Microsoft-Windows-Sysmon event 3 (Network connection detected)
Sigma (51)
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To Ngrok Tunneling Service Initiated
- Communication To Uncommon Destination Ports
- Local Network Connection Initiated By Script Interpreter
- Microsoft Sync Center Suspicious Network Connections
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- Network Communication Initiated To Portmap.IO Domain
- Network Communication With Crypto Mining Pool
- Network Connection Initiated By AddinUtil.EXE
- Network Connection Initiated By Eqnedt32.EXE
- Network Connection Initiated By IMEWDBLD.EXE
- Network Connection Initiated By Regsvr32.EXE
- Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
- Network Connection Initiated To BTunnels Domains
- Network Connection Initiated To Cloudflared Tunnels Domains
- Network Connection Initiated To DevTunnels Domain
- Network Connection Initiated To Mega.nz
- Network Connection Initiated To Visual Studio Code Tunnels Domain
- Network Connection Initiated via Finger.EXE
- Network Connection Initiated Via Notepad.EXE
- New Connection Initiated To Potential Dead Drop Resolver Domain
- Office Application Initiated Network Connection Over Uncommon Ports
- Office Application Initiated Network Connection To Non-Local IP
- Outbound Network Connection Initiated By Cmstp.EXE
- Outbound Network Connection Initiated By Microsoft Dialer
- Outbound Network Connection Initiated By Script Interpreter
- Outbound Network Connection To Public IP Via Winlogon
- Outbound RDP Connections Over Non-Standard Tools
- Potential Remote PowerShell Session Initiated
- Potentially Suspicious Malware Callback Communication
- Potentially Suspicious Network Connection To Notion API
- Potentially Suspicious Wuauclt Network Connection
- Process Initiated Network Connection To Ngrok Domain
- Python Initiated Connection
- RDP Over Reverse SSH Tunnel
- RDP to HTTP or HTTPS Target Ports
- RegAsm.EXE Initiating Network Connection To Public IP
- Remote Access Tool - AnyDesk Incoming Connection
- Rundll32 Internet Connection
- Silenttrinity Stager Msbuild Activity
- Suspicious Dropbox API Usage
- Suspicious Network Connection Binary No CommandLine
- Suspicious Network Connection to IP Lookup Service APIs
- Suspicious Non-Browser Network Communication With Google API
- Suspicious Non-Browser Network Communication With Telegram API
- Suspicious Outbound SMTP Connections
- Suspicious Wordpad Outbound Connections
- Uncommon Connection to Active Directory Web Services
- Uncommon Network Connection Initiated By Certutil.EXE
- Uncommon Outbound Kerberos Connection
Splunk (17)
- Detect Regasm with Network Connection
- Detect Regsvcs with Network Connection
- DLLHost with no Command Line Arguments with Network
- GPUpdate with no Command Line Arguments with Network
- LOLBAS With Network Traffic
- Network Traffic to Active Directory Web Services Protocol
- Outbound Network Connection from Java Using Default Ports
- Rundll32 with no Command Line Arguments with Network
- SearchProtocolHost with no Command Line with Network
- Unknown Process Using The Kerberos Protocol
- Windows Detect Network Scanner Behavior
- Windows File Transfer Protocol In Non-Common Process Path
- Windows Mail Protocol In Non-Common Process Path
- Windows Remote Desktop Network Bruteforce Attempt
- Windows Rundll32 WebDav With Network Connection
- Windows Suspect Process With Authentication Traffic
- Windows WinLogon with Public Network Connection
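Added example, not code from this index and not the Sigma or Splunk projects' own rule logic: a small Python evaluator that parses constructed Sysmon Event ID 3 records in their native XML EventData layout and applies simplified approximations of five rules named in the two lists above (the Regsvr32, RDP-to-HTTP/HTTPS, Office-to-non-local-IP and uncommon-Kerberos rules from the Sigma list, and the Winlogon-to-public-IP rule that appears in both lists). The field names (Image, Initiated, Protocol, DestinationIp, DestinationPort) are Sysmon's own; the predicates, the allowlists (OFFICE_IMAGES, KERBEROS_CLIENTS, LOCAL_NETS) and every sample record are assumptions made here, not the published rule content.

```python
"""Evaluate approximations of a few Sysmon Event ID 3 rules over constructed events.

Added example; the predicates below are simplified stand-ins for the named
Sigma/Splunk rules, not their published logic. All records are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Ranges the "non-local / public IP" rules treat as local (assumption: RFC 1918,
# loopback, link-local, unique-local); anything else counts as non-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe", "onenote.exe"}
# Processes for which an outbound connection to TCP/88 is expected (assumed allowlist).
KERBEROS_CLIENTS = {"lsass.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def sysmon_event3_xml(**data):
    """Render a constructed Sysmon Event ID 3 record in the real EventData shape."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>3</EventID>'
            f'<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>'
            f'<EventData>{rows}</EventData></Event>')


def parse_sysmon_event(xml_text):
    """Flatten the <Data Name=...> elements into a dict; keep EventID as an int."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields


def image_name(ev):
    """Basename of the Image path, lower-cased, since rules match on it case-insensitively."""
    return ev.get("Image", "").rsplit("\\", 1)[-1].lower()


def is_local_ip(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False  # hostnames or malformed values are not treated as local
    return any(ip in net for net in LOCAL_NETS)


def outbound(ev):
    """Sysmon sets Initiated=true for connections the process opened itself."""
    return ev.get("Initiated", "").lower() == "true"


# (rule title as listed above, approximate predicate over the parsed fields)
RULES = [
    ("Network Connection Initiated By Regsvr32.EXE",
     lambda ev: outbound(ev) and image_name(ev) == "regsvr32.exe"),
    ("RDP to HTTP or HTTPS Target Ports",
     lambda ev: outbound(ev) and image_name(ev) == "mstsc.exe"
     and ev.get("DestinationPort") in {"80", "443"}),
    ("Office Application Initiated Network Connection To Non-Local IP",
     lambda ev: outbound(ev) and image_name(ev) in OFFICE_IMAGES
     and not is_local_ip(ev.get("DestinationIp", ""))),
    ("Uncommon Outbound Kerberos Connection",
     lambda ev: outbound(ev) and ev.get("DestinationPort") == "88"
     and image_name(ev) not in KERBEROS_CLIENTS),
    ("Outbound Network Connection To Public IP Via Winlogon",
     lambda ev: outbound(ev) and image_name(ev) == "winlogon.exe"
     and not is_local_ip(ev.get("DestinationIp", ""))),
]


def evaluate(xml_records):
    """Return (rule title, image basename, 'ip:port') for every rule hit."""
    hits = []
    for rec in xml_records:
        ev = parse_sysmon_event(rec)
        if ev["EventID"] != 3:
            continue
        for title, pred in RULES:
            if pred(ev):
                hits.append((title, image_name(ev),
                             f'{ev.get("DestinationIp")}:{ev.get("DestinationPort")}'))
    return hits


# Constructed sample records; 203.0.113.0/24 is a documentation range.
SAMPLE_RECORDS = [
    sysmon_event3_xml(Image=r"C:\Windows\System32\regsvr32.exe", Initiated="true",
                      Protocol="tcp", DestinationIp="203.0.113.5", DestinationPort="443"),
    sysmon_event3_xml(Image=r"C:\Windows\System32\mstsc.exe", Initiated="true",
                      Protocol="tcp", DestinationIp="10.0.0.25", DestinationPort="443"),
    sysmon_event3_xml(Image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                      Initiated="true", Protocol="tcp",
                      DestinationIp="203.0.113.77", DestinationPort="80"),
    sysmon_event3_xml(Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                      Initiated="true", Protocol="tcp",
                      DestinationIp="203.0.113.9", DestinationPort="443"),
    sysmon_event3_xml(Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      Initiated="true", Protocol="tcp",
                      DestinationIp="10.0.0.4", DestinationPort="88"),
    sysmon_event3_xml(Image=r"C:\Windows\System32\lsass.exe", Initiated="true",
                      Protocol="tcp", DestinationIp="10.0.0.4", DestinationPort="88"),
    sysmon_event3_xml(Image=r"C:\Windows\System32\winlogon.exe", Initiated="true",
                      Protocol="tcp", DestinationIp="203.0.113.3", DestinationPort="443"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_RECORDS):
        print(hit)
```

Two caveats when running the real rules: Sysmon only writes Event ID 3 when the configuration enables NetworkConnect filtering, so an empty result may mean no telemetry rather than no activity; and Event ID 3 carries no CommandLine field, so rules of the "binary with no command line and network" kind in both lists need the connection correlated back to the process-creation event (Event ID 1) by ProcessGuid, which this single-event evaluator does not do.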