Detection rules › By event

Microsoft-Windows-Security-Auditing event 4697

25 detection rules reference this event. View event page.

Sigma (21)

CobaltStrike Service Installations - Security severity high T1021.002, T1543.003, T1569.002
Credential Dumping Tools Service Execution - Security severity high T1003.001, T1003.002, T1003.004, T1003.005, T1003.006, T1569.002
HybridConnectionManager Service Installation severity high T1554
Invoke-Obfuscation CLIP+ Launcher - Security severity high T1027, T1059.001
Invoke-Obfuscation COMPRESS OBFUSCATION - Security severity medium T1027, T1059.001
Invoke-Obfuscation Obfuscated IEX Invocation - Security severity high T1027
Invoke-Obfuscation RUNDLL LAUNCHER - Security severity medium T1027, T1059.001
Invoke-Obfuscation STDIN+ Launcher - Security severity high T1027, T1059.001
Invoke-Obfuscation VAR+ Launcher - Security severity high T1027, T1059.001
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security severity high T1027, T1059.001
Invoke-Obfuscation Via Stdin - Security severity high T1027, T1059.001
Invoke-Obfuscation Via Use Clip - Security severity high T1027, T1059.001
Invoke-Obfuscation Via Use MSHTA - Security severity high T1027, T1059.001
Invoke-Obfuscation Via Use Rundll32 - Security severity high T1027, T1059.001
Metasploit Or Impacket Service Installation Via SMB PsExec severity high T1021.002, T1569.002, T1570
Meterpreter or Cobalt Strike Getsystem Service Installation - Security severity high T1134.001, T1134.002
PowerShell Scripts Installed as Services - Security severity high T1569.002
Remote Access Tool Services Have Been Installed - Security severity medium T1543.003, T1569.002
Service Installed By Unusual Client - Security severity high T1543
Tap Driver Installation - Security severity low T1048
Windows Pcap Drivers severity medium T1040

Microsoft-Windows-Security-Auditing event 4697

Sigma (21)

Elastic (4)

Keyboard Shortcuts