Microsoft-Windows-Sysmon event 1
Sigma (1171)
- 7Zip Compressing Dump Files
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abused Debug Privilege by Arbitrary Parent Processes
- Abusing Print Executable
- Active Directory Database Snapshot Via ADExplorer
- Active Directory Structure Export Via Csvde.EXE
- Active Directory Structure Export Via Ldifde.EXE
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Add Potential Suspicious New Download Source To Winget
- Add SafeBoot Keys Via Reg Utility
- Add Windows Capability Via PowerShell Cmdlet
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- All Backups Deleted Via Wbadmin.EXE
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Always Install Elevated MSI Spawned Cmd And Powershell
- Always Install Elevated Windows Installer
- Application Removed Via Wmic.EXE
- Application Terminated Via Wmic.EXE
- Arbitrary Binary Execution Using GUP Utility
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via ConfigSecurityPolicy.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary File Download Via Squirrel.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- AspNetCompiler Execution
- Assembly Loading Via CL_LoadAssembly.ps1
- Attempts of Kerberos Coercion Via DNS SPN Spoofing
- Audio Capture via PowerShell
- Audio Capture via SoundRecorder
- Audit Policy Tampering Via Auditpol
- Audit Policy Tampering Via NT Resource Kit Auditpol
- Automated Collection Command Prompt
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- Base64 Encoded PowerShell Command Detected
- Base64 MZ Header In CommandLine
- Binary Proxy Execution Via Dotnet-Trace.EXE
- BitLockerTogo.EXE Execution
- Boot Configuration Tampering Via Bcdedit.EXE
- Browser Execution In Headless Mode
- Browser Started with Remote Debugging
- Bypass UAC via CMSTP
- Bypass UAC via Fodhelper.exe
- Bypass UAC via WSReset.exe
- C# IL Code Compilation Via Ilasm.EXE
- Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
- Capture Credentials with Rpcping.exe
- Certificate Exported Via Certutil.EXE
- Certificate Exported Via PowerShell
- Change Default File Association To Executable Via Assoc
- Change Default File Association Via Assoc
- Change PowerShell Policies to an Insecure Level
- Changing Existing Service ImagePath Value Via Reg.EXE
- Chopper Webshell Process Pattern
- Chromium Browser Headless Execution To Mockbin Like Site
- Chromium Browser Instance Executed With Custom Extension
- Cloudflared Portable Execution
- Cloudflared Quick Tunnel Execution
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Cmd Launched with Hidden Start Flags to Suspicious Targets
- Cmd.EXE Missing Space Characters Execution Anomaly
- CMSTP Execution Process Creation
- CMSTP UAC Bypass via COM Object Access
- CobaltStrike Load by Rundll32
- Code Execution via Pcwutl.dll
- CodePage Modification Via MODE.COM To Russian Language
- COM Object Execution via Xwizard.EXE
- Command Line Execution with Suspicious URL and AppData Strings
- Compress Data and Lock With Password for Exfiltration With 7-ZIP
- Compress Data and Lock With Password for Exfiltration With WINZIP
- Compressed File Creation Via Tar.EXE
- Compressed File Extraction Via Tar.EXE
- Computer Discovery And Export Via Get-ADComputer Cmdlet
- Computer Password Change Via Ksetup.EXE
- Computer System Reconnaissance Via Wmic.EXE
- Conhost Spawned By Uncommon Parent Process
- Conhost.exe CommandLine Path Traversal
- Console CodePage Lookup Via CHCP
- Control Panel Items
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
- Copy From Or To Admin Share Or Sysvol Folder
- Copy From VolumeShadowCopy Via Cmd.EXE
- Copying Sensitive Files with Credential Data
- CreateDump Process Dump
- Csc.EXE Execution Form Potentially Suspicious Parent
- Cscript/Wscript Potentially Suspicious Child Process
- Cscript/Wscript Uncommon Script Extension Execution
- Curl Download And Execute Combination
- Curl Web Request With Potential Custom User-Agent
- Data Copied To Clipboard Via Clip.EXE
- Data Export From MSSQL Table Via BCP.EXE
- Delete All Scheduled Tasks
- Delete Important Scheduled Task
- Deleted Data Overwritten Via Cipher.EXE
- Deletion of Volume Shadow Copies via WMI with PowerShell
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- Detected Windows Software Discovery
- Detection of PowerShell Execution via Sqlps.exe
- Devcon Execution Disabling VMware VMCI Device
- DeviceCredentialDeployment Execution
- Devtoolslauncher.exe Executes Specified Binary
- Direct Autorun Keys Modification
- Directory Removal Via Rmdir
- DirLister Execution
- Disable Important Scheduled Task
- Disable Windows Defender AV Security Monitoring
- Disable Windows IIS HTTP Logging
- Disabled IE Security Features
- Disabled Volume Snapshots
- Disabling Windows Defender WMI Autologger Session via Reg.exe
- Discovery of a System Time
- Diskshadow Script Mode - Execution From Potential Suspicious Location
- Diskshadow Script Mode - Uncommon Script Extension Execution
- Dism Remove Online Package
- DLL Execution via Rasautou.exe
- DLL Execution Via Register-cimprovider.exe
- DLL Loaded via CertOC.EXE
- DLL Sideloading by VMware Xfer Utility
- Dllhost.EXE Execution Anomaly
- DllUnregisterServer Function Call Via Msiexec.EXE
- DNS Exfiltration and Tunneling Tools Execution
- Domain Trust Discovery Via Dsquery
- Driver/DLL Installation Via Odbcconf.EXE
- DriverQuery.EXE Execution
- Dropping Of Password Filter DLL
- DSInternals Suspicious PowerShell Cmdlets
- Dumping of Sensitive Hives Via Reg.EXE
- Dumping Process via Sqldumper.exe
- DumpMinitool Execution
- DumpStack.log Defender Evasion
- Dynamic .NET Compilation Via Csc.EXE
- Elevated System Shell Spawned From Uncommon Parent Location
- Email Exifiltration Via Powershell
- Enable LM Hash Storage - ProcCreation
- Enumerate All Information With Whoami.EXE
- Enumeration for 3rd Party Creds From CLI
- Enumeration for Credentials in Registry
- Esentutl Gather Credentials
- Esentutl Steals Browser Information
- ETW Logging Tamper In .NET Processes Via CommandLine
- ETW Trace Evasion Activity
- Exchange PowerShell Snap-Ins Usage
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent
- Execute Files with Msdeploy.exe
- Execute From Alternate Data Streams
- Execute Pcwrun.EXE To Leverage Follina
- Execution Of Non-Existing File
- Execution of Powershell Script in Public Folder
- Execution of Suspicious File Type Extension
- Execution via stordiag.exe
- Execution via WorkFolders.exe
- Explorer NOUACCHECK Flag
- Explorer Process Tree Break
- Exports Critical Registry Keys To a File
- Exports Registry Key To a File
- File And SubFolder Enumeration Via Dir Command
- File Decoded From Base64/Hex Via Certutil.EXE
- File Decryption Using Gpg4win
- File Deletion Via Del
- File Download And Execution Via IEExec.EXE
- File Download From Browser Process Via Inline URL
- File Download From IP Based URL Via CertOC.EXE
- File Download From IP URL Via Curl.EXE
- File Download Using Notepad++ GUP Utility
- File Download Using ProtocolHandler.exe
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File Download via CertOC.EXE
- File Download Via InstallUtil.EXE
- File Download Via Windows Defender MpCmpRun.EXE
- File Download with Headless Browser
- File Encoded To Base64 Via Certutil.EXE
- File Encryption Using Gpg4win
- File Encryption/Decryption Via Gpg4win From Suspicious Locations
- File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
- File In Suspicious Location Encoded To Base64 Via Certutil.EXE
- File Recovery From Backup Via Wbadmin.EXE
- File With Suspicious Extension Downloaded Via Bitsadmin
- Files Added To An Archive Using Rar.EXE
- Filter Driver Unloaded Via Fltmc.EXE
- Findstr GPP Passwords
- Findstr Launching .lnk File
- Finger.EXE Execution
- Firewall Configuration Discovery Via Netsh.EXE
- Firewall Disabled via Netsh.EXE
- Firewall Rule Deleted Via Netsh.EXE
- Firewall Rule Update Via Netsh.EXE
- Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
- Forfiles Command Execution
- Forfiles.EXE Child Process Masquerading
- Fsutil Drive Enumeration
- Fsutil Suspicious Invocation
- Github Self-Hosted Runner Execution
- Gpresult Display Group Policy Information
- Gpscript Execution
- Greedy File Deletion Using Del
- Group Membership Reconnaissance Via Whoami.EXE
- Gzip Archive Decode Via PowerShell
- HackTool - ADCSPwn Execution
- HackTool - Bloodhound/Sharphound Execution
- HackTool - Certify Execution
- HackTool - Certipy Execution
- HackTool - CoercedPotato Execution
- HackTool - Covenant PowerShell Launcher
- HackTool - CrackMapExec Execution
- HackTool - CrackMapExec Execution Patterns
- HackTool - CrackMapExec PowerShell Obfuscation
- HackTool - CrackMapExec Process Patterns
- HackTool - CreateMiniDump Execution
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- HackTool - DInjector PowerShell Cradle Execution
- HackTool - Doppelanger LSASS Dumper Execution
- HackTool - Dumpert Process Dumper Execution
- Hacktool - EDR-Freeze Execution
- HackTool - EDRSilencer Execution
- HackTool - Empire PowerShell Launch Parameters
- HackTool - Empire PowerShell UAC Bypass
- HackTool - F-Secure C3 Load by Rundll32
- HackTool - GMER Rootkit Detector and Remover Execution
- HackTool - HandleKatz LSASS Dumper Execution
- HackTool - Hashcat Password Cracker Execution
- HackTool - HollowReaper Execution
- HackTool - Htran/NATBypass Execution
- HackTool - Hydra Password Bruteforce Execution
- HackTool - Impacket Tools Execution
- HackTool - Impersonate Execution
- HackTool - Inveigh Execution
- HackTool - Jlaive In-Memory Assembly Execution
- HackTool - Koadic Execution
- HackTool - KrbRelay Execution
- HackTool - KrbRelayUp Execution
- HackTool - LaZagne Execution
- HackTool - LocalPotato Execution
- HackTool - Mimikatz Execution
- HackTool - NetExec Execution
- HackTool - PCHunter Execution
- HackTool - Potential Impacket Lateral Movement Activity
- HackTool - PowerTool Execution
- HackTool - PPID Spoofing SelectMyParent Tool Execution
- HackTool - PurpleSharp Execution
- HackTool - Pypykatz Credentials Dumping Activity
- HackTool - Quarks PwDump Execution
- HackTool - RedMimicry Winnti Playbook Execution
- HackTool - RemoteKrbRelay Execution
- HackTool - Rubeus Execution
- HackTool - SafetyKatz Execution
- HackTool - SecurityXploded Execution
- HackTool - SharpChisel Execution
- HackTool - SharpDPAPI Execution
- HackTool - SharPersist Execution
- HackTool - SharpEvtMute Execution
- HackTool - SharpImpersonation Execution
- HackTool - SharpLDAPmonitor Execution
- HackTool - SharpLdapWhoami Execution
- HackTool - SharpMove Tool Execution
- HackTool - SharpUp PrivEsc Tool Execution
- HackTool - SharpView Execution
- HackTool - SharpWSUS/WSUSpendu Execution
- HackTool - SILENTTRINITY Stager Execution
- HackTool - Sliver C2 Implant Activity Pattern
- HackTool - SOAPHound Execution
- HackTool - Stracciatella Execution
- HackTool - SysmonEOP Execution
- HackTool - TruffleSnout Execution
- HackTool - UACMe Akagi Execution
- HackTool - Windows Credential Editor (WCE) Execution
- HackTool - winPEAS Execution
- HackTool - WinPwn Execution
- HackTool - WinRM Access Via Evil-WinRM
- HackTool - Wmiexec Default Powershell Command
- HackTool - WSASS Execution
- HackTool - XORDump Execution
- Hacktool Execution - Imphash
- Hacktool Execution - PE Metadata
- Hardware Model Reconnaissance Via Wmic.EXE
- Harvesting Of Wifi Credentials Via Netsh.EXE
- HH.EXE Execution
- Hidden Powershell in Link File Pattern
- Hiding Files with Attrib.exe
- Hiding User Account Via SpecialAccounts Registry Key - CommandLine
- HKTL - SharpSuccessor Privilege Escalation Tool Execution
- HTML Help HH.EXE Suspicious Child Process
- Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
- IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
- Ie4uinit Lolbin Use From Invalid Path
- IIS Native-Code Module Command Line Installation
- IIS WebServer Log Deletion via CommandLine Utilities
- ImagingDevices Unusual Parent/Child Processes
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- Import PowerShell Modules From Suspicious Directories - ProcCreation
- Imports Registry Key From a File
- Imports Registry Key From an ADS
- Indirect Command Execution By Program Compatibility Wizard
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Inline Command Execution Via Bash.EXE
- InfDefaultInstall.exe .inf Execution
- Insecure Proxy/DOH Transfer Via Curl.EXE
- Insecure Transfer Via Curl.EXE
- Insensitive Subfolder Search Via Findstr.EXE
- Install New Package Via Winget Local Manifest
- Installation of WSL Kali-Linux
- Interactive AT Job
- Interesting Service Enumeration Via Sc.EXE
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation Obfuscated IEX Invocation
- Invoke-Obfuscation STDIN+ Launcher
- Invoke-Obfuscation VAR+ Launcher
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- Invoke-Obfuscation Via Stdin
- Invoke-Obfuscation Via Use Clip
- Invoke-Obfuscation Via Use MSHTA
- Java Running with Remote Debugging
- JScript Compiler Execution
- Kavremover Dropped Binary LOLBIN Usage
- Kernel Memory Dump Via LiveKD
- Launch-VsDevShell.PS1 Proxy Execution
- Loaded Module Enumeration Via Tasklist.EXE
- Local Accounts Discovery
- Local File Read Using Curl.EXE
- Local Groups Reconnaissance Via Wmic.EXE
- Logged-On User Password Change Via Ksetup.EXE
- LOL-Binary Copied From System Directory
- LOLBAS Data Exfiltration by DataSvcUtil.exe
- LOLBIN Execution From Abnormal Drive
- Lolbin Runexehelper Use As Proxy
- Lolbin Unregmp2.exe Use As Proxy
- LSA PPL Protection Setting Modification via CommandLine
- LSASS Dump Keyword In CommandLine
- LSASS Process Reconnaissance Via Findstr.EXE
- Malicious Base64 Encoded PowerShell Keywords in Command Lines
- Malicious PE Execution by Microsoft Visual Studio Debugger
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious Windows Script Components File Execution by TAEF Detection
- ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
- Mavinject Inject DLL Into Running Process
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- MMC Executing Files with Reversed Extensions Using RTLO Abuse
- MMC Spawning Windows Shell
- MMC20 Lateral Movement
- Modify Group Policy Settings
- Monitoring For Persistence Via BITS
- MpiExec Lolbin
- MSDT Execution Via Answer File
- MSExchange Transport Agent Installation
- MSHTA Execution with Suspicious File Extensions
- Mshtml.DLL RunHTMLApplication Suspicious Usage
- Msiexec Quiet Installation
- MsiExec Web Install
- Mstsc.EXE Execution From Uncommon Parent
- Mstsc.EXE Execution With Local RDP File
- Msxsl.EXE Execution
- Net WebClient Casing Anomalies
- Netsh Allow Group Policy on Microsoft Defender Firewall
- Network Reconnaissance Activity
- New ActiveScriptEventConsumer Created Via Wmic.EXE
- New Capture Session Launched Via DXCap.EXE
- New DLL Registered Via Odbcconf.EXE
- New DMSA Service Account Created in Specific OUs
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- New Firewall Rule Added Via Netsh.EXE
- New Generic Credentials Added Via Cmdkey.EXE
- New Kernel Driver Via SC.EXE
- New Network Trace Capture Started Via Netsh.EXE
- New Port Forwarding Rule Added Via Netsh.EXE
- New Process Created Via Taskmgr.EXE
- New Process Created Via Wmic.EXE
- New Remote Desktop Connection Initiated Via Mstsc.EXE
- New Root Certificate Installed Via CertMgr.EXE
- New Root Certificate Installed Via Certutil.EXE
- New Service Creation Using PowerShell
- New Service Creation Using Sc.EXE
- New User Created Via Net.EXE
- New User Created Via Net.EXE With Never Expire Option
- New Virtual Smart Card Created Via TpmVscMgr.EXE
- Nltest.EXE Execution
- Node Process Executions
- NodeJS Execution of JavaScript File
- Non Interactive PowerShell Process Spawned
- Non-privileged Usage of Reg or Powershell
- Notepad Password Files Discovery
- Nslookup PowerShell Download Cradle - ProcessCreation
- NtdllPipe Like Activity Execution
- Obfuscated IP Download Activity
- Obfuscated IP Via CLI
- Obfuscated PowerShell MSI Install via WindowsInstaller COM
- Obfuscated PowerShell OneLiner Execution
- Odbcconf.EXE Suspicious DLL Location
- OneNote.EXE Execution of Malicious Embedded Scripts
- OpenEDR Spawning Command Shell
- OpenWith.exe Executes Specified Binary
- Operator Bloopers Cobalt Strike Commands
- Operator Bloopers Cobalt Strike Modules
- Outlook EnableUnsafeClientMailRules Setting Enabled
- Password Provided In Command Line Of Net.EXE
- Password Set to Never Expire via WMI
- PDQ Deploy Remote Adminstartion Tool Execution
- Perl Inline Command Execution
- Permission Check Via Accesschk.EXE
- Permission Misconfiguration Reconnaissance Via Findstr.EXE
- Persistence Via Sticky Key Backdoor
- Persistence Via TypedPaths - CommandLine
- Phishing Pattern ISO in Archive
- Php Inline Command Execution
- Ping Hex IP
- PktMon.EXE Execution
- Port Forwarding Activity Via SSH.EXE
- Portable Gpg.EXE Execution
- Possible Privilege Escalation via Weak Service Permissions
- Potential Active Directory Enumeration Using AD Module - ProcCreation
- Potential Adplus.EXE Abuse
- Potential Amazon SSM Agent Hijacking
- Potential AMSI Bypass Using NULL Bits
- Potential AMSI Bypass Via .NET Reflection
- Potential Application Whitelisting Bypass via Dnx.EXE
- Potential Arbitrary Code Execution Via Node.EXE
- Potential Arbitrary Command Execution Using Msdt.EXE
- Potential Arbitrary Command Execution Via FTP.EXE
- Potential Arbitrary DLL Load Using Winword
- Potential Arbitrary File Download Using Office Application
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Binary Impersonating Sysinternals Tools
- Potential Binary Proxy Execution Via Cdb.EXE
- Potential Binary Proxy Execution Via VSDiagnostics.EXE
- Potential Browser Data Stealing
- Potential CobaltStrike Process Patterns
- Potential COM Objects Download Cradles Usage - Process Creation
- Potential Command Line Path Traversal Evasion Attempt
- Potential Commandline Obfuscation Using Escape Characters
- Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
- Potential CommandLine Path Traversal Via Cmd.EXE
- Potential Configuration And Service Reconnaissance Via Reg.EXE
- Potential Cookies Session Hijacking
- Potential Credential Dumping Attempt Using New NetworkProvider - CLI
- Potential Credential Dumping Via LSASS Process Clone
- Potential Credential Dumping Via WER
- Potential Crypto Mining Activity
- Potential Data Exfiltration Activity Via CommandLine Tools
- Potential Data Stealing Via Chromium Headless Debugging
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
- Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
- Potential Defense Evasion Via Binary Rename
- Potential Defense Evasion Via Rename Of Highly Relevant Binaries
- Potential Defense Evasion Via Right-to-Left Override
- Potential Discovery Activity Via Dnscmd.EXE
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Potential DLL Injection Or Execution Using Tracker.exe
- Potential DLL Injection Via AccCheckConsole
- Potential DLL Sideloading Via DeviceEnroller.EXE
- Potential Dosfuscation Activity
- Potential Download/Upload Activity Using Type Command
- Potential Dropper Script Execution Via WScript/CScript
- Potential Encoded PowerShell Patterns In CommandLine
- Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
- Potential Execution of Sysinternals Tools
- Potential Fake Instance Of Hxtsr.EXE Executed
- Potential File Download Via MS-AppInstaller Protocol Handler
- Potential File Overwrite Via Sysinternals SDelete
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- Potential Homoglyph Attack Using Lookalike Characters
- Potential Lateral Movement via Windows Remote Shell
- Potential LethalHTA Technique Execution
- Potential LSASS Process Dump Via Procdump
- Potential Manage-bde.wsf Abuse To Proxy Execution
- Potential Memory Dumping Activity Via LiveKD
- Potential Meterpreter/CobaltStrike Activity
- Potential Mftrace.EXE Abuse
- Potential Mpclient.DLL Sideloading Via Defender Binaries
- Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
- Potential MsiExec Masquerading
- Potential MSTSC Shadowing Activity
- Potential Network Sniffing Activity Using Network Tools
- Potential NTLM Coercion Via Certutil.EXE
- Potential Obfuscated Ordinal Call Via Rundll32
- Potential Password Spraying Attempt Using Dsacls.EXE
- Potential Persistence Attempt Via Existing Service Tampering
- Potential Persistence Attempt Via Run Keys Using Reg.EXE
- Potential Persistence Via Logon Scripts - CommandLine
- Potential Persistence Via Microsoft Compatibility Appraiser
- Potential Persistence Via Netsh Helper DLL
- Potential Persistence Via Powershell Search Order Hijacking - Task
- Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Potential PowerShell Command Line Obfuscation
- Potential PowerShell Console History Access Attempt via History File
- Potential PowerShell Downgrade Attack
- Potential PowerShell Execution Policy Tampering - ProcCreation
- Potential PowerShell Execution Via DLL
- Potential PowerShell Obfuscation Via Reversed Commands
- Potential PowerShell Obfuscation Via WCHAR/CHAR
- Potential Powershell ReverseShell Connection
- Potential Privilege Escalation To LOCAL SYSTEM
- Potential Privilege Escalation Using Symlink Between Osk and Cmd
- Potential Privilege Escalation via Service Permissions Weakness
- Potential Process Execution Proxy Via CL_Invocation.ps1
- Potential Process Injection Via Msra.EXE
- Potential Product Class Reconnaissance Via Wmic.EXE
- Potential Product Reconnaissance Via Wmic.EXE
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution
- Potential Provlaunch.EXE Binary Proxy Execution Abuse
- Potential PsExec Remote Execution
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
- Potential RDP Session Hijacking Activity
- Potential RDP Tunneling Via Plink
- Potential RDP Tunneling Via SSH
- Potential Recon Activity Using DriverQuery.EXE
- Potential Recon Activity Via Nltest.EXE
- Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
- Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
- Potential ReflectDebugger Content Execution Via WerFault.EXE
- Potential Register_App.Vbs LOLScript Abuse
- Potential Regsvr32 Commandline Flag Anomaly
- Potential Remote Desktop Tunneling
- Potential Remote SquiblyTwo Technique Execution
- Potential Renamed Rundll32 Execution
- Potential Rundll32 Execution With DLL Stored In ADS
- Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
- Potential ShellDispatch.DLL Functionality Abuse
- Potential Shim Database Persistence via Sdbinst.EXE
- Potential Signing Bypass Via Windows Developer Features
- Potential SMB Relay Attack Tool Execution
- Potential SPN Enumeration Via Setspn.EXE
- Potential SSH Tunnel Persistence Install Using A Scheduled Task
- Potential Suspicious Activity Using SeCEdit
- Potential Suspicious Browser Launch From Document Reader Process
- Potential Suspicious Mofcomp Execution
- Potential Suspicious Registry File Imported Via Reg.EXE
- Potential Suspicious Windows Feature Enabled - ProcCreation
- Potential SysInternals ProcDump Evasion
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- Potential Tampering With Security Products Via WMIC
- Potential UAC Bypass Via Sdclt.EXE
- Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
- Potential WinAPI Calls Via CommandLine
- Potential Windows Defender AV Bypass Via Dump64.EXE Rename
- Potential Windows Defender Tampering Via Wmic.EXE
- Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
- Potentially Over Permissive Permissions Granted Using Dsacls.EXE
- Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
- Potentially Suspicious Cabinet File Expansion
- Potentially Suspicious Call To Win32_NTEventlogFile Class
- Potentially Suspicious Child Process Of ClickOnce Application
- Potentially Suspicious Child Process Of DiskShadow.EXE
- Potentially Suspicious Child Process of KeyScrambler.exe
- Potentially Suspicious Child Process Of Regsvr32
- Potentially Suspicious Child Process Of VsCode
- Potentially Suspicious Child Process Of WinRAR.EXE
- Potentially Suspicious Child Processes Spawned by ConHost
- Potentially Suspicious CMD Shell Output Redirect
- Potentially Suspicious Command Targeting Teams Sensitive Files
- Potentially Suspicious Desktop Background Change Using Reg.EXE
- Potentially Suspicious DLL Registered Via Odbcconf.EXE
- Potentially Suspicious Electron Application CommandLine
- Potentially Suspicious Event Viewer Child Process
- Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
- Potentially Suspicious Execution From Parent Process In Public Folder
- Potentially Suspicious Execution Of PDQDeployRunner
- Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
- Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
- Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- Potentially Suspicious GoogleUpdate Child Process
- Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
- Potentially Suspicious JWT Token Search Via CLI
- Potentially Suspicious NTFS Symlink Behavior Modification
- Potentially Suspicious Office Document Executed From Trusted Location
- Potentially Suspicious Ping/Copy Command Combination
- Potentially Suspicious Regsvr32 HTTP IP Pattern
- Potentially Suspicious Regsvr32 HTTP/FTP Pattern
- Potentially Suspicious Rundll32 Activity
- Potentially Suspicious Rundll32.EXE Execution of UDL File
- Potentially Suspicious Usage Of Qemu
- Potentially Suspicious WebDAV LNK Execution
- Potentially Suspicious Windows App Activity
- PowerShell Base64 Encoded FromBase64String Cmdlet
- PowerShell Base64 Encoded IEX Cmdlet
- PowerShell Base64 Encoded Invoke Keyword
- Powershell Base64 Encoded MpPreference Cmdlet
- PowerShell Base64 Encoded Reflective Assembly Load
- PowerShell Base64 Encoded WMI Classes
- Powershell Defender Disable Scan Feature
- Powershell Defender Exclusion
- PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
- PowerShell Download and Execution Cradles
- PowerShell Download Pattern
- Powershell Executed From Headless ConHost Process
- PowerShell Execution With Potential Decryption Capabilities
- PowerShell Get-Clipboard Cmdlet Via CLI
- PowerShell Get-Process LSASS
- Powershell Inline Execution From A File
- PowerShell MSI Install via WindowsInstaller COM From Remote Location
- PowerShell SAM Copy
- PowerShell Script Change Permission Via Set-Acl
- PowerShell Script Run in AppData
- PowerShell Set-Acl On Windows Folder
- Powershell Token Obfuscation - Process Creation
- PowerShell Web Access Feature Enabled Via DISM
- PPL Tampering Via WerFaultSecure
- PrintBrm ZIP Creation of Extraction
- Private Keys Reconnaissance Via CommandLine Tools
- Privilege Escalation via Named Pipe Impersonation
- Procdump Execution
- Process Access via TrolleyExpress Exclusion
- Process Creation Using Sysnative Folder
- Process Execution From A Potentially Suspicious Folder
- Process Launched Without Image Name
- Process Memory Dump Via Comsvcs.DLL
- Process Memory Dump Via Dotnet-Dump
- Process Memory Dump via RdrLeakDiag.EXE
- Process Proxy Execution Via Squirrel.EXE
- Process Reconnaissance Via Wmic.EXE
- Program Executed Using Proxy/Local Command Via SSH.EXE
- Proxy Execution via Vshadow
- Proxy Execution Via Wuauclt.EXE
- Psexec Execution
- PsExec Service Child Process Execution as LOCAL SYSTEM
- PsExec Service Execution
- PsExec/PAExec Escalation to LOCAL SYSTEM
- PUA - 3Proxy Execution
- PUA - AdFind Suspicious Execution
- PUA - AdFind.EXE Execution
- PUA - Adidnsdump Execution
- PUA - Advanced IP Scanner Execution
- PUA - Advanced Port Scanner Execution
- PUA - AdvancedRun Execution
- PUA - AdvancedRun Suspicious Execution
- PUA - Chisel Tunneling Tool Execution
- PUA - CleanWipe Execution
- PUA - Crassus Execution
- PUA - CsExec Execution
- PUA - DefenderCheck Execution
- PUA - DIT Snapshot Viewer
- PUA - Fast Reverse Proxy (FRP) Execution
- PUA - Kernel Driver Utility (KDU) Execution
- PUA - Mouse Lock Execution
- PUA - Netcat Suspicious Execution
- PUA - Ngrok Execution
- PUA - Nimgrab Execution
- PUA - NimScan Execution
- PUA - NirCmd Execution
- PUA - NirCmd Execution As LOCAL SYSTEM
- PUA - Nmap/Zenmap Execution
- PUA - NPS Tunneling Tool Execution
- PUA - NSudo Execution
- PUA - PingCastle Execution
- PUA - PingCastle Execution From Potentially Suspicious Parent
- PUA - Potential PE Metadata Tamper Using Rcedit
- PUA - Process Hacker Execution
- PUA - Radmin Viewer Utility Execution
- PUA - Rclone Execution
- PUA - Restic Backup Tool Execution
- PUA - RunXCmd Execution
- PUA - Seatbelt Execution
- PUA - SoftPerfect Netscan Execution
- PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
- PUA - System Informer Execution
- PUA - TruffleHog Execution
- PUA - WebBrowserPassView Execution
- PUA - Wsudo Suspicious Execution
- PUA- IOX Tunneling Tool Execution
- Pubprn.vbs Proxy Execution
- Python Function Execution Security Warning Disabled In Excel
- Python Inline Command Execution
- Python One-Liners with Base64 Decoding
- Python Spawning Pretty TTY on Windows
- Query Usage To Exfil Data
- QuickAssist Execution
- Raccine Uninstall
- Rar Usage with Password and Compression Level
- RDP Connection Allowed Via Netsh.EXE
- RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
- RDP Port Forwarding Rule Added Via Netsh.EXE
- Read Contents From Stdin Via Cmd.EXE
- Rebuild Performance Counter Values Via Lodctr.EXE
- Recon Command Output Piped To Findstr.EXE
- Recon Information for Export with Command Prompt
- Reg Add Suspicious Paths
- RegAsm.EXE Execution Without CommandLine Flags or Files
- Regedit as Trusted Installer
- REGISTER_APP.VBS Proxy Execution
- Registry Export of Third-Party Credentials
- Registry Manipulation via WMI Stdregprov
- Registry Modification Attempt Via VBScript
- Registry Modification of MS-settings Protocol Handler
- Registry Modification Via Regini.EXE
- Regsvr32 DLL Execution With Suspicious File Extension
- Regsvr32 DLL Execution With Uncommon Extension
- Regsvr32 Execution From Highly Suspicious Location
- Regsvr32 Execution From Potential Suspicious Location
- Remote Access Tool - AnyDesk Execution
- Remote Access Tool - Anydesk Execution From Suspicious Folder
- Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
- Remote Access Tool - AnyDesk Piped Password Via CLI
- Remote Access Tool - AnyDesk Silent Installation
- Remote Access Tool - GoToAssist Execution
- Remote Access Tool - LogMeIn Execution
- Remote Access Tool - MeshAgent Command Execution via MeshCentral
- Remote Access Tool - NetSupport Execution
- Remote Access Tool - NetSupport Execution From Unusual Location
- Remote Access Tool - Potential MeshAgent Execution - Windows
- Remote Access Tool - Renamed MeshAgent Execution - Windows
- Remote Access Tool - RURAT Execution From Unusual Location
- Remote Access Tool - ScreenConnect Execution
- Remote Access Tool - ScreenConnect Installation Execution
- Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
- Remote Access Tool - ScreenConnect Remote Command Execution
- Remote Access Tool - ScreenConnect Server Web Shell Execution
- Remote Access Tool - Simple Help Execution
- Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
- Remote Access Tool - Team Viewer Session Started On Windows Host
- Remote Access Tool - UltraViewer Execution
- Remote CHM File Download/Execution Via HH.EXE
- Remote Code Execute via Winrm.vbs
- Remote File Download Via Desktopimgdownldr Utility
- Remote File Download Via Findstr.EXE
- Remote PowerShell Session Host Process (WinRM)
- Remote XSL Execution Via Msxsl.EXE
- RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
- Remotely Hosted HTA File Executed Via Mshta.EXE
- Renamed AdFind Execution
- Renamed AutoHotkey.EXE Execution
- Renamed AutoIt Execution
- Renamed BOINC Client Execution
- Renamed BrowserCore.EXE Execution
- Renamed Cloudflared.EXE Execution
- Renamed CreateDump Utility Execution
- Renamed CURL.EXE Execution
- Renamed FTP.EXE Execution
- Renamed Gpg.EXE Execution
- Renamed Jusched.EXE Execution
- Renamed Mavinject.EXE Execution
- Renamed MegaSync Execution
- Renamed Microsoft Teams Execution
- Renamed Msdt.EXE Execution
- Renamed NetSupport RAT Execution
- Renamed NirCmd.EXE Execution
- Renamed Office Binary Execution
- Renamed PAExec Execution
- Renamed PingCastle Binary Execution
- Renamed Plink Execution
- Renamed ProcDump Execution
- Renamed PsExec Service Execution
- Renamed Remote Utilities RAT (RURAT) Execution
- Renamed Schtasks Execution
- Renamed SysInternals DebugView Execution
- Renamed Sysinternals Sdelete Execution
- Renamed Visual Studio Code Tunnel Execution
- Renamed Vmnat.exe Execution
- Renamed Whoami Execution
- Renamed ZOHO Dctask64 Execution
- Replace.exe Usage
- Response File Execution Via Odbcconf.EXE
- RestrictedAdminMode Registry Value Tampering - ProcCreation
- Root Certificate Installed From Susp Locations
- Ruby Inline Command Execution
- Run Once Task Execution as Configured in Registry
- Run PowerShell Script from ADS
- Run PowerShell Script from Redirected Input Stream
- Rundll32 Execution With Uncommon DLL Extension
- Rundll32 Execution Without CommandLine Parameters
- Rundll32 Execution Without Parameters
- Rundll32 InstallScreenSaver Execution
- Rundll32 Registered COM Objects
- Rundll32 Spawned Via Explorer.EXE
- RunDLL32 Spawning Explorer
- Rundll32 UNC Path Execution
- RunMRU Registry Key Deletion
- SafeBoot Registry Key Deleted Via Reg.EXE
- Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
- Scheduled Task Creation Masquerading as System Processes
- Scheduled Task Creation Via Schtasks.EXE
- Scheduled Task Creation with Curl and PowerShell Execution Combo
- Scheduled Task Executing Encoded Payload from Registry
- Scheduled Task Executing Payload from Registry
- Schtasks Creation Or Modification With SYSTEM Privileges
- Schtasks From Suspicious Folders
- Screen Capture Activity Via Psr.EXE
- Script Event Consumer Spawning Process
- Script Interpreter Execution From Suspicious Folder
- Script Interpreter Spawning Credential Scanner - Windows
- Scripting/CommandLine Process Spawned Regsvr32
- Sdclt Child Processes
- Sdiagnhost Calling Suspicious Child Process
- Security Event Logging Disabled via MiniNt Registry Key - Process
- Security Privileges Enumeration Via Whoami.EXE
- Security Service Disabled Via Reg.EXE
- Security Tools Keyword Lookup Via Findstr.EXE
- Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
- Sensitive File Access Via Volume Shadow Copy Backup
- Sensitive File Dump Via Wbadmin.EXE
- Sensitive File Recovery From Backup Via Wbadmin.EXE
- Service DACL Abuse To Hide Services Via Sc.EXE
- Service Reconnaissance Via Wmic.EXE
- Service Registry Key Deleted Via Reg.EXE
- Service Security Descriptor Tampering Via Sc.EXE
- Service Started/Stopped Via Wmic.EXE
- Service StartupType Change Via PowerShell Set-Service
- Service StartupType Change Via Sc.EXE
- Set Suspicious Files as System Files Using Attrib.EXE
- Setup16.EXE Execution With Custom .Lst File
- Shadow Copies Creation Using Operating Systems Utilities
- Shadow Copies Deletion Using Operating Systems Utilities
- Share And Session Enumeration Using Net.EXE
- Shell Process Spawned by Java.EXE
- Shell32 DLL Execution in Suspicious Directory
- ShimCache Flush
- SQL Client Tools PowerShell Session Detection
- SQLite Chromium Profile Data DB Access
- SQLite Firefox Profile Data DB Access
- Start of NT Virtual DOS Machine
- Start Windows Service Via Net.EXE
- Sticky Key Like Backdoor Execution
- Stop Windows Service Via Net.EXE
- Stop Windows Service Via PowerShell Stop-Service
- Stop Windows Service Via Sc.EXE
- Suspect Svchost Activity
- Suspicious Active Directory Database Snapshot Via ADExplorer
- Suspicious AddinUtil.EXE CommandLine Execution
- Suspicious Advpack Call Via Rundll32.EXE
- Suspicious AgentExecutor PowerShell Execution
- Suspicious ArcSOC.exe Child Process
- Suspicious Autorun Registry Modified via WMI
- Suspicious Binary In User Directory Spawned From Office Application
- Suspicious BitLocker Access Agent Update Utility Execution
- Suspicious Cabinet File Execution Via Msdt.EXE
- Suspicious Calculator Usage
- Suspicious CertReq Command to Download
- Suspicious Child Process Created as System
- Suspicious Child Process of AspNetCompiler
- Suspicious Child Process Of BgInfo.EXE
- Suspicious Child Process Of Manage Engine ServiceDesk
- Suspicious Child Process of Notepad++ Updater - GUP.Exe
- Suspicious Child Process Of SQL Server
- Suspicious Child Process Of Veeam Database
- Suspicious Child Process Of Wermgr.EXE
- Suspicious Chromium Browser Instance Executed With Custom Extension
- Suspicious ClickFix/FileFix Execution Pattern
- Suspicious CodePage Switch Via CHCP
- Suspicious Command Patterns In Scheduled Task Creation
- Suspicious Control Panel DLL Load
- Suspicious Copy From or To System Directory
- Suspicious Csi.exe Usage
- Suspicious Curl.EXE Download
- Suspicious CustomShellHost Execution
- Suspicious Debugger Registration Cmdline
- Suspicious Desktopimgdownldr Command
- Suspicious Diantz Alternate Data Stream Execution
- Suspicious Diantz Download and Compress Into a CAB File
- Suspicious DLL Loaded via CertOC.EXE
- Suspicious Double Extension File Execution
- Suspicious Download From Direct IP Via Bitsadmin
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Suspicious Download from Office Domain
- Suspicious Download Via Certutil.EXE
- Suspicious Driver Install by pnputil.exe
- Suspicious Driver/DLL Installation Via Odbcconf.EXE
- Suspicious DumpMinitool Execution
- Suspicious Electron Application Child Processes
- Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
- Suspicious Encoded PowerShell Command Line
- Suspicious Eventlog Clearing or Configuration Change Activity
- Suspicious Execution From Outlook Temporary Folder
- Suspicious Execution Location Of Wermgr.EXE
- Suspicious Execution of Hostname
- Suspicious Execution of InstallUtil Without Log
- Suspicious Execution of Powershell with Base64
- Suspicious Execution of Shutdown
- Suspicious Execution of Shutdown to Log Out
- Suspicious Execution of Systeminfo
- Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
- Suspicious Extrac32 Alternate Data Stream Execution
- Suspicious Extrac32 Execution
- Suspicious File Characteristics Due to Missing Fields
- Suspicious File Download From File Sharing Domain Via Curl.EXE
- Suspicious File Download From File Sharing Domain Via Wget.EXE
- Suspicious File Download From IP Via Curl.EXE
- Suspicious File Download From IP Via Wget.EXE
- Suspicious File Download From IP Via Wget.EXE - Paths
- Suspicious File Downloaded From Direct IP Via Certutil.EXE
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Suspicious File Encoded To Base64 Via Certutil.EXE
- Suspicious File Execution From Internet Hosted WebDav Share
- Suspicious FileFix Execution Pattern
- Suspicious FromBase64String Usage On Gzip Archive - Process Creation
- Suspicious Git Clone
- Suspicious Greedy Compression Using Rar.EXE
- Suspicious Group And Account Reconnaissance Activity Using Net.EXE
- Suspicious GrpConv Execution
- Suspicious GUP Usage
- Suspicious HH.EXE Execution
- Suspicious High IntegrityLevel Conhost Legacy Option
- Suspicious HWP Sub Processes
- Suspicious IIS Module Registration
- Suspicious IIS URL GlobalRules Rewrite Via AppCmd
- Suspicious Invoke-WebRequest Execution
- Suspicious Invoke-WebRequest Execution With DirectIP
- Suspicious JavaScript Execution Via Mshta.EXE
- Suspicious Kerberos Ticket Request via CLI
- Suspicious Kernel Dump Using Dtrace
- Suspicious Key Manager Access
- Suspicious LNK Command-Line Padding with Whitespace Characters
- Suspicious Manipulation Of Default Accounts Via Net.EXE
- Suspicious Microsoft Office Child Process
- Suspicious Microsoft OneNote Child Process
- Suspicious Modification Of Scheduled Tasks
- Suspicious Msbuild Execution By Uncommon Parent Process
- Suspicious MSDT Parent Process
- Suspicious MSHTA Child Process
- Suspicious Mshta.EXE Execution Patterns
- Suspicious MsiExec Embedding Parent
- Suspicious Msiexec Execute Arbitrary DLL
- Suspicious Msiexec Quiet Install From Remote Location
- Suspicious Mstsc.EXE Execution With Local RDP File
- Suspicious Network Command
- Suspicious New Service Creation
- Suspicious NTLM Authentication on the Printer Spooler Service
- Suspicious Obfuscated PowerShell Code
- Suspicious Outlook Child Process
- Suspicious Parent Double Extension File Execution
- Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Suspicious Ping/Del Command Combination
- Suspicious Plink Port Forwarding
- Suspicious Powercfg Execution To Change Lock Screen Timeout
- Suspicious PowerShell Download and Execute Pattern
- Suspicious PowerShell Encoded Command Patterns
- Suspicious PowerShell IEX Execution Patterns
- Suspicious PowerShell Invocation From Script Engines
- Suspicious PowerShell Invocations - Specific - ProcessCreation
- Suspicious PowerShell Mailbox Export to Share
- Suspicious PowerShell Parameter Substring
- Suspicious PowerShell Parent Process
- Suspicious Process By Web Server Process
- Suspicious Process Created Via Wmic.EXE
- Suspicious Process Execution From Fake Recycle.Bin Folder
- Suspicious Process Masquerading As SvcHost.EXE
- Suspicious Process Parents
- Suspicious Process Patterns NTDS.DIT Exfil
- Suspicious Process Start Locations
- Suspicious Processes Spawned by Java.EXE
- Suspicious Processes Spawned by WinRM
- Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
- Suspicious Program Names
- Suspicious Provlaunch.EXE Child Process
- Suspicious Query of MachineGUID
- Suspicious RASdial Activity
- Suspicious RDP Redirect Using TSCON
- Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
- Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
- Suspicious Recursive Takeown
- Suspicious Redirection to Local Admin Share
- Suspicious Reg Add BitLocker
- Suspicious Registry Modification From ADS Via Regini.EXE
- Suspicious Regsvr32 Execution From Remote Share
- Suspicious Remote Child Process From Outlook
- Suspicious Response File Execution Via Odbcconf.EXE
- Suspicious RunAs-Like Flag Combination
- Suspicious Rundll32 Activity Invoking Sys File
- Suspicious Rundll32 Execution With Image Extension
- Suspicious Rundll32 Invoking Inline VBScript
- Suspicious Rundll32 Setupapi.dll Activity
- Suspicious Runscripthelper.exe
- Suspicious Scan Loop Network
- Suspicious Scheduled Task Creation Involving Temp Folder
- Suspicious Scheduled Task Creation via Masqueraded XML File
- Suspicious Scheduled Task Name As GUID
- Suspicious Schtasks Execution AppData Folder
- Suspicious Schtasks Schedule Type With High Privileges
- Suspicious Schtasks Schedule Types
- Suspicious ScreenSave Change by Reg.exe
- Suspicious Script Execution From Temp Folder
- Suspicious Serv-U Process Pattern
- Suspicious Service Binary Directory
- Suspicious Service DACL Modification Via Set-Service Cmdlet
- Suspicious Service Path Modification
- Suspicious ShellExec_RunDLL Call Via Ordinal
- Suspicious Shells Spawn by Java Utility Keytool
- Suspicious Speech Runtime Binary Child Process
- Suspicious Splwow64 Without Params
- Suspicious Spool Service Child Process
- Suspicious SysAidServer Child
- Suspicious SYSTEM User Process Creation
- Suspicious SYSVOL Domain Group Policy Access
- Suspicious TSCON Start as SYSTEM
- Suspicious UltraVNC Execution
- Suspicious Uninstall of Windows Defender Feature via PowerShell
- Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
- Suspicious Usage of For Loop with Recursive Directory Search in CMD
- Suspicious Usage Of ShellExec_RunDLL
- Suspicious Use of CSharp Interactive Console
- Suspicious Use of PsLogList
- Suspicious Userinit Child Process
- Suspicious VBoxDrvInst.exe Parameters
- Suspicious Velociraptor Child Process
- Suspicious Vsls-Agent Command With AgentExtensionPath Load
- Suspicious WebDav Client Execution Via Rundll32.EXE
- Suspicious Where Execution
- Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
- Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
- Suspicious Windows Service Tampering
- Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
- Suspicious Windows Update Agent Empty Cmdline
- Suspicious WindowsTerminal Child Processes
- Suspicious WMIC Execution Via Office Process
- Suspicious WmiPrvSE Child Process
- Suspicious Workstation Locking via Rundll32
- Suspicious X509Enrollment - Process Creation
- Suspicious XOR Encoded PowerShell Command
- Suspicious ZipExec Execution
- SyncAppvPublishingServer Execute Arbitrary PowerShell Code
- SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
- Sysinternals PsService Execution
- Sysinternals PsSuspend Execution
- Sysinternals PsSuspend Suspicious Execution
- Sysmon Configuration Update
- Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
- Sysmon Driver Unloaded Via Fltmc.EXE
- Sysprep on AppData Folder
- System Disk And Volume Reconnaissance Via Wmic.EXE
- System File Execution Location Anomaly
- System Information Discovery via Registry Queries
- System Language Discovery via Reg.Exe
- System Network Connections Discovery Via Net.EXE
- Tamper Windows Defender Remove-MpPreference
- Tap Installer Execution
- Taskkill Symantec Endpoint Protection
- Taskmgr as LOCAL_SYSTEM
- Tasks Folder Evasion
- Terminal Service Process Spawn
- Time Travel Debugging Utility Usage
- Tor Client/Browser Execution
- TrustedPath UAC Bypass Pattern
- UAC Bypass Abusing Winsat Path Parsing - Process
- UAC Bypass Tools Using ComputerDefaults
- UAC Bypass Using ChangePK and SLUI
- UAC Bypass Using Consent and Comctl32 - Process
- UAC Bypass Using Disk Cleanup
- UAC Bypass Using DismHost
- UAC Bypass Using Event Viewer RecentViews
- UAC Bypass Using IDiagnostic Profile
- UAC Bypass Using IEInstal - Process
- UAC Bypass Using MSConfig Token Modification - Process
- UAC Bypass Using NTFS Reparse Point - Process
- UAC Bypass Using PkgMgr and DISM
- UAC Bypass Using Windows Media Player - Process
- UAC Bypass via ICMLuaUtil
- UAC Bypass via Windows Firewall Snap-In Hijack
- UAC Bypass WSReset
- UEFI Persistence Via Wpbbin - ProcessCreation
- Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
- Uncommon AddinUtil.EXE CommandLine Execution
- Uncommon Child Process Of AddinUtil.EXE
- Uncommon Child Process Of Appvlp.EXE
- Uncommon Child Process Of BgInfo.EXE
- Uncommon Child Process Of Conhost.EXE
- Uncommon Child Process Of Defaultpack.EXE
- Uncommon Child Process Of Setres.EXE
- Uncommon Child Process Spawned By Odbcconf.EXE
- Uncommon Child Processes Of SndVol.exe
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- Uncommon FileSystem Load Attempt By Format.com
- Uncommon Link.EXE Parent Process
- Uncommon One Time Only Scheduled Task At 00:00
- Uncommon Sigverif.EXE Child Process
- Uncommon Svchost Command Line Parameter
- Uncommon Svchost Parent Process
- Uncommon System Information Discovery Via Wmic.EXE
- Uncommon Userinit Child Process
- Uninstall Crowdstrike Falcon Sensor
- Uninstall Sysinternals Sysmon
- Unmount Share Via Net.EXE
- Unsigned AppX Installation Attempt Using Add-AppxPackage
- Unusual Child Process of dns.exe
- Unusual Parent Process For Cmd.EXE
- Usage Of Web Request Commands And Cmdlets
- Use Icacls to Hide File to Everyone
- Use NTFS Short Name in Command Line
- Use NTFS Short Name in Image
- Use of FSharp Interpreters
- Use of OpenConsole
- Use of Pcalua For Execution
- Use of Remote.exe
- Use of Scriptrunner.exe
- Use Of The SFTP.EXE Binary As A LOLBIN
- Use of TTDInject.exe
- Use of UltraVNC Remote Access Software
- Use of VisualUiaVerifyNative.exe
- Use of VSIISExeLauncher.exe
- Use of W32tm as Timer
- Use of Wfc.exe
- Use Short Name Path in Image
- User Added To Highly Privileged Group
- User Added to Local Administrators Group
- User Added to Remote Desktop Users Group
- User Discovery And Export Via Get-ADUser Cmdlet
- User Shell Folders Registry Modification via CommandLine
- Using SettingSyncHost.exe as LOLBin
- UtilityFunctions.ps1 Proxy Dll
- Veeam Backup Database Suspicious Query
- VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
- Verclsid.exe Runs COM Object
- Virtualbox Driver Installation or Starting of VMs
- Visual Basic Command Line Compiler Usage
- Visual Studio Code Tunnel Execution
- Visual Studio Code Tunnel Service Installation
- Visual Studio Code Tunnel Shell Execution
- Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
- Visual Studio NodejsTools PressAnyKey Renamed Execution
- VMToolsd Suspicious Child Process
- VolumeShadowCopy Symlink Creation Via Mklink
- Vulnerable Driver Blocklist Registry Tampering Via CommandLine
- Wab Execution From Non Default Location
- Wab/Wabmig Unusual Parent Or Child Processes
- Weak or Abused Passwords In CLI
- WebDav Client Execution Via Rundll32.EXE
- Webshell Detection With Command Line Keywords
- Webshell Hacking Activity Patterns
- Webshell Tool Reconnaissance Activity
- WhoAmI as Parameter
- Whoami.EXE Execution Anomaly
- Whoami.EXE Execution From Privileged Process
- Whoami.EXE Execution With Output Option
- Windows Admin Share Mount Via Net.EXE
- Windows AMSI Related Registry Tampering Via CommandLine
- Windows Backup Deleted Via Wbadmin.EXE
- Windows Binary Executed From WSL
- Windows Credential Guard Registry Tampering Via CommandLine
- Windows Credential Manager Access via VaultCmd
- Windows Default Domain GPO Modification via GPME
- Windows Defender Context Menu Removed
- Windows Defender Definition Files Removed
- Windows Firewall Disabled via PowerShell
- Windows Hotfix Updates Reconnaissance Via Wmic.EXE
- Windows Internet Hosted WebDav Share Mount Via Net.EXE
- Windows Kernel Debugger Execution
- Windows MSIX Package Support Framework AI_STUBS Execution
- Windows Processes Suspicious Parent Directory
- Windows Recall Feature Enabled Via Reg.EXE
- Windows Recovery Environment Disabled Via Reagentc
- Windows Share Mount Via Net.EXE
- Windows Shell/Scripting Processes Spawning Suspicious Programs
- Winrar Compressing Dump Files
- WinRAR Execution in Non-Standard Folder
- Winrs Local Command Execution
- Wlrmdr.EXE Uncommon Argument Or Child Process
- WMI Backdoor Exchange Transport Agent
- WMI Persistence - Script Event Consumer
- WMIC Remote Command Execution
- WmiPrvSE Spawned A Process
- Write Protect For Storage Disabled
- Writing Of Malicious Files To The Fonts Folder
- Wscript Shell Run In CommandLine
- WSL Child Process Anomaly
- WSL Kali-Linux Usage
- Wusa.EXE Executed By Parent Process Located In Suspicious Location
- XBAP Execution From Uncommon Locations Via PresentationHost.EXE
- XSL Script Execution Via WMIC.EXE
- Xwizard.EXE Execution From Non-Default Location
Elastic (1)
Splunk (59)
- Detect Outlook exe writing a zip file
- Detect Remote Access Software Usage FileInfo
- DLLHost with no Command Line Arguments with Network
- Excessive Usage Of SC Service Utility
- GPUpdate with no Command Line Arguments with Network
- MacOS - Re-opened Applications
- Malicious PowerShell Process With Obfuscation Techniques
- MS Exchange Mailbox Replication service writing Active Server Pages
- Outbound Network Connection from Java Using Default Ports
- Process Deleting Its Process File Path
- Rundll32 with no Command Line Arguments with Network
- SearchProtocolHost with no Command Line with Network
- Spoolsv Writing a DLL
- Suspicious Image Creation In Appdata Folder
- Suspicious WAV file in Appdata Folder
- Suspicious writes to windows Recycle Bin
- Unknown Process Using The Kerberos Protocol
- Web or Application Server Spawning a Shell
- Web Servers Executing Suspicious Processes
- Windows Account Access Removal via Logoff Exec
- Windows Alternate DataStream - Process Execution
- Windows BitLockerToGo Process Execution
- Windows Browser Process Launched with Unusual Flags
- Windows ComputerDefaults Spawning a Process
- Windows Credential Target Information Structure in Commandline
- Windows Defacement Modify Transcodedwallpaper File
- Windows Default RDP File Creation By Non MSTSC Process
- Windows Default Rdp File Unhidden
- Windows Deleted Registry By A Non Critical Process File Path
- Windows Disable or Stop Browser Process
- Windows DISM Install PowerShell Web Access
- Windows Explorer LNK Exploit Process Launch With Padding
- Windows Explorer.exe Spawning PowerShell or Cmd
- Windows File and Directory Enable ReadOnly Permissions
- Windows File and Directory Permissions Enable Inheritance
- Windows File and Directory Permissions Remove Inheritance
- Windows LOLBAS Executed Outside Expected Path
- Windows Modify Registry Qakbot Binary Data Registry
- Windows Office Product Dropped Cab or Inf File
- Windows Office Product Dropped Uncommon File
- Windows Phishing Outlook Drop Dll In FORM Dir
- Windows Privilege Escalation Suspicious Process Elevation
- Windows Privilege Escalation System Process Without System Parent
- Windows Privilege Escalation User Process Spawn System Process
- Windows Process Executed From Removable Media
- Windows RDP Client Launched with Admin Session
- Windows Remote Host Computer Management Access
- Windows Remote Management Execute Shell
- Windows Renamed Powershell Execution
- Windows Rundll32 Load DLL in Temp Dir
- Windows Rundll32 WebDav With Network Connection
- Windows Sqlservr Spawning Shell
- Windows Svchost.exe Parent Process Anomaly
- Windows TinyCC Shellcode Execution
- Windows UAC Bypass Suspicious Escalation Behavior
- Windows Unusual SysWOW64 Process Run System32 Executable
- Windows Vulnerable 3CX Software
- Windows WinLogon with Public Network Connection
- Windows WMIC Shadowcopy Delete