Detection rules › By event

Microsoft-Windows-Sysmon event 14

43 detection rules reference this event. View event page.

Sigma (42)

Atbroker Registry Change severity medium T1218, T1547
CMSTP Execution Registry Event severity high T1218.003
Creation of a Local Hidden User Account by Registry severity high T1136.001
Delete Defender Scan ShellEx Context Menu Registry Key severity medium
Disable Security Events Logging Adding Reg Key MiniNt severity high T1112, T1562.002
DLL Load via LSASS severity high T1547.008
Esentutl Volume Shadow Copy Service Keys severity high T1003.002
Folder Removed From Exploit Guard ProtectedFolders List - Registry severity high T1562.001
HybridConnectionManager Service Installation - Registry severity high T1608
Narrator's Feedback-Hub Persistence severity high T1547.001
NetNTLM Downgrade Attack - Registry severity high T1112, T1562.001
New DLL Added to AppCertDlls Registry Key severity medium T1546.009
New DLL Added to AppInit_DLLs Registry Key severity medium T1546.010
New PortProxy Registry Entry Added severity medium T1090
Office Application Startup - Office Test severity medium T1137.002
Path To Screensaver Binary Modified severity medium T1546.002
Potential Credential Dumping Via LSASS SilentProcessExit Technique severity critical T1003.001
Potential Qakbot Registry Activity severity high T1112
RedMimicry Winnti Playbook Registry Manipulation severity high T1112
Registry Entries For Azorult Malware severity critical T1112
Registry Persistence Mechanisms in Recycle Bin severity high T1547
Registry Tampering by Potentially Suspicious Processes severity medium T1059.005, T1112
Removal Of AMSI Provider Registry Keys severity high T1562.001
Removal Of Index Value to Hide Schedule Task - Registry severity medium T1562
Removal of Potential COM Hijacking Registry Keys severity medium T1112
Removal Of SD Value to Hide Schedule Task - Registry severity medium T1562
Run Once Task Configuration in Registry severity medium T1112
RunMRU Registry Key Deletion - Registry severity high T1070.003
Security Support Provider (SSP) Added to LSA Configuration severity high T1547.005
Shell Open Registry Keys Manipulation severity high T1546.001, T1548.002
Sticky Key Like Backdoor Usage - Registry severity critical T1546.008
Suspicious Camera and Microphone Access severity high T1123, T1125
Suspicious Run Key from Download severity high T1547.001
Terminal Server Client Connection History Cleared - Registry severity high T1070, T1112
UAC Bypass Via Wsreset severity high T1548.002
Wdigest CredGuard Registry Modification severity high T1112
Windows Credential Editor Registry severity critical T1003.001
Windows Credential Guard Related Registry Value Deleted - Registry severity high T1562.001
Windows Defender Threat Severity Default Action Modified severity high T1562.001
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted severity medium T1113
Windows Registry Trust Record Modification severity medium T1566.001
WINEKEY Registry Modification severity high T1547

Splunk (1)

Windows Modify Registry to Add or Modify Firewall Rule T1112