Microsoft-Windows-Security-Auditing event 4688
Sigma (493)
- Abusing Print Executable
- Arbitrary Binary Execution Using GUP Utility
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Arbitrary File Download Via Squirrel.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- AspNetCompiler Execution
- Assembly Loading Via CL_LoadAssembly.ps1
- Attempts of Kerberos Coercion Via DNS SPN Spoofing
- Audio Capture via PowerShell
- Audio Capture via SoundRecorder
- Audit Policy Tampering Via NT Resource Kit Auditpol
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- Base64 Encoded PowerShell Command Detected
- Base64 MZ Header In CommandLine
- BitLockerTogo.EXE Execution
- Browser Execution In Headless Mode
- Browser Started with Remote Debugging
- Bypass UAC via Fodhelper.exe
- Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
- Certificate Exported Via PowerShell
- Changing Existing Service ImagePath Value Via Reg.EXE
- Chopper Webshell Process Pattern
- Chromium Browser Headless Execution To Mockbin Like Site
- Chromium Browser Instance Executed With Custom Extension
- Cloudflared Portable Execution
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Cmd.EXE Missing Space Characters Execution Anomaly
- CMSTP Execution Process Creation
- COM Object Execution via Xwizard.EXE
- Command Line Execution with Suspicious URL and AppData Strings
- Compress Data and Lock With Password for Exfiltration With WINZIP
- Copy From VolumeShadowCopy Via Cmd.EXE
- Cscript/Wscript Potentially Suspicious Child Process
- Curl Download And Execute Combination
- Delete All Scheduled Tasks
- Delete Important Scheduled Task
- Deletion of Volume Shadow Copies via WMI with PowerShell
- Detected Windows Software Discovery
- DeviceCredentialDeployment Execution
- Devtoolslauncher.exe Executes Specified Binary
- Disable Important Scheduled Task
- Disabled IE Security Features
- Disabled Volume Snapshots
- Discovery of a System Time
- DLL Execution Via Register-cimprovider.exe
- DLL Sideloading by VMware Xfer Utility
- Dllhost.EXE Execution Anomaly
- DNS Exfiltration and Tunneling Tools Execution
- Dropping Of Password Filter DLL
- DSInternals Suspicious PowerShell Cmdlets
- Dumping Process via Sqldumper.exe
- DumpStack.log Defender Evasion
- Email Exifiltration Via Powershell
- Enable LM Hash Storage - ProcCreation
- Enumeration for 3rd Party Creds From CLI
- Enumeration for Credentials in Registry
- Esentutl Gather Credentials
- ETW Logging Tamper In .NET Processes Via CommandLine
- ETW Trace Evasion Activity
- Execute Code with Pester.bat
- Execute Files with Msdeploy.exe
- Execute From Alternate Data Streams
- Execute Pcwrun.EXE To Leverage Follina
- Execution Of Non-Existing File
- Execution of Powershell Script in Public Folder
- Execution of Suspicious File Type Extension
- Execution via stordiag.exe
- Execution via WorkFolders.exe
- Explorer Process Tree Break
- File Download From Browser Process Via Inline URL
- File Download with Headless Browser
- File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
- Files Added To An Archive Using Rar.EXE
- Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
- Gpresult Display Group Policy Information
- Gzip Archive Decode Via PowerShell
- HackTool - ADCSPwn Execution
- HackTool - Covenant PowerShell Launcher
- HackTool - CrackMapExec Execution
- HackTool - CrackMapExec Execution Patterns
- HackTool - CrackMapExec Process Patterns
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- HackTool - DInjector PowerShell Cradle Execution
- HackTool - Empire PowerShell Launch Parameters
- HackTool - Empire PowerShell UAC Bypass
- HackTool - F-Secure C3 Load by Rundll32
- HackTool - Hashcat Password Cracker Execution
- HackTool - HollowReaper Execution
- HackTool - Htran/NATBypass Execution
- HackTool - Hydra Password Bruteforce Execution
- HackTool - Impacket Tools Execution
- HackTool - LaZagne Execution
- HackTool - Mimikatz Execution
- HackTool - NetExec Execution
- HackTool - Pypykatz Credentials Dumping Activity
- HackTool - Quarks PwDump Execution
- HackTool - RedMimicry Winnti Playbook Execution
- HackTool - SharpWSUS/WSUSpendu Execution
- HackTool - Sliver C2 Implant Activity Pattern
- HackTool - SOAPHound Execution
- HackTool - WinPwn Execution
- HackTool - WinRM Access Via Evil-WinRM
- HackTool - Wmiexec Default Powershell Command
- HackTool - XORDump Execution
- Hidden Powershell in Link File Pattern
- Hiding User Account Via SpecialAccounts Registry Key - CommandLine
- HTML Help HH.EXE Suspicious Child Process
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
- ImagingDevices Unusual Parent/Child Processes
- Import PowerShell Modules From Suspicious Directories - ProcCreation
- Indirect Command Execution By Program Compatibility Wizard
- InfDefaultInstall.exe .inf Execution
- Interactive AT Job
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation Obfuscated IEX Invocation
- Invoke-Obfuscation STDIN+ Launcher
- Invoke-Obfuscation VAR+ Launcher
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- Invoke-Obfuscation Via Stdin
- Invoke-Obfuscation Via Use Clip
- Invoke-Obfuscation Via Use MSHTA
- Java Running with Remote Debugging
- Kavremover Dropped Binary LOLBIN Usage
- Launch-VsDevShell.PS1 Proxy Execution
- Lolbin Runexehelper Use As Proxy
- LSASS Dump Keyword In CommandLine
- Malicious PE Execution by Microsoft Visual Studio Debugger
- Malicious PowerShell Commandlets - ProcessCreation
- Mavinject Inject DLL Into Running Process
- MMC Spawning Windows Shell
- MMC20 Lateral Movement
- MSDT Execution Via Answer File
- MSExchange Transport Agent Installation
- Mshtml.DLL RunHTMLApplication Suspicious Usage
- MsiExec Web Install
- Msxsl.EXE Execution
- Network Reconnaissance Activity
- New ActiveScriptEventConsumer Created Via Wmic.EXE
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- New Kernel Driver Via SC.EXE
- New Process Created Via Taskmgr.EXE
- New Service Creation Using PowerShell
- New Service Creation Using Sc.EXE
- Node Process Executions
- Non-privileged Usage of Reg or Powershell
- Notepad Password Files Discovery
- NtdllPipe Like Activity Execution
- Obfuscated IP Download Activity
- Obfuscated IP Via CLI
- Obfuscated PowerShell OneLiner Execution
- OneNote.EXE Execution of Malicious Embedded Scripts
- OpenEDR Spawning Command Shell
- OpenWith.exe Executes Specified Binary
- Outlook EnableUnsafeClientMailRules Setting Enabled
- Persistence Via Sticky Key Backdoor
- Persistence Via TypedPaths - CommandLine
- Phishing Pattern ISO in Archive
- Ping Hex IP
- Port Forwarding Activity Via SSH.EXE
- Possible Privilege Escalation via Weak Service Permissions
- Potential Amazon SSM Agent Hijacking
- Potential AMSI Bypass Using NULL Bits
- Potential AMSI Bypass Via .NET Reflection
- Potential Application Whitelisting Bypass via Dnx.EXE
- Potential Arbitrary Code Execution Via Node.EXE
- Potential COM Objects Download Cradles Usage - Process Creation
- Potential Command Line Path Traversal Evasion Attempt
- Potential Commandline Obfuscation Using Escape Characters
- Potential Credential Dumping Attempt Using New NetworkProvider - CLI
- Potential Credential Dumping Via LSASS Process Clone
- Potential Crypto Mining Activity
- Potential Data Exfiltration Activity Via CommandLine Tools
- Potential Data Stealing Via Chromium Headless Debugging
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
- Potential Defense Evasion Via Right-to-Left Override
- Potential Discovery Activity Via Dnscmd.EXE
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Potential Dosfuscation Activity
- Potential Download/Upload Activity Using Type Command
- Potential Dropper Script Execution Via WScript/CScript
- Potential Execution of Sysinternals Tools
- Potential Fake Instance Of Hxtsr.EXE Executed
- Potential File Download Via MS-AppInstaller Protocol Handler
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- Potential Homoglyph Attack Using Lookalike Characters
- Potential Lateral Movement via Windows Remote Shell
- Potential LethalHTA Technique Execution
- Potential LSASS Process Dump Via Procdump
- Potential Meterpreter/CobaltStrike Activity
- Potential Mftrace.EXE Abuse
- Potential Mpclient.DLL Sideloading Via Defender Binaries
- Potential MSTSC Shadowing Activity
- Potential Network Sniffing Activity Using Network Tools
- Potential Persistence Attempt Via Existing Service Tampering
- Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Potential Persistence Via Logon Scripts - CommandLine
- Potential PowerShell Console History Access Attempt via History File
- Potential PowerShell Downgrade Attack
- Potential PowerShell Execution Policy Tampering - ProcCreation
- Potential PowerShell Obfuscation Via WCHAR/CHAR
- Potential Privilege Escalation To LOCAL SYSTEM
- Potential Privilege Escalation via Service Permissions Weakness
- Potential Process Execution Proxy Via CL_Invocation.ps1
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution
- Potential Provlaunch.EXE Binary Proxy Execution Abuse
- Potential PsExec Remote Execution
- Potential RDP Tunneling Via Plink
- Potential RDP Tunneling Via SSH
- Potential Regsvr32 Commandline Flag Anomaly
- Potential Remote Desktop Tunneling
- Potential Renamed Rundll32 Execution
- Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
- Potential SMB Relay Attack Tool Execution
- Potential Suspicious Browser Launch From Document Reader Process
- Potential Suspicious Windows Feature Enabled - ProcCreation
- Potential SysInternals ProcDump Evasion
- Potential Tampering With Security Products Via WMIC
- Potential UAC Bypass Via Sdclt.EXE
- Potential WinAPI Calls Via CommandLine
- Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
- Potentially Suspicious Cabinet File Expansion
- Potentially Suspicious Call To Win32_NTEventlogFile Class
- Potentially Suspicious Child Process Of ClickOnce Application
- Potentially Suspicious Child Process Of DiskShadow.EXE
- Potentially Suspicious Child Process Of Regsvr32
- Potentially Suspicious Child Process Of VsCode
- Potentially Suspicious Command Targeting Teams Sensitive Files
- Potentially Suspicious Event Viewer Child Process
- Potentially Suspicious Execution From Parent Process In Public Folder
- Potentially Suspicious Execution Of PDQDeployRunner
- Potentially Suspicious GoogleUpdate Child Process
- Potentially Suspicious JWT Token Search Via CLI
- Potentially Suspicious Usage Of Qemu
- Potentially Suspicious WebDAV LNK Execution
- Potentially Suspicious Windows App Activity
- PowerShell Base64 Encoded FromBase64String Cmdlet
- PowerShell Base64 Encoded IEX Cmdlet
- Powershell Base64 Encoded MpPreference Cmdlet
- PowerShell Base64 Encoded Reflective Assembly Load
- Powershell Defender Disable Scan Feature
- Powershell Defender Exclusion
- PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
- PowerShell Download and Execution Cradles
- PowerShell Get-Clipboard Cmdlet Via CLI
- PowerShell Get-Process LSASS
- Powershell Inline Execution From A File
- PowerShell SAM Copy
- PowerShell Script Run in AppData
- Powershell Token Obfuscation - Process Creation
- PrintBrm ZIP Creation of Extraction
- Procdump Execution
- Process Creation Using Sysnative Folder
- Process Execution From A Potentially Suspicious Folder
- Process Launched Without Image Name
- Process Proxy Execution Via Squirrel.EXE
- PsExec Service Child Process Execution as LOCAL SYSTEM
- PsExec/PAExec Escalation to LOCAL SYSTEM
- PUA - AdFind Suspicious Execution
- PUA - Adidnsdump Execution
- PUA - AdvancedRun Suspicious Execution
- PUA - Chisel Tunneling Tool Execution
- PUA - CleanWipe Execution
- PUA - DIT Snapshot Viewer
- PUA - Netcat Suspicious Execution
- PUA - Ngrok Execution
- PUA - NirCmd Execution As LOCAL SYSTEM
- PUA - Restic Backup Tool Execution
- PUA - RunXCmd Execution
- PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
- PUA - TruffleHog Execution
- Pubprn.vbs Proxy Execution
- Python Function Execution Security Warning Disabled In Excel
- Python Spawning Pretty TTY on Windows
- Query Usage To Exfil Data
- QuickAssist Execution
- Raccine Uninstall
- Rar Usage with Password and Compression Level
- Recon Command Output Piped To Findstr.EXE
- Regedit as Trusted Installer
- REGISTER_APP.VBS Proxy Execution
- Registry Modification Attempt Via VBScript
- Remote Access Tool - AnyDesk Piped Password Via CLI
- Remote Access Tool - AnyDesk Silent Installation
- Remote Access Tool - MeshAgent Command Execution via MeshCentral
- Remote Access Tool - Potential MeshAgent Execution - Windows
- Remote Access Tool - ScreenConnect Installation Execution
- Remote Access Tool - ScreenConnect Server Web Shell Execution
- Remote Access Tool - Simple Help Execution
- Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
- Remote Access Tool - Team Viewer Session Started On Windows Host
- Remote File Download Via Desktopimgdownldr Utility
- Remote PowerShell Session Host Process (WinRM)
- Remote XSL Execution Via Msxsl.EXE
- RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
- Replace.exe Usage
- RestrictedAdminMode Registry Value Tampering - ProcCreation
- Root Certificate Installed From Susp Locations
- Run PowerShell Script from ADS
- Run PowerShell Script from Redirected Input Stream
- Rundll32 Execution Without CommandLine Parameters
- Rundll32 Execution Without Parameters
- Scheduled Task Creation Via Schtasks.EXE
- Scheduled Task Creation with Curl and PowerShell Execution Combo
- Schtasks Creation Or Modification With SYSTEM Privileges
- Screen Capture Activity Via Psr.EXE
- Script Event Consumer Spawning Process
- Script Interpreter Spawning Credential Scanner - Windows
- Scripting/CommandLine Process Spawned Regsvr32
- Sdclt Child Processes
- Sdiagnhost Calling Suspicious Child Process
- Security Service Disabled Via Reg.EXE
- Sensitive File Access Via Volume Shadow Copy Backup
- Shell Process Spawned by Java.EXE
- ShimCache Flush
- Start of NT Virtual DOS Machine
- Sticky Key Like Backdoor Execution
- Suspect Svchost Activity
- Suspicious ArcSOC.exe Child Process
- Suspicious Binary In User Directory Spawned From Office Application
- Suspicious BitLocker Access Agent Update Utility Execution
- Suspicious Calculator Usage
- Suspicious Child Process of AspNetCompiler
- Suspicious Child Process Of BgInfo.EXE
- Suspicious Child Process Of Manage Engine ServiceDesk
- Suspicious Child Process of Notepad++ Updater - GUP.Exe
- Suspicious Child Process Of SQL Server
- Suspicious Child Process Of Wermgr.EXE
- Suspicious Chromium Browser Instance Executed With Custom Extension
- Suspicious ClickFix/FileFix Execution Pattern
- Suspicious CodePage Switch Via CHCP
- Suspicious Command Patterns In Scheduled Task Creation
- Suspicious CustomShellHost Execution
- Suspicious Debugger Registration Cmdline
- Suspicious Desktopimgdownldr Command
- Suspicious Diantz Alternate Data Stream Execution
- Suspicious Diantz Download and Compress Into a CAB File
- Suspicious Double Extension File Execution
- Suspicious Download from Office Domain
- Suspicious Driver Install by pnputil.exe
- Suspicious Electron Application Child Processes
- Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
- Suspicious Execution From Outlook Temporary Folder
- Suspicious Execution Location Of Wermgr.EXE
- Suspicious Execution of Hostname
- Suspicious Execution of InstallUtil Without Log
- Suspicious Execution of Powershell with Base64
- Suspicious Execution of Shutdown
- Suspicious Execution of Shutdown to Log Out
- Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
- Suspicious Extrac32 Alternate Data Stream Execution
- Suspicious FileFix Execution Pattern
- Suspicious FromBase64String Usage On Gzip Archive - Process Creation
- Suspicious GrpConv Execution
- Suspicious GUP Usage
- Suspicious High IntegrityLevel Conhost Legacy Option
- Suspicious HWP Sub Processes
- Suspicious IIS Module Registration
- Suspicious Kernel Dump Using Dtrace
- Suspicious Modification Of Scheduled Tasks
- Suspicious Msiexec Execute Arbitrary DLL
- Suspicious Network Command
- Suspicious New Service Creation
- Suspicious Obfuscated PowerShell Code
- Suspicious Outlook Child Process
- Suspicious Ping/Del Command Combination
- Suspicious PowerShell Download and Execute Pattern
- Suspicious PowerShell IEX Execution Patterns
- Suspicious PowerShell Invocations - Specific - ProcessCreation
- Suspicious PowerShell Mailbox Export to Share
- Suspicious PowerShell Parameter Substring
- Suspicious Process Created Via Wmic.EXE
- Suspicious Process Execution From Fake Recycle.Bin Folder
- Suspicious Process Parents
- Suspicious Process Patterns NTDS.DIT Exfil
- Suspicious Process Start Locations
- Suspicious Processes Spawned by Java.EXE
- Suspicious Processes Spawned by WinRM
- Suspicious Program Names
- Suspicious Provlaunch.EXE Child Process
- Suspicious Query of MachineGUID
- Suspicious RASdial Activity
- Suspicious RDP Redirect Using TSCON
- Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
- Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
- Suspicious Recursive Takeown
- Suspicious Redirection to Local Admin Share
- Suspicious Reg Add BitLocker
- Suspicious Remote Child Process From Outlook
- Suspicious RunAs-Like Flag Combination
- Suspicious Rundll32 Activity Invoking Sys File
- Suspicious Rundll32 Invoking Inline VBScript
- Suspicious Runscripthelper.exe
- Suspicious Scan Loop Network
- Suspicious Scheduled Task Creation Involving Temp Folder
- Suspicious Scheduled Task Name As GUID
- Suspicious Schtasks Execution AppData Folder
- Suspicious ScreenSave Change by Reg.exe
- Suspicious Script Execution From Temp Folder
- Suspicious Serv-U Process Pattern
- Suspicious Service Binary Directory
- Suspicious Service Path Modification
- Suspicious Shells Spawn by Java Utility Keytool
- Suspicious Speech Runtime Binary Child Process
- Suspicious Splwow64 Without Params
- Suspicious SYSVOL Domain Group Policy Access
- Suspicious TSCON Start as SYSTEM
- Suspicious UltraVNC Execution
- Suspicious Usage Of ShellExec_RunDLL
- Suspicious VBoxDrvInst.exe Parameters
- Suspicious Velociraptor Child Process
- Suspicious Vsls-Agent Command With AgentExtensionPath Load
- Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
- Suspicious WindowsTerminal Child Processes
- Suspicious WmiPrvSE Child Process
- Suspicious X509Enrollment - Process Creation
- Suspicious ZipExec Execution
- SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
- Sysprep on AppData Folder
- System File Execution Location Anomaly
- System Information Discovery via Registry Queries
- Tamper Windows Defender Remove-MpPreference
- Tap Installer Execution
- Taskkill Symantec Endpoint Protection
- Taskmgr as LOCAL_SYSTEM
- Tasks Folder Evasion
- Time Travel Debugging Utility Usage
- TrustedPath UAC Bypass Pattern
- UAC Bypass Tools Using ComputerDefaults
- UAC Bypass Using ChangePK and SLUI
- UAC Bypass Using Consent and Comctl32 - Process
- UAC Bypass Using DismHost
- UAC Bypass Using Event Viewer RecentViews
- UAC Bypass Using IEInstal - Process
- UAC Bypass Using MSConfig Token Modification - Process
- UAC Bypass Using PkgMgr and DISM
- UAC Bypass WSReset
- UEFI Persistence Via Wpbbin - ProcessCreation
- Uncommon Child Process Of AddinUtil.EXE
- Uncommon Child Process Of Appvlp.EXE
- Uncommon Child Process Of BgInfo.EXE
- Uncommon Child Process Of Conhost.EXE
- Uncommon Child Process Of Defaultpack.EXE
- Uncommon Child Process Of Setres.EXE
- Uncommon Child Process Spawned By Odbcconf.EXE
- Uncommon Child Processes Of SndVol.exe
- Uncommon FileSystem Load Attempt By Format.com
- Uncommon Link.EXE Parent Process
- Uncommon Sigverif.EXE Child Process
- Uncommon Svchost Command Line Parameter
- Uncommon Svchost Parent Process
- Uncommon Userinit Child Process
- Uninstall Crowdstrike Falcon Sensor
- Unusual Child Process of dns.exe
- Unusual Parent Process For Cmd.EXE
- Usage Of Web Request Commands And Cmdlets
- Use NTFS Short Name in Command Line
- Use NTFS Short Name in Image
- Use of Pcalua For Execution
- Use Of The SFTP.EXE Binary As A LOLBIN
- User Added To Highly Privileged Group
- User Added to Local Administrators Group
- User Added to Remote Desktop Users Group
- UtilityFunctions.ps1 Proxy Dll
- Veeam Backup Database Suspicious Query
- VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
- Virtualbox Driver Installation or Starting of VMs
- Visual Basic Command Line Compiler Usage
- Visual Studio Code Tunnel Service Installation
- Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
- VolumeShadowCopy Symlink Creation Via Mklink
- Wab Execution From Non Default Location
- Wab/Wabmig Unusual Parent Or Child Processes
- Weak or Abused Passwords In CLI
- Webshell Hacking Activity Patterns
- Webshell Tool Reconnaissance Activity
- WhoAmI as Parameter
- Windows Processes Suspicious Parent Directory
- WMI Backdoor Exchange Transport Agent
- WMI Persistence - Script Event Consumer
- WmiPrvSE Spawned A Process
- Write Protect For Storage Disabled
- Writing Of Malicious Files To The Fonts Folder
- Wscript Shell Run In CommandLine
- WSL Child Process Anomaly
- WSL Kali-Linux Usage
- Wusa.EXE Executed By Parent Process Located In Suspicious Location
Elastic (1)
Splunk (18)
- Spoolsv Writing a DLL
- Suspicious WAV file in Appdata Folder
- Windows Alternate DataStream - Process Execution
- Windows BitLockerToGo Process Execution
- Windows DISM Install PowerShell Web Access
- Windows Explorer LNK Exploit Process Launch With Padding
- Windows Explorer.exe Spawning PowerShell or Cmd
- Windows File and Directory Enable ReadOnly Permissions
- Windows File and Directory Permissions Enable Inheritance
- Windows File and Directory Permissions Remove Inheritance
- Windows LOLBAS Executed Outside Expected Path
- Windows Office Product Dropped Cab or Inf File
- Windows Remote Host Computer Management Access
- Windows Remote Management Execute Shell
- Windows Sqlservr Spawning Shell
- Windows Svchost.exe Parent Process Anomaly
- Windows TinyCC Shellcode Execution
- Windows Unusual SysWOW64 Process Run System32 Executable