Detection rules › By event

Microsoft-Windows-Sysmon event 13

408 detection rules reference this event. View event page.

Sigma (236)

Activate Suppression of Windows Security Center Notifications severity medium T1112
Add Debugger Entry To AeDebug For Persistence severity medium
Add Debugger Entry To Hangs Key For Persistence severity high
Add DisallowRun Execution to Registry severity medium T1112
Add Port Monitor Persistence in Registry severity medium T1547.010
Allow RDP Remote Assistance Feature severity medium T1112
AMSI Disabled via Registry Modification severity high T1562.001, T1562.006
Antivirus Filter Driver Disallowed On Dev Drive - Registry severity high T1562.001
Atbroker Registry Change severity medium T1218, T1547
Bypass UAC Using DelegateExecute severity high T1548.002
Bypass UAC Using Event Viewer severity high T1547.010
Bypass UAC Using SilentCleanup Task severity high T1548.002
Change the Fax Dll severity high T1112
Change User Account Associated with the FAX Service severity high T1112
Change Winevt Channel Access Permission Via Registry severity high T1562.002
Classes Autorun Keys Modification severity medium T1547.001
ClickOnce Trust Prompt Tampering severity medium T1112
CMSTP Execution Registry Event severity high T1218.003
COM Hijack via Sdclt severity high T1546, T1548
COM Hijacking via TreatAs severity medium T1546.015
COM Object Hijacking Via Modification Of Default System CLSID Default Value severity high T1546.015
Common Autorun Keys Modification severity medium T1547.001
CrashControl CrashDump Disabled severity medium T1112, T1564
Creation of a Local Hidden User Account by Registry severity high T1136.001
CurrentControlSet Autorun Keys Modification severity medium T1547.001
CurrentVersion Autorun Keys Modification severity medium T1547.001
CurrentVersion NT Autorun Keys Modification severity medium T1547.001
Custom File Open Handler Executes PowerShell severity high T1202
Default RDP Port Changed to Non Standard Port severity high T1547.010
DHCP Callout DLL Installation severity high T1112, T1574.001
Directory Service Restore Mode(DSRM) Registry Value Tampering severity high T1556
Disable Administrative Share Creation at Startup severity medium T1070.005
Disable Exploit Guard Network Protection on Windows Defender severity medium T1562.001
Disable Internal Tools or Feature in Registry severity medium T1112
Disable Macro Runtime Scan Scope severity high
Disable Microsoft Defender Firewall via Registry severity medium T1562.004
Disable Privacy Settings Experience in Registry severity medium T1562.001
Disable PUA Protection on Windows Defender severity high T1562.001
Disable Security Events Logging Adding Reg Key MiniNt severity high T1112, T1562.002
Disable Tamper Protection on Windows Defender severity medium T1562.001
Disable Windows Defender Functionalities Via Registry Keys severity high T1562.001
Disable Windows Event Logging Via Registry severity high T1562.002
Disable Windows Firewall by Registry severity medium T1562.004
Disable Windows Security Center Notifications severity medium T1112
Disabled Windows Defender Eventlog severity high T1562.001
Displaying Hidden Files Feature Disabled severity medium T1564.001
DLL Load via LSASS severity high T1547.008
DNS-over-HTTPS Enabled by Registry severity medium T1112, T1140
Driver Added To Disallowed Images In HVCI - Registry severity high
Enable LM Hash Storage severity high T1112
Enable Local Manifest Installation With Winget severity medium
Enable Microsoft Dynamic Data Exchange severity medium T1559.002
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback severity medium T1562.001
Enabling COR Profiler Environment Variables severity medium T1574.012
Esentutl Volume Shadow Copy Service Keys severity high T1003.002
ETW Logging Disabled For rpcrt4.dll severity low T1112, T1562
ETW Logging Disabled For SCM severity low T1112, T1562
ETW Logging Disabled In .NET Processes - Sysmon Registry severity high T1112, T1562
Execution DLL of Choice Using WAB.EXE severity high T1218
FileFix - Command Evidence in TypedPaths severity high T1204.004
Hide Schedule Task Via Index Value Tamper severity high T1562
Hiding User Account Via SpecialAccounts Registry Key severity high T1564.002
HybridConnectionManager Service Installation - Registry severity high T1608
Hypervisor Enforced Paging Translation Disabled severity high T1562.001
IE Change Domain Zone severity medium T1137
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols severity high
Internet Explorer Autorun Keys Modification severity medium T1547.001
Internet Explorer DisableFirstRunCustomize Enabled severity medium
Lolbas OneDriveStandaloneUpdater.exe Proxy Download severity high T1105
Lsass Full Dump Request Via DumpType Registry Settings severity high T1003.001
Macro Enabled In A Potentially Suspicious Document severity high T1112
MaxMpxCt Registry Value Changed severity low T1070.005
Microsoft Office Protected View Disabled severity high T1562.001
Modification of IE Registry Settings severity low T1112
Modify User Shell Folders Startup Value severity high T1547.001
Narrator's Feedback-Hub Persistence severity high T1547.001
NET NGenAssemblyUsageLog Registry Key Tamper severity high T1112
NetNTLM Downgrade Attack - Registry severity high T1112, T1562.001
New Application in AppCompat severity informational T1204.002
New BgInfo.EXE Custom DB Path Registry Configuration severity medium T1112
New BgInfo.EXE Custom VBScript Registry Configuration severity medium T1112
New BgInfo.EXE Custom WMI Query Registry Configuration severity medium T1112
New DLL Added to AppCertDlls Registry Key severity medium T1546.009
New DLL Added to AppInit_DLLs Registry Key severity medium T1546.010
New DNS ServerLevelPluginDll Installed severity high T1112, T1574.001
New File Association Using Exefile severity high
New Netsh Helper DLL Registered From A Suspicious Location severity high T1546.007
New ODBC Driver Registered severity low
New PortProxy Registry Entry Added severity medium T1090
New Root or CA or AuthRoot Certificate to Store severity medium T1490
New RUN Key Pointing to Suspicious Folder severity high T1547.001
New TimeProviders Registered With Uncommon DLL Name severity high T1547.003
Office Application Startup - Office Test severity medium T1137.002
Office Autorun Keys Modification severity medium T1547.001
Office Macros Warning Disabled severity high T1112
Old TLS1.0/TLS1.1 Protocol Version Enabled severity medium
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry severity high T1112
Outlook Macro Execution Without Warning Setting Enabled severity high T1008, T1137, T1546
Outlook Security Settings Updated - Registry severity medium T1137
Path To Screensaver Binary Modified severity medium T1546.002
Periodic Backup For System Registry Hives Enabled severity medium T1113
Persistence Via Disk Cleanup Handler - Autorun severity medium
Persistence Via Hhctrl.ocx severity high
Persistence Via New SIP Provider severity medium T1553.003
Potential AMSI COM Server Hijacking severity high T1562.001
Potential Attachment Manager Settings Associations Tamper severity high
Potential Attachment Manager Settings Attachments Tamper severity high
Potential AutoLogger Sessions Tampering severity high
Potential ClickFix Execution Pattern - Registry severity high T1204.001
Potential CobaltStrike Service Installations - Registry severity high T1021.002, T1543.003, T1569.002
Potential COM Object Hijacking Via TreatAs Subkey - Registry severity medium T1546.015
Potential Credential Dumping Attempt Using New NetworkProvider - REG severity medium T1003
Potential Credential Dumping Via LSASS SilentProcessExit Technique severity critical T1003.001
Potential EventLog File Location Tampering severity high T1562.002
Potential PendingFileRenameOperations Tampering severity medium T1036.003
Potential Persistence Using DebugPath severity medium T1546.015
Potential Persistence Via App Paths Default Property severity high T1546.012
Potential Persistence Via AppCompat RegisterAppRestart Layer severity medium T1546.011
Potential Persistence Via AutodialDLL severity high
Potential Persistence Via CHM Helper DLL severity high
Potential Persistence Via Custom Protocol Handler severity medium T1112
Potential Persistence Via DLLPathOverride severity high
Potential Persistence Via Event Viewer Events.asp severity medium T1112
Potential Persistence Via Excel Add-in - Registry severity high T1137.006
Potential Persistence Via GlobalFlags severity high T1546.012
Potential Persistence Via Logon Scripts - Registry severity medium T1037.001
Potential Persistence Via LSA Extensions severity high
Potential Persistence Via Mpnotify severity high
Potential Persistence Via MyComputer Registry Keys severity high
Potential Persistence Via Netsh Helper DLL - Registry severity medium T1546.007
Potential Persistence Via New AMSI Providers - Registry severity medium
Potential Persistence Via Outlook Home Page severity high T1112
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting severity high T1008, T1137, T1546
Potential Persistence Via Outlook Today Page severity high T1112
Potential Persistence Via Scrobj.dll COM Hijacking severity medium T1546.015
Potential Persistence Via Shim Database In Uncommon Location severity high T1546.011
Potential Persistence Via Shim Database Modification severity medium T1546.011
Potential Persistence Via TypedPaths severity high
Potential Persistence Via Visual Studio Tools for Office severity medium T1137.006
Potential PowerShell Execution Policy Tampering severity medium
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG severity high T1218
Potential PSFactoryBuffer COM Hijacking severity high T1546.015
Potential Qakbot Registry Activity severity high T1112
Potential Ransomware Activity Using LegalNotice Message severity high T1491.001
Potential Registry Persistence Attempt Via DbgManagedDebugger severity medium T1574
Potential Registry Persistence Attempt Via Windows Telemetry severity high T1053.005
Potential SentinelOne Shell Context Menu Scan Command Tampering severity medium
Potential Signing Bypass Via Windows Developer Features - Registry severity high
Potential WerFault ReflectDebugger Registry Value Abuse severity high T1036.003
Potentially Suspicious Command Executed Via Run Dialog Box - Registry severity high T1059.001
Potentially Suspicious Desktop Background Change Via Registry severity medium T1112, T1491.001
Potentially Suspicious ODBC Driver Registered severity high T1003
PowerShell as a Service in Registry severity high T1569.002
PowerShell Logging Disabled Via Registry Key Tampering severity high T1112, T1564.001
PowerShell Script Execution Policy Enabled severity low
PUA - Sysinternal Tool Execution - Registry severity low T1588.002
PUA - Sysinternals Tools Execution - Registry severity medium T1588.002
Python Function Execution Security Warning Disabled In Excel - Registry severity high T1562.001
RDP Sensitive Settings Changed severity high T1112
RDP Sensitive Settings Changed to Zero severity medium T1112
RedMimicry Winnti Playbook Registry Manipulation severity high T1112
Register New IFiltre For Persistence severity medium
Registry Disable System Restore severity high T1490
Registry Entries For Azorult Malware severity critical T1112
Registry Explorer Policy Modification severity medium T1112
Registry Hide Function from User severity medium T1112
Registry Modification for OCI DLL Redirection severity high T1112, T1574.001
Registry Modification to Hidden File Extension severity medium T1137
Registry Persistence Mechanisms in Recycle Bin severity high T1547
Registry Persistence via Explorer Run Key severity high T1547.001
Registry Persistence via Service in Safe Mode severity high T1564.001
Registry Tampering by Potentially Suspicious Processes severity medium T1059.005, T1112
RestrictedAdminMode Registry Value Tampering severity high T1112
Run Once Task Configuration in Registry severity medium T1112
Running Chrome VPN Extensions via the Registry 2 VPN Extension severity high T1133
Scheduled TaskCache Change by Uncommon Program severity high T1053, T1053.005
ScreenSaver Registry Key Set severity medium T1218.011
Scripted Diagnostics Turn Off Check Enabled - Registry severity medium T1562.001
Security Event Logging Disabled via MiniNt Registry Key - Registry Set severity high T1112, T1562.002
Security Support Provider (SSP) Added to LSA Configuration severity high T1547.005
Service Binary in Suspicious Folder severity high T1112
ServiceDll Hijack severity medium T1543.003
Session Manager Autorun Keys Modification severity medium T1546.009, T1547.001
Shell Open Registry Keys Manipulation severity high T1546.001, T1548.002
Sticky Key Like Backdoor Usage - Registry severity critical T1546.008
Suspicious Application Allowed Through Exploit Guard severity high T1562.001
Suspicious Camera and Microphone Access severity high T1123, T1125
Suspicious Environment Variable Has Been Registered severity high
Suspicious Execution Of Renamed Sysinternals Tools - Registry severity high T1588.002
Suspicious Keyboard Layout Load severity medium T1588.002
Suspicious Path In Keyboard Layout IME File Registry Value severity high T1562.001
Suspicious PowerShell In Registry Run Keys severity medium T1547.001
Suspicious Printer Driver Empty Manufacturer severity high T1574
Suspicious Run Key from Download severity high T1547.001
Suspicious Service Installed severity medium T1562.001
Suspicious Shell Open Command Registry Modification severity medium T1546.001, T1548.002
Suspicious Shim Database Patching Activity severity high T1546.011
Suspicious Space Characters in RunMRU Registry Path - ClickFix severity high T1027.010, T1204.004
Suspicious Space Characters in TypedPaths Registry Path - FileFix severity high T1027.010, T1204.004
Sysmon Driver Altitude Change severity high T1562.001
System Scripts Autorun Keys Modification severity medium T1547.001
Tamper With Sophos AV Registry Keys severity high T1562.001
Trust Access Disable For VBApplications severity high T1112
UAC Bypass Abusing Winsat Path Parsing - Registry severity high T1548.002
UAC Bypass Using Windows Media Player - Registry severity high T1548.002
UAC Bypass via Event Viewer severity high T1548.002
UAC Bypass via Sdclt severity high T1548.002
UAC Bypass Via Wsreset severity high T1548.002
UAC Disabled severity medium T1548.002
UAC Notification Disabled severity medium T1548.002
UAC Secure Desktop Prompt Disabled severity medium T1548.002
Uncommon Extension In Keyboard Layout IME File Registry Value severity high T1562.001
Uncommon Microsoft Office Trusted Location Added severity high T1112
Usage of Renamed Sysinternals Tools - RegistrySet severity high T1588.002
VBScript Payload Stored in Registry severity high T1547.001
Wdigest CredGuard Registry Modification severity high T1112
Wdigest Enable UseLogonCredential severity high T1112
WFP Filter Added via Registry severity medium T1562, T1569.002
Windows Credential Editor Registry severity critical T1003.001
Windows Credential Guard Disabled - Registry severity high T1562.001
Windows Defender Exclusions Added - Registry severity medium T1562.001
Windows Defender Service Disabled - Registry severity high T1562.001
Windows Defender Threat Severity Default Action Modified severity high T1562.001
Windows Event Log Access Tampering Via Registry severity high T1112, T1547.001
Windows Hypervisor Enforced Code Integrity Disabled severity high T1562.001
Windows Recall Feature Enabled - Registry severity medium T1113
Windows Registry Trust Record Modification severity medium T1566.001
Windows Vulnerable Driver Blocklist Disabled severity high T1562.001
WINEKEY Registry Modification severity high T1547
Winget Admin Settings Modification severity low
Winlogon AllowMultipleTSSessions Enable severity medium T1112
Winlogon Notify Key Logon Persistence severity high T1547.004
WinSock2 Autorun Keys Modification severity medium T1547.001
Wow6432Node Classes Autorun Keys Modification severity medium T1547.001
Wow6432Node CurrentVersion Autorun Keys Modification severity medium T1547.001
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification severity medium T1547.001

Microsoft-Windows-Sysmon event 13

Sigma (236)

Splunk (172)

Keyboard Shortcuts