuscation Via Reversed Commands
- Elastic Potential PowerShell Obfuscation via Special Character Overuse
- Elastic Potential PowerShell Obfuscation via String Concatenation
- Elastic Potential PowerShell Obfuscation via String Reordering
- Sigma Potential PowerShell Obfuscation Via WCHAR/CHAR
- Sigma Potential Winnti Dropper Activity
- Sigma PowerShell Base64 Encoded Invoke Keyword
- Sigma PowerShell Base64 Encoded Reflective Assembly Load
- Sigma PowerShell Base64 Encoded WMI Classes
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Powershell Fileless Script Contains Base64 Encoded Content
- Elastic PowerShell Obfuscation via Negative Index String Reversal
- Sigma PUA - Potential PE Metadata Tamper Using Rcedit
- Sigma Renamed AutoIt Execution
- Sigma Suspicious Download Via Certutil.EXE
- Sigma Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
- Sigma Suspicious File Downloaded From Direct IP Via Certutil.EXE
- Sigma Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Sigma Suspicious File Encoded To Base64 Via Certutil.EXE
- Sigma Suspicious Get-Variable.exe Creation
- Sigma Suspicious SYSTEM User Process Creation
- Sigma Suspicious XOR Encoded PowerShell Command
- Kusto Query Language TEARDROP memory-only dropper
- Splunk Wermgr Process Create Executable File
- Splunk Windows Snake Malware File Modification Crmlog
- Splunk Windows TinyCC Shellcode Execution
Obfuscated Files or Information: Command Obfuscation T1027.010 19 rules
- Elastic Dynamic IEX Reconstruction via Method String Access
- Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM
- Elastic Potential Dynamic IEX Reconstruction via Environment Variables
- Sigma Potential Obfuscated Ordinal Call Via Rundll32
- Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
- Elastic Potential PowerShell Obfuscation via Character Array Reconstruction
- Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
- Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion
- Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences
- Elastic Potential PowerShell Obfuscation via Reverse Keywords
- Elastic Potential PowerShell Obfuscation via Special Character Overuse
- Elastic Potential PowerShell Obfuscation via String Concatenation
- Elastic Potential PowerShell Obfuscation via String Reordering
- Elastic PowerShell Obfuscation via Negative Index String Reversal
- Sigma Python One-Liners with Base64 Decoding
- Sigma Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
- Sigma Suspicious Space Characters in RunMRU Registry Path - ClickFix
- Sigma Suspicious Space Characters in TypedPaths Registry Path - FileFix
- Sigma Suspicious Usage of For Loop with Recursive Directory Search in CMD
Masquerading T1036 49 rules
- Kusto Query Language Certified Pre-Owned - backup of CA private key - rule 1
- Kusto Query Language Certified Pre-Owned - backup of CA private key - rule 2
- Kusto Query Language Certified Pre-Owned - TGTs requested with certificate authentication
- Sigma CodePage Modification Via MODE.COM To Russian Language
- Sigma CreateDump Process Dump
- Sigma DumpMinitool Execution
- Splunk Executables Or Script Creation In Suspicious Path
- Splunk Executables Or Script Creation In Temp Path
- Sigma Explorer Process Tree Break
- Sigma Findstr Launching .lnk File
- Sigma Forfiles.EXE Child Process Masquerading
- Sigma HackTool - XORDump Execution
- Sigma New or Renamed User Account with '$' Character
- Sigma New Process Created Via Taskmgr.EXE
- Sigma Password Protected ZIP File Opened (Suspicious Filenames)
- Sigma Potential Command Line Path Traversal Evasion Attempt
- Elastic Potential Credential Access via Renamed COM+ Services DLL
- Sigma Potential Fake Instance Of Hxtsr.EXE Executed
- Sigma Potential Homoglyph Attack Using Lookalike Characters
- Sigma Potential Homoglyph Attack Using Lookalike Characters in Filename
- Sigma Potential LSASS Process Dump Via Procdump
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Kusto Query Language Potential re-named sdelete usage
- Kusto Query Language Potential re-named sdelete usage (ASIM Version)
- Sigma Potential ReflectDebugger Content Execution Via WerFault.EXE
- Sigma Potential SysInternals ProcDump Evasion
- Sigma Procdump Execution
- Sigma Process Execution From A Potentially Suspicious Folder
- Sigma Process Memory Dump Via Comsvcs.DLL
- Sigma PUA - Potential PE Metadata Tamper Using Rcedit
- Sigma Renamed CreateDump Utility Execution
- Sigma Renamed Plink Execution
- Sigma Renamed ZOHO Dctask64 Execution
- Sigma Sdiagnhost Calling Suspicious Child Process
- Sigma Suspicious Calculator Usage
- Sigma Suspicious Child Process Of Wermgr.EXE
- Sigma Suspicious CodePage Switch Via CHCP
- Sigma Suspicious DumpMinitool Execution
- Sigma Suspicious MSDT Parent Process
- Sigma Suspicious Process Parents
- Sigma Suspicious Process Start Locations
- Sigma Suspicious Windows Update Agent Empty Cmdline
- Splunk Suspicious writes to windows Recycle Bin
- Sigma System File Execution Location Anomaly
- Sigma Taskmgr as LOCAL_SYSTEM
- Sigma Windows Binaries Write Suspicious Extensions
- Splunk Windows Bluetooth Service Installed From Uncommon Location
- Splunk Windows NetSupport RMM DLL Loaded By Uncommon Process
- Splunk Windows TinyCC Shellcode Execution
Masquerading: Rename Legitimate Utilities T1036.003 26 rules
- Sigma File Download Via Bitsadmin
- Sigma File Download Via Bitsadmin To A Suspicious Target Folder
- Sigma File With Suspicious Extension Downloaded Via Bitsadmin
- Sigma LOL-Binary Copied From System Directory
- Elastic Potential Credential Access via Renamed COM+ Services DLL
- Sigma Potential Defense Evasion Via Binary Rename
- Sigma Potential Defense Evasion Via Rename Of Highly Relevant Binaries
- Sigma Potential Homoglyph Attack Using Lookalike Characters
- Sigma Potential Homoglyph Attack Using Lookalike Characters in Filename
- Sigma Potential PendingFileRenameOperations Tampering
- Sigma Potential WerFault ReflectDebugger Registry Value Abuse
- Sigma PUA - Potential PE Metadata Tamper Using Rcedit
- Sigma Remote Access Tool - Renamed MeshAgent Execution - Windows
- Sigma Renamed BrowserCore.EXE Execution
- Sigma Renamed Jusched.EXE Execution
- Sigma Renamed Msdt.EXE Execution
- Sigma Renamed Office Binary Execution
- Sigma Renamed Powershell Under Powershell Channel
- Sigma Renamed ProcDump Execution
- Sigma Renamed Schtasks Execution
- Sigma Suspicious Copy From or To System Directory
- Sigma Suspicious Download From Direct IP Via Bitsadmin
- Sigma Suspicious Download From File-Sharing Website Via Bitsadmin
- Sigma Suspicious Start-Process PassThru
- Sigma Windows Processes Suspicious Parent Directory
- Splunk Windows Renamed Powershell Execution
Masquerading: Match Legitimate Resource Name or Location T1036.005 14 rules
- Sigma Files With System DLL Name In Unsuspected Locations
- Sigma Files With System Process Name In Unsuspected Locations
- Kusto Query Language Match Legitimate Name or Location - 2
- Sigma Potential Binary Impersonating Sysinternals Tools
- Sigma Potential MsiExec Masquerading
- Sigma Scheduled Task Creation Masquerading as System Processes
- Sigma Suspicious Files in Default GPO Folder
- Sigma Suspicious Process Masquerading As SvcHost.EXE
- Sigma Suspicious Scheduled Task Creation via Masqueraded XML File
- Sigma Uncommon Svchost Command Line Parameter
- Sigma Uncommon Svchost Parent Process
- Sigma Unsigned .node File Loaded
- Splunk Windows LOLBAS Executed Outside Expected Path
- Sigma Windows Processes Suspicious Parent Directory
Process Injection T1055 43 rules
- Sigma CobaltStrike Named Pipe
- Sigma CobaltStrike Named Pipe Pattern Regex
- Sigma CobaltStrike Named Pipe Patterns
- Splunk Create Remote Thread In Shell Application
- Sigma Created Files by Microsoft Sync Center
- Splunk DLLHost with no Command Line Arguments with Network
- Sigma Dllhost.EXE Execution Anomaly
- Sigma DotNet CLR DLL Loaded By Scripting Applications
- Splunk GPUpdate with no Command Line Arguments with Network
- Sigma HackTool - CoercedPotato Execution
- Sigma HackTool - CoercedPotato Named Pipe Creation
- Sigma HackTool - DInjector PowerShell Cradle Execution
- Sigma HackTool - EfsPotato Named Pipe Creation
- Sigma Malicious Named Pipe Created
- Sigma Microsoft Sync Center Suspicious Network Connections
- Sigma Network Connection Initiated Via Notepad.EXE
- Sigma Potential DLL Sideloading Using Coregen.exe
- Sigma Potential Process Injection Via Msra.EXE
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Powershell Fileless Process Injection via GetProcAddress
- Splunk Powershell Remote Thread To Known Windows Process
- Sigma PowerShell ShellCode
- Sigma Process Creation Using Sysnative Folder
- Elastic Process Injection by the Microsoft Build Engine
- Sigma Rare Remote Thread Creation By Uncommon Source Image
- Sigma Remote Thread Creation By Uncommon Source Image
- Splunk Rundll32 Create Remote Thread To A Process
- Splunk Rundll32 CreateRemoteThread In Browser
- Splunk SearchProtocolHost with no Command Line with Network
- Kusto Query Language Solorigate Named Pipe
- Sigma Suspect Svchost Activity
- Sigma Suspicious Child Process Of Wermgr.EXE
- Kusto Query Language Suspicious named pipes
- Elastic Suspicious Process Access via Direct System Call
- Elastic Suspicious Process Creation CallTrace
- Sigma Suspicious Rundll32 Invoking Inline VBScript
- Sigma Suspicious Userinit Child Process
- Splunk Trickbot Named Pipe
- Sigma Uncommon Svchost Command Line Parameter
- Splunk Windows PUA Named Pipe
- Splunk Windows RMM Named Pipe
- Splunk Windows Suspicious C2 Named Pipe
- Splunk Windows Suspicious Named Pipe
Process Injection: Dynamic-link Library Injection T1055.001 8 rules
- Sigma HackTool - Potential CobaltStrike Process Injection
- Splunk Loading Of Dynwrapx Module
- Sigma ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
- Sigma Mavinject Inject DLL Into Running Process
- Sigma Potential DLL Injection Or Execution Using Tracker.exe
- Sigma Renamed Mavinject.EXE Execution
- Sigma Renamed ZOHO Dctask64 Execution
- Splunk Windows Process Injection Of Wermgr to Known Browser
Indicator Removal T1070 24 rules
- Kusto Query Language Clearing of forensic evidence from event logs using wevtutil
- Sigma Clearing Windows Console History
- Sigma Disable of ETW Trace - Powershell
- Sigma DLL Load By System Process From Suspicious Locations
- Sigma ETW Trace Evasion Activity
- Sigma EventLog EVTX File Deleted
- Sigma Exchange PowerShell Cmdlet History Deleted
- Sigma Filter Driver Unloaded Via Fltmc.EXE
- Sigma Fsutil Suspicious Invocation
- Sigma IIS WebServer Access Logs Deleted
- Sigma IIS WebServer Log Deletion via CommandLine Utilities
- Kusto Query Language NRT Security Event log cleared
- Sigma Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
- Elastic Potential Timestomp in Executable Files
- Sigma PowerShell Console History Logs Deleted
- Splunk Process Deleting Its Process File Path
- Kusto Query Language Qakbot Campaign Self Deletion
- Kusto Query Language Security Event log cleared
- Elastic Sensitive Audit Policy Sub-Category Disabled
- Sigma Shadow Copies Deletion Using Operating Systems Utilities
- Sigma Sysmon Driver Unloaded Via Fltmc.EXE
- Sigma Terminal Server Client Connection History Cleared - Registry
- Sigma Tomcat WebServer Logs Deleted
- Elastic Windows Event Logs Cleared
Indicator Removal: Clear Windows Event Logs T1070.001 10 rules
- Sigma Eventlog Cleared
- Sigma Important Windows Eventlog Cleared
- Sigma Security Eventlog Cleared
- Elastic Sensitive Audit Policy Sub-Category Disabled
- Sigma Suspicious Eventlog Clear
- Sigma Suspicious Eventlog Clearing or Configuration Change Activity
- Sigma Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
- Splunk Windows Event Log Cleared
- Splunk Windows Event Logging Service Has Shutdown
- Elastic Windows Event Logs Cleared
Indicator Removal: Clear Command History T1070.003 9 rules
- Sigma Clear PowerShell History - PowerShell
- Sigma Clear PowerShell History - PowerShell Module
- Sigma Clearing Windows Console History
- Sigma Disable Powershell Command History
- Sigma RunMRU Registry Key Deletion
- Sigma RunMRU Registry Key Deletion - Registry
- Sigma Suspicious IO.FileStream
- Splunk Windows ConsoleHost History File Deletion
- Splunk Windows Powershell History File Deletion
Indicator Removal: File Deletion T1070.004 15 rules
- Sigma ADS Zone.Identifier Deleted By Uncommon Application
- Sigma Backup Catalog Deleted
- Sigma Directory Removal Via Rmdir
- Sigma File Deleted Via Sysinternals SDelete
- Sigma File Deletion Via Del
- Sigma Greedy File Deletion Using Del
- Sigma Potential Secure Deletion with SDelete
- Sigma Potentially Suspicious Ping/Copy Command Combination
- Sigma Prefetch File Deleted
- Sigma Suspicious Ping/Del Command Combination
- Sigma TeamViewer Log File Deleted
- Splunk Windows Default Rdp File Deletion
- Splunk Windows Rdp AutomaticDestinations Deletion
- Splunk Windows RDP Cache File Deletion
- Splunk Windows RDP Server Registry Deletion
Indicator Removal: Timestomp T1070.006 4 rules
- Elastic Potential Timestomp in Executable Files
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Powershell Timestomp
- Sigma Unauthorized System Time Modification
Valid Accounts T1078 35 rules
- Elastic Access to a Sensitive LDAP Attribute
- Sigma Account Tampering - Suspicious Failed Logon Reasons
- Elastic AdminSDHolder Backdoor
- Kusto Query Language AdminSDHolder Modifications
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Delegated Managed Service Account Modification by an Unusual User
- Elastic dMSA Account Creation by an Unusual User
- Kusto Query Language EatonForeseer - Unauthorized Logins
- Kusto Query Language Email access via active sync
- Sigma External Remote RDP Logon from Public IP
- Sigma External Remote SMB Logon from Public IP
- Sigma Failed Logon From Public IP
- Elastic FirstTime Seen Account Performing DCSync
- Elastic Kerberos Pre-authentication Disabled for User
- Kusto Query Language New user created and added to the built-in administrators group
- Sigma Password Provided In Command Line Of Net.EXE
- Elastic Potential Account Takeover - Logon from New Source IP
- Elastic Potential Account Takeover - Mixed Logon Types
- Elastic Potential Credential Access via DCSync
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Elastic Remote Computer Account DnsHostName Update
- Kusto Query Language Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- Sigma Suspicious Computer Machine Password by PowerShell
- Sigma Suspicious Remote Logon with Explicit Credentials
- Splunk Unusual Number of Computer Service Tickets Requested
- Splunk Unusual Number of Remote Endpoint Authentication Events
- Kusto Query Language User account added to built in domain local or global group
- Kusto Query Language User account created and deleted within 10 mins
- Kusto Query Language User account enabled and disabled within 10 mins
- Sigma User Added to Local Administrator Group
- Kusto Query Language User login from different countries within 3 hours (Uses Authentication Normalization)
- Splunk Windows Large Number of Computer Service Tickets Requested
- Splunk Windows Multiple Account Passwords Changed
- Splunk Windows Multiple Accounts Deleted
- Splunk Windows Multiple Accounts Disabled
Valid Accounts: Domain Accounts T1078.002 19 rules
- Elastic Access to a Sensitive LDAP Attribute
- Sigma Admin User Remote Logon
- Elastic AdminSDHolder Backdoor
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Delegated Managed Service Account Modification by an Unusual User
- Elastic dMSA Account Creation by an Unusual User
- Sigma DMSA Link Attributes Modified
- Sigma DMSA Service Account Created in Specific OUs - PowerShell
- Elastic FirstTime Seen Account Performing DCSync
- Elastic Kerberos Pre-authentication Disabled for User
- Sigma New DMSA Service Account Created in Specific OUs
- Elastic Potential Credential Access via DCSync
- Elastic Potential Privileged Escalation via SamAccountName Spoofing
- Elastic Remote Computer Account DnsHostName Update
- Splunk Suspicious Computer Account Name Change
- Splunk Suspicious Kerberos Service Ticket Request
- Splunk Suspicious Ticket Granting Ticket Request
- Splunk Windows Group Policy Object Created
- Splunk Windows PowerView AD Access Control List Enumeration
Valid Accounts: Local Accounts T1078.003 2 rules
- Sigma Admin User Remote Logon
- Splunk Short Lived Windows Accounts
Modify Registry T1112 149 rules
- Sigma Activate Suppression of Windows Security Center Notifications
- Sigma Add DisallowRun Execution to Registry
- Sigma Allow RDP Remote Assistance Feature
- Sigma Change the Fax Dll
- Sigma Change User Account Associated with the FAX Service
- Sigma ClickOnce Trust Prompt Tampering
- Sigma CrashControl CrashDump Disabled
- Sigma DHCP Callout DLL Installation
- Sigma Disable Internal Tools or Feature in Registry
- Splunk Disable Registry Tool
- Sigma Disable Security Events Logging Adding Reg Key MiniNt
- Splunk Disable Security Logs Using MiniNt Registry
- Splunk Disable Show Hidden Files
- Splunk Disable Windows App Hotkeys
- Sigma Disable Windows Security Center Notifications
- Splunk Disabling CMD Application
- Splunk Disabling ControlPanel
- Splunk Disabling NoRun Windows App
- Sigma DNS-over-HTTPS Enabled by Registry
- Sigma Enable LM Hash Storage
- Sigma Enable LM Hash Storage - ProcCreation
- Splunk Enable WDigest UseLogonCredential Registry
- Sigma ETW Logging Disabled For rpcrt4.dll
- Sigma ETW Logging Disabled For SCM
- Sigma ETW Logging Disabled In .NET Processes - Registry
- Sigma ETW Logging Disabled In .NET Processes - Sysmon Registry
- Sigma Imports Registry Key From a File
- Sigma Imports Registry Key From an ADS
- Sigma Macro Enabled In A Potentially Suspicious Document
- Splunk Malicious InProcServer32 Modification
- Sigma Modification of IE Registry Settings
- Sigma NET NGenAssemblyUsageLog Registry Key Tamper
- Sigma NetNTLM Downgrade Attack
- Sigma NetNTLM Downgrade Attack - Registry
- Sigma New BgInfo.EXE Custom DB Path Registry Configuration
- Sigma New BgInfo.EXE Custom VBScript Registry Configuration
- Sigma New BgInfo.EXE Custom WMI Query Registry Configuration
- Sigma New DNS ServerLevelPluginDll Installed
- Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- Sigma Non-privileged Usage of Reg or Powershell
- Sigma Office Macros Warning Disabled
- Sigma Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
- Sigma Potential Persistence Via Custom Protocol Handler
- Sigma Potential Persistence Via Event Viewer Events.asp
- Sigma Potential Persistence Via Outlook Home Page
- Sigma Potential Persistence Via Outlook Today Page
- Sigma Potential Qakbot Registry Activity
- Sigma Potential Suspicious Registry File Imported Via Reg.EXE
- Sigma Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Sigma Potentially Suspicious Desktop Background Change Using Reg.EXE
- Sigma Potentially Suspicious Desktop Background Change Via Registry
- Sigma PowerShell Logging Disabled Via Registry Key Tampering
- Sigma RDP Sensitive Settings Changed
- Sigma RDP Sensitive Settings Changed to Zero
- Sigma RedMimicry Winnti Playbook Registry Manipulation
- Sigma Reg Add Suspicious Paths
- Sigma Registry Entries For Azorult Malware
- Sigma Registry Explorer Policy Modification
- Sigma Registry Hide Function from User
- Sigma Registry Manipulation via WMI Stdregprov
- Sigma Registry Modification Attempt Via VBScript
- Sigma Registry Modification Attempt Via VBScript - PowerShell
- Sigma Registry Modification for OCI DLL Redirection
- Sigma Registry Modification of MS-settings Protocol Handler
- Sigma Registry Modification Via Regini.EXE
- Sigma Registry Tampering by Potentially Suspicious Processes
- Splunk Remcos client registry install entry
- Sigma Removal of Potential COM Hijacking Registry Keys
- Sigma RestrictedAdminMode Registry Value Tampering
- Sigma RestrictedAdminMode Registry Value Tampering - ProcCreation
- Splunk Revil Registry Entry
- Sigma Run Once Task Configuration in Registry
- Sigma Run Once Task Execution as Configured in Registry
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Process
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Registry Set
- Sigma Service Binary in Suspicious Folder
- Sigma ShimCache Flush
- Sigma Suspicious Registry Modification From ADS Via Regini.EXE
- Sigma Suspicious VBoxDrvInst.exe Parameters
- Sigma Sysmon Channel Reference Deletion
- Sigma Terminal Server Client Connection History Cleared - Registry
- Sigma Trust Access Disable For VBApplications
- Sigma Uncommon Microsoft Office Trusted Location Added
- Sigma User Shell Folders Registry Modification via CommandLine
- Sigma Wdigest CredGuard Registry Modification
- Sigma Wdigest Enable UseLogonCredential
- Splunk Windows Defender ASR Registry Modification
- Splunk Windows Defender ASR Rule Disabled
- Splunk Windows Deleted Registry By A Non Critical Process File Path
- Splunk Windows Disable Change Password Through Registry
- Splunk Windows Disable Lock Workstation Feature Through Registry
- Splunk Windows Disable LogOff Button Through Registry
- Splunk Windows Disable Notification Center
- Splunk Windows Disable Shutdown Button Through Registry
- Splunk Windows Disable Windows Group Policy Features Through Registry
- Sigma Windows Event Log Access Tampering Via Registry
- Splunk Windows Hide Notification Features Through Registry
- Splunk Windows Impair Defenses Disable AV AutoStart via Registry
- Splunk Windows InProcServer32 New Outlook Form
- Splunk Windows Modify Registry AuthenticationLevelOverride
- Splunk Windows Modify Registry Auto Minor Updates
- Splunk Windows Modify Registry Auto Update Notif
- Splunk Windows Modify Registry Configure BitLocker
- Splunk Windows Modify Registry Default Icon Setting
- Splunk Windows Modify Registry Delete Firewall Rules
- Splunk Windows Modify Registry Disable RDP
- Splunk Windows Modify Registry Disable Restricted Admin
- Splunk Windows Modify Registry Disable Toast Notifications
- Splunk Windows Modify Registry Disable Win Defender Raw Write Notif
- Splunk Windows Modify Registry Disable WinDefender Notifications
- Splunk Windows Modify Registry Disable Windows Security Center Notif
- Splunk Windows Modify Registry DisableRemoteDesktopAntiAlias
- Splunk Windows Modify Registry DisableSecuritySettings
- Splunk Windows Modify Registry Disabling WER Settings
- Splunk Windows Modify Registry DisAllow Windows App
- Splunk Windows Modify Registry Do Not Connect To Win Update
- Splunk Windows Modify Registry DontShowUI
- Splunk Windows Modify Registry EnableLinkedConnections
- Splunk Windows Modify Registry LongPathsEnabled
- Splunk Windows Modify Registry MaxConnectionPerServer
- Splunk Windows Modify Registry No Auto Reboot With Logon User
- Splunk Windows Modify Registry No Auto Update
- Splunk Windows Modify Registry NoChangingWallPaper
- Splunk Windows Modify Registry on Smart Card Group Policy
- Splunk Windows Modify Registry ProxyEnable
- Splunk Windows Modify Registry ProxyServer
- Splunk Windows Modify Registry Qakbot Binary Data Registry
- Splunk Windows Modify Registry Suppress Win Defender Notif
- Splunk Windows Modify Registry Tamper Protection
- Splunk Windows Modify Registry to Add or Modify Firewall Rule
- Splunk Windows Modify Registry UpdateServiceUrlAlternate
- Splunk Windows Modify Registry USeWuServer
- Splunk Windows Modify Registry Utilize ProgIDs
- Splunk Windows Modify Registry ValleyRAT C2 Config
- Splunk Windows Modify Registry ValleyRat PWN Reg Entry
- Splunk Windows Modify Registry With MD5 Reg Key Name
- Splunk Windows Modify Registry WuServer
- Splunk Windows Modify Registry wuStatusServer
- Splunk Windows Modify Show Compress Color And Info Tip Registry
- Splunk Windows New InProcServer32 Added
- Splunk Windows Outlook Dialogs Disabled from Unusual Process
- Splunk Windows Outlook LoadMacroProviderOnBoot Persistence
- Splunk Windows Outlook WebView Registry Modification
- Splunk Windows Routing and Remote Access Service Registry Key Change
- Splunk Windows RunMRU Registry Key or Value Deleted
- Splunk Windows Set Network Profile Category to Private via Registry
- Splunk Windows Snake Malware Registry Modification wav OpenWithProgIds
- Splunk Windows SnappyBee Create Test Registry
- Sigma Winlogon AllowMultipleTSSessions Enable
Trusted Developer Utilities Proxy Execution T1127 22 rules
- Sigma AspNetCompiler Execution
- Sigma C# IL Code Compilation Via Ilasm.EXE
- Sigma Detection of PowerShell Execution via Sqlps.exe
- Splunk ETW Registry Disabled
- Sigma JScript Compiler Execution
- Sigma Kavremover Dropped Binary LOLBIN Usage
- Sigma Node Process Executions
- Sigma Potential Arbitrary Code Execution Via Node.EXE
- Sigma Potential Binary Proxy Execution Via Cdb.EXE
- Sigma Potential Mftrace.EXE Abuse
- Sigma Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
- Elastic Process Injection by the Microsoft Build Engine
- Sigma Remote Thread Creation Ttdinject.exe Proxy
- Sigma SQL Client Tools PowerShell Session Detection
- Sigma Suspicious Child Process of AspNetCompiler
- Sigma Suspicious File Created by ArcSOC.exe
- Sigma Suspicious Use of CSharp Interactive Console
- Kusto Query Language Trusted Developer Utilities Proxy Execution
- Sigma Use of Remote.exe
- Sigma Use of TTDInject.exe
- Sigma Use of VSIISExeLauncher.exe
- Sigma Use of Wfc.exe
Trusted Developer Utilities Proxy Execution: MSBuild T1127.001 3 rules
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Elastic Process Injection by the Microsoft Build Engine
- Sigma Silenttrinity Stager Msbuild Activity
Access Token Manipulation T1134 12 rules
- Sigma HackTool - NoFilter Execution
- Kusto Query Language Possible Resource-Based Constrained Delegation Abuse
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Elastic Privilege Escalation via Rogue Named Pipe Impersonation
- Elastic Process Creation via Secondary Logon
- Elastic SeDebugPrivilege Enabled by a Suspicious Process
- Kusto Query Language Service Principal Name (SPN) Assigned to User Account
- Elastic Suspicious SeIncreaseBasePriorityPrivilege Use
- Sigma Suspicious SYSTEM User Process Creation
- Splunk Windows Privilege Escalation Suspicious Process Elevation
- Splunk Windows Privilege Escalation System Process Without System Parent
- Splunk Windows Privilege Escalation User Process Spawn System Process
Access Token Manipulation: Token Impersonation/Theft T1134.001 13 rules
- Sigma HackTool - Impersonate Execution
- Sigma HackTool - Koh Default Named Pipe
- Sigma HackTool - NoFilter Execution
- Sigma HackTool - SharpDPAPI Execution
- Sigma HackTool - SharpImpersonation Execution
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System
- Sigma Potential Access Token Abuse
- Sigma Potential Meterpreter/CobaltStrike Activity
- Elastic Privilege Escalation via Rogue Named Pipe Impersonation
- Splunk Windows Access Token Manipulation Winlogon Duplicate Token Handle
- Splunk Windows Access Token Winlogon Duplicate Handle In Uncommon Path
- Splunk Windows Handle Duplication in Known UAC-Bypass Binaries
Access Token Manipulation: Create Process with Token T1134.002 9 rules
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- Sigma Meterpreter or Cobalt Strike Getsystem Service Installation - System
- Sigma Potential Meterpreter/CobaltStrike Activity
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Elastic Process Creation via Secondary Logon
- Sigma PUA - AdvancedRun Execution
- Sigma PUA - AdvancedRun Suspicious Execution
- Sigma Suspicious Child Process Created as System
- Splunk Windows Access Token Manipulation SeDebugPrivilege
Access Token Manipulation: SID-History Injection T1134.005 6 rules
- Sigma Addition of SID History to Active Directory Object
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Windows AD Cross Domain SID History Addition
- Splunk Windows AD Privileged Account SID History Addition
- Splunk Windows AD Same Domain SID History Addition
- Splunk Windows AD SID History Attribute Modified
Deobfuscate/Decode Files or Information T1140 25 rules
- Sigma Base64 Encoded PowerShell Command Detected
- Kusto Query Language Base64 encoded Windows process command-lines (Normalized Process Events)
- Sigma DNS-over-HTTPS Enabled by Registry
- Elastic Dynamic IEX Reconstruction via Method String Access
- Kusto Query Language Ingress Tool Transfer - Certutil
- Sigma MSHTA Execution with Suspicious File Extensions
- Kusto Query Language NRT Base64 Encoded Windows Process Command-lines
- Kusto Query Language NRT Process executed from binary hidden in Base64 encoded file
- Sigma Ping Hex IP
- Sigma Potential Commandline Obfuscation Using Escape Characters
- Elastic Potential Dynamic IEX Reconstruction via Environment Variables
- Elastic Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
- Elastic Potential PowerShell Obfuscation via Character Array Reconstruction
- Elastic Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
- Elastic Potential PowerShell Obfuscation via High Numeric Character Proportion
- Elastic Potential PowerShell Obfuscation via Invalid Escape Sequences
- Elastic Potential PowerShell Obfuscation via Reverse Keywords
- Elastic Potential PowerShell Obfuscation via Special Character Overuse
- Elastic Potential PowerShell Obfuscation via String Concatenation
- Elastic Potential PowerShell Obfuscation via String Reordering
- Sigma PowerShell Base64 Encoded FromBase64String Cmdlet
- Sigma PowerShell Decompress Commands
- Elastic PowerShell Obfuscation via Negative Index String Reversal
- Kusto Query Language Qakbot Discovery Activies
- Sigma Suspicious XOR Encoded PowerShell Command
BITS Jobs T1197 14 rules
- Sigma BITS Transfer Job Download From Direct IP
- Sigma BITS Transfer Job Download From File Sharing Domains
- Sigma BITS Transfer Job Download To Potential Suspicious Folder
- Sigma BITS Transfer Job Downloading File Potential Suspicious Extension
- Sigma BITS Transfer Job With Uncommon Or Suspicious Remote TLD
- Kusto Query Language Bitsadmin Activity
- Sigma File Download Via Bitsadmin
- Sigma File Download Via Bitsadmin To A Suspicious Target Folder
- Sigma File With Suspicious Extension Downloaded Via Bitsadmin
- Sigma Monitoring For Persistence Via BITS
- Sigma New BITS Job Created Via Bitsadmin
- Sigma New BITS Job Created Via PowerShell
- Sigma Suspicious Download From Direct IP Via Bitsadmin
- Sigma Suspicious Download From File-Sharing Website Via Bitsadmin
Indirect Command Execution T1202 39 rules
- Sigma Custom File Open Handler Executes PowerShell
- Sigma Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Sigma Findstr Launching .lnk File
- Sigma Indirect Command Execution From Script File Via Bash.EXE
- Sigma Indirect Inline Command Execution Via Bash.EXE
- Sigma Outlook EnableUnsafeClientMailRules Setting Enabled
- Sigma Potential Arbitrary Command Execution Using Msdt.EXE
- Sigma Potential Arbitrary Command Execution Via FTP.EXE
- Sigma Potential Arbitrary DLL Load Using Winword
- Sigma Potential Arbitrary File Download Using Office Application
- Sigma Potential Arbitrary File Download Via Cmdl32.EXE
- Sigma Potential Binary Impersonating Sysinternals Tools
- Sigma Potentially Suspicious Child Process Of VsCode
- Sigma Potentially Suspicious Child Processes Spawned by ConHost
- Sigma Potentially Suspicious Office Document Executed From Trusted Location
- Sigma Proxy Execution via Vshadow
- Sigma Renamed CURL.EXE Execution
- Sigma Renamed FTP.EXE Execution
- Sigma Renamed NirCmd.EXE Execution
- Sigma Renamed PAExec Execution
- Sigma Renamed PingCastle Binary Execution
- Sigma Renamed ZOHO Dctask64 Execution
- Sigma Rundll32 Execution Without CommandLine Parameters
- Sigma Suspicious Cabinet File Execution Via Msdt.EXE
- Sigma Suspicious Child Process Of BgInfo.EXE
- Sigma Suspicious High IntegrityLevel Conhost Legacy Option
- Sigma Suspicious Remote Child Process From Outlook
- Sigma Suspicious Runscripthelper.exe
- Sigma Suspicious Service Binary Directory
- Sigma Suspicious Splwow64 Without Params
- Sigma Suspicious ZipExec Execution
- Sigma Troubleshooting Pack Cmdlet Execution
- Sigma Uncommon Child Process Of BgInfo.EXE
- Sigma Uncommon Child Process Of Conhost.EXE
- Sigma Uncommon Child Process Of Setres.EXE
- Sigma Windows Binary Executed From WSL
- Splunk Windows RunMRU Command Execution
- Sigma WSL Child Process Anomaly
- Sigma WSL Kali-Linux Usage
Rogue Domain Controller T1207 6 rules
Exploitation for Defense Evasion T1211 5 rules
- Kusto Query Language ASR Bypassing Writing Executable Content
- Sigma Audit CVE Event
- Sigma Microsoft Malware Protection Engine Crash
- Sigma Microsoft Malware Protection Engine Crash - WER
- Sigma Writing Of Malicious Files To The Fonts Folder
System Script Proxy Execution T1216 13 rules
- Sigma Assembly Loading Via CL_LoadAssembly.ps1
- Sigma AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- Sigma AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
- Sigma Execute Code with Pester.bat
- Sigma Execute Code with Pester.bat as Parent
- Sigma Potential Manage-bde.wsf Abuse To Proxy Execution
- Sigma Potential Process Execution Proxy Via CL_Invocation.ps1
- Sigma Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
- Sigma Remote Code Execute via Winrm.vbs
- Sigma Suspicious CustomShellHost Execution
- Sigma SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
- Sigma Uncommon Sigverif.EXE Child Process
- Sigma UtilityFunctions.ps1 Proxy Dll
System Binary Proxy Execution T1218 136 rules
- Sigma Abusing Print Executable
- Sigma AddinUtil.EXE Execution From Uncommon Directory
- Sigma AgentExecutor PowerShell Execution
- Sigma Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Sigma Arbitrary File Download Via IMEWDBLD.EXE
- Sigma Arbitrary File Download Via MSEDGE_PROXY.EXE
- Sigma Arbitrary File Download Via MSOHTMED.EXE
- Sigma Arbitrary File Download Via MSPUB.EXE
- Sigma Arbitrary File Download Via PresentationHost.EXE
- Sigma Arbitrary File Download Via Squirrel.EXE
- Sigma Arbitrary MSI Download Via Devinit.EXE
- Sigma Atbroker Registry Change
- Sigma BaaUpdate.exe Suspicious DLL Load
- Sigma Binary Proxy Execution Via Dotnet-Trace.EXE
- Sigma BitLockerTogo.EXE Execution
- Sigma COM Object Execution via Xwizard.EXE
- Sigma Created Files by Microsoft Sync Center
- Sigma Curl Download And Execute Combination
- Sigma DeviceCredentialDeployment Execution
- Sigma Devtoolslauncher.exe Executes Specified Binary
- Sigma Diskshadow Script Mode - Execution From Potential Suspicious Location
- Sigma Diskshadow Script Mode - Uncommon Script Extension Execution
- Sigma DLL Execution via Rasautou.exe
- Sigma DLL Loaded via CertOC.EXE
- Sigma Execute Files with Msdeploy.exe
- Sigma Execute Pcwrun.EXE To Leverage Follina
- Sigma Execution DLL of Choice Using WAB.EXE
- Sigma Execution via stordiag.exe
- Sigma Execution via WorkFolders.exe
- Sigma File Download Using ProtocolHandler.exe
- Sigma File Download Via InstallUtil.EXE
- Sigma File Download Via Windows Defender MpCmpRun.EXE
- Sigma Gpscript Execution
- Sigma HTML Help HH.EXE Suspicious Child Process
- Sigma Ie4uinit Lolbin Use From Invalid Path
- Sigma Import LDAP Data Interchange Format File Via Ldifde.EXE
- Sigma Indirect Command Execution By Program Compatibility Wizard
- Sigma InfDefaultInstall.exe .inf Execution
- Sigma Insensitive Subfolder Search Via Findstr.EXE
- Sigma Legitimate Application Dropped Archive
- Sigma Legitimate Application Dropped Executable
- Sigma Legitimate Application Dropped Script
- Sigma Legitimate Application Writing Files In Uncommon Location
- Splunk LOLBAS With Network Traffic
- Sigma Lolbin Runexehelper Use As Proxy
- Sigma Lolbin Unregmp2.exe Use As Proxy
- Sigma Malicious PE Execution by Microsoft Visual Studio Debugger
- Sigma Malicious Windows Script Components File Execution by TAEF Detection
- Sigma Microsoft Sync Center Suspicious Network Connections
- Sigma MpiExec Lolbin
- Sigma MSDT Execution Via Answer File
- Sigma MSI Installation From Web
- Sigma Network Connection Initiated By AddinUtil.EXE
- Sigma New Capture Session Launched Via DXCap.EXE
- Sigma OpenWith.exe Executes Specified Binary
- Sigma Potential Application Whitelisting Bypass via Dnx.EXE
- Sigma Potential Arbitrary File Download Via Cmdl32.EXE
- Sigma Potential Binary Impersonating Sysinternals Tools
- Sigma Potential Binary Proxy Execution Via Cdb.EXE
- Sigma Potential Binary Proxy Execution Via VSDiagnostics.EXE
- Elastic Potential Credential Access via Renamed COM+ Services DLL
- Sigma Potential DLL Sideloading Using Coregen.exe
- Sigma Potential File Download Via MS-AppInstaller Protocol Handler
- Sigma Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
- Sigma Potential NTLM Coercion Via Certutil.EXE
- Sigma Potential Password Spraying Attempt Using Dsacls.EXE
- Sigma Potential Provisioning Registry Key Abuse For Binary Proxy Execution
- Sigma Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
- Sigma Potential Provlaunch.EXE Binary Proxy Execution Abuse
- Sigma Potential Register_App.Vbs LOLScript Abuse
- Sigma Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
- Sigma Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
- Sigma Potential Suspicious Mofcomp Execution
- Sigma Potentially Over Permissive Permissions Granted Using Dsacls.EXE
- Sigma Potentially Suspicious Cabinet File Expansion
- Sigma Potentially Suspicious Child Process Of DiskShadow.EXE
- Sigma Potentially Suspicious Child Process Of VsCode
- Sigma Potentially Suspicious Child Processes Spawned by ConHost
- Sigma Potentially Suspicious CMD Shell Output Redirect
- Sigma Potentially Suspicious Self Extraction Directive File Created
- Sigma Potentially Suspicious Wuauclt Network Connection
- Sigma PowerShell MSI Install via WindowsInstaller COM From Remote Location
- Sigma Process Memory Dump Via Dotnet-Dump
- Sigma Process Proxy Execution Via Squirrel.EXE
- Sigma Program Executed Using Proxy/Local Command Via SSH.EXE
- Sigma Proxy Execution Via Wuauclt.EXE
- Sigma REGISTER_APP.VBS Proxy Execution
- Sigma Remote File Download Via Findstr.EXE
- Sigma RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
- Sigma Renamed MegaSync Execution
- Sigma Renamed ZOHO Dctask64 Execution
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo
- Sigma Sdiagnhost Calling Suspicious Child Process
- Sigma Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
- Sigma Self Extraction Directive File Created In Potentially Suspicious Location
- Sigma Suspicious AddinUtil.EXE CommandLine Execution
- Sigma Suspicious AgentExecutor PowerShell Execution
- Sigma Suspicious BitLocker Access Agent Update Utility Execution
- Sigma Suspicious Child Process Of BgInfo.EXE
- Sigma Suspicious Csi.exe Usage
- Sigma Suspicious DLL Loaded via CertOC.EXE
- Sigma Suspicious DotNET CLR Usage Log Artifact
- Sigma Suspicious HH.EXE Execution
- Sigma Suspicious MSDT Parent Process
- Sigma Suspicious Provlaunch.EXE Child Process
- Sigma Suspicious Speech Runtime Binary Child Process
- Sigma Suspicious Vsls-Agent Command With AgentExtensionPath Load
- Sigma Suspicious ZipExec Execution
- Sigma SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
- Sigma SyncAppvPublishingServer Execute Arbitrary PowerShell Code
- Sigma SyncAppvPublishingServer Execution to Bypass Powershell Restriction
- Sigma SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
- Sigma Time Travel Debugging Utility Usage
- Sigma Time Travel Debugging Utility Usage - Image
- Sigma Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
- Sigma Uncommon AddinUtil.EXE CommandLine Execution
- Sigma Uncommon Child Process Of AddinUtil.EXE
- Sigma Uncommon Child Process Of Appvlp.EXE
- Sigma Uncommon Child Process Of BgInfo.EXE
- Sigma Uncommon Child Process Of Defaultpack.EXE
- Sigma Uncommon Child Process Of Setres.EXE
- Sigma Uncommon Link.EXE Parent Process
- Sigma Use of Scriptrunner.exe
- Sigma Use Of The SFTP.EXE Binary As A LOLBIN
- Sigma Use of VisualUiaVerifyNative.exe
- Sigma Verclsid.exe Runs COM Object
- Sigma Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
- Sigma Visual Studio NodejsTools PressAnyKey Renamed Execution
- Splunk Windows BitLockerToGo Process Execution
- Splunk Windows BitLockerToGo with Network Activity
- Sigma Windows MSIX Package Support Framework AI_STUBS Execution
- Sigma Windows Shell/Scripting Processes Spawning Suspicious Programs
- Sigma Winrs Local Command Execution
- Sigma Wlrmdr.EXE Uncommon Argument Or Child Process
- Sigma WSL Child Process Anomaly
- Sigma XBAP Execution From Uncommon Locations Via PresentationHost.EXE
System Binary Proxy Execution: CMSTP T1218.003 11 rules
- Sigma Bypass UAC via CMSTP
- Splunk CMLUA Or CMSTPLUA UAC Bypass
- Sigma CMSTP Execution Process Access
- Sigma CMSTP Execution Process Creation
- Sigma CMSTP Execution Registry Event
- Sigma CMSTP UAC Bypass via COM Object Access
- Sigma DLL Loaded From Suspicious Location Via Cmspt.EXE
- Sigma Outbound Network Connection Initiated By Cmstp.EXE
- Splunk UAC Bypass With Colorui COM Object
- Splunk Wbemprox COM Object Execution
- Splunk Windows Unusual Process Load Mozilla NSS-Mozglue Module
System Binary Proxy Execution: Mshta T1218.005 10 rules
- Sigma Csc.EXE Execution Form Potentially Suspicious Parent
- Sigma HackTool - CACTUSTORCH Remote Thread Creation
- Sigma MSHTA Execution with Suspicious File Extensions
- Sigma Potential LethalHTA Technique Execution
- Sigma Remotely Hosted HTA File Executed Via Mshta.EXE
- Sigma Suspicious JavaScript Execution Via Mshta.EXE
- Sigma Suspicious MSHTA Child Process
- Splunk Windows Mshta Execution In Registry
- Splunk Windows MSHTA Writing to World Writable Path
- Splunk Windows Process Writing File to World Writable Path
System Binary Proxy Execution: Msiexec T1218.007 9 rules
- Sigma DllUnregisterServer Function Call Via Msiexec.EXE
- Sigma MSI Installation From Web
- Sigma Msiexec Quiet Installation
- Sigma MsiExec Web Install
- Sigma Obfuscated PowerShell MSI Install via WindowsInstaller COM
- Sigma PowerShell WMI Win32_Product Install MSI
- Sigma Suspicious MsiExec Embedding Parent
- Sigma Suspicious Msiexec Execute Arbitrary DLL
- Sigma Suspicious Msiexec Quiet Install From Remote Location
System Binary Proxy Execution: Odbcconf T1218.008 8 rules
- Sigma Driver/DLL Installation Via Odbcconf.EXE
- Sigma New DLL Registered Via Odbcconf.EXE
- Sigma Odbcconf.EXE Suspicious DLL Location
- Sigma Potentially Suspicious DLL Registered Via Odbcconf.EXE
- Sigma Response File Execution Via Odbcconf.EXE
- Sigma Suspicious Driver/DLL Installation Via Odbcconf.EXE
- Sigma Suspicious Response File Execution Via Odbcconf.EXE
- Sigma Uncommon Child Process Spawned By Odbcconf.EXE
System Binary Proxy Execution: Regsvcs/Regasm T1218.009 6 rules
- Splunk Detect Regasm with Network Connection
- Splunk Detect Regsvcs with Network Connection
- Sigma Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
- Sigma Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
- Sigma RegAsm.EXE Execution Without CommandLine Flags or Files
- Sigma RegAsm.EXE Initiating Network Connection To Public IP
System Binary Proxy Execution: Regsvr32 T1218.010 20 rules
- Sigma DNS Query Request By Regsvr32.EXE
- Sigma HTML Help HH.EXE Suspicious Child Process
- Splunk Malicious InProcServer32 Modification
- Sigma Network Connection Initiated By Regsvr32.EXE
- Sigma Potential Regsvr32 Commandline Flag Anomaly
- Sigma Potentially Suspicious Child Process Of Regsvr32
- Sigma Potentially Suspicious Regsvr32 HTTP IP Pattern
- Sigma Potentially Suspicious Regsvr32 HTTP/FTP Pattern
- Sigma Regsvr32 DLL Execution With Suspicious File Extension
- Sigma Regsvr32 Execution From Highly Suspicious Location
- Sigma Regsvr32 Execution From Potential Suspicious Location
- Kusto Query Language Regsvr32 Rundll32 Image Loads Abnormal Extension
- Kusto Query Language Regsvr32 Rundll32 with Anomalous Parent Process
- Sigma Scripting/CommandLine Process Spawned Regsvr32
- Sigma Suspicious HH.EXE Execution
- Sigma Suspicious Microsoft Office Child Process
- Sigma Suspicious Regsvr32 Execution From Remote Share
- Sigma Suspicious WMIC Execution Via Office Process
- Sigma Suspicious WmiPrvSE Child Process
- Sigma Unsigned DLL Loaded by Windows Utility
System Binary Proxy Execution: Rundll32 T1218.011 35 rules
- Sigma Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- Sigma CobaltStrike Load by Rundll32
- Sigma Code Execution via Pcwutl.dll
- Sigma HackTool - F-Secure C3 Load by Rundll32
- Sigma HackTool - RedMimicry Winnti Playbook Execution
- Sigma HTML Help HH.EXE Suspicious Child Process
- Sigma Outbound Network Connection To Public IP Via Winlogon
- Elastic Potential Credential Access via Renamed COM+ Services DLL
- Sigma Potential PowerShell Execution Via DLL
- Sigma Potentially Suspicious Rundll32 Activity
- Sigma Potentially Suspicious Rundll32.EXE Execution of UDL File
- Sigma Process Access via TrolleyExpress Exclusion
- Kusto Query Language Regsvr32 Rundll32 Image Loads Abnormal Extension
- Kusto Query Language Regsvr32 Rundll32 with Anomalous Parent Process
- Sigma Remote Thread Creation Via PowerShell In Uncommon Target
- Splunk Rundll32 DNSQuery
- Sigma Rundll32 Execution With Uncommon DLL Extension
- Sigma Rundll32 InstallScreenSaver Execution
- Sigma Rundll32 Internet Connection
- Splunk Rundll32 Process Creating Exe Dll Files
- Sigma RunDLL32 Spawning Explorer
- Sigma Rundll32 UNC Path Execution
- Splunk Rundll32 with no Command Line Arguments with Network
- Sigma SCR File Write Event
- Sigma ScreenSaver Registry Key Set
- Sigma Shell32 DLL Execution in Suspicious Directory
- Sigma Suspicious Control Panel DLL Load
- Sigma Suspicious HH.EXE Execution
- Sigma Suspicious Rundll32 Activity Invoking Sys File
- Sigma Suspicious Rundll32 Execution With Image Extension
- Sigma Suspicious Rundll32 Setupapi.dll Activity
- Sigma Suspicious ShellExec_RunDLL Call Via Ordinal
- Sigma Unsigned DLL Loaded by Windows Utility
- Splunk Windows LOLBAS Executed Outside Expected Path
- Splunk Windows Rundll32 Load DLL in Temp Dir
XSL Script Processing T1220 5 rules
File and Directory Permissions Modification: Windows File and Directory Permissions Modification T1222.001 16 rules
- Sigma AD Object WriteDAC Access
- Sigma Potentially Suspicious NTFS Symlink Behavior Modification
- Sigma Suspicious Recursive Takeown
- Splunk Windows AD Dangerous Deny ACL Modification
- Splunk Windows AD Dangerous Group ACL Modification
- Splunk Windows AD Dangerous User ACL Modification
- Splunk Windows AD DCShadow Privileges ACL Addition
- Splunk Windows AD Domain Root ACL Deletion
- Splunk Windows AD Domain Root ACL Modification
- Splunk Windows AD GPO New CSE Addition
- Splunk Windows AD Hidden OU Creation
- Splunk Windows AD Object Owner Updated
- Splunk Windows AD Suspicious Attribute Modification
- Splunk Windows File and Directory Enable ReadOnly Permissions
- Splunk Windows File and Directory Permissions Enable Inheritance
- Splunk Windows File and Directory Permissions Remove Inheritance
Domain or Tenant Policy Modification T1484 14 rules
- Elastic AdminSDHolder SDProp Exclusion Added
- Elastic Group Policy Abuse for Privilege Addition
- Elastic Scheduled Task Execution at Scale via GPO
- Elastic Startup/Logon Script added to Group Policy Object
- Splunk Windows AD Dangerous Deny ACL Modification
- Splunk Windows AD Dangerous Group ACL Modification
- Splunk Windows AD Dangerous User ACL Modification
- Splunk Windows AD DCShadow Privileges ACL Addition
- Splunk Windows AD Domain Replication ACL Addition
- Splunk Windows AD Domain Root ACL Deletion
- Splunk Windows AD Domain Root ACL Modification
- Splunk Windows AD Hidden OU Creation
- Splunk Windows AD Object Owner Updated
- Splunk Windows AD Self DACL Assignment
Domain or Tenant Policy Modification: Group Policy Modification T1484.001 15 rules
- Sigma Group Policy Abuse for Privilege Addition
- Elastic Group Policy Abuse for Privilege Addition
- Sigma Modify Group Policy Settings
- Sigma Modify Group Policy Settings - ScriptBlockLogging
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Elastic Scheduled Task Execution at Scale via GPO
- Sigma Startup/Logon Script Added to Group Policy Object
- Elastic Startup/Logon Script added to Group Policy Object
- Splunk Windows AD GPO Deleted
- Splunk Windows AD GPO Disabled
- Splunk Windows AD GPO New CSE Addition
- Sigma Windows Default Domain GPO Modification
- Sigma Windows Default Domain GPO Modification via GPME
- Splunk Windows Default Group Policy Object Modified
- Splunk Windows Group Policy Object Created
Pre-OS Boot T1542 1 rule
Pre-OS Boot: Bootkit T1542.003 2 rules
Abuse Elevation Control Mechanism T1548 11 rules
- Sigma Abused Debug Privilege by Arbitrary Parent Processes
- Splunk Allow Operation with Consent Admin
- Sigma COM Hijack via Sdclt
- Sigma Credential Dumping Attempt Via Svchost
- Sigma Potential Privilege Escalation via Local Kerberos Relay over LDAP
- Sigma Regedit as Trusted Installer
- Sigma SCM Database Privileged Operation
- Sigma UAC Bypass via Windows Firewall Snap-In Hijack
- Splunk Windows Privilege Escalation Suspicious Process Elevation
- Splunk Windows Privilege Escalation System Process Without System Parent
- Splunk Windows Privilege Escalation User Process Spawn System Process
Abuse Elevation Control Mechanism: Bypass User Account Control T1548.002 70 rules
- Sigma Always Install Elevated MSI Spawned Cmd And Powershell
- Sigma Always Install Elevated Windows Installer
- Sigma Bypass UAC Using DelegateExecute
- Sigma Bypass UAC Using SilentCleanup Task
- Sigma Bypass UAC via CMSTP
- Sigma Bypass UAC via Fodhelper.exe
- Sigma Bypass UAC via WSReset.exe
- Sigma CMSTP UAC Bypass via COM Object Access
- Splunk Disable UAC Remote Restriction
- Splunk Disabling Remote User Account Control
- Splunk Eventvwr UAC Bypass
- Sigma Explorer NOUACCHECK Flag
- Sigma Function Call From Undocumented COM Interface EditionUpgradeManager
- Sigma HackTool - Empire PowerShell UAC Bypass
- Sigma HackTool - UACMe Akagi Execution
- Sigma HackTool - WinPwn Execution
- Sigma HackTool - WinPwn Execution - ScriptBlock
- Splunk NET Profiler UAC bypass
- Kusto Query Language Potential Fodhelper UAC Bypass
- Kusto Query Language Potential Fodhelper UAC Bypass (ASIM Version)
- Sigma Potential UAC Bypass Via Sdclt.EXE
- Sigma Potentially Suspicious Event Viewer Child Process
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PowerShell Web Access Feature Enabled Via DISM
- Sigma Registry Modification of MS-settings Protocol Handler
- Sigma Sdclt Child Processes
- Splunk Sdclt UAC Bypass
- Sigma Shell Open Registry Keys Manipulation
- Splunk SilentCleanup UAC Bypass
- Sigma Suspicious Shell Open Command Registry Modification
- Sigma Trusted Path Bypass via Windows Directory Spoofing
- Sigma TrustedPath UAC Bypass Pattern
- Sigma UAC Bypass Abusing Winsat Path Parsing - File
- Sigma UAC Bypass Abusing Winsat Path Parsing - Process
- Sigma UAC Bypass Abusing Winsat Path Parsing - Registry
- Splunk UAC Bypass MMC Load Unsigned Dll
- Sigma UAC Bypass Tools Using ComputerDefaults
- Sigma UAC Bypass Using .NET Code Profiler on MMC
- Sigma UAC Bypass Using ChangePK and SLUI
- Sigma UAC Bypass Using Consent and Comctl32 - File
- Sigma UAC Bypass Using Consent and Comctl32 - Process
- Sigma UAC Bypass Using Disk Cleanup
- Sigma UAC Bypass Using DismHost
- Sigma UAC Bypass Using IDiagnostic Profile
- Sigma UAC Bypass Using IDiagnostic Profile - File
- Sigma UAC Bypass Using IEInstal - File
- Sigma UAC Bypass Using IEInstal - Process
- Sigma UAC Bypass Using Iscsicpl - ImageLoad
- Sigma UAC Bypass Using MSConfig Token Modification - File
- Sigma UAC Bypass Using MSConfig Token Modification - Process
- Sigma UAC Bypass Using NTFS Reparse Point - File
- Sigma UAC Bypass Using NTFS Reparse Point - Process
- Sigma UAC Bypass Using PkgMgr and DISM
- Sigma UAC Bypass Using Windows Media Player - File
- Sigma UAC Bypass Using Windows Media Player - Process
- Sigma UAC Bypass Using Windows Media Player - Registry
- Sigma UAC Bypass Using WOW64 Logger DLL Hijack
- Sigma UAC Bypass via Event Viewer
- Sigma UAC Bypass via ICMLuaUtil
- Sigma UAC Bypass via Sdclt
- Sigma UAC Bypass Via Wsreset
- Sigma UAC Bypass With Fake DLL
- Sigma UAC Bypass WSReset
- Sigma UAC Disabled
- Sigma UAC Notification Disabled
- Sigma UAC Secure Desktop Prompt Disabled
- Splunk Windows ComputerDefaults Spawning a Process
- Splunk Windows DISM Install PowerShell Web Access
- Splunk Windows UAC Bypass Suspicious Escalation Behavior
- Splunk WSReset UAC Bypass
Use Alternate Authentication Material T1550 7 rules
- Splunk Kerberos TGT Request Using RC4 Encryption
- Sigma Outgoing Logon with New Credentials
- Elastic Potential Kerberos Relay Attack against a Computer Account
- Elastic Potential Pass-the-Hash (PtH) Attempt
- Splunk Unknown Process Using The Kerberos Protocol
- Splunk Windows AD Suspicious Attribute Modification
- Splunk Windows Steal Authentication Certificates - ESC1 Authentication
Use Alternate Authentication Material: Pass the Hash T1550.002 7 rules
- Sigma Hacktool Ruler
- Sigma NTLM Logon
- Sigma NTLMv1 Logon Between Client and Server
- Sigma Pass the Hash Activity 2
- Elastic Potential Pass-the-Hash (PtH) Attempt
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Successful Overpass the Hash Attempt
Subvert Trust Controls: Install Root Certificate T1553.004 8 rules
- Sigma Active Directory Certificate Services Denied Certificate Enrollment Request
- Sigma New Root Certificate Installed Via CertMgr.EXE
- Sigma New Root Certificate Installed Via Certutil.EXE
- Sigma Root Certificate Installed - PowerShell
- Sigma Root Certificate Installed From Susp Locations
- Sigma Suspicious X509Enrollment - Process Creation
- Sigma Suspicious X509Enrollment - Ps Script
- Splunk Windows Registry Certificate Added
Subvert Trust Controls: Mark-of-the-Web Bypass T1553.005 10 rules
- Sigma Suspicious Invoke-Item From Mount-DiskImage
- Sigma Suspicious Mount-DiskImage
- Sigma Suspicious Unblock-File
- Sigma Windows AppX Deployment Full Trust Package Installation
- Splunk Windows AppX Deployment Full Trust Package Installation
- Sigma Windows AppX Deployment Unsigned Package Installation
- Splunk Windows AppX Deployment Unsigned Package Installation
- Splunk Windows Developer-Signed MSIX Package Installation
- Splunk Windows Mark Of The Web Bypass
- Sigma Windows MSIX Package Support Framework AI_STUBS Execution
Impair Defenses T1562 35 rules
- Kusto Query Language Dev-0270 Malicious Powershell usage
- Kusto Query Language Disabling Security Services via Registry
- Kusto Query Language Doppelpaymer Stop Services
- Sigma ETW Logging Disabled For rpcrt4.dll
- Sigma ETW Logging Disabled For SCM
- Sigma ETW Logging Disabled In .NET Processes - Registry
- Sigma ETW Logging Disabled In .NET Processes - Sysmon Registry
- Sigma ETW Logging Tamper In .NET Processes Via CommandLine
- Sigma Filter Driver Unloaded Via Fltmc.EXE
- Sigma HackTool - EDRSilencer Execution
- Sigma HackTool - EDRSilencer Execution - Filter Added
- Sigma Hide Schedule Task Via Index Value Tamper
- Elastic Kerberos Pre-authentication Disabled for User
- Kusto Query Language MosaicLoader
- Elastic Potential Evasion via Windows Filtering Platform
- Sigma Potential Suspicious Activity Using SeCEdit
- Sigma Potential Windows Defender Tampering Via Wmic.EXE
- Sigma Removal Of Index Value to Hide Schedule Task - Registry
- Sigma Removal Of SD Value to Hide Schedule Task - Registry
- Kusto Query Language Scheduled Task Hide
- Kusto Query Language Security Service Registry ACL Modification
- Elastic Sensitive Audit Policy Sub-Category Disabled
- Kusto Query Language Stopping multiple processes using taskkill
- Sigma Sysmon Application Crashed
- Sigma Sysmon Driver Unloaded Via Fltmc.EXE
- Splunk Unloading AMSI via Reflection
- Sigma WFP Filter Added via Registry
- Sigma Windows Defender Exclusions Added - PowerShell
- Sigma Windows Filtering Platform Blocked Connection From EDR Agent Binary
- Sigma Windows Firewall Disabled via PowerShell
- Splunk Windows Increase in Group or Object Modification Activity
- Splunk Windows Increase in User Modification Activity
- Splunk Windows Outlook Dialogs Disabled from Unusual Process
- Splunk Windows Registry Delete Task SD
- Sigma Write Protect For Storage Disabled
Impair Defenses: Disable or Modify Tools T1562.001 171 rules
- Sigma Add SafeBoot Keys Via Reg Utility
- Sigma AMSI Bypass Pattern Assembly GetType
- Sigma AMSI Disabled via Registry Modification
- Sigma Antivirus Filter Driver Disallowed On Dev Drive - Registry
- Sigma Devcon Execution Disabling VMware VMCI Device
- Splunk Disable AMSI Through Registry
- Splunk Disable Defender AntiVirus Registry
- Splunk Disable Defender BlockAtFirstSeen Feature
- Splunk Disable Defender Enhanced Notification
- Splunk Disable Defender MpEngine Registry
- Splunk Disable Defender Spynet Reporting
- Splunk Disable Defender Submit Samples Consent Feature
- Splunk Disable ETW Through Registry
- Sigma Disable Exploit Guard Network Protection on Windows Defender
- Kusto Query Language Disable or Modify Windows Defender
- Sigma Disable Privacy Settings Experience in Registry
- Sigma Disable PUA Protection on Windows Defender
- Splunk Disable Registry Tool
- Splunk Disable Show Hidden Files
- Sigma Disable Tamper Protection on Windows Defender
- Splunk Disable Windows App Hotkeys
- Splunk Disable Windows Behavior Monitoring
- Sigma Disable Windows Defender AV Security Monitoring
- Sigma Disable Windows Defender Functionalities Via Registry Keys
- Splunk Disable Windows SmartScreen Protection
- Sigma Disable-WindowsOptionalFeature Command PowerShell
- Sigma Disabled IE Security Features
- Sigma Disabled Volume Snapshots
- Sigma Disabled Windows Defender Eventlog
- Splunk Disabling CMD Application
- Splunk Disabling ControlPanel
- Splunk Disabling Defender Services
- Splunk Disabling FolderOptions Windows Feature
- Splunk Disabling NoRun Windows App
- Splunk Disabling Task Manager
- Sigma Disabling Windows Defender WMI Autologger Session via Reg.exe
- Sigma Dism Remove Online Package
- Sigma Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
- Sigma Folder Removed From Exploit Guard ProtectedFolders List - Registry
- Sigma HackTool - CobaltStrike BOF Injection Pattern
- Sigma Hacktool - EDR-Freeze Execution
- Sigma HackTool - PowerTool Execution
- Sigma HackTool - Stracciatella Execution
- Splunk Hide User Account From Sign-In Screen
- Sigma Hypervisor Enforced Paging Translation Disabled
- Sigma Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
- Sigma Load Of RstrtMgr.DLL By A Suspicious Process
- Sigma Load Of RstrtMgr.DLL By An Uncommon Process
- Sigma Microsoft Defender Tamper Protection Trigger
- Sigma Microsoft Malware Protection Engine Crash
- Sigma Microsoft Malware Protection Engine Crash - WER
- Sigma Microsoft Office Protected View Disabled
- Sigma NetNTLM Downgrade Attack
- Sigma NetNTLM Downgrade Attack - Registry
- Sigma Obfuscated PowerShell OneLiner Execution
- Sigma Potential AMSI Bypass Script Using NULL Bits
- Sigma Potential AMSI Bypass Using NULL Bits
- Sigma Potential AMSI Bypass Via .NET Reflection
- Sigma Potential AMSI COM Server Hijacking
- Elastic Potential Evasion via Windows Filtering Platform
- Sigma Potential Privileged System Service Operation - SeLoadDriverPrivilege
- Sigma Potential Tampering With Security Products Via WMIC
- Sigma Powershell Base64 Encoded MpPreference Cmdlet
- Sigma Powershell Defender Disable Scan Feature
- Sigma Powershell Defender Exclusion
- Sigma PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
- Splunk Powershell Remove Windows Defender Directory
- Splunk Powershell Windows Defender Exclusion Commands
- Sigma PPL Tampering Via WerFaultSecure
- Sigma PUA - CleanWipe Execution
- Sigma Python Function Execution Security Warning Disabled In Excel
- Sigma Python Function Execution Security Warning Disabled In Excel - Registry
- Sigma Raccine Uninstall
- Sigma Reg Add Suspicious Paths
- Sigma Removal Of AMSI Provider Registry Keys
- Sigma SafeBoot Registry Key Deleted Via Reg.EXE
- Sigma Scripted Diagnostics Turn Off Check Enabled - Registry
- Sigma Security Service Disabled Via Reg.EXE
- Sigma Service Registry Key Deleted Via Reg.EXE
- Sigma Service StartupType Change Via PowerShell Set-Service
- Sigma Service StartupType Change Via Sc.EXE
- Kusto Query Language Starting or Stopping HealthService to Avoid Detection
- Sigma Suspicious Application Allowed Through Exploit Guard
- Sigma Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
- Sigma Suspicious Path In Keyboard Layout IME File Registry Value
- Sigma Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
- Sigma Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
- Sigma Suspicious PROCEXP152.sys File Created In TMP
- Sigma Suspicious Service Installed
- Sigma Suspicious Uninstall of Windows Defender Feature via PowerShell
- Sigma Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
- Sigma Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
- Sigma Suspicious Windows Service Tampering
- Sigma Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
- Sigma Sysinternals PsSuspend Suspicious Execution
- Sigma Sysmon Configuration Update
- Sigma Sysmon Driver Altitude Change
- Sigma Tamper Windows Defender - PSClassic
- Sigma Tamper Windows Defender - ScriptBlockLogging
- Sigma Tamper Windows Defender Remove-MpPreference
- Sigma Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
- Sigma Tamper With Sophos AV Registry Keys
- Sigma Taskkill Symantec Endpoint Protection
- Sigma Uncommon Extension In Keyboard Layout IME File Registry Value
- Sigma Uninstall Crowdstrike Falcon Sensor
- Sigma Uninstall Sysinternals Sysmon
- Sigma Vulnerable Driver Blocklist Registry Tampering Via CommandLine
- Sigma Weak Encryption Enabled and Kerberoast
- Sigma Win Defender Restored Quarantine File
- Splunk Windows AD Domain Controller Audit Policy Disabled
- Splunk Windows AD GPO Deleted
- Splunk Windows AD GPO Disabled
- Sigma Windows AMSI Related Registry Tampering Via CommandLine
- Sigma Windows Credential Guard Disabled - Registry
- Sigma Windows Credential Guard Registry Tampering Via CommandLine
- Sigma Windows Credential Guard Related Registry Value Deleted - Registry
- Sigma Windows Defender Configuration Changes
- Sigma Windows Defender Context Menu Removed
- Sigma Windows Defender Definition Files Removed
- Sigma Windows Defender Exclusion List Modified
- Splunk Windows Defender Exclusion Registry Entry
- Sigma Windows Defender Exclusion Registry Key - Write Access Requested
- Sigma Windows Defender Exclusions Added
- Sigma Windows Defender Exclusions Added - Registry
- Sigma Windows Defender Exploit Guard Tamper
- Sigma Windows Defender Grace Period Expired
- Sigma Windows Defender Malware And PUA Scanning Disabled
- Sigma Windows Defender Real-time Protection Disabled
- Sigma Windows Defender Real-Time Protection Failure/Restart
- Sigma Windows Defender Service Disabled - Registry
- Sigma Windows Defender Submit Sample Feature Disabled
- Sigma Windows Defender Threat Detection Service Disabled
- Sigma Windows Defender Threat Severity Default Action Modified
- Sigma Windows Defender Virus Scanning Feature Disabled
- Splunk Windows Disable or Stop Browser Process
- Splunk Windows DisableAntiSpyware Registry
- Splunk Windows Event For Service Disabled
- Splunk Windows Excessive Disabled Services Event
- Sigma Windows Hypervisor Enforced Code Integrity Disabled
- Splunk Windows Impair Defense Change Win Defender Health Check Intervals
- Splunk Windows Impair Defense Change Win Defender Quick Scan Interval
- Splunk Windows Impair Defense Change Win Defender Throttle Rate
- Splunk Windows Impair Defense Change Win Defender Tracing Level
- Splunk Windows Impair Defense Configure App Install Control
- Splunk Windows Impair Defense Define Win Defender Threat Action
- Splunk Windows Impair Defense Delete Win Defender Context Menu
- Splunk Windows Impair Defense Delete Win Defender Profile Registry
- Splunk Windows Impair Defense Deny Security Software With Applocker
- Splunk Windows Impair Defense Disable Controlled Folder Access
- Splunk Windows Impair Defense Disable Defender Firewall And Network
- Splunk Windows Impair Defense Disable Defender Protocol Recognition
- Splunk Windows Impair Defense Disable PUA Protection
- Splunk Windows Impair Defense Disable Realtime Signature Delivery
- Splunk Windows Impair Defense Disable Web Evaluation
- Splunk Windows Impair Defense Disable Win Defender App Guard
- Splunk Windows Impair Defense Disable Win Defender Compute File Hashes
- Splunk Windows Impair Defense Disable Win Defender Gen reports
- Splunk Windows Impair Defense Disable Win Defender Network Protection
- Splunk Windows Impair Defense Disable Win Defender Report Infection
- Splunk Windows Impair Defense Disable Win Defender Scan On Update
- Splunk Windows Impair Defense Disable Win Defender Signature Retirement
- Splunk Windows Impair Defense Overide Win Defender Phishing Filter
- Splunk Windows Impair Defense Override SmartScreen Prompt
- Splunk Windows Impair Defense Set Win Defender Smart Screen Level To Warn
- Splunk Windows Impair Defenses Disable Auto Logger Session
- Splunk Windows Impair Defenses Disable HVCI
- Splunk Windows Impair Defenses Disable Win Defender Auto Logging
- Splunk Windows Important Audit Policy Disabled
- Splunk Windows Powershell Import Applocker Policy
- Splunk Windows Terminating Lsass Process
- Sigma Windows Vulnerable Driver Blocklist Disabled
Impair Defenses: Disable Windows Event Logging T1562.002 28 rules
- Sigma Audit Policy Tampering Via Auditpol
- Sigma Audit Policy Tampering Via NT Resource Kit Auditpol
- Sigma Change Winevt Channel Access Permission Via Registry
- Sigma Disable Security Events Logging Adding Reg Key MiniNt
- Sigma Disable Windows Event Logging Via Registry
- Sigma Disable Windows IIS HTTP Logging
- Sigma ETW Logging/Processing Option Disabled On IIS Server
- Sigma EVTX Created In Uncommon Location
- Sigma Filter Driver Unloaded Via Fltmc.EXE
- Sigma HackTool - SharpEvtMute DLL Load
- Sigma HackTool - SharpEvtMute Execution
- Sigma HackTool - SysmonEnte Execution
- Sigma HTTP Logging Disabled On IIS Server
- Sigma Important Windows Event Auditing Disabled
- Sigma New Module Module Added To IIS Server
- Sigma Potential EventLog File Location Tampering
- Sigma Potential Suspicious Activity Using SeCEdit
- Sigma Previously Installed IIS Module Was Removed
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Process
- Sigma Security Event Logging Disabled via MiniNt Registry Key - Registry Set
- Elastic Sensitive Audit Policy Sub-Category Disabled
- Sigma Suspicious Eventlog Clearing or Configuration Change Activity
- Sigma Suspicious Svchost Process Access
- Sigma Sysmon Driver Unloaded Via Fltmc.EXE
- Sigma Windows Event Auditing Disabled
- Splunk Windows New Custom Security Descriptor Set On EventLog Channel
- Splunk Windows New EventLog ChannelAccess Registry Value Set
- Splunk Windows PowerShell Disable HTTP Logging
Impair Defenses: Disable or Modify System Firewall T1562.004 21 rules
- Sigma A Rule Has Been Deleted From The Windows Firewall Exception List
- Sigma All Rules Have Been Deleted From The Windows Firewall Configuration
- Sigma Disable Microsoft Defender Firewall via Registry
- Sigma Disable Windows Firewall by Registry
- Sigma Firewall Disabled via Netsh.EXE
- Sigma Firewall Rule Deleted Via Netsh.EXE
- Sigma Netsh Allow Group Policy on Microsoft Defender Firewall
- Sigma New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
- Sigma New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
- Sigma New Firewall Rule Added Via Netsh.EXE
- Elastic Potential Evasion via Windows Filtering Platform
- Sigma RDP Connection Allowed Via Netsh.EXE
- Sigma Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
- Sigma The Windows Defender Firewall Service Failed To Load Group Policy
- Sigma Uncommon New Firewall Rule Added In Windows Firewall Exception List
- Sigma Windows Defender Firewall Has Been Reset To Its Default Configuration
- Sigma Windows Firewall Profile Disabled
- Splunk Windows Firewall Rule Added
- Splunk Windows Firewall Rule Deletion
- Splunk Windows Firewall Rule Modification
- Sigma Windows Firewall Settings Have Been Changed
Impair Defenses: Indicator Blocking T1562.006 7 rules
- Sigma AMSI Disabled via Registry Modification
- Sigma Disable of ETW Trace - Powershell
- Splunk ETW Registry Disabled
- Sigma ETW Trace Evasion Activity
- Elastic Sensitive Audit Policy Sub-Category Disabled
- Sigma Windows AMSI Related Registry Tampering Via CommandLine
- Splunk Windows Registry Dotnet ETW Disabled Via ENV Variable
Hide Artifacts T1564 11 rules
- Sigma CrashControl CrashDump Disabled
- Kusto Query Language Fake computer account created
- Kusto Query Language Malware in the recycle bin (Normalized Process Events)
- Sigma Potentially Suspicious Execution From Parent Process In Public Folder
- Sigma PUA - Process Hacker Execution
- Sigma PUA - System Informer Execution
- Sigma Suspicious Creation with Colorcpl
- Sigma Suspicious Executable File Creation
- Sigma Sysmon Configuration Error
- Sigma Sysmon Configuration Modification
- Sigma Virtualbox Driver Installation or Starting of VMs
Hide Artifacts: Hidden Files and Directories T1564.001 7 rules
- Splunk Disable Show Hidden Files
- Sigma Displaying Hidden Files Feature Disabled
- Sigma Hiding Files with Attrib.exe
- Sigma PowerShell Logging Disabled Via Registry Key Tampering
- Sigma Registry Persistence via Service in Safe Mode
- Sigma Set Suspicious Files as System Files Using Attrib.EXE
- Sigma Use Icacls to Hide File to Everyone
Hide Artifacts: Hidden Window T1564.003 8 rules
- Sigma Browser Execution In Headless Mode
- Sigma Cmd Launched with Hidden Start Flags to Suspicious Targets
- Sigma File Download with Headless Browser
- Sigma HackTool - Covenant PowerShell Launcher
- Sigma Potential Data Stealing Via Chromium Headless Debugging
- Sigma Powershell Executed From Headless ConHost Process
- Sigma PUA - AdvancedRun Execution
- Sigma Suspicious PowerShell WindowStyle Option
Hide Artifacts: NTFS File Attributes T1564.004 25 rules
- Sigma Execute From Alternate Data Streams
- Sigma Exports Registry Key To an Alternate Data Stream
- Sigma HackTool Named File Stream Created
- Sigma Hidden Executable In NTFS Alternate Data Stream
- Kusto Query Language Ingress Tool Transfer - Certutil
- Sigma Insensitive Subfolder Search Via Findstr.EXE
- Sigma NTFS Alternate Data Stream
- Sigma Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- Sigma Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- Sigma Potential Rundll32 Execution With DLL Stored In ADS
- Sigma Powershell Store File In Alternate Data Stream
- Sigma PrintBrm ZIP Creation of Extraction
- Sigma Remote File Download Via Findstr.EXE
- Sigma Run PowerShell Script from ADS
- Sigma Suspicious Diantz Alternate Data Stream Execution
- Sigma Suspicious Extrac32 Alternate Data Stream Execution
- Sigma Suspicious File Download From File Sharing Websites - File Stream
- Sigma Unusual File Download from Direct IP Address
- Sigma Unusual File Download From File Sharing Websites - File Stream
- Sigma Use NTFS Short Name in Command Line
- Sigma Use NTFS Short Name in Image
- Sigma Use Short Name Path in Image
- Splunk Windows Alternate DataStream - Base64 Content
- Splunk Windows Alternate DataStream - Executable Content
- Splunk Windows Alternate DataStream - Process Execution
Hijack Execution Flow T1574 7 rules
- Kusto Query Language Detect Suspicious Commands Initiated by Webserver Processes
- Sigma DLL Execution Via Register-cimprovider.exe
- Sigma Potential Initial Access via DLL Search Order Hijacking
- Sigma Potential Registry Persistence Attempt Via DbgManagedDebugger
- Sigma Regsvr32 DLL Execution With Uncommon Extension
- Sigma Suspicious Printer Driver Empty Manufacturer
- Splunk Windows BitDefender Submission Wizard DLL Sideloading
Hijack Execution Flow: DLL T1574.001 91 rules
- Sigma Aruba Network Service Potential DLL Sideloading
- Sigma Creation Of Non-Existent System DLL
- Sigma Creation of WerFault.exe/Wer.dll in Unusual Folder
- Sigma DHCP Callout DLL Installation
- Sigma DHCP Server Error Failed Loading the CallOut DLL
- Sigma DHCP Server Loaded the CallOut DLL
- Sigma DLL Search Order Hijackig Via Additional Space in Path
- Sigma DLL Sideloading by VMware Xfer Utility
- Sigma DLL Sideloading Of ShellChromeAPI.DLL
- Sigma DNS Server Error Failed Loading the ServerLevelPluginDLL
- Sigma Fax Service DLL Search Order Hijack
- Sigma HackTool - Powerup Write Hijack DLL
- Sigma Malicious DLL File Dropped in the Teams or OneDrive Folder
- Sigma Microsoft Defender Blocked from Loading Unsigned DLL
- Sigma Microsoft Office DLL Sideload
- Splunk MSI Module Loaded by Non-System Binary
- Splunk Msmpeng Application DLL Side Loading
- Sigma New DNS ServerLevelPluginDll Installed
- Sigma New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- Sigma Potential 7za.DLL Sideloading
- Sigma Potential Antivirus Software DLL Sideloading
- Sigma Potential appverifUI.DLL Sideloading
- Sigma Potential AVKkid.DLL Sideloading
- Sigma Potential Azure Browser SSO Abuse
- Sigma Potential CCleanerDU.DLL Sideloading
- Sigma Potential CCleanerReactivator.DLL Sideloading
- Sigma Potential Chrome Frame Helper DLL Sideloading
- Sigma Potential DLL Sideloading Of DBGCORE.DLL
- Sigma Potential DLL Sideloading Of DBGHELP.DLL
- Sigma Potential DLL Sideloading Of DbgModel.DLL
- Sigma Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Sigma Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
- Sigma Potential DLL Sideloading Of MpSvc.DLL
- Sigma Potential DLL Sideloading Of MsCorSvc.DLL
- Sigma Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Sigma Potential DLL Sideloading Via ClassicExplorer32.dll
- Sigma Potential DLL Sideloading Via comctl32.dll
- Sigma Potential DLL Sideloading Via DeviceEnroller.EXE
- Sigma Potential DLL Sideloading Via JsSchHlp
- Sigma Potential DLL Sideloading Via VMware Xfer
- Sigma Potential EACore.DLL Sideloading
- Sigma Potential Edputil.DLL Sideloading
- Sigma Potential Goopdate.DLL Sideloading
- Sigma Potential Initial Access via DLL Search Order Hijacking
- Sigma Potential Iviewers.DLL Sideloading
- Sigma Potential JLI.dll Side-Loading
- Sigma Potential Libvlc.DLL Sideloading
- Sigma Potential Mfdetours.DLL Sideloading
- Sigma Potential Mpclient.DLL Sideloading
- Sigma Potential Mpclient.DLL Sideloading Via Defender Binaries
- Sigma Potential Python DLL SideLoading
- Sigma Potential Rcdll.DLL Sideloading
- Sigma Potential RjvPlatform.DLL Sideloading From Default Location
- Sigma Potential RjvPlatform.DLL Sideloading From Non-Default Location
- Sigma Potential RoboForm.DLL Sideloading
- Sigma Potential ShellDispatch.DLL Sideloading
- Sigma Potential SmadHook.DLL Sideloading
- Sigma Potential SolidPDFCreator.DLL Sideloading
- Sigma Potential System DLL Sideloading From Non System Locations
- Sigma Potential Vivaldi_elf.DLL Sideloading
- Sigma Potential Waveedit.DLL Sideloading
- Sigma Potential Wazuh Security Platform DLL Sideloading
- Sigma Potential WWlib.DLL Sideloading
- Sigma Potentially Suspicious Child Process of KeyScrambler.exe
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Registry Modification for OCI DLL Redirection
- Sigma Renamed Vmnat.exe Execution
- Sigma Suspicious GUP Usage
- Sigma Suspicious Unsigned Thor Scanner Execution
- Sigma System Control Panel Item Loaded From Uncommon Location
- Sigma Tasks Folder Evasion
- Sigma Third Party Software DLL Sideloading
- Sigma UAC Bypass With Fake DLL
- Sigma Unsigned .node File Loaded
- Sigma Unsigned Binary Loaded From Suspicious Location
- Sigma Unsigned Mfdetours.DLL Sideloading
- Sigma Unsigned Module Loaded by ClickOnce Application
- Sigma VMGuestLib DLL Sideload
- Sigma VMMap Signed Dbghelp.DLL Potential Sideloading
- Sigma VMMap Unsigned Dbghelp.DLL Potential Sideloading
- Splunk Windows DLL Search Order Hijacking Hunt with Sysmon
- Splunk Windows DLL Side-Loading In Calc
- Splunk Windows Hijack Execution Flow Version Dll Side Load
- Splunk Windows Known Abused DLL Created
- Splunk Windows Known Abused DLL Loaded Suspiciously
- Splunk Windows Known GraphicalProton Loaded Modules
- Splunk Windows SqlWriter SQLDumper DLL Sideload
- Splunk Windows Unsigned DLL Side-Loading
- Splunk Windows Unsigned DLL Side-Loading In Same Process Path
- Splunk Windows Unsigned MS DLL Side-Loading
- Sigma Xwizard.EXE Execution From Non-Default Location
Hijack Execution Flow: Dylib Hijacking T1574.004 1 rule
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Hijack Execution Flow: Path Interception by Search Order Hijacking T1574.008 2 rules
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Using SettingSyncHost.exe as LOLBin
Hijack Execution Flow: Path Interception by Unquoted Path T1574.009 1 rule
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Hijack Execution Flow: Services Registry Permissions Weakness T1574.011 12 rules
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service
- Sigma Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Sigma Changing Existing Service ImagePath Value Via Reg.EXE
- Sigma Possible Privilege Escalation via Weak Service Permissions
- Sigma Potential Persistence Attempt Via Existing Service Tampering
- Sigma Potential Privilege Escalation via Service Permissions Weakness
- Sigma Service DACL Abuse To Hide Services Via Sc.EXE
- Sigma Service Registry Key Read Access Request
- Sigma Service Registry Permissions Weakness Check
- Sigma Service Security Descriptor Tampering Via Sc.EXE
- Sigma Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
- Splunk Windows Service Creation Using Registry Entry
Network Boundary Bridging: Network Address Translation Traversal T1599.001 1 rule
- Sigma WinDivert Driver Load
Reflective Code Loading T1620 3 rules
Debugger Evasion T1622 1 rule
Credential Access
OS Credential Dumping T1003 46 rules
- Elastic Access to a Sensitive LDAP Attribute
- Sigma Capture Credentials with Rpcping.exe
- Splunk Detect Mimikatz With PowerShell Script Block Logging
- Kusto Query Language Dev-0228 File Path Hashes November 2021
- Kusto Query Language Dev-0228 File Path Hashes November 2021 (ASIM Version)
- Kusto Query Language DopplePaymer Procdump
- Splunk Enable WDigest UseLogonCredential Registry
- Sigma Esentutl Gather Credentials
- Sigma File Access Of Signal Desktop Sensitive Data
- Elastic FirstTime Seen Account Performing DCSync
- Sigma HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
- Sigma HackTool - Rubeus Execution
- Sigma HackTool - Rubeus Execution - ScriptBlock
- Sigma Hacktool Execution - Imphash
- Sigma Hacktool Execution - PE Metadata
- Sigma Interesting Service Enumeration Via Sc.EXE
- Kusto Query Language LaZagne Credential Theft
- Sigma Live Memory Dump Using Powershell
- Sigma Loaded Module Enumeration Via Tasklist.EXE
- Kusto Query Language LSASS Credential Dumping with Procdump
- Elastic LSASS Memory Dump Handle Access
- Sigma Microsoft IIS Connection Strings Decryption
- Sigma Microsoft IIS Service Account Password Dumped
- Elastic Multiple Vault Web Credentials Read
- Splunk PetitPotam Suspicious Kerberos TGT Request
- Elastic Potential Active Directory Replication Account Backdoor
- Elastic Potential Credential Access via DCSync
- Elastic Potential Credential Access via DuplicateHandle in LSASS
- Elastic Potential Credential Access via LSASS Memory Dump
- Elastic Potential Credential Access via Renamed COM+ Services DLL
- Sigma Potential Credential Dumping Attempt Using New NetworkProvider - CLI
- Sigma Potential Credential Dumping Attempt Using New NetworkProvider - REG
- Sigma Potential Credential Dumping Via LSASS Process Clone
- Sigma Potential Invoke-Mimikatz PowerShell Script
- Elastic Potential LSASS Clone Creation via PssCaptureSnapShot
- Elastic Potential LSASS Memory Dump via PssCaptureSnapShot
- Sigma Potentially Suspicious ODBC Driver Registered
- Sigma Shadow Copies Creation Using Operating Systems Utilities
- Sigma Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
- Elastic Suspicious LSASS Access via MalSecLogon
- Elastic Suspicious Lsass Process Access
- Elastic Suspicious Remote Registry Access via SeBackupPrivilege
- Sigma Suspicious SYSTEM User Process Creation
- Sigma WCE wceaux.dll Access
- Kusto Query Language WDigest downgrade attack
- Splunk Windows Remote Access Software BRC4 Loaded Dll
OS Credential Dumping: LSASS Memory T1003.001 88 rules
- Splunk Access LSASS Memory for Dump Creation
- Splunk Create Remote Thread into LSASS
- Sigma CreateDump Process Dump
- Splunk Creation of lsass Dump with Taskmgr
- Sigma Cred Dump Tools Dropped Files
- Sigma Credential Dumping Activity By Python Based Tool
- Sigma Credential Dumping Attempt Via WerFault
- Kusto Query Language Credential Dumping Tools - File Artifacts
- Kusto Query Language Credential Dumping Tools - Service Installation
- Sigma Credential Dumping Tools Service Execution - Security
- Sigma Credential Dumping Tools Service Execution - System
- Splunk Detect Credential Dumping through LSASS access
- Kusto Query Language Dumping LSASS Process Into a File
- Sigma Dumping Process via Sqldumper.exe
- Sigma DumpMinitool Execution
- Sigma HackTool - CrackMapExec File Indicators
- Sigma HackTool - CrackMapExec Process Patterns
- Sigma HackTool - CreateMiniDump Execution
- Sigma HackTool - Credential Dumping Tools Named Pipe Created
- Sigma HackTool - Doppelanger LSASS Dumper Execution
- Sigma HackTool - Dumpert Process Dumper Default File
- Sigma HackTool - Dumpert Process Dumper Execution
- Sigma HackTool - Generic Process Access
- Sigma HackTool - HandleKatz Duplicating LSASS Handle
- Sigma HackTool - HandleKatz LSASS Dumper Execution
- Sigma HackTool - Impacket File Indicators
- Sigma HackTool - Inveigh Execution
- Sigma HackTool - Mimikatz Execution
- Sigma HackTool - SafetyKatz Dump Indicator
- Sigma HackTool - SafetyKatz Execution
- Sigma HackTool - Windows Credential Editor (WCE) Execution
- Sigma HackTool - WSASS Execution
- Sigma HackTool - XORDump Execution
- Sigma LSASS Access Detected via Attack Surface Reduction
- Sigma LSASS Access From Non System Account
- Sigma LSASS Access From Potentially White-Listed Processes
- Sigma LSASS Dump Keyword In CommandLine
- Sigma Lsass Full Dump Request Via DumpType Registry Settings
- Sigma LSASS Memory Access by Tool With Dump Keyword In Name
- Elastic LSASS Memory Dump Handle Access
- Sigma Lsass Memory Dump via Comsvcs DLL
- Sigma LSASS Process Crashed - Application
- Sigma LSASS Process Dump Artefact In CrashDumps Folder
- Sigma LSASS Process Memory Dump Creation Via Taskmgr.EXE
- Sigma LSASS Process Memory Dump Files
- Sigma Password Dumper Activity on LSASS
- Sigma Password Dumper Remote Thread in LSASS
- Sigma Potential Adplus.EXE Abuse
- Elastic Potential Credential Access via DuplicateHandle in LSASS
- Elastic Potential Credential Access via LSASS Memory Dump
- Elastic Potential Credential Access via Renamed COM+ Services DLL
- Sigma Potential Credential Dumping Activity Via LSASS
- Sigma Potential Credential Dumping Attempt Via PowerShell Remote Thread
- Sigma Potential Credential Dumping Via LSASS Process Clone
- Sigma Potential Credential Dumping Via LSASS SilentProcessExit Technique
- Sigma Potential Credential Dumping Via WER
- Elastic Potential LSASS Clone Creation via PssCaptureSnapShot
- Elastic Potential LSASS Memory Dump via PssCaptureSnapShot
- Sigma Potential LSASS Process Dump Via Procdump
- Sigma Potential SysInternals ProcDump Evasion
- Sigma Potential Windows Defender AV Bypass Via Dump64.EXE Rename
- Sigma Potentially Suspicious AccessMask Requested From LSASS
- Sigma Potentially Suspicious GrantedAccess Flags On LSASS
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PowerShell Get-Process LSASS in ScriptBlock
- Sigma PPL Tampering Via WerFaultSecure
- Sigma Procdump Execution
- Sigma Process Access via TrolleyExpress Exclusion
- Sigma Process Memory Dump Via Comsvcs.DLL
- Sigma Process Memory Dump via RdrLeakDiag.EXE
- Sigma Remote LSASS Process Access Through Windows Remote Management
- Sigma Renamed CreateDump Utility Execution
- Sigma Suspicious DumpMinitool Execution
- Sigma Suspicious LSASS Access Via MalSecLogon
- Elastic Suspicious LSASS Access via MalSecLogon
- Elastic Suspicious Lsass Process Access
- Sigma Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
- Sigma Suspicious Renamed Comsvcs DLL Loaded By Rundll32
- Sigma Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
- Sigma Time Travel Debugging Utility Usage
- Sigma Time Travel Debugging Utility Usage - Image
- Sigma Transferring Files with Credential Data via Network Shares
- Sigma Unsigned Image Loaded Into LSASS Process
- Sigma WerFault LSASS Process Memory Dump
- Sigma Windows Credential Editor Registry
- Splunk Windows Hunting System Account Targeting Lsass
- Splunk Windows Non-System Account Targeting Lsass
- Splunk Windows Possible Credential Dumping
OS Credential Dumping: Security Account Manager T1003.002 26 rules
- Sigma Copying Sensitive Files with Credential Data
- Sigma Crash Dump Created By Operating System
- Sigma Cred Dump Tools Dropped Files
- Sigma Credential Dumping Tools Service Execution - Security
- Sigma Credential Dumping Tools Service Execution - System
- Sigma Critical Hive In Suspicious Location Access Bits Cleared
- Splunk Detect Copy of ShadowCopy with Script Block Logging
- Sigma Dumping of Sensitive Hives Via Reg.EXE
- Sigma Esentutl Volume Shadow Copy Service Keys
- Sigma HackTool - Credential Dumping Tools Named Pipe Created
- Sigma HackTool - Mimikatz Execution
- Sigma HackTool - Pypykatz Credentials Dumping Activity
- Sigma HackTool - Quarks PwDump Execution
- Sigma HackTool - QuarksPwDump Dump File
- Sigma NTDS.DIT Creation By Uncommon Process
- Sigma Possible Impacket SecretDump Remote Activity
- Sigma Potential SAM Database Dump
- Sigma PowerShell SAM Copy
- Splunk SAM Database File Access Attempt
- Sigma Shadow Copies Creation Using Operating Systems Utilities
- Elastic Suspicious Remote Registry Access via SeBackupPrivilege
- Sigma Transferring Files with Credential Data via Network Shares
- Sigma Volume Shadow Copy Mount
- Sigma VolumeShadowCopy Symlink Creation Via Mklink
- Sigma VSSAudit Security Event Source Registration
- Splunk Windows Rapid Authentication On Multiple Hosts
OS Credential Dumping: NTDS T1003.003 20 rules
- Sigma Copying Sensitive Files with Credential Data
- Sigma Create Volume Shadow Copy with Powershell
- Sigma Cred Dump Tools Dropped Files
- Sigma Esentutl Gather Credentials
- Sigma Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
- Sigma NTDS Exfiltration Filename Patterns
- Sigma NTDS.DIT Created
- Sigma NTDS.DIT Creation By Uncommon Parent Process
- Sigma NTDS.DIT Creation By Uncommon Process
- Sigma Ntdsutil Abuse
- Sigma Possible Impacket SecretDump Remote Activity
- Sigma PUA - DIT Snapshot Viewer
- Sigma Sensitive File Dump Via Wbadmin.EXE
- Sigma Sensitive File Recovery From Backup Via Wbadmin.EXE
- Sigma Shadow Copies Creation Using Operating Systems Utilities
- Sigma Suspicious Get-ADDBAccount Usage
- Sigma Suspicious Process Patterns NTDS.DIT Exfil
- Sigma Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
- Sigma Transferring Files with Credential Data via Network Shares
- Sigma VolumeShadowCopy Symlink Creation Via Mklink
OS Credential Dumping: LSA Secrets T1003.004 11 rules
- Sigma Cred Dump Tools Dropped Files
- Sigma Credential Dumping Tools Service Execution - Security
- Sigma Credential Dumping Tools Service Execution - System
- Sigma DPAPI Domain Backup Key Extraction
- Sigma DPAPI Domain Master Key Backup Attempt
- Sigma Dumping of Sensitive Hives Via Reg.EXE
- Sigma HackTool - Credential Dumping Tools Named Pipe Created
- Sigma HackTool - Mimikatz Execution
- Sigma Possible Impacket SecretDump Remote Activity
- Elastic Suspicious Remote Registry Access via SeBackupPrivilege
- Splunk Windows LSA Secrets NoLMhash Registry
OS Credential Dumping: Cached Domain Credentials T1003.005 8 rules
- Sigma Cred Dump Tools Dropped Files
- Sigma Credential Dumping Tools Service Execution - Security
- Sigma Credential Dumping Tools Service Execution - System
- Sigma Dumping of Sensitive Hives Via Reg.EXE
- Sigma HackTool - Credential Dumping Tools Named Pipe Created
- Sigma HackTool - Mimikatz Execution
- Sigma New Generic Credentials Added Via Cmdkey.EXE
- Sigma Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
OS Credential Dumping: DCSync T1003.006 12 rules
- Sigma Active Directory Replication from Non Machine Account
- Sigma Credential Dumping Tools Service Execution - Security
- Sigma Credential Dumping Tools Service Execution - System
- Elastic FirstTime Seen Account Performing DCSync
- Sigma HackTool - Mimikatz Execution
- Sigma Mimikatz DC Sync
- Kusto Query Language Non Domain Controller Active Directory Replication
- Elastic Potential Active Directory Replication Account Backdoor
- Elastic Potential Credential Access via DCSync
- Sigma Suspicious Get-ADReplAccount
- Splunk Windows AD Replication Request Initiated by User Account
- Splunk Windows AD Replication Request Initiated from Unsanctioned Location
Network Sniffing T1040 7 rules
- Sigma Harvesting Of Wifi Credentials Via Netsh.EXE
- Sigma New Network Trace Capture Started Via Netsh.EXE
- Sigma PktMon.EXE Execution
- Sigma Potential Network Sniffing Activity Using Network Tools
- Sigma Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Windows Pcap Drivers
Input Capture: Keylogging T1056.001 3 rules
- Sigma Potential Keylogger Activity
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Powershell Keylogging
Input Capture: Credential API Hooking T1056.004 1 rule
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Brute Force T1110 13 rules
- Kusto Query Language Brute force attack against user credentials (Uses Authentication Normalization)
- Kusto Query Language Excessive Windows Logon Failures
- Sigma External Remote RDP Logon from Public IP
- Sigma External Remote SMB Logon from Public IP
- Kusto Query Language Failed logon attempts by valid accounts within 10 mins
- Sigma HackTool - CrackMapExec Execution
- Sigma HackTool - Hydra Password Bruteforce Execution
- Elastic Multiple Logon Failure Followed by Logon Success
- Elastic Multiple Logon Failure from the same Source Address
- Kusto Query Language Potential Password Spray Attack (Uses Authentication Normalization)
- Elastic Privileged Accounts Brute Force
- Kusto Query Language Remote Desktop Network Brute force (ASIM Network Session schema)
- Kusto Query Language SecurityEvent - Multiple authentication failures followed by a success
Brute Force: Password Guessing T1110.001 6 rules
- Sigma HackTool - Hydra Password Bruteforce Execution
- Elastic Multiple Logon Failure Followed by Logon Success
- Elastic Multiple Logon Failure from the same Source Address
- Elastic Privileged Accounts Brute Force
- Sigma Suspicious Connection to Remote Account
- Splunk Windows Remote Desktop Network Bruteforce Attempt
Brute Force: Password Spraying T1110.003 23 rules
- Splunk Detect Password Spray Attack Behavior From Source
- Splunk Detect Password Spray Attack Behavior On User
- Splunk Detect Password Spray Attempts
- Elastic Multiple Logon Failure Followed by Logon Success
- Elastic Multiple Logon Failure from the same Source Address
- Kusto Query Language Password Spraying
- Elastic Privileged Accounts Brute Force
- Splunk Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
- Splunk Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
- Splunk Windows Multiple Invalid Users Failed To Authenticate Using NTLM
- Splunk Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
- Splunk Windows Multiple Users Failed To Authenticate From Host Using NTLM
- Splunk Windows Multiple Users Failed To Authenticate From Process
- Splunk Windows Multiple Users Failed To Authenticate Using Kerberos
- Splunk Windows Multiple Users Remotely Failed To Authenticate From Host
- Splunk Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
- Splunk Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
- Splunk Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
- Splunk Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
- Splunk Windows Unusual Count Of Users Failed To Auth Using Kerberos
- Splunk Windows Unusual Count Of Users Failed To Authenticate From Process
- Splunk Windows Unusual Count Of Users Failed To Authenticate Using NTLM
- Splunk Windows Unusual Count Of Users Remotely Failed To Auth From Host
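The T1110.001 and T1110.003 rule names above spell out two different aggregation shapes over the same logon-failure events: one source failing repeatedly against one account (guessing) versus one source failing once or twice each against many distinct accounts, often including disabled or non-existent ones (spraying). The following is an added illustration of those two shapes, not a rule from this catalog or from any of the vendors listed; it runs over constructed Windows 4625 records, and the field names, window and thresholds are assumptions chosen for the example.

```python
"""Added example (not a catalog rule): password guessing vs. password spraying
over constructed Windows 4625 (logon failure) records.

Field names, the 5-minute window and the thresholds are assumptions for this
example; vendor rules use their own fields, windows and thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 4625 SubStatus values (real NTSTATUS codes) that betray a spray: the attacker
# does not know which accounts are live, so disabled and unknown names show up.
INVALID_OR_DISABLED = {"0xC0000064",   # user name does not exist
                       "0xC0000072"}   # account disabled
WINDOW = timedelta(minutes=5)
BASE = datetime(2024, 1, 15, 9, 0, 0)


def _ev(offset_s, src, user, status="0xC000006A"):   # default: bad password
    return {"ts": BASE + timedelta(seconds=offset_s), "src_ip": src,
            "user": user, "status": status}


# Constructed sample input.
SAMPLE_4625 = [
    # spray: one source, seven users, one attempt each, inside two minutes
    _ev(0,  "10.0.0.5", "alice"),
    _ev(15, "10.0.0.5", "bob"),
    _ev(30, "10.0.0.5", "carol"),
    _ev(45, "10.0.0.5", "dave"),
    _ev(60, "10.0.0.5", "erin"),
    _ev(75, "10.0.0.5", "frank", "0xC0000072"),   # disabled account
    _ev(90, "10.0.0.5", "ghost", "0xC0000064"),   # non-existent account
    # guessing: one source, one account, six attempts inside three minutes
    *[_ev(300 + 30 * i, "10.0.0.9", "svc_backup") for i in range(6)],
    # benign noise: one user mistypes a password twice, an hour apart
    _ev(100,  "192.168.1.20", "alice"),
    _ev(3700, "192.168.1.20", "alice"),
]


def _windows(events, key, window):
    """Yield (key, events) for each sliding window anchored at an event."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[key(ev)].append(ev)
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            end = anchor["ts"] + window
            yield k, [e for e in evs[i:] if e["ts"] <= end]


def detect_password_spray(events, min_distinct_users=5, window=WINDOW):
    """One source, many distinct target users in one window (T1110.003 shape).

    Returns {src_ip: {"users": [...], "invalid_or_disabled": n}} for the
    widest window seen per source.
    """
    hits = {}
    for src, evs in _windows(events, lambda e: e["src_ip"], window):
        users = {e["user"] for e in evs}
        if len(users) < min_distinct_users:
            continue
        prev = hits.get(src)
        if prev is None or len(users) > len(prev["users"]):
            hits[src] = {
                "users": sorted(users),
                "invalid_or_disabled": sum(e["status"] in INVALID_OR_DISABLED
                                           for e in evs),
            }
    return hits


def detect_password_guessing(events, min_failures=5, window=WINDOW):
    """One source hammering one account in one window (T1110.001 shape).

    Returns {(src_ip, user): max_failures_in_a_window}.
    """
    hits = {}
    for key, evs in _windows(events, lambda e: (e["src_ip"], e["user"]), window):
        if len(evs) >= min_failures:
            hits[key] = max(hits.get(key, 0), len(evs))
    return hits


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_4625))
    print(detect_password_guessing(SAMPLE_4625))
```

Run against the sample, the spray source trips only the distinct-user check and the guessing source trips only the per-account check; the two benign failures an hour apart trip neither. The disabled and unknown-account counter is what the "Multiple Disabled Users" and "Multiple Invalid Users" rule names above key on, since a legitimate user rarely fails against accounts that do not exist.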
Forced Authentication T1187 14 rules
- Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing
- Splunk DNS Kerberos Coercion
- Splunk PetitPotam Network Share Access Request
- Sigma PetitPotam Suspicious Kerberos TGT Request
- Sigma Possible PetitPotam Coerce Authentication Attempt
- Elastic Potential Computer Account NTLM Relay Activity
- Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing
- Elastic Potential Kerberos Relay Attack against a Computer Account
- Elastic Potential Machine Account Relay Attack via SMB
- Elastic Potential NTLM Relay Attack against a Computer Account
- Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
- Splunk Windows Credential Target Information Structure in Commandline
- Splunk Windows Kerberos Coercion via DNS
- Splunk Windows Short Lived DNS Record
Steal Web Session Cookie T1539 2 rules
Unsecured Credentials T1552 4 rules
Unsecured Credentials: Credentials In Files T1552.001 14 rules
- Sigma Automated Collection Command Prompt
- Sigma Extracting Information with PowerShell
- Sigma HackTool - Typical HiveNightmare SAM File Export
- Sigma HackTool - WinPwn Execution
- Sigma HackTool - WinPwn Execution - ScriptBlock
- Sigma Insensitive Subfolder Search Via Findstr.EXE
- Sigma Potential PowerShell Console History Access Attempt via History File
- Sigma Potentially Suspicious JWT Token Search Via CLI
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PUA - TruffleHog Execution
- Sigma Remote File Download Via Findstr.EXE
- Splunk Shai-Hulud 2 Exfiltration Artifact Files
- Splunk Windows Unusual FileZilla XML Config Access
- Splunk Windows Unusual Intelliform Storage Registry Access
Unsecured Credentials: Private Keys T1552.004 10 rules
- Elastic Access to a Sensitive LDAP Attribute
- Sigma Certificate Exported Via PowerShell
- Sigma Certificate Exported Via PowerShell - ScriptBlock
- Sigma DPAPI Backup Keys And Certificate Export Activity IOC
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PowerShell Get-Process LSASS
- Sigma Private Keys Reconnaissance Via CommandLine Tools
- Splunk Windows Export Certificate
- Splunk Windows PowerShell Export Certificate
- Splunk Windows PowerShell Export PfxCertificate
Credentials from Password Stores T1555 8 rules
- Sigma DPAPI Backup Keys And Certificate Export Activity IOC
- Sigma Dump Credentials from Windows Credential Manager With PowerShell
- Sigma Enumerate Credentials from Windows Credential Manager With PowerShell
- Sigma HackTool - SecurityXploded Execution
- Sigma HackTool - WinPwn Execution
- Sigma HackTool - WinPwn Execution - ScriptBlock
- Elastic Multiple Vault Web Credentials Read
- Sigma Suspicious Serv-U Process Pattern
Credentials from Password Stores: Credentials from Web Browsers T1555.003 11 rules
- Sigma Access to Browser Login Data
- Sigma HackTool - WinPwn Execution
- Sigma HackTool - WinPwn Execution - ScriptBlock
- Splunk Non Chrome Process Accessing Chrome Default Dir
- Splunk Non Firefox Process Access Firefox Profile Dir
- Sigma Potential Browser Data Stealing
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PUA - WebBrowserPassView Execution
- Sigma SQLite Chromium Profile Data DB Access
- Splunk Windows Credentials from Password Stores Chrome Copied in TEMP Dir
- Splunk Windows Credentials from Web Browsers Saved in TEMP Folder
Adversary-in-the-Middle T1557 14 rules
- Elastic Creation of a DNS-Named Record
- Sigma ISATAP Router Address Was Set
- Sigma Notepad++ Updater DNS Query to Uncommon Domains
- Elastic Potential ADIDNS Poisoning via Wildcard Record Creation
- Elastic Potential Computer Account NTLM Relay Activity
- Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing
- Elastic Potential Kerberos Relay Attack against a Computer Account
- Elastic Potential Machine Account Relay Attack via SMB
- Elastic Potential NTLM Relay Attack against a Computer Account
- Sigma Potential Suspicious Activity Using SeCEdit
- Elastic Potential WPAD Spoofing via DNS Record Creation
- Elastic Service Creation via Local Kerberos Authentication
- Sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe
- Sigma Uncommon File Created by Notepad++ Updater Gup.EXE
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay T1557.001 19 rules
- Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing
- Elastic Creation of a DNS-Named Record
- Splunk DNS Kerberos Coercion
- Sigma HackTool - ADCSPwn Execution
- Sigma HackTool - Impacket Tools Execution
- Sigma Local Privilege Escalation Indicator TabTip
- Elastic Potential Computer Account NTLM Relay Activity
- Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing
- Elastic Potential Kerberos Relay Attack against a Computer Account
- Elastic Potential Machine Account Relay Attack via SMB
- Elastic Potential NTLM Relay Attack against a Computer Account
- Sigma Potential SMB Relay Attack Tool Execution
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma RottenPotato Like Attack Pattern
- Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
- Sigma WinDivert Driver Load
- Splunk Windows Credential Target Information Structure in Commandline
- Splunk Windows Kerberos Coercion via DNS
- Splunk Windows Short Lived DNS Record
Steal or Forge Kerberos Tickets T1558 14 rules
- Sigma HackTool - Mimikatz Kirbi File Creation
- Elastic Kerberos Pre-authentication Disabled for User
- Elastic KRBTGT Delegation Backdoor
- Sigma Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
- Sigma Replay Attack Detected
- Elastic Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
- Elastic Service Creation via Local Kerberos Authentication
- Sigma Uncommon Outbound Kerberos Connection
- Elastic User account exposed to Kerberoasting
- Splunk Windows Computer Account Created by Computer Account
- Splunk Windows Computer Account Requesting Kerberos Ticket
- Splunk Windows Computer Account With SPN
- Splunk Windows Domain Admin Impersonation Indicator
- Splunk Windows Kerberos Local Successful Logon
Steal or Forge Kerberos Tickets: Silver Ticket T1558.002 1 rule
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Steal or Forge Kerberos Tickets: Kerberoasting T1558.003 21 rules
- Sigma HackTool - KrbRelay Execution
- Sigma HackTool - KrbRelayUp Execution
- Sigma HackTool - RemoteKrbRelay Execution
- Sigma HackTool - Rubeus Execution
- Sigma HackTool - Rubeus Execution - ScriptBlock
- Sigma Kerberoasting Activity - Initial Query
- Splunk Kerberoasting spn request with RC4 encryption
- Sigma No Suitable Encryption Key Found For Generating Kerberos Ticket
- Sigma Potential SPN Enumeration Via Setspn.EXE
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Register new Logon Process by Rubeus
- Splunk ServicePrincipalNames Discovery with PowerShell
- Sigma Suspicious Kerberos RC4 Ticket Encryption
- Sigma Suspicious Kerberos Ticket Request via CLI
- Sigma Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
- Sigma Uncommon Outbound Kerberos Connection - Security
- Splunk Unusual Number of Kerberos Service Tickets Requested
- Elastic User account exposed to Kerberoasting
- Sigma User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
- Splunk Windows PowerView Kerberos Service Ticket Request
- Splunk Windows PowerView SPN Discovery
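Several of the T1558.003 rule names above describe two checks over Kerberos service-ticket requests (Windows event 4769): a ticket issued with RC4-HMAC encryption for a non-machine service account, which is what an attacker asks for because the resulting hash cracks far faster than AES, and one account requesting tickets for an unusual number of distinct services in a short time. The following is an added illustration of those two checks over constructed 4769 records; it is not a rule from this catalog or from any listed vendor, and the field names, the excluded services and the thresholds are assumptions for the example.

```python
"""Added example (not a catalog rule): Kerberoasting indicators over
constructed Windows 4769 (Kerberos service ticket request) records.

Field names, the krbtgt exclusion, the machine-account ($) filters, the
5-minute window and the thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # 4769 TicketEncryptionType for RC4-HMAC
AES256 = "0x12"     # 4769 TicketEncryptionType for AES256-CTS-HMAC-SHA1-96
EXCLUDED_SERVICES = {"krbtgt"}   # TGT traffic is not a crackable service ticket
BASE = datetime(2024, 1, 15, 9, 0, 0)


def _ev(offset_s, user, service, etype, src="10.0.0.5", status="0x0"):
    return {"ts": BASE + timedelta(seconds=offset_s), "user": user,
            "service": service, "etype": etype, "src_ip": src, "status": status}


# Constructed sample input.
SAMPLE_4769 = [
    # one user pulls RC4 tickets for six distinct service accounts in 75 seconds
    _ev(0,  "jdoe", "svc_sql",    RC4_HMAC),
    _ev(15, "jdoe", "svc_web",    RC4_HMAC),
    _ev(30, "jdoe", "svc_backup", RC4_HMAC),
    _ev(45, "jdoe", "svc_iis",    RC4_HMAC),
    _ev(60, "jdoe", "svc_report", RC4_HMAC),
    _ev(75, "jdoe", "svc_exch",   RC4_HMAC),
    _ev(90, "jdoe", "krbtgt",     RC4_HMAC),            # TGT renewal, excluded
    # machine-to-machine RC4 from a legacy host, excluded by the $ filters
    _ev(100, "WS01$", "FS01$", RC4_HMAC, src="10.0.0.31"),
    # ordinary AES ticket by another user
    _ev(200, "asmith", "svc_sql", AES256, src="10.0.0.40"),
    # failed request (non-zero status 0x20, ticket expired), excluded
    _ev(210, "asmith", "svc_web", RC4_HMAC, src="10.0.0.40", status="0x20"),
]


def _is_candidate(e):
    """Successful request by a user account for a non-krbtgt, non-machine service."""
    if e["status"] != "0x0" or e["user"].endswith("$"):
        return False
    svc = e["service"]
    return svc.lower() not in EXCLUDED_SERVICES and not svc.endswith("$")


def rc4_service_tickets(events):
    """Shape of the RC4 rules above: an RC4-HMAC service ticket for a user-owned
    service account. Returns the matching events."""
    return [e for e in events if _is_candidate(e) and e["etype"] == RC4_HMAC]


def unusual_ticket_volume(events, min_distinct_services=5,
                          window=timedelta(minutes=5)):
    """Shape of the 'unusual number of service tickets' rules above: one
    requester, many distinct services in one window, any encryption type.
    Returns {user: max_distinct_services_in_a_window}."""
    by_user = defaultdict(list)
    for e in events:
        if _is_candidate(e):
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            end = anchor["ts"] + window
            services = {e["service"] for e in evs[i:] if e["ts"] <= end}
            if len(services) >= min_distinct_services:
                hits[user] = max(hits.get(user, 0), len(services))
    return hits


if __name__ == "__main__":
    for e in rc4_service_tickets(SAMPLE_4769):
        print("RC4 ticket:", e["user"], "->", e["service"], "from", e["src_ip"])
    print(unusual_ticket_volume(SAMPLE_4769))
```

The two checks are deliberately separate: a single RC4 ticket for a user-owned service account is worth a look on a domain that has moved to AES, while the volume check also catches a roaster who requests AES tickets and cracks them slowly. Machine accounts are filtered on both sides because their passwords are random and rotated, so tickets for or from them are not useful cracking targets, and the krbtgt exclusion keeps ordinary TGT renewals out of the count.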
Steal or Forge Kerberos Tickets: AS-REP Roasting T1558.004 5 rules
- Splunk Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
- Splunk Disabled Kerberos Pre-Authentication Discovery With PowerView
- Elastic Kerberos Pre-authentication Disabled for User
- Splunk Kerberos Pre-Authentication Flag Disabled in UserAccountControl
- Splunk Kerberos Pre-Authentication Flag Disabled with PowerShell
Steal or Forge Authentication Certificates T1649 17 rules
- Elastic Access to a Sensitive LDAP Attribute
- Sigma Certificate Exported From Local Certificate Store
- Sigma Certificate Private Key Acquired
- Splunk Detect Certify With PowerShell Script Block Logging
- Splunk Detect Certipy File Modifications
- Sigma HackTool - Certify Execution
- Sigma HackTool - Certipy Execution
- Splunk Windows Export Certificate
- Splunk Windows Mimikatz Crypto Export File Extensions
- Splunk Windows PowerShell Export Certificate
- Splunk Windows PowerShell Export PfxCertificate
- Splunk Windows Steal Authentication Certificates - ESC1 Abuse
- Splunk Windows Steal Authentication Certificates - ESC1 Authentication
- Splunk Windows Steal Authentication Certificates Certificate Issued
- Splunk Windows Steal Authentication Certificates Certificate Request
- Splunk Windows Steal Authentication Certificates CryptoAPI
- Splunk Windows Steal Authentication Certificates CS Backup
Discovery
System Service Discovery T1007 2 rules
Application Window Discovery T1010 2 rules
- Kusto Query Language Qakbot Discovery Activies
- Sigma SCM Database Handle Failure
Query Registry T1012 19 rules
- Sigma Azure AD Health Monitoring Agent Registry Keys Access
- Sigma Azure AD Health Service Agents Registry Keys Access
- Sigma Exports Critical Registry Keys To a File
- Sigma Exports Registry Key To a File
- Sigma HackTool - PCHunter Execution
- Kusto Query Language Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access
- Sigma Potential Configuration And Service Reconnaissance Via Reg.EXE
- Sigma Registry Manipulation via WMI Stdregprov
- Sigma SAM Registry Hive Handle Request
- Sigma SysKey Registry Keys Access
- Splunk Windows Credential Access From Browser Password Store
- Splunk Windows Credentials from Password Stores Chrome Extension Access
- Splunk Windows Credentials from Password Stores Chrome LocalState Access
- Splunk Windows Credentials from Password Stores Chrome Login Data Access
- Splunk Windows Hosts File Access
- Splunk Windows Non Discord App Access Discord LevelDB
- Splunk Windows Product Key Registry Query
- Splunk Windows Query Registry Browser List Application
- Splunk Windows Query Registry UnInstall Program List
System Network Configuration Discovery T1016 8 rules
- Sigma Firewall Configuration Discovery Via Netsh.EXE
- Sigma Nltest.EXE Execution
- Sigma Potential Recon Activity Via Nltest.EXE
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Kusto Query Language Probable AdFind Recon Tool Usage
- Sigma Suspicious Network Command
- Sigma Suspicious Network Connection to IP Lookup Service APIs
- Splunk Windows PowerShell Invoke-RestMethod IP Information Collection
Remote System Discovery T1018 23 rules
- Sigma Active Directory Computers Enumeration With Get-AdComputer
- Sigma Chopper Webshell Process Pattern
- Sigma DirectorySearcher Powershell Exploitation
- Splunk GetAdComputer with PowerShell Script Block
- Splunk GetDomainComputer with PowerShell Script Block
- Splunk GetDomainController with PowerShell Script Block
- Splunk GetWmiObject Ds Computer with PowerShell Script Block
- Sigma HackTool - NetExec Execution
- Sigma Nltest.EXE Execution
- Sigma Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
- Kusto Query Language Probable AdFind Recon Tool Usage
- Kusto Query Language Probable AdFind Recon Tool Usage (Normalized Process Events)
- Sigma PUA - AdFind Suspicious Execution
- Sigma PUA - Adidnsdump Execution
- Splunk Remote System Discovery with Adsisearcher
- Sigma Renamed AdFind Execution
- Sigma Share And Session Enumeration Using Net.EXE
- Sigma Suspicious Scan Loop Network
- Sigma Webshell Detection With Command Line Keywords
- Sigma Webshell Hacking Activity Patterns
- Splunk Windows Get-AdComputer Unconstrained Delegation Discovery
- Splunk Windows PowerView Constrained Delegation Discovery
- Splunk Windows PowerView Unconstrained Delegation Discovery
System Owner/User Discovery T1033 22 rules
- Sigma Chopper Webshell Process Pattern
- Sigma Computer Discovery And Export Via Get-ADComputer Cmdlet
- Sigma Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
- Sigma Enumerate All Information With Whoami.EXE
- Sigma Get-ADUser Enumeration Using UserAccountControl Flags
- Splunk GetCurrent User with PowerShell Script Block
- Sigma Group Membership Reconnaissance Via Whoami.EXE
- Sigma HackTool - SharpLdapWhoami Execution
- Sigma HackTool - SharpView Execution
- Sigma Local Accounts Discovery
- Sigma Renamed Whoami Execution
- Sigma Security Privileges Enumeration Via Whoami.EXE
- Sigma Suspicious PowerShell Get Current User
- Sigma User Discovery And Export Via Get-ADUser Cmdlet
- Sigma User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
- Splunk User Discovery With Env Vars PowerShell Script Block
- Sigma Webshell Detection With Command Line Keywords
- Sigma Webshell Hacking Activity Patterns
- Sigma WhoAmI as Parameter
- Sigma Whoami.EXE Execution Anomaly
- Sigma Whoami.EXE Execution From Privileged Process
- Sigma Whoami.EXE Execution With Output Option
Network Sniffing T1040 7 rules
- Sigma Harvesting Of Wifi Credentials Via Netsh.EXE
- Sigma New Network Trace Capture Started Via Netsh.EXE
- Sigma PktMon.EXE Execution
- Sigma Potential Network Sniffing Activity Using Network Tools
- Sigma Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Windows Pcap Drivers
Network Service Discovery T1046 13 rules
- Sigma Advanced IP Scanner - File Event
- Sigma HackTool - winPEAS Execution
- Sigma HackTool - WinPwn Execution
- Sigma HackTool - WinPwn Execution - ScriptBlock
- Kusto Query Language Network Port Sweep from External Network (ASIM Network Session schema)
- Kusto Query Language Port scan detected (ASIM Network Session schema)
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PUA - Advanced IP Scanner Execution
- Sigma PUA - Advanced Port Scanner Execution
- Sigma PUA - NimScan Execution
- Sigma PUA - Nmap/Zenmap Execution
- Sigma PUA - SoftPerfect Netscan Execution
- Sigma Python Initiated Connection
System Network Connections Discovery T1049 6 rules
- Splunk GetNetTcpconnection with PowerShell Script Block
- Sigma HackTool - SharpView Execution
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma System Network Connections Discovery Via Net.EXE
- Sigma Use Get-NetTCPConnection
- Sigma Use Get-NetTCPConnection - PowerShell Module
Process Discovery T1057 4 rules
- Sigma HackTool - PCHunter Execution
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Recon Command Output Piped To Findstr.EXE
- Sigma Suspicious Process Discovery With Get-Process
Permission Groups Discovery: Local Groups T1069.001 19 rules
- Sigma AD Groups Or Users Enumeration Using PowerShell - PoshModule
- Sigma AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- Sigma BloodHound Collection Files
- Splunk Detect AzureHound File Modifications
- Splunk Detect SharpHound File Modifications
- Splunk Get WMIObject Group Discovery with Script Block Logging
- Sigma HackTool - Bloodhound/Sharphound Execution
- Sigma Local Groups Reconnaissance Via Wmic.EXE
- Sigma Malicious PowerShell Commandlets - PoshModule
- Sigma Malicious PowerShell Commandlets - ProcessCreation
- Sigma Malicious PowerShell Commandlets - ScriptBlock
- Splunk Network Traffic to Active Directory Web Services Protocol
- Sigma Permission Check Via Accesschk.EXE
- Splunk Powershell Get LocalGroup Discovery with Script Block Logging
- Sigma Suspicious Get Information for SMB Share
- Sigma Suspicious Get Information for SMB Share - PowerShell Module
- Sigma Suspicious Get Local Groups Information
- Sigma Suspicious Get Local Groups Information - PowerShell
- Splunk Windows Admin Permission Discovery
Permission Groups Discovery: Domain Groups T1069.002 24 rules
- Sigma Active Directory Database Snapshot Via ADExplorer
- Sigma Active Directory Group Enumeration With Get-AdGroup
- Sigma ADExplorer Writing Complete AD Snapshot Into .dat File
- Sigma BloodHound Collection Files
- Splunk Detect AzureHound File Modifications
- Splunk Detect SharpHound File Modifications
- Splunk Domain Group Discovery with Adsisearcher
- Splunk Elevated Group Discovery with PowerView
- Splunk GetAdGroup with PowerShell Script Block
- Splunk GetDomainGroup with PowerShell Script Block
- Splunk GetWmiObject Ds Group with PowerShell Script Block
- Sigma HackTool - Bloodhound/Sharphound Execution
- Sigma HackTool - SharpView Execution
- Sigma Malicious PowerShell Commandlets - PoshModule
- Sigma Malicious PowerShell Commandlets - ProcessCreation
- Sigma Malicious PowerShell Commandlets - ScriptBlock
- Splunk Network Traffic to Active Directory Web Services Protocol
- Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP
- Kusto Query Language Probable AdFind Recon Tool Usage
- Sigma PUA - AdFind Suspicious Execution
- Sigma Reconnaissance Activity
- Sigma Renamed AdFind Execution
- Elastic Suspicious Access to LDAP Attributes
- Sigma Suspicious Active Directory Database Snapshot Via ADExplorer
System Information Discovery T1082 19 rules
- Kusto Query Language Detect Suspicious Commands Initiated by Webserver Processes
- Sigma HackTool - PCHunter Execution
- Sigma HackTool - winPEAS Execution
- Sigma HackTool - WinPwn Execution
- Sigma HackTool - WinPwn Execution - ScriptBlock
- Sigma Network Reconnaissance Activity
- Sigma Potential Product Class Reconnaissance Via Wmic.EXE
- Sigma Potential Suspicious Activity Using SeCEdit
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PUA - System Informer Execution
- Sigma Suspicious Execution of Hostname
- Sigma Suspicious Execution of Systeminfo
- Sigma Suspicious Kernel Dump Using Dtrace
- Sigma Suspicious Query of MachineGUID
- Sigma System Disk And Volume Reconnaissance Via Wmic.EXE
- Sigma System Information Discovery via Registry Queries
- Sigma Uncommon System Information Discovery Via Wmic.EXE
- Splunk Web Servers Executing Suspicious Processes
- Splunk Windows PowerShell Invoke-RestMethod IP Information Collection
File and Directory Discovery T1083 8 rules
- Sigma DirLister Execution
- Sigma HackTool - PCHunter Execution
- Sigma Notepad Password Files Discovery
- Sigma Powershell Directory Enumeration
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Powershell Sensitive File Discovery
- Sigma PUA - Seatbelt Execution
- Sigma PUA - TruffleHog Execution
Account Discovery T1087 20 rules
- Sigma Chopper Webshell Process Pattern
- Kusto Query Language Detect Suspicious Commands Initiated by Webserver Processes
- Splunk Enumerate Users Local Group Using Telegram
- Sigma HackTool - SOAPHound Execution
- Sigma HackTool - winPEAS Execution
- Sigma Hacktool Ruler
- Sigma Malicious PowerShell Commandlets - PoshModule
- Sigma Malicious PowerShell Commandlets - ProcessCreation
- Sigma Malicious PowerShell Commandlets - ScriptBlock
- Sigma Network Reconnaissance Activity
- Sigma Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
- Sigma PUA - Seatbelt Execution
- Elastic Suspicious Access to LDAP Attributes
- Sigma Suspicious Use of PsLogList
- Sigma Uncommon Connection to Active Directory Web Services
- Sigma Webshell Detection With Command Line Keywords
- Sigma Webshell Hacking Activity Patterns
- Splunk Windows Account Discovery for Sam Account Name
- Splunk Windows Account Discovery With NetUser PreauthNotRequire
- Splunk Windows Special Privileged Logon On Multiple Hosts
Account Discovery: Local Account T1087.001 16 rules
- Sigma BloodHound Collection Files
- Splunk Detect AzureHound File Modifications
- Splunk Detect SharpHound File Modifications
- Splunk GetLocalUser with PowerShell Script Block
- Splunk GetWmiObject User Account with PowerShell Script Block
- Sigma HackTool - Bloodhound/Sharphound Execution
- Sigma Local Accounts Discovery
- Sigma Malicious PowerShell Commandlets - PoshModule
- Sigma Malicious PowerShell Commandlets - ProcessCreation
- Sigma Malicious PowerShell Commandlets - ScriptBlock
- Splunk Network Traffic to Active Directory Web Services Protocol
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Suspicious Group And Account Reconnaissance Activity Using Net.EXE
- Sigma Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
- Sigma Suspicious Use of PsLogList
- Splunk Windows Account Discovery for None Disable User Account
Account Discovery: Domain Account T1087.002 41 rules
- Sigma Active Directory Computers Enumeration With Get-AdComputer
- Sigma Active Directory Database Snapshot Via ADExplorer
- Sigma Active Directory Structure Export Via Csvde.EXE
- Sigma AD Privileged Users or Groups Reconnaissance
- Sigma ADExplorer Writing Complete AD Snapshot Into .dat File
- Splunk AdsiSearcher Account Discovery
- Sigma BloodHound Collection Files
- Splunk Detect AzureHound File Modifications
- Splunk Detect SharpHound File Modifications
- Splunk Get ADUser with PowerShell Script Block
- Splunk Get DomainUser with PowerShell Script Block
- Splunk GetWmiObject DS User with PowerShell Script Block
- Sigma HackTool - Bloodhound/Sharphound Execution
- Sigma Malicious PowerShell Commandlets - PoshModule
- Sigma Malicious PowerShell Commandlets - ProcessCreation
- Sigma Malicious PowerShell Commandlets - ScriptBlock
- Splunk Network Traffic to Active Directory Web Services Protocol
- Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP
- Sigma Potential AD User Enumeration From Non-Machine Account
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Kusto Query Language Probable AdFind Recon Tool Usage
- Sigma PUA - AdFind Suspicious Execution
- Sigma PUA - AdFind.EXE Execution
- Sigma PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
- Sigma Reconnaissance Activity
- Sigma Renamed AdFind Execution
- Splunk SchCache Change By App Connect And Create ADSI Object
- Elastic Suspicious Access to LDAP Attributes
- Sigma Suspicious Active Directory Database Snapshot Via ADExplorer
- Sigma Suspicious Group And Account Reconnaissance Activity Using Net.EXE
- Sigma Suspicious Use of PsLogList
- Splunk Windows AD Abnormal Object Access Activity
- Splunk Windows AD Privileged Object Access Activity
- Splunk Windows Domain Account Discovery Via Get-NetComputer
- Splunk Windows Find Domain Organizational Units with GetDomainOU
- Splunk Windows Find Interesting ACL with FindInterestingDomainAcl
- Splunk Windows Forest Discovery with GetForestDomain
- Splunk Windows Get Local Admin with FindLocalAdminAccess
- Splunk Windows Linked Policies In ADSI Discovery
- Splunk Windows Root Domain linked policies Discovery
- Splunk Windows Suspect Process With Authentication Traffic
System Time Discovery T1124 2 rules
- Sigma Discovery of a System Time
- Sigma Use of W32tm as Timer
Network Share Discovery T1135 11 rules
- Kusto Query Language Excessive share permissions
- Sigma File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
- Sigma HackTool - SharpView Execution
- Splunk Network Share Discovery Via Dir Command
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PUA - Advanced IP Scanner Execution
- Sigma PUA - Advanced Port Scanner Execution
- Splunk Windows Administrative Shares Accessed On Multiple Hosts
- Splunk Windows File Share Discovery With Powerview
- Splunk Windows Large Number of Computer Service Tickets Requested
- Splunk Windows Special Privileged Logon On Multiple Hosts
Password Policy Discovery T1201 6 rules
- Splunk Get ADDefaultDomainPasswordPolicy with Powershell Script Block
- Splunk Get ADUserResultantPasswordPolicy with Powershell Script Block
- Splunk Get DomainPolicy with Powershell Script Block
- Sigma HackTool - CrackMapExec Execution
- Sigma Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
- Sigma Password Policy Enumerated
Domain Trust Discovery T1482 26 rules
- Sigma Active Directory Database Snapshot Via ADExplorer
- Sigma ADExplorer Writing Complete AD Snapshot Into .dat File
- Sigma BloodHound Collection Files
- Splunk Detect AzureHound File Modifications
- Splunk Detect SharpHound File Modifications
- Kusto Query Language Dev-0270 WMIC Discovery
- Sigma DNS Server Discovery Via LDAP Query
- Sigma Domain Trust Discovery Via Dsquery
- Splunk Get-DomainTrust with PowerShell Script Block
- Splunk Get-ForestTrust with PowerShell Script Block
- Sigma HackTool - Bloodhound/Sharphound Execution
- Sigma HackTool - SharpView Execution
- Sigma HackTool - TruffleSnout Execution
- Sigma Malicious PowerShell Commandlets - PoshModule
- Sigma Malicious PowerShell Commandlets - ProcessCreation
- Sigma Malicious PowerShell Commandlets - ScriptBlock
- Splunk Network Traffic to Active Directory Web Services Protocol
- Sigma Nltest.EXE Execution
- Sigma Potential Active Directory Reconnaissance/Enumeration Via LDAP
- Sigma Potential Recon Activity Via Nltest.EXE
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Kusto Query Language Probable AdFind Recon Tool Usage
- Sigma PUA - AdFind Suspicious Execution
- Sigma Renamed AdFind Execution
- Elastic Suspicious Access to LDAP Attributes
- Sigma Suspicious Active Directory Database Snapshot Via ADExplorer
Software Discovery T1518 4 rules
Cloud Service Discovery T1526 1 rule
- Sigma PUA - Seatbelt Execution
Group Policy Discovery T1615 6 rules
- Sigma Gpresult Display Group Policy Information
- Sigma HackTool - SharpUp PrivEsc Tool Execution
- Sigma Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Suspicious GPO Discovery With Get-GPO
- Sigma Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
Debugger Evasion T1622 1 rule
Lateral Movement
Remote Services T1021 11 rules
- Splunk Enable RDP In Other Port Number
- Sigma HackTool - NetExec Execution
- Kusto Query Language Multiple RDP connections from Single System
- Elastic Potential Machine Account Relay Attack via SMB
- Sigma Potential Remote Desktop Tunneling
- Sigma Privilege Escalation via Named Pipe Impersonation
- Sigma Psexec Execution
- Kusto Query Language Rare RDP Connections
- Elastic Remote Scheduled Task Creation via RPC
- Elastic Remote Windows Service Installed
- Elastic Suspicious Remote Registry Access via SeBackupPrivilege
Remote Services: Remote Desktop Protocol T1021.001 23 rules
- Splunk Allow Inbound Traffic By Firewall Rule Registry
- Splunk Allow Inbound Traffic In Firewall Rule
- Sigma Denied Access To Remote Desktop
- Sigma New Remote Desktop Connection Initiated Via Mstsc.EXE
- Sigma Outbound RDP Connections Over Non-Standard Tools
- Sigma Port Forwarding Activity Via SSH.EXE
- Sigma Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Sigma RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
- Sigma RDP Login from Localhost
- Sigma RDP Over Reverse SSH Tunnel
- Sigma RDP over Reverse SSH Tunnel WFP
- Sigma RDP to HTTP or HTTPS Target Ports
- Sigma Suspicious Plink Port Forwarding
- Sigma Suspicious RDP Redirect Using TSCON
- Sigma User Added to Remote Desktop Users Group
- Splunk Windows Default RDP File Creation By Non MSTSC Process
- Splunk Windows Default Rdp File Unhidden
- Splunk Windows RDP Bitmap Cache File Creation
- Splunk Windows RDP Client Launched with Admin Session
- Splunk Windows RDP Login Session Was Established
- Splunk Windows RDP Server Registry Entry Created
- Splunk Windows Remote Services Allow Remote Assistance
- Splunk Windows Remote Services Rdp Enable
Remote Services: SMB/Windows Admin Shares T1021.002 42 rules
- Sigma Access To ADMIN$ Network Share
- Sigma CobaltStrike Service Installations - Security
- Sigma CobaltStrike Service Installations - System
- Sigma Copy From Or To Admin Share Or Sysvol Folder
- Sigma DCERPC SMB Spoolss Named Pipe
- Sigma DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
- Splunk Executable File Written in Administrative SMB Share
- Sigma First Time Seen Remote Named Pipe
- Sigma HackTool - NetExec File Indicators
- Sigma HackTool - SharpMove Tool Execution
- Sigma Impacket PsExec Execution
- Sigma Metasploit Or Impacket Service Installation Via SMB PsExec
- Sigma Metasploit SMB Authentication
- Sigma Password Provided In Command Line Of Net.EXE
- Sigma Potential CobaltStrike Service Installations - Registry
- Sigma Potential DCOM InternetExplorer.Application DLL Hijack
- Sigma Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
- Elastic Potential Machine Account Relay Attack via SMB
- Sigma Protected Storage Service Access
- Sigma PUA - CSExec Default Named Pipe
- Sigma PUA - RemCom Default Named Pipe
- Sigma Remote Service Activity via SVCCTL Named Pipe
- Elastic Remote Windows Service Installed
- Sigma Rundll32 Execution Without Parameters
- Sigma Rundll32 UNC Path Execution
- Sigma SMB Create Remote File Admin Share
- Sigma smbexec.py Service Installation
- Sigma Suspicious New-PSDrive to Admin Share
- Sigma Suspicious PsExec Execution
- Elastic Suspicious Remote Registry Access via SeBackupPrivilege
- Sigma T1047 Wmiprvse Wbemcomn DLL Hijack
- Sigma Unsigned or Unencrypted SMB Connection to Share Established
- Sigma Windows Admin Share Mount Via Net.EXE
- Sigma Windows Internet Hosted WebDav Share Mount Via Net.EXE
- Splunk Windows PUA Named Pipe
- Splunk Windows RMM Named Pipe
- Sigma Windows Share Mount Via Net.EXE
- Splunk Windows Special Privileged Logon On Multiple Hosts
- Splunk Windows Suspicious C2 Named Pipe
- Splunk Windows Suspicious Named Pipe
- Sigma Wmiprvse Wbemcomn DLL Hijack
- Sigma Wmiprvse Wbemcomn DLL Hijack - File
Remote Services: Distributed Component Object Model T1021.003 16 rules
- Sigma BaaUpdate.exe Suspicious DLL Load
- Sigma DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
- Kusto Query Language Detecting Macro Invoking ShellBrowserWindow COM Objects
- Sigma HackTool - Potential Impacket Lateral Movement Activity
- Kusto Query Language Lateral Movement via DCOM
- Sigma MMC Spawning Windows Shell
- Sigma MMC20 Lateral Movement
- Sigma Potential DCOM InternetExplorer.Application DLL Hijack
- Sigma Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
- Sigma Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Remote Process Instantiation via DCOM and PowerShell Script Block
- Sigma Suspicious BitLocker Access Agent Update Utility Execution
- Sigma Suspicious Speech Runtime Binary Child Process
- Sigma Suspicious WSMAN Provider Image Loads
- Splunk Windows SpeechRuntime COM Hijacking DLL Load
Remote Services: SSH T1021.004 4 rules
- Sigma OpenEDR Spawning Command Shell
- Sigma OpenSSH Server Listening On Socket
- Sigma Port Forwarding Activity Via SSH.EXE
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Remote Services: Windows Remote Management T1021.006 15 rules
- Sigma Enable Windows Remote Management
- Sigma Execute Invoke-command on Remote Host
- Sigma HackTool - WinRM Access Via Evil-WinRM
- Splunk Interactive Session on Remote Endpoint with PowerShell
- Sigma Potential Lateral Movement via Windows Remote Shell
- Sigma Potential Remote PowerShell Session Initiated
- Splunk Powershell Remote Services Add TrustedHost
- Sigma Remote LSASS Process Access Through Windows Remote Management
- Sigma Remote PowerShell Session (PS Classic)
- Sigma Remote PowerShell Session (PS Module)
- Sigma Remote PowerShell Session Host Process (WinRM)
- Splunk Remote Process Instantiation via WinRM and PowerShell Script Block
- Splunk Windows Remote Host Computer Management Access
- Splunk Windows Remote Management Execute Shell
- Sigma Winrs Local Command Execution
Software Deployment Tools T1072 6 rules
- Kusto Query Language New EXE deployed via Default Domain or Default Domain Controller Policies
- Kusto Query Language New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
- Sigma PDQ Deploy Remote Adminstartion Tool Execution
- Sigma PUA - Radmin Viewer Utility Execution
- Sigma Restricted Software Access By SRP
- Sigma Suspicious Csi.exe Usage
Exploitation of Remote Services T1210 11 rules
- Sigma Audit CVE Event
- Splunk Detect Computer Changed with Anonymous Account
- Sigma DNS Query Request By QuickAssist.EXE
- Kusto Query Language Gain Code Execution on ADFS Server via Remote WMI Execution
- Kusto Query Language Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task
- Sigma HackTool - SharpWSUS/WSUSpendu Execution
- Kusto Query Language Oracle suspicious command execution
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Kusto Query Language Service Accounts Performing Remote PS
- Sigma Suspicious SysAidServer Child
- Sigma Terminal Service Process Spawn
Use Alternate Authentication Material T1550 7 rules
- Splunk Kerberos TGT Request Using RC4 Encryption
- Sigma Outgoing Logon with New Credentials
- Elastic Potential Kerberos Relay Attack against a Computer Account
- Elastic Potential Pass-the-Hash (PtH) Attempt
- Splunk Unknown Process Using The Kerberos Protocol
- Splunk Windows AD Suspicious Attribute Modification
- Splunk Windows Steal Authentication Certificates - ESC1 Authentication
Use Alternate Authentication Material: Pass the Hash T1550.002 7 rules
- Sigma Hacktool Ruler
- Sigma NTLM Logon
- Sigma NTLMv1 Logon Between Client and Server
- Sigma Pass the Hash Activity 2
- Elastic Potential Pass-the-Hash (PtH) Attempt
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Successful Overpass the Hash Attempt
Lateral Tool Transfer T1570 9 rules
- Kusto Query Language Identify Mango Sandstorm powershell commands
- Sigma Metasploit Or Impacket Service Installation Via SMB PsExec
- Kusto Query Language New EXE deployed via Default Domain or Default Domain Controller Policies
- Kusto Query Language New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
- Sigma Potentially Suspicious File Creation by OpenEDR's ITSMService
- Sigma PSEXEC Remote Execution File Artefact
- Kusto Query Language Remote File Creation with PsExec
- Sigma Rundll32 Execution Without Parameters
- Elastic Scheduled Task Execution at Scale via GPO
Collection
Data from Local System T1005 16 rules
- Kusto Query Language AD FS Remote Auth Sync Connection
- Kusto Query Language AD FS Remote HTTP Network Connection
- Kusto Query Language ADFS Database Named Pipe Connection
- Sigma ADFS Database Named Pipe Connection By Uncommon Tool
- Kusto Query Language ADFS DKM Master Key Export
- Sigma Crash Dump Created By Operating System
- Kusto Query Language Deimos Component Execution
- Sigma Esentutl Steals Browser Information
- Kusto Query Language Microsoft Entra ID Health Monitoring Agent Registry Keys Access
- Kusto Query Language Microsoft Entra ID Health Service Agents Registry Keys Access
- Sigma Script Interpreter Spawning Credential Scanner - Windows
- Sigma SQLite Chromium Profile Data DB Access
- Sigma SQLite Firefox Profile Data DB Access
- Splunk Sqlite Module In Temp Folder
- Sigma Veeam Backup Database Suspicious Query
- Sigma VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
Data from Removable Media T1025 3 rules
Data from Network Shared Drive T1039 3 rules
- Sigma Copy From Or To Admin Share Or Sysvol Folder
- Kusto Query Language Excessive share permissions
- Sigma Suspicious Access to Sensitive File Extensions
Input Capture: Keylogging T1056.001 3 rules
- Sigma Potential Keylogger Activity
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Powershell Keylogging
Input Capture: Credential API Hooking T1056.004 1 rule
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Screen Capture T1113 12 rules
- Sigma Periodic Backup For System Registry Hives Enabled
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Remcos RAT File Creation in Remcos Folder
- Sigma Screen Capture Activity Via Psr.EXE
- Splunk Suspicious Image Creation In Appdata Folder
- Splunk Suspicious WAV file in Appdata Folder
- Sigma Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
- Sigma Windows Recall Feature Enabled - Registry
- Sigma Windows Recall Feature Enabled Via Reg.EXE
- Splunk Windows Screen Capture in TEMP folder
- Splunk Windows Screen Capture Via Powershell
- Sigma Windows Screen Capture with CopyFromScreen
Email Collection T1114 2 rules
- Sigma Exchange PowerShell Snap-Ins Usage
- Sigma Hacktool Ruler
Email Collection: Local Email Collection T1114.001 4 rules
- Splunk Email files written outside of the Outlook directory
- Splunk Mailsniper Invoke functions
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Powershell Local Email Collection
Clipboard Data T1115 5 rules
- Sigma Data Copied To Clipboard Via Clip.EXE
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PowerShell Get Clipboard
- Sigma PowerShell Get-Clipboard Cmdlet Via CLI
- Splunk Windows ClipBoard Data via Get-ClipBoard
Automated Collection T1119 4 rules
Audio Capture T1123 4 rules
Video Capture T1125 2 rules
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Suspicious Camera and Microphone Access
Browser Session Hijacking T1185 5 rules
Adversary-in-the-Middle T1557 14 rules
- Elastic Creation of a DNS-Named Record
- Sigma ISATAP Router Address Was Set
- Sigma Notepad++ Updater DNS Query to Uncommon Domains
- Elastic Potential ADIDNS Poisoning via Wildcard Record Creation
- Elastic Potential Computer Account NTLM Relay Activity
- Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing
- Elastic Potential Kerberos Relay Attack against a Computer Account
- Elastic Potential Machine Account Relay Attack via SMB
- Elastic Potential NTLM Relay Attack against a Computer Account
- Sigma Potential Suspicious Activity Using SeCEdit
- Elastic Potential WPAD Spoofing via DNS Record Creation
- Elastic Service Creation via Local Kerberos Authentication
- Sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe
- Sigma Uncommon File Created by Notepad++ Updater Gup.EXE
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay T1557.001 19 rules
- Sigma Attempts of Kerberos Coercion Via DNS SPN Spoofing
- Elastic Creation of a DNS-Named Record
- Splunk DNS Kerberos Coercion
- Sigma HackTool - ADCSPwn Execution
- Sigma HackTool - Impacket Tools Execution
- Sigma Local Privilege Escalation Indicator TabTip
- Elastic Potential Computer Account NTLM Relay Activity
- Elastic Potential Kerberos Coercion via DNS-Based SPN Spoofing
- Elastic Potential Kerberos Relay Attack against a Computer Account
- Elastic Potential Machine Account Relay Attack via SMB
- Elastic Potential NTLM Relay Attack against a Computer Account
- Sigma Potential SMB Relay Attack Tool Execution
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma RottenPotato Like Attack Pattern
- Sigma Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
- Sigma WinDivert Driver Load
- Splunk Windows Credential Target Information Structure in Commandline
- Splunk Windows Kerberos Coercion via DNS
- Splunk Windows Short Lived DNS Record
Archive Collected Data T1560 6 rules
- Sigma Compressed File Creation Via Tar.EXE
- Sigma Compressed File Extraction Via Tar.EXE
- Splunk Detect Certipy File Modifications
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Windows Archive Collected Data via Powershell
- Splunk Windows Archived Collected Data In TEMP Folder
Archive Collected Data: Archive via Utility T1560.001 11 rules
- Sigma 7Zip Compressing Dump Files
- Sigma Compress Data and Lock With Password for Exfiltration With 7-ZIP
- Sigma Compress Data and Lock With Password for Exfiltration With WINZIP
- Sigma Compressed File Creation Via Tar.EXE
- Sigma Compressed File Extraction Via Tar.EXE
- Sigma Files Added To An Archive Using Rar.EXE
- Splunk IcedID Exfiltrated Archived File Creation
- Sigma Rar Usage with Password and Compression Level
- Sigma Suspicious Manipulation Of Default Accounts Via Net.EXE
- Sigma Winrar Compressing Dump Files
- Sigma WinRAR Execution in Non-Standard Folder
Command & Control
Fallback Channels T1008 8 rules
- Kusto Query Language Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution)
- Kusto Query Language Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)
- Kusto Query Language Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
- Sigma New Outlook Macro Created
- Sigma Outlook Macro Execution Without Warning Setting Enabled
- Sigma Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Sigma Suspicious Outlook Macro Created
- Splunk Windows Outlook Macro Security Modified
Application Layer Protocol T1071 10 rules
- Sigma Github Self-Hosted Runner Execution
- Kusto Query Language Google Threat Intelligence - Threat Hunting Domain
- Kusto Query Language Google Threat Intelligence - Threat Hunting IP
- Sigma HackTool - SILENTTRINITY Stager DLL Load
- Sigma HackTool - SILENTTRINITY Stager Execution
- Kusto Query Language Potential beaconing activity (ASIM Network Session schema)
- Sigma Potentially Suspicious Rundll32.EXE Execution of UDL File
- Splunk Windows App Layer Protocol Qakbot NamedPipe
- Splunk Windows App Layer Protocol Wermgr Connect To NamedPipe
- Splunk Windows Application Layer Protocol RMS Radmin Tool Namedpipe
Application Layer Protocol: Web Protocols T1071.001 12 rules
- Sigma Change User Agents with WebRequest
- Sigma Cloudflared Tunnels Related DNS Requests
- Sigma DNS Query Request By QuickAssist.EXE
- Sigma DNS Query To Devtunnels Domain
- Sigma DNS Query To Visual Studio Code Tunnels Domain
- Sigma Outbound Network Connection Initiated By Microsoft Dialer
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma Renamed Visual Studio Code Tunnel Execution
- Sigma Visual Studio Code Tunnel Execution
- Sigma Visual Studio Code Tunnel Service Installation
- Sigma Visual Studio Code Tunnel Shell Execution
- Kusto Query Language Windows host username encoded in base64 web request
Application Layer Protocol: DNS T1071.004 14 rules
- Sigma DNS Exfiltration and Tunneling Tools Execution
- Splunk DNS Kerberos Coercion
- Sigma DNS Query by Finger Utility
- Sigma DNS Query To Common Malware Hosting and Shortener Services
- Sigma Network Connection Initiated via Finger.EXE
- Sigma Silence.EDA Detection
- Sigma Suspicious Cobalt Strike DNS Beaconing - DNS Client
- Sigma Suspicious Cobalt Strike DNS Beaconing - Sysmon
- Splunk Windows AI Platform DNS Query
- Splunk Windows Credential Target Information Structure in Commandline
- Splunk Windows DNS Query Request by Telegram Bot API
- Splunk Windows Kerberos Coercion via DNS
- Splunk Windows Short Lived DNS Record
- Splunk Windows Visual Basic Commandline Compiler DNSQuery
Proxy T1090 16 rules
- Sigma Cloudflared Tunnel Connections Cleanup
- Sigma Cloudflared Tunnel Execution
- Sigma Communication To LocaltoNet Tunneling Service Initiated
- Sigma Communication To Ngrok Tunneling Service Initiated
- Sigma HackTool - Htran/NATBypass Execution
- Sigma New Port Forwarding Rule Added Via Netsh.EXE
- Sigma New PortProxy Registry Entry Added
- Splunk Ngrok Reverse Proxy on Network
- Kusto Query Language Ngrok Reverse Proxy on Network (ASIM DNS Solution)
- Sigma Ngrok Usage with Remote Desktop Service
- Sigma Potentially Suspicious Usage Of Qemu
- Sigma PUA - Fast Reverse Proxy (FRP) Execution
- Sigma PUA - NPS Tunneling Tool Execution
- Sigma PUA- IOX Tunneling Tool Execution
- Sigma RDP Port Forwarding Rule Added Via Netsh.EXE
- Sigma Suspicious TCP Tunnel Via PowerShell Script
Proxy: Internal Proxy T1090.001 7 rules
Proxy: External Proxy T1090.002 2 rules
Proxy: Multi-hop Proxy T1090.003 3 rules
Web Service T1102 14 rules
- Sigma Cloudflared Tunnel Connections Cleanup
- Sigma Cloudflared Tunnel Execution
- Sigma Communication To LocaltoNet Tunneling Service Initiated
- Sigma Communication To Ngrok Tunneling Service Initiated
- Sigma Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
- Sigma New Connection Initiated To Potential Dead Drop Resolver Domain
- Splunk Ngrok Reverse Proxy on Network
- Kusto Query Language Ngrok Reverse Proxy on Network (ASIM DNS Solution)
- Sigma Potentially Suspicious Network Connection To Notion API
- Sigma Process Initiated Network Connection To Ngrok Domain
- Sigma Suspicious Child Process Of Manage Engine ServiceDesk
- Sigma Suspicious Non-Browser Network Communication With Google API
- Sigma Suspicious Non-Browser Network Communication With Telegram API
- Splunk Windows Abused Web Services
Web Service: Bidirectional Communication T1102.002 3 rules
- Sigma Github Self-Hosted Runner Execution
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Splunk Windows DNS Query Request by Telegram Bot API
Ingress Tool Transfer T1105 69 rules
- Sigma AppX Package Installation Attempts Via AppInstaller.EXE
- Sigma Arbitrary File Download Via GfxDownloadWrapper.EXE
- Kusto Query Language Bitsadmin Activity
- Sigma Browser Execution In Headless Mode
- Kusto Query Language C2-NamedPipe
- Sigma Command Line Execution with Suspicious URL and AppData Strings
- Sigma Curl Download And Execute Combination
- Splunk Download Files Using Telegram
- Sigma File Download And Execution Via IEExec.EXE
- Sigma File Download From Browser Process Via Inline URL
- Sigma File Download From IP Based URL Via CertOC.EXE
- Sigma File Download Using Notepad++ GUP Utility
- Sigma File Download Via Bitsadmin
- Sigma File Download Via Bitsadmin To A Suspicious Target Folder
- Sigma File Download via CertOC.EXE
- Sigma File Download Via Windows Defender MpCmpRun.EXE
- Sigma File Download with Headless Browser
- Sigma File With Suspicious Extension Downloaded Via Bitsadmin
- Sigma Finger.EXE Execution
- Sigma Import LDAP Data Interchange Format File Via Ldifde.EXE
- Kusto Query Language Ingress Tool Transfer - Certutil
- Sigma Insensitive Subfolder Search Via Findstr.EXE
- Sigma Legitimate Application Writing Files In Uncommon Location
- Sigma Local Network Connection Initiated By Script Interpreter
- Sigma Lolbas OneDriveStandaloneUpdater.exe Proxy Download
- Splunk LOLBAS With Network Traffic
- Sigma MsiExec Web Install
- Sigma Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- Sigma Network Connection Initiated By IMEWDBLD.EXE
- Sigma Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
- Kusto Query Language Office Apps Launching Wscipt
- Sigma Outbound Network Connection Initiated By Script Interpreter
- Sigma Password Protected ZIP File Opened (Suspicious Filenames)
- Sigma Potential COM Objects Download Cradles Usage - Process Creation
- Sigma Potential COM Objects Download Cradles Usage - PS Script
- Sigma Potential DLL File Download Via PowerShell Invoke-WebRequest
- Sigma Potential Download/Upload Activity Using Type Command
- Sigma Potentially Suspicious File Creation by OpenEDR's ITSMService
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PowerShell MSI Install via WindowsInstaller COM From Remote Location
- Splunk PowerShell Script Block With URL Chain
- Splunk PowerShell WebRequest Using Memory Stream
- Sigma PrintBrm ZIP Creation of Extraction
- Sigma PUA - Nimgrab Execution
- Sigma Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
- Sigma Remote File Download Via Desktopimgdownldr Utility
- Sigma Remote File Download Via Findstr.EXE
- Sigma Replace.exe Usage
- Sigma Scheduled Task Creation with Curl and PowerShell Execution Combo
- Sigma Suspicious CertReq Command to Download
- Sigma Suspicious Curl.EXE Download
- Sigma Suspicious Deno File Written from Remote Source
- Sigma Suspicious Desktopimgdownldr Command
- Sigma Suspicious Desktopimgdownldr Target File
- Sigma Suspicious Diantz Download and Compress Into a CAB File
- Sigma Suspicious Download From File-Sharing Website Via Bitsadmin
- Sigma Suspicious Download from Office Domain
- Sigma Suspicious Download Via Certutil.EXE
- Sigma Suspicious Dropbox API Usage
- Sigma Suspicious Extrac32 Execution
- Sigma Suspicious File Created by ArcSOC.exe
- Sigma Suspicious File Downloaded From Direct IP Via Certutil.EXE
- Sigma Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Sigma Suspicious Invoke-WebRequest Execution
- Sigma Suspicious Invoke-WebRequest Execution With DirectIP
- Sigma Suspicious Non-Browser Network Communication With Telegram API
- Sigma Uncommon Network Connection Initiated By Certutil.EXE
- Splunk Windows DLL Module Loaded in Temp Dir
- Splunk Windows DNS Query Request To TinyUrl
Remote Access Tools T1219 12 rules
- Splunk Detect Remote Access Software Usage DNS
- Splunk Detect Remote Access Software Usage File
- Splunk Detect Remote Access Software Usage FileInfo
- Splunk Detect Remote Access Software Usage Registry
- Sigma OpenEDR Spawning Command Shell
- Sigma Potentially Suspicious File Creation by OpenEDR's ITSMService
- Sigma Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
- Sigma Renamed Visual Studio Code Tunnel Execution
- Sigma Suspicious Velociraptor Child Process
- Sigma Visual Studio Code Tunnel Execution
- Splunk Windows Remote Access Software BRC4 Loaded Dll
- Splunk Windows Remote Access Software RMS Registry
Remote Access Tools: Remote Desktop Software T1219.002 37 rules
- Sigma Anydesk Temporary Artefact
- Sigma Atera Agent Installation
- Sigma DNS Query To AzureWebsites.NET By Non-Browser Process
- Sigma DNS Query To Remote Access Software Domain From Non-Browser App
- Sigma GoToAssist Temporary Installation Artefact
- Sigma HackTool - Inveigh Execution Artefacts
- Sigma HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
- Sigma Hijack Legit RDP Session to Move Laterally
- Sigma Installation of TeamViewer Desktop
- Sigma Mesh Agent Service Installation
- Sigma Mstsc.EXE Execution With Local RDP File
- Sigma Potential Amazon SSM Agent Hijacking
- Sigma Potential Remote Desktop Connection to Non-Domain Host
- Sigma QuickAssist Execution
- Sigma Remote Access Tool - AnyDesk Execution
- Sigma Remote Access Tool - Anydesk Execution From Suspicious Folder
- Sigma Remote Access Tool - AnyDesk Incoming Connection
- Sigma Remote Access Tool - AnyDesk Piped Password Via CLI
- Sigma Remote Access Tool - AnyDesk Silent Installation
- Sigma Remote Access Tool - GoToAssist Execution
- Sigma Remote Access Tool - LogMeIn Execution
- Sigma Remote Access Tool - MeshAgent Command Execution via MeshCentral
- Sigma Remote Access Tool - NetSupport Execution
- Sigma Remote Access Tool - Potential MeshAgent Execution - Windows
- Sigma Remote Access Tool - Renamed MeshAgent Execution - Windows
- Sigma Remote Access Tool - ScreenConnect Execution
- Sigma Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
- Sigma Remote Access Tool - Simple Help Execution
- Sigma Remote Access Tool - UltraViewer Execution
- Sigma ScreenConnect Temporary Installation Artefact
- Sigma Suspicious Binary Writes Via AnyDesk
- Sigma Suspicious Mstsc.EXE Execution With Local RDP File
- Sigma Suspicious TSCON Start as SYSTEM
- Sigma TacticalRMM Service Installation
- Sigma TeamViewer Domain Query By Non-TeamViewer Application
- Sigma TeamViewer Remote Session
- Sigma Use of UltraVNC Remote Access Software
Dynamic Resolution T1568 5 rules
- Kusto Query Language Detect DNS queries reporting multiple errors from different clients - Static threshold based (ASIM DNS Solution)
- Kusto Query Language Detect excessive NXDOMAIN DNS queries - Static threshold based (ASIM DNS Solution)
- Kusto Query Language Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)
- Kusto Query Language RecordedFuture Threat Hunting Domain All Actors
- Kusto Query Language RecordedFuture Threat Hunting IP All Actors
Non-Standard Port T1571 4 rules
Protocol Tunneling T1572 24 rules
- Sigma Cloudflared Tunnel Connections Cleanup
- Sigma Cloudflared Tunnel Execution
- Sigma Cloudflared Tunnels Related DNS Requests
- Sigma Communication To LocaltoNet Tunneling Service Initiated
- Sigma Communication To Ngrok Tunneling Service Initiated
- Sigma DNS Query To Devtunnels Domain
- Sigma Network Connection Initiated To BTunnels Domains
- Sigma Network Connection Initiated To Cloudflared Tunnels Domains
- Sigma Network Connection Initiated To DevTunnels Domain
- Sigma Network Connection Initiated To Visual Studio Code Tunnels Domain
- Splunk Ngrok Reverse Proxy on Network
- Kusto Query Language Ngrok Reverse Proxy on Network (ASIM DNS Solution)
- Sigma Port Forwarding Activity Via SSH.EXE
- Sigma Potential RDP Tunneling Via Plink
- Sigma Potential RDP Tunneling Via SSH
- Kusto Query Language Potential Remote Desktop Tunneling
- Sigma Potentially Suspicious Usage Of Qemu
- Sigma Process Initiated Network Connection To Ngrok Domain
- Sigma PUA - 3Proxy Execution
- Sigma PUA - Ngrok Execution
- Sigma RDP Over Reverse SSH Tunnel
- Sigma RDP to HTTP or HTTPS Target Ports
- Sigma Silence.EDA Detection
- Sigma Suspicious Plink Port Forwarding
Encrypted Channel T1573 2 rules
Encrypted Channel: Asymmetric Cryptography T1573.002 1 rule
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Exfiltration
Automated Exfiltration T1020 3 rules
- Kusto Query Language Deimos Component Execution
- Sigma PowerShell Script With File Hostname Resolving Capabilities
- Sigma PowerShell Script With File Upload Capabilities
Exfiltration Over C2 Channel T1041 6 rules
- Sigma Network Communication Initiated To Portmap.IO Domain
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Kusto Query Language RecordedFuture Threat Hunting IP All Actors
- Splunk Windows Exfiltration Over C2 Via Invoke RestMethod
- Splunk Windows Exfiltration Over C2 Via Powershell UploadString
- Kusto Query Language Windows host username encoded in base64 web request
Exfiltration Over Alternative Protocol T1048 11 rules
- Kusto Query Language Bitsadmin Activity
- Sigma Copy From Or To Admin Share Or Sysvol Folder
- Sigma Data Export From MSSQL Table Via BCP.EXE
- Kusto Query Language Dev-0270 Malicious Powershell usage
- Kusto Query Language DNS events related to ToR proxies (ASIM DNS Schema)
- Sigma Powershell DNSExfiltration
- Sigma PUA - Restic Backup Tool Execution
- Sigma Suspicious Redirection to Local Admin Share
- Sigma Tap Driver Installation
- Sigma Tap Driver Installation - Security
- Sigma Tap Installer Execution
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol T1048.003 6 rules
Exfiltration Over Web Service T1567 9 rules
- Sigma Arbitrary File Download Via ConfigSecurityPolicy.EXE
- Sigma Communication To Ngrok Tunneling Service Initiated
- Sigma LOLBAS Data Exfiltration by DataSvcUtil.exe
- Splunk LOLBAS With Network Traffic
- Sigma Network Connection Initiated To BTunnels Domains
- Sigma Network Connection Initiated To Cloudflared Tunnels Domains
- Sigma Network Connection Initiated To Visual Studio Code Tunnels Domain
- Sigma Process Initiated Network Connection To Ngrok Domain
- Sigma Suspicious Non-Browser Network Communication With Telegram API
Exfiltration Over Web Service: Exfiltration to Code Repository T1567.001 2 rules
- Sigma Network Connection Initiated To DevTunnels Domain
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 12 rules
- Sigma DNS Query for Anonfiles.com Domain - DNS Client
- Sigma DNS Query for Anonfiles.com Domain - Sysmon
- Sigma DNS Query To MEGA Hosting Website
- Sigma DNS Query To MEGA Hosting Website - DNS Client
- Sigma DNS Query To Ufile.io
- Sigma DNS Query To Ufile.io - DNS Client
- Sigma Network Connection Initiated To Mega.nz
- Kusto Query Language Powershell Empire Cmdlets Executed in Command Line
- Sigma PUA - Rclone Execution
- Sigma PUA - Restic Backup Tool Execution
- Sigma Rclone Config File Creation
- Sigma Suspicious Dropbox API Usage
Impact
Data Destruction T1485 18 rules
- Splunk Common Ransomware Extensions
- Splunk Common Ransomware Notes
- Sigma Deleted Data Overwritten Via Cipher.EXE
- Kusto Query Language Deletion of data on multiple drives using cipher exe
- Splunk Detect DNS Query to Decommissioned S3 Bucket
- Splunk Excessive File Deletion In WinDefender Folder
- Sigma Fsutil Suspicious Invocation
- Sigma Potential File Overwrite Via Sysinternals SDelete
- Kusto Query Language Potential re-named sdelete usage
- Kusto Query Language Potential re-named sdelete usage (ASIM Version)
- Sigma Potential Secure Deletion with SDelete
- Sigma Renamed Sysinternals Sdelete Execution
- Kusto Query Language Sdelete deployed via GPO and run recursively
- Kusto Query Language Sdelete deployed via GPO and run recursively (ASIM Version)
- Splunk Windows Data Destruction Recursive Exec Files Deletion
- Splunk Windows Disable Memory Crash Dump
- Splunk Windows File Without Extension In Critical Folder
- Splunk Windows High File Deletion Frequency
Data Encrypted for Impact T1486 15 rules
- Kusto Query Language AV detections related to Europium actors
- Kusto Query Language AV detections related to Hive Ransomware
- Kusto Query Language AV detections related to Zinc actors
- Kusto Query Language Dev-0270 Registry IOC - September 2022
- Kusto Query Language Dev-0530 File Extension Rename
- Splunk High Process Termination Frequency
- Sigma Load Of RstrtMgr.DLL By A Suspicious Process
- Sigma Load Of RstrtMgr.DLL By An Uncommon Process
- Sigma Portable Gpg.EXE Execution
- Splunk Ransomware Notes bulk creation
- Sigma Renamed Gpg.EXE Execution
- Splunk Ryuk Test Files Detected
- Splunk Samsam Test File Write
- Sigma Suspicious Creation TXT File in User Desktop
- Sigma Suspicious Reg Add BitLocker
Service Stop T1489 12 rules
- Sigma Application Uninstalled
- Sigma Delete All Scheduled Tasks
- Sigma Delete Important Scheduled Task
- Sigma Disable Important Scheduled Task
- Sigma Important Scheduled Task Deleted
- Sigma Stop Windows Service Via Net.EXE
- Sigma Stop Windows Service Via PowerShell Stop-Service
- Sigma Stop Windows Service Via Sc.EXE
- Sigma Suspicious Windows Service Tampering
- Splunk Windows Processes Killed By Industroyer2 Malware
- Splunk Windows Service Deletion In Registry
- Splunk Windows Service Stop Win Updates
Inhibit System Recovery T1490 26 rules
- Sigma All Backups Deleted Via Wbadmin.EXE
- Sigma Backup Files Deleted
- Sigma Boot Configuration Tampering Via Bcdedit.EXE
- Sigma Copy From VolumeShadowCopy Via Cmd.EXE
- Splunk Delete ShadowCopy With PowerShell
- Sigma Delete Volume Shadow Copies Via WMI With PowerShell
- Sigma Deletion of Volume Shadow Copies via WMI with PowerShell
- Sigma Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
- Kusto Query Language Detecting UAC bypass - ChangePK and SLUI registry tampering
- Kusto Query Language Detecting UAC bypass - elevated COM interface
- Kusto Query Language Detecting UAC bypass - modify Windows Store settings
- Splunk Disabling SystemRestore In Registry
- Sigma File Recovery From Backup Via Wbadmin.EXE
- Sigma New Root or CA or AuthRoot Certificate to Store
- Sigma Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
- Sigma Registry Disable System Restore
- Sigma Sensitive File Access Via Volume Shadow Copy Backup
- Sigma Shadow Copies Deletion Using Operating Systems Utilities
- Kusto Query Language Shadow Copy Deletions
- Sigma Suspicious Volume Shadow Copy VSS_PS.dll Load
- Sigma Suspicious Volume Shadow Copy Vssapi.dll Load
- Sigma Windows Backup Deleted Via Wbadmin.EXE
- Splunk Windows Cisco Secure Endpoint Related Service Stopped
- Sigma Windows Recovery Environment Disabled Via Reagentc
- Splunk Windows Security And Backup Services Stop
- Splunk Windows WMIC Shadowcopy Delete
Defacement T1491 2 rules
Resource Hijacking T1496 4 rules
- Kusto Query Language Chia_Crypto_Mining IOC - June 2021
- Kusto Query Language DNS events related to mining pools (ASIM DNS Schema)
- Sigma Network Communication With Crypto Mining Pool
- Sigma Potential Crypto Mining Activity
Endpoint Denial of Service: Application or System Exploitation T1499.004 1 rule
- Sigma Audit CVE Event
System Shutdown/Reboot T1529 3 rules
Account Access Removal T1531 5 rules
Untagged
- Sigma .RDP File Created By Uncommon Application
- Sigma AADInternals PowerShell Cmdlets Execution - ProccessCreation
- Sigma AADInternals PowerShell Cmdlets Execution - PsScript
- Sigma Active Directory Structure Export Via Ldifde.EXE
- Sigma ADCS Certificate Template Configuration Vulnerability
- Sigma ADCS Certificate Template Configuration Vulnerability with Risky EKU
- Sigma Add Debugger Entry To AeDebug For Persistence
- Sigma Add Debugger Entry To Hangs Key For Persistence
- Sigma Add Windows Capability Via PowerShell Cmdlet
- Sigma Add Windows Capability Via PowerShell Script
- Sigma Amsi.DLL Loaded Via LOLBIN Process
- Sigma Anydesk Remote Access Software Service Installation
- Sigma AppX Located in Known Staging Directory Added to Deployment Pipeline
- Sigma AppX Located in Uncommon Directory Added to Deployment Pipeline
- Sigma AppX Package Deployment Failed Due to Signing Requirements
- Sigma Arbitrary Binary Execution Using GUP Utility
- Sigma Assembly DLL Creation Via AspNetCompiler
- Sigma Base64 MZ Header In CommandLine
- Sigma Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
- Sigma Chromium Browser Headless Execution To Mockbin Like Site
- Sigma CodeIntegrity - Blocked Image Load With Revoked Certificate
- Sigma CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
- Sigma CodeIntegrity - Revoked Image Loaded
- Sigma CodeIntegrity - Revoked Kernel Driver Loaded
- Sigma CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
- Sigma CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
- Sigma CodeIntegrity - Unsigned Image Loaded
- Sigma CodeIntegrity - Unsigned Kernel Module Loaded
- Sigma Computer Password Change Via Ksetup.EXE
- Sigma Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
- Sigma Creation of a Diagcab
- Sigma Creation Of a Suspicious ADS File Outside a Browser Download
- Sigma Cscript/Wscript Potentially Suspicious Child Process
- Sigma Curl Web Request With Potential Custom User-Agent
- Sigma Delete Defender Scan ShellEx Context Menu Registry Key
- Sigma Deployment AppX Package Was Blocked By AppLocker
- Sigma Deployment Of The AppX Package Was Blocked By The Policy
- Sigma DiagTrackEoP Default Login Username
- Sigma Disable Macro Runtime Scan Scope
- Sigma DNS Query To Put.io - DNS Client
- Sigma Driver Added To Disallowed Images In HVCI - Registry
- Sigma DriverQuery.EXE Execution
- Sigma Drop Binaries Into Spool Drivers Color Folder
- Sigma Dump Ntds.dit To Suspicious Location
- Sigma DumpStack.log Defender Evasion
- Sigma Email Exifiltration Via Powershell
- Sigma Enable Local Manifest Installation With Winget
- Sigma Execution Of Non-Existing File
- Sigma Execution of Suspicious File Type Extension
- Sigma File Decryption Using Gpg4win
- Sigma File Download From IP URL Via Curl.EXE
- Sigma File Encryption Using Gpg4win
- Sigma File Encryption/Decryption Via Gpg4win From Suspicious Locations
- Splunk File with Samsam Extension
- Sigma Firewall Rule Update Via Netsh.EXE
- Sigma GatherNetworkInfo.VBS Reconnaissance Script Output
- Sigma HackTool - DiagTrackEoP Default Named Pipe
- Sigma HackTool - Evil-WinRm Execution - PowerShell Module
- Sigma HackTool - GMER Rootkit Detector and Remover Execution
- Sigma HackTool - LaZagne Execution
- Sigma HackTool - LocalPotato Execution
- Sigma HackTool - NPPSpy Hacktool Usage
- Sigma HackTool - SharpLDAPmonitor Execution
- Sigma HackTool - Wmiexec Default Powershell Command
- Sigma IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
- Sigma IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
- Sigma ImagingDevices Unusual Parent/Child Processes
- Sigma Important Windows Service Terminated Unexpectedly
- Sigma Important Windows Service Terminated With Error
- Sigma Insecure Proxy/DOH Transfer Via Curl.EXE
- Sigma Insecure Transfer Via Curl.EXE
- Sigma Internet Explorer DisableFirstRunCustomize Enabled
- Sigma Kernel Memory Dump Via LiveKD
- Sigma LiveKD Driver Creation
- Sigma LiveKD Driver Creation By Uncommon Process
- Sigma LiveKD Kernel Memory Dump File Created
- Sigma Loading Diagcab Package From Remote Path
- Sigma Local File Read Using Curl.EXE
- Sigma Locked Workstation
- Sigma Logged-On User Password Change Via Ksetup.EXE
- Sigma LOLBIN Execution From Abnormal Drive
- Splunk MacOS - Re-opened Applications
- Sigma Mshtml.DLL RunHTMLApplication Suspicious Usage
- Sigma MSI Installation From Suspicious Locations
- Sigma Mstsc.EXE Execution From Uncommon Parent
- Sigma NetSupport Manager Service Install
- Sigma New File Association Using Exefile
- Sigma New ODBC Driver Registered
- Sigma New Virtual Smart Card Created Via TpmVscMgr.EXE
- Sigma Nslookup PowerShell Download Cradle - ProcessCreation
- Sigma NtdllPipe Like Activity Execution
- Sigma Obfuscated IP Download Activity
- Sigma Obfuscated IP Via CLI
- Sigma Office Application Initiated Network Connection Over Uncommon Ports
- Sigma Old TLS1.0/TLS1.1 Protocol Version Enabled
- Sigma OneNote Attachment File Dropped In Suspicious Location
- Sigma PDF File Created By RegEdit.EXE
- Sigma Persistence Via Disk Cleanup Handler - Autorun
- Sigma Persistence Via Hhctrl.ocx
- Sigma Persistence Via TypedPaths - CommandLine
- Sigma Potential Active Directory Enumeration Using AD Module - ProcCreation
- Sigma Potential Active Directory Enumeration Using AD Module - PsModule
- Sigma Potential Active Directory Enumeration Using AD Module - PsScript
- Sigma Potential AS-REP Roasting via Kerberos TGT Requests
- Sigma Potential Attachment Manager Settings Associations Tamper
- Sigma Potential Attachment Manager Settings Attachments Tamper
- Sigma Potential AutoLogger Sessions Tampering
- Sigma Potential Binary Or Script Dropper Via PowerShell
- Sigma Potential Cookies Session Hijacking
- Sigma Potential Data Exfiltration Via Audio File
- Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
- Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
- Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
- Sigma Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
- Sigma Potential Discovery Activity Via Dnscmd.EXE
- Sigma Potential DLL Injection Via AccCheckConsole
- Sigma Potential Malicious AppX Package Installation Attempts
- Sigma Potential Memory Dumping Activity Via LiveKD
- Sigma Potential Persistence Attempt Via ErrorHandler.Cmd
- Sigma Potential Persistence Via AutodialDLL
- Sigma Potential Persistence Via CHM Helper DLL
- Sigma Potential Persistence Via Disk Cleanup Handler - Registry
- Sigma Potential Persistence Via DLLPathOverride
- Sigma Potential Persistence Via LSA Extensions
- Sigma Potential Persistence Via Mpnotify
- Sigma Potential Persistence Via MyComputer Registry Keys
- Sigma Potential Persistence Via New AMSI Providers - Registry
- Sigma Potential Persistence Via Notepad++ Plugins
- Sigma Potential Persistence Via Security Descriptors - ScriptBlock
- Sigma Potential Persistence Via TypedPaths
- Sigma Potential PowerShell Execution Policy Tampering
- Sigma Potential PowerShell Execution Policy Tampering - ProcCreation
- Sigma Potential Privilege Escalation Attempt Via .Exe.Local Technique
- Sigma Potential RDP Session Hijacking Activity
- Sigma Potential Recon Activity Using DriverQuery.EXE
- Sigma Potential Renamed Rundll32 Execution
- Sigma Potential SentinelOne Shell Context Menu Scan Command Tampering
- Sigma Potential ShellDispatch.DLL Functionality Abuse
- Sigma Potential Signing Bypass Via Windows Developer Features
- Sigma Potential Signing Bypass Via Windows Developer Features - Registry
- Sigma Potential Suspicious PowerShell Module File Created
- Sigma Potential Suspicious Windows Feature Enabled
- Sigma Potential Suspicious Windows Feature Enabled - ProcCreation
- Sigma Potential Suspicious Winget Package Installation
- Sigma Potentially Suspicious Call To Win32_NTEventlogFile Class
- Sigma Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
- Sigma Potentially Suspicious Child Process Of ClickOnce Application
- Sigma Potentially Suspicious DMP/HDMP File Creation
- Sigma Potentially Suspicious Electron Application CommandLine
- Sigma Potentially Suspicious Execution Of PDQDeployRunner
- Sigma Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- Sigma Potentially Suspicious File Download From ZIP TLD
- Sigma Potentially Suspicious GoogleUpdate Child Process
- Sigma Potentially Suspicious WDAC Policy File Creation
- Sigma Potentially Suspicious Windows App Activity
- Sigma PowerShell Core DLL Loaded Via Office Application
- Sigma PowerShell Execution With Potential Decryption Capabilities
- Sigma PowerShell Hotfix Enumeration
- Sigma PowerShell Module File Created
- Sigma PowerShell Module File Created By Non-PowerShell Process
- Sigma PowerShell Script Change Permission Via Set-Acl
- Sigma PowerShell Script Dropped Via PowerShell.EXE
- Sigma PowerShell Script Execution Policy Enabled
- Sigma PowerShell Set-Acl On Windows Folder
- Sigma PowerShell Write-EventLog Usage
- Sigma Process Deletion of Its Own Executable
- Sigma Process Launched Without Image Name
- Sigma PsExec Service Child Process Execution as LOCAL SYSTEM
- Sigma PsExec Service Execution
- Sigma PSScriptPolicyTest Creation By Uncommon Process
- Sigma Publisher Attachment File Dropped In Suspicious Location
- Sigma Query Usage To Exfil Data
- Sigma Rebuild Performance Counter Values Via Lodctr.EXE
- Sigma Register New IFiltre For Persistence
- Sigma Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
- Sigma Remote Access Tool - NetSupport Execution From Unusual Location
- Sigma Remote Access Tool - RURAT Execution From Unusual Location
- Sigma Remote AppX Package Downloaded from File Sharing or CDN Domain
- Sigma Remote Thread Creation In Mstsc.Exe From Suspicious Location
- Sigma Remote Utilities Host Service Install
- Sigma Renamed AutoHotkey.EXE Execution
- Sigma Renamed Microsoft Teams Execution
- Sigma Renamed NetSupport RAT Execution
- Sigma Renamed PsExec Service Execution
- Sigma Renamed Remote Utilities RAT (RURAT) Execution
- Sigma Renamed VsCode Code Tunnel Execution - File Indicator
- Sigma RTCore Suspicious Service Installation
- Sigma Rundll32 Spawned Via Explorer.EXE
- Sigma Shell Process Spawned by Java.EXE
- Splunk Spike in File Writes
- Sigma Standard User In High Privileged Group
- Sigma Start of NT Virtual DOS Machine
- Kusto Query Language SUNBURST suspicious SolarWinds child processes
- Sigma Suspicious Advpack Call Via Rundll32.EXE
- Sigma Suspicious Application Installed
- Sigma Suspicious Child Process Of Veeam Dabatase
- Sigma Suspicious Digital Signature Of AppX Package
- Sigma Suspicious Electron Application Child Processes
- Sigma Suspicious Environment Variable Has Been Registered
- Sigma Suspicious Execution Location Of Wermgr.EXE
- Sigma Suspicious Execution of InstallUtil Without Log
- Sigma Suspicious File Created Via OneNote Application
- Sigma Suspicious File Creation Activity From Fake Recycle.Bin Folder
- Sigma Suspicious File Creation In Uncommon AppData Folder
- Sigma Suspicious File Download From File Sharing Domain Via Curl.EXE
- Sigma Suspicious File Download From File Sharing Domain Via Wget.EXE
- Sigma Suspicious File Download From IP Via Curl.EXE
- Sigma Suspicious File Download From IP Via Wget.EXE
- Sigma Suspicious File Download From IP Via Wget.EXE - Paths
- Sigma Suspicious IIS URL GlobalRules Rewrite Via AppCmd
- Sigma Suspicious Msbuild Execution By Uncommon Parent Process
- Sigma Suspicious Network Connection Binary No CommandLine
- Sigma Suspicious Obfuscated PowerShell Code
- Sigma Suspicious Powercfg Execution To Change Lock Screen Timeout
- Sigma Suspicious PowerShell Invocations - Specific - ProcessCreation
- Sigma Suspicious PowerShell Mailbox Export to Share
- Sigma Suspicious PowerShell Mailbox Export to Share - PS
- Sigma Suspicious Process Execution From Fake Recycle.Bin Folder
- Sigma Suspicious Processes Spawned by Java.EXE
- Sigma Suspicious RunAs-Like Flag Combination
- Sigma Suspicious Shells Spawn by Java Utility Keytool
- Sigma Suspicious Usage Of ShellExec_RunDLL
- Sigma Suspicious WindowsTerminal Child Processes
- Sigma Suspicious Wordpad Outbound Connections
- Sigma Suspicious Workstation Locking via Rundll32
- Sigma Sysinternals Tools AppX Versions Execution
- Sigma Sysmon Blocked Executable
- Sigma Sysmon Blocked File Shredding
- Sigma Sysmon Configuration Change
- Sigma Sysmon File Executable Creation Detected
- Sigma UAC Bypass Using Event Viewer RecentViews
- Sigma UAC Bypass Using EventVwr
- Sigma Uncommon Child Processes Of SndVol.exe
- Sigma Uncommon File Creation By Mysql Daemon Process
- Sigma Uncommon FileSystem Load Attempt By Format.com
- Sigma Unsigned AppX Installation Attempt Using Add-AppxPackage
- Sigma Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
- Sigma Veeam Backup Servers Credential Dumping Script Execution
- Sigma Visual Studio Code Tunnel Remote File Creation
- Sigma Wab Execution From Non Default Location
- Sigma Wab/Wabmig Unusual Parent Or Child Processes
- Sigma Weak or Abused Passwords In CLI
- Sigma Windows Defender Malware Detection History Deletion
- Sigma Windows Kernel Debugger Execution
- Sigma Windows Service Terminated With Error
- Sigma Winget Admin Settings Modification
- Sigma WinSxS Executable File Creation By Non-System Process
- Sigma Wusa.EXE Executed By Parent Process Located In Suspicious Location