Detection rules › By event

Microsoft-Windows-Sysmon event 22

44 detection rules reference this event. View event page.

Sigma (22)

AppX Package Installation Attempts Via AppInstaller.EXE severity medium T1105
Cloudflared Tunnels Related DNS Requests severity medium T1071.001, T1572
DNS HybridConnectionManager Service Bus severity high T1554
DNS Query by Finger Utility severity high T1059.003, T1071.004
DNS Query for Anonfiles.com Domain - Sysmon severity high T1567.002
DNS Query Request By QuickAssist.EXE severity low T1071.001, T1210
DNS Query Request By Regsvr32.EXE severity medium T1218.010, T1559.001
DNS Query Request To OneLaunch Update Service severity low T1056
DNS Query To AzureWebsites.NET By Non-Browser Process severity medium T1219.002
DNS Query To Common Malware Hosting and Shortener Services severity medium T1071.004
DNS Query To Devtunnels Domain severity medium T1071.001, T1572
DNS Query To MEGA Hosting Website severity medium T1567.002
DNS Query To Remote Access Software Domain From Non-Browser App severity medium T1219.002
DNS Query To Ufile.io severity low T1567.002
DNS Query To Visual Studio Code Tunnels Domain severity medium T1071.001
DNS Query Tor .Onion Address - Sysmon severity high T1090.003
DNS Server Discovery Via LDAP Query severity low T1482
Notepad++ Updater DNS Query to Uncommon Domains severity medium T1195.002, T1557
Suspicious Cobalt Strike DNS Beaconing - Sysmon severity critical T1071.004
Suspicious DNS Query for IP Lookup Service APIs severity medium T1590
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing severity high T1187, T1557.001
TeamViewer Domain Query By Non-TeamViewer Application severity medium T1219.002

Microsoft-Windows-Sysmon event 22

Sigma (22)

Splunk (22)

Keyboard Shortcuts