Detection rules › By event

Microsoft-Windows-Sysmon event 11

238 detection rules reference this event. View event page.

Sigma (166)

.RDP File Created By Uncommon Application severity high
ADExplorer Writing Complete AD Snapshot Into .dat File severity medium T1069.002, T1087.002, T1482
ADSI-Cache File Creation By Uncommon Tool severity medium T1001.003
Advanced IP Scanner - File Event severity medium T1046
Adwind RAT / JRAT File Artifact severity high T1059.005, T1059.007
Anydesk Temporary Artefact severity medium T1219.002
Assembly DLL Creation Via AspNetCompiler severity medium
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File severity medium T1216
BloodHound Collection Files severity high T1059.001, T1069.001, T1069.002, T1087.001, T1087.002, T1482
Created Files by Microsoft Sync Center severity medium T1055, T1218
Creation Exe for Service with Unquoted Path severity high T1547.009
Creation of a Diagcab severity medium
Creation Of Non-Existent System DLL severity medium T1574.001
Creation of WerFault.exe/Wer.dll in Unusual Folder severity medium T1574.001
Cred Dump Tools Dropped Files severity high T1003.001, T1003.002, T1003.003, T1003.004, T1003.005
CSExec Service File Creation severity medium T1569.002
Desktop.INI Created by Uncommon Process severity medium T1547.009
DLL Search Order Hijackig Via Additional Space in Path severity high T1574.001
DPAPI Backup Keys And Certificate Export Activity IOC severity high T1552.004, T1555
Drop Binaries Into Spool Drivers Color Folder severity medium
Dynamic CSharp Compile Artefact severity low T1027.004
EVTX Created In Uncommon Location severity medium T1562.002
File Creation In Suspicious Directory By Msdt.EXE severity high T1547.001
File With Uncommon Extension Created By An Office Application severity high T1204.002
Files With System DLL Name In Unsuspected Locations severity medium T1036.005
Files With System Process Name In Unsuspected Locations severity medium T1036.005
GatherNetworkInfo.VBS Reconnaissance Script Output severity medium
GoToAssist Temporary Installation Artefact severity medium T1219.002
HackTool - CrackMapExec File Indicators severity high T1003.001
HackTool - Dumpert Process Dumper Default File severity critical T1003.001
HackTool - Impacket File Indicators severity high T1003.001
HackTool - Inveigh Execution Artefacts severity critical T1219.002
HackTool - Mimikatz Kirbi File Creation severity critical T1558
HackTool - NetExec File Indicators severity high T1021.002, T1059.005
HackTool - NPPSpy Hacktool Usage severity high
HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump severity high T1003
HackTool - Powerup Write Hijack DLL severity high T1574.001
HackTool - QuarksPwDump Dump File severity critical T1003.002
HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators severity high T1219.002
HackTool - SafetyKatz Dump Indicator severity high T1003.001
HackTool - Typical HiveNightmare SAM File Export severity high T1552.001
Hijack Legit RDP Session to Move Laterally severity high T1219.002
Installation of TeamViewer Desktop severity medium T1219.002
ISO File Created Within Temp Folders severity high T1566.001
ISO or Image Mount Indicator in Recent Files severity medium T1566.001
Legitimate Application Dropped Archive severity high T1218
Legitimate Application Dropped Executable severity high T1218
Legitimate Application Dropped Script severity high T1218
Legitimate Application Writing Files In Uncommon Location severity high T1105, T1218
LiveKD Driver Creation severity medium
LiveKD Driver Creation By Uncommon Process severity high
LiveKD Kernel Memory Dump File Created severity high
LSASS Process Dump Artefact In CrashDumps Folder severity high T1003.001
LSASS Process Memory Dump Creation Via Taskmgr.EXE severity high T1003.001
LSASS Process Memory Dump Files severity high T1003.001
Malicious DLL File Dropped in the Teams or OneDrive Folder severity high T1574.001
Malicious PowerShell Scripts - FileCreation severity high T1059.001
New Custom Shim Database Created severity medium T1547.009
New Outlook Macro Created severity medium T1008, T1137, T1546
NTDS Exfiltration Filename Patterns severity high T1003.003
NTDS.DIT Created severity low T1003.003
NTDS.DIT Creation By Uncommon Parent Process severity high T1003.003
NTDS.DIT Creation By Uncommon Process severity high T1003.002, T1003.003
Octopus Scanner Malware severity high T1195, T1195.001
Office Macro File Creation severity low T1566.001
Office Macro File Creation From Suspicious Process severity high T1566.001
Office Macro File Download severity low T1566.001
OneNote Attachment File Dropped In Suspicious Location severity medium
PCRE.NET Package Temp Files severity high T1059
PDF File Created By RegEdit.EXE severity high
Potential Binary Or Script Dropper Via PowerShell severity medium
Potential DCOM InternetExplorer.Application DLL Hijack severity critical T1021.002, T1021.003
Potential File Extension Spoofing Using Right-to-Left Override severity high T1036.002
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream severity medium T1564.004
Potential Homoglyph Attack Using Lookalike Characters in Filename severity medium T1036, T1036.003
Potential Initial Access via DLL Search Order Hijacking severity medium T1566, T1566.001, T1574, T1574.001
Potential Persistence Attempt Via ErrorHandler.Cmd severity medium
Potential Persistence Via Microsoft Office Add-In severity high T1137.006
Potential Persistence Via Microsoft Office Startup Folder severity high T1137
Potential Persistence Via Notepad++ Plugins severity medium
Potential Persistence Via Outlook Form severity high T1137.003
Potential Privilege Escalation Attempt Via .Exe.Local Technique severity high
Potential RipZip Attack on Startup Folder severity high T1547
Potential SAM Database Dump severity high T1003.002
Potential Startup Shortcut Persistence Via PowerShell.EXE severity high T1547.001
Potential Suspicious PowerShell Module File Created severity medium
Potential Webshell Creation On Static Website severity medium T1505.003
Potential Winnti Dropper Activity severity high T1027
Potentially Suspicious DMP/HDMP File Creation severity medium
Potentially Suspicious File Creation by OpenEDR's ITSMService severity medium T1105, T1219, T1570
Potentially Suspicious WDAC Policy File Creation severity medium
PowerShell Module File Created severity low
PowerShell Module File Created By Non-PowerShell Process severity medium
PowerShell Profile Modification severity medium T1546.013
PowerShell Script Dropped Via PowerShell.EXE severity low
Process Explorer Driver Creation By Non-Sysinternals Binary severity high T1068
Process Monitor Driver Creation By Non-Sysinternals Binary severity medium T1068
PSEXEC Remote Execution File Artefact severity high T1136.002, T1543.003, T1570
PsExec Service File Creation severity low T1569.002
PSScriptPolicyTest Creation By Uncommon Process severity medium
Publisher Attachment File Dropped In Suspicious Location severity medium
Rclone Config File Creation severity medium T1567.002
RemCom Service File Creation severity medium T1569.002
Remote Access Tool - ScreenConnect Temporary File severity low T1059.003
Renamed VsCode Code Tunnel Execution - File Indicator severity high
SCR File Write Event severity medium T1218.011
ScreenConnect Temporary Installation Artefact severity medium T1219.002
Self Extraction Directive File Created In Potentially Suspicious Location severity medium T1218
Startup Folder File Write severity medium T1547.001
Suspicious ASPX File Drop by Exchange severity high T1505.003
Suspicious Binaries and Scripts in Public Folder severity high T1204
Suspicious Binary Writes Via AnyDesk severity high T1219.002
Suspicious Creation TXT File in User Desktop severity high T1486
Suspicious Creation with Colorcpl severity high T1564
Suspicious Deno File Written from Remote Source severity low T1059.007, T1105, T1204
Suspicious Desktopimgdownldr Target File severity high T1105
Suspicious DotNET CLR Usage Log Artifact severity high T1218
Suspicious Double Extension Files severity high T1036.007
Suspicious Executable File Creation severity high T1564
Suspicious File Created by ArcSOC.exe severity high T1105, T1127, T1133
Suspicious File Created in Outlook Temporary Directory severity high T1566.001
Suspicious File Created In PerfLogs severity medium T1059
Suspicious File Created Via OneNote Application severity high
Suspicious File Creation Activity From Fake Recycle.Bin Folder severity high
Suspicious File Creation In Uncommon AppData Folder severity high
Suspicious File Drop by Exchange severity medium T1190, T1505.003
Suspicious File Write to SharePoint Layouts Directory severity high T1190, T1505.003
Suspicious File Write to Webapps Root Directory severity medium T1190, T1505.003
Suspicious Files in Default GPO Folder severity medium T1036.005
Suspicious Get-Variable.exe Creation severity high T1027, T1546
Suspicious Interactive PowerShell as SYSTEM severity high T1059.001
Suspicious LNK Double Extension File Created severity medium T1036.007
Suspicious MSExchangeMailboxReplication ASPX Write severity high T1190, T1505.003
Suspicious Outlook Macro Created severity high T1008, T1137, T1546
Suspicious PROCEXP152.sys File Created In TMP severity medium T1562.001
Suspicious Scheduled Task Write to System32 Tasks severity high T1053
Suspicious Screensaver Binary File Creation severity medium T1546.002
Suspicious Startup Folder Persistence severity high T1204.002, T1547.001
TeamViewer Remote Session severity medium T1219.002
UAC Bypass Abusing Winsat Path Parsing - File severity high T1548.002
UAC Bypass Using .NET Code Profiler on MMC severity high T1548.002
UAC Bypass Using Consent and Comctl32 - File severity high T1548.002
UAC Bypass Using EventVwr severity high
UAC Bypass Using IDiagnostic Profile - File severity high T1548.002
UAC Bypass Using IEInstal - File severity high T1548.002
UAC Bypass Using MSConfig Token Modification - File severity high T1548.002
UAC Bypass Using NTFS Reparse Point - File severity high T1548.002
UAC Bypass Using Windows Media Player - File severity high T1548.002
UEFI Persistence Via Wpbbin - FileCreation severity high T1542.001
Uncommon File Created by Notepad++ Updater Gup.EXE severity high T1195.002, T1557
Uncommon File Created In Office Startup Folder severity high T1587.001
Uncommon File Creation By Mysql Daemon Process severity high
VHD Image Download Via Browser severity medium T1587.001
Visual Studio Code Tunnel Remote File Creation severity medium
VsCode Powershell Profile Modification severity medium T1546.013
WerFault LSASS Process Memory Dump severity high T1003.001
Windows Binaries Write Suspicious Extensions severity high T1036
Windows Shell/Scripting Application File Write to Suspicious Folder severity high T1059
Windows Terminal Profile Settings Modification By Uncommon Process severity medium T1547.015
WinRAR Creating Files in Startup Locations severity high T1547.001
WinSxS Executable File Creation By Non-System Process severity medium
WMI Persistence - Script Event Consumer File Write severity high T1546.003
Wmiexec Default Output File severity critical T1047
Wmiprvse Wbemcomn DLL Hijack - File severity critical T1021.002, T1047
Writing Local Admin Share severity medium T1546.002
WScript or CScript Dropper - File severity high T1059.005, T1059.007

Microsoft-Windows-Sysmon event 11

Sigma (166)

Splunk (72)

Keyboard Shortcuts