Windows Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Detect Password Spray Attempts | Windows Event Log Security 4625 | Password Spraying, Brute Force | TTP | Active Directory Password Spraying, Compromised User Account | 2024-10-17 |
| Email files written outside of the Outlook directory | Sysmon EventID 11 | Email Collection, Local Email Collection | TTP | Collection and Staging | 2024-10-17 |
| No Windows Updates in a time frame | | N/A | Hunting | Monitor for Updates | 2024-10-17 |
| Splunk Enterprise Windows Deserialization File Partition | Splunk | Exploit Public-Facing Application | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk RCE Through Arbitrary File Write to Windows System Root | Splunk | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Web Servers Executing Suspicious Processes | Sysmon EventID 1 | System Information Discovery | TTP | Apache Struts Vulnerability | 2024-10-17 |
| Windows AD add Self to Group | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous Deny ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous Group ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous User ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD DCShadow Privileges ACL Addition | | Domain or Tenant Policy Modification, Rogue Domain Controller, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Domain Root ACL Deletion | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Domain Root ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO Deleted | | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO Disabled | | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO New CSE Addition | | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Hidden OU Creation | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Object Owner Updated | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Privileged Group Modification | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows AD Self DACL Assignment | | Domain or Tenant Policy Modification, Account Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Suspicious Attribute Modification | | Use Alternate Authentication Material, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Suspicious GPO Modification | | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows Increase in Group or Object Modification Activity | Windows Event Log Security 4663 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows Increase in User Modification Activity | Windows Event Log Security 4720 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Detect Activity Related to Pass the Hash Attacks | Windows Event Log Security 4624 | Use Alternate Authentication Material, Pass the Hash | Hunting | Active Directory Lateral Movement, BlackSuit Ransomware | 2024-10-17 |
| Detect Mimikatz Using Loaded Images | Sysmon EventID 7 | LSASS Memory, OS Credential Dumping | TTP | CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools | 2024-10-17 |
| Detect Mimikatz Via PowerShell And EventCode 4703 | | LSASS Memory | TTP | Cloud Federated Credential Abuse | 2024-10-17 |
| Dump LSASS via procdump Rename | Sysmon EventID 1 | LSASS Memory | Hunting | CISA AA22-257A, Credential Dumping, HAFNIUM Group | 2024-10-17 |
| Execution of File With Spaces Before Extension | Sysmon EventID 1 | Rename System Utilities | TTP | Masquerading - Rename System Utilities, Windows File Extension and Association Abuse | 2024-10-17 |
| First time seen command line argument | Sysmon EventID 1 | PowerShell, Windows Command Shell | Hunting | DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions | 2024-10-17 |
| Processes created by netsh | Sysmon EventID 1 | Disable or Modify System Firewall | TTP | Netsh Abuse | 2024-10-17 |
| Prohibited Software On Endpoint | Sysmon EventID 1 | N/A | Hunting | Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware | 2024-10-17 |
| Reg exe used to hide files directories via registry keys | Sysmon EventID 1 | Hidden Files and Directories | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-10-17 |
| Remote Registry Key modifications | Sysmon EventID 13 | N/A | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-10-17 |
| Scheduled tasks used in BadRabbit ransomware | Sysmon EventID 1 | Scheduled Task | TTP | Ransomware | 2024-10-17 |
| Suspicious Changes to File Associations | Sysmon EventID 1 | Change Default File Association | TTP | Suspicious Windows Registry Activities, Windows File Extension and Association Abuse | 2024-10-17 |
| Suspicious File Write | Sysmon EventID 11 | N/A | Hunting | Hidden Cobra Malware | 2024-10-17 |
| Suspicious Powershell Command-Line Arguments | Sysmon EventID 1 | PowerShell | TTP | CISA AA22-320A, Hermetic Wiper, Malicious PowerShell | 2024-10-17 |
| Suspicious Rundll32 Rename | Sysmon EventID 1 | System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities | Hunting | Masquerading - Rename System Utilities, Suspicious Rundll32 Activity | 2024-10-17 |
| Suspicious writes to System Volume Information | Sysmon EventID 1 | Masquerading | Hunting | Collection and Staging | 2024-10-17 |
| Uncommon Processes On Endpoint | Sysmon EventID 1 | Malicious File | Hunting | Hermetic Wiper, Unusual Processes, Windows Privilege Escalation | 2024-10-17 |
| Unsigned Image Loaded by LSASS | Sysmon EventID 7 | LSASS Memory | TTP | Credential Dumping | 2024-10-17 |
| Windows connhost exe started forcefully | Sysmon EventID 1 | Windows Command Shell | TTP | Ryuk Ransomware | 2024-10-17 |
| Windows DLL Search Order Hijacking Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Search Order Hijacking, Hijack Execution Flow | Hunting | Living Off The Land, Windows Defense Evasion Tactics | 2024-10-17 |
| Windows hosts file modification | Sysmon EventID 11 | N/A | TTP | Host Redirection | 2024-10-17 |
| 3CX Supply Chain Attack Network Indicators | Sysmon EventID 22 | Compromise Software Supply Chain | TTP | 3CX Supply Chain Attack | 2024-10-17 |
| 7zip CommandLine To SMB Share Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility, Archive Collected Data | Hunting | Ransomware | 2024-10-17 |
| Access LSASS Memory for Dump Creation | Sysmon EventID 10 | LSASS Memory, OS Credential Dumping | TTP | CISA AA23-347A, Credential Dumping | 2024-09-30 |
| Account Discovery With Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Account Discovery | TTP | IcedID, Trickbot | 2024-09-30 |
| Active Setup Registry Autostart | Sysmon EventID 12, Sysmon EventID 13 | Active Setup, Boot or Logon Autostart Execution | TTP | Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation | 2024-09-30 |
| Add DefaultUser And Password In Registry | Sysmon EventID 13 | Credentials in Registry, Unsecured Credentials | Anomaly | BlackMatter Ransomware | 2024-09-30 |
| Add or Set Windows Defender Exclusion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools, Impair Defenses | TTP | AgentTesla, CISA AA22-320A, Data Destruction, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics | 2024-09-30 |
| AdsiSearcher Account Discovery | Powershell Script Block Logging 4104 | Domain Account, Account Discovery | TTP | Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2 | 2024-09-30 |
| Allow File And Printing Sharing In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Cloud Firewall, Impair Defenses | TTP | BlackByte Ransomware, Ransomware | 2024-09-30 |
| Allow Inbound Traffic By Firewall Rule Registry | Sysmon EventID 12, Sysmon EventID 13 | Remote Desktop Protocol, Remote Services | TTP | Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse | 2024-09-30 |
| Allow Inbound Traffic In Firewall Rule | Powershell Script Block Logging 4104 | Remote Desktop Protocol, Remote Services | TTP | Prohibited Traffic Allowed or Protocol Mismatch | 2024-09-30 |
| Allow Network Discovery In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Cloud Firewall, Impair Defenses | TTP | BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware | 2024-09-30 |
| Allow Operation with Consent Admin | Sysmon EventID 12, Sysmon EventID 13 | Abuse Elevation Control Mechanism | TTP | Azorult, MoonPeak, Ransomware, Windows Registry Abuse | 2024-09-30 |
| Anomalous usage of 7zip | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility, Archive Collected Data | Anomaly | BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group | 2024-09-30 |
| Any Powershell DownloadFile | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Braodo Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, Phemedrone Stealer | 2024-09-30 |
| Any Powershell DownloadString | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern | 2024-09-30 |
| Attacker Tools On Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP | CISA AA22-264A, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig | 2024-09-30 |
| Attempt To Add Certificate To Untrusted Store | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Install Root Certificate, Subvert Trust Controls | TTP | Disabling Security Tools | 2024-09-30 |
| Attempt To Stop Security Service | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools, Impair Defenses | TTP | Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate | 2024-09-30 |
| Attempted Credential Dump From Registry via Reg exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Security Account Manager, OS Credential Dumping | TTP | CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Windows Registry Abuse | 2024-09-30 |
| Auto Admin Logon Registry Entry | Sysmon EventID 12, Sysmon EventID 13 | Credentials in Registry, Unsecured Credentials | TTP | BlackMatter Ransomware, Windows Registry Abuse | 2024-09-30 |
| Batch File Write to System32 | Sysmon EventID 1, Sysmon EventID 11 | User Execution, Malicious File | TTP | SamSam Ransomware | 2024-09-30 |
| Bcdedit Command Back To Normal Mode Boot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | BlackMatter Ransomware | 2024-09-30 |
| BCDEdit Failure Recovery Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | Ransomware, Ryuk Ransomware | 2024-09-30 |
| BITS Job Persistence | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs | TTP | BITS Jobs, Living Off The Land | 2024-09-30 |
| BITSAdmin Download File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs, Ingress Tool Transfer | TTP | BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land | 2024-09-30 |
| CertUtil Download With URLCache and Split Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | CISA AA22-277A, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell | 2024-09-30 |
| CertUtil Download With VerifyCtl and Split Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land | 2024-09-30 |
| Certutil exe certificate extraction | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | N/A | TTP | Cloud Federated Credential Abuse, Living Off The Land, Windows Certificate Services, Windows Persistence Techniques | 2024-09-30 |
| CertUtil With Decode Argument | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Deobfuscate/Decode Files or Information | TTP | APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land | 2024-09-30 |
| Change Default File Association | Sysmon EventID 12, Sysmon EventID 13 | Change Default File Association, Event Triggered Execution | TTP | Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2024-09-30 |
| Change To Safe Mode With Network Config | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | BlackMatter Ransomware | 2024-09-30 |
| CHCP Command Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Azorult, Forest Blizzard, IcedID | 2024-09-30 |
| Check Elevated CMD using whoami | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | TTP | FIN7 | 2024-09-30 |
| Child Processes of Spoolsv exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation | TTP | Data Destruction, Hermetic Wiper, Windows Privilege Escalation | 2024-10-17 |
| Clear Unallocated Sector Using Cipher App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File Deletion, Indicator Removal | TTP | Ransomware | 2024-09-30 |
| Clop Common Exec Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Clop Ransomware | 2024-09-30 |
| Clop Ransomware Known Service Name | Windows Event Log System 7045 | Create or Modify System Process | TTP | Clop Ransomware | 2024-09-30 |
| CMD Carry Out String Command Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell, Command and Scripting Interpreter | Hunting | AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern | 2024-10-17 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-09-30 |
| Cmdline Tool Not Executed In CMD Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, JavaScript | TTP | CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon | 2024-09-30 |
| CMLUA Or CMSTPLUA UAC Bypass | Sysmon EventID 7 | System Binary Proxy Execution, CMSTP | TTP | DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT | 2024-09-30 |
| Cobalt Strike Named Pipes | Sysmon EventID 17, Sysmon EventID 18 | Process Injection | TTP | BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot | 2024-09-30 |
| Common Ransomware Extensions | Sysmon EventID 11 | Data Destruction | Hunting | Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware | 2024-10-17 |
| Common Ransomware Notes | Sysmon EventID 11 | Data Destruction | Hunting | Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware | 2024-10-17 |
| ConnectWise ScreenConnect Path Traversal | Sysmon EventID 11 | Exploit Public-Facing Application | TTP | ConnectWise ScreenConnect Vulnerabilities | 2024-09-30 |
| ConnectWise ScreenConnect Path Traversal Windows SACL | Windows Event Log Security 4663 | Exploit Public-Facing Application | TTP | ConnectWise ScreenConnect Vulnerabilities | 2024-09-30 |
| Conti Common Exec parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Ransomware | 2024-09-30 |
| Control Loading from World Writable Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Control Panel | TTP | Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444 | 2024-09-30 |
| Create local admin accounts using net exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Account, Create Account | TTP | Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware | 2024-09-30 |
| Create or delete windows shares using net exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Indicator Removal, Network Share Connection Removal | TTP | CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation | 2024-09-30 |
| Create Remote Thread In Shell Application | Sysmon EventID 8 | Process Injection | TTP | IcedID, Qakbot, Warzone RAT | 2024-09-30 |
| Create Remote Thread into LSASS | Sysmon EventID 8 | LSASS Memory, OS Credential Dumping | TTP | BlackSuit Ransomware, Credential Dumping | 2024-09-30 |
| Creation of lsass Dump with Taskmgr | Sysmon EventID 11 | LSASS Memory, OS Credential Dumping | TTP | CISA AA22-257A, Credential Dumping | 2024-09-30 |
| Creation of Shadow Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | NTDS, OS Credential Dumping | TTP | Credential Dumping, Volt Typhoon | 2024-09-30 |
| Creation of Shadow Copy with wmic and powershell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | NTDS, OS Credential Dumping | TTP | Credential Dumping, Living Off The Land, Volt Typhoon | 2024-09-30 |
| Credential Dumping via Copy Command from Shadow Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | NTDS, OS Credential Dumping | TTP | Credential Dumping | 2024-09-30 |
| Credential Dumping via Symlink to Shadow Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | NTDS, OS Credential Dumping | TTP | Credential Dumping | 2024-09-30 |
| CSC Net On The Fly Compilation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compile After Delivery, Obfuscated Files or Information | Hunting | Windows Defense Evasion Tactics | 2024-10-17 |
| Curl Download and Bash Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 | 2024-09-30 |
| Delete ShadowCopy With PowerShell | Powershell Script Block Logging 4104 | Inhibit System Recovery | TTP | DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware | 2024-09-30 |
| Deleting Of Net Users | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Access Removal | TTP | DarkGate Malware, Graceful Wipe Out Attack, XMRig | 2024-09-30 |
| Deleting Shadow Copies | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | CISA AA22-264A, Chaos Ransomware, Clop Ransomware, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation | 2024-09-30 |
| Detect AzureHound Command-Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | Windows Discovery Techniques | 2024-09-30 |
| Detect AzureHound File Modifications | Sysmon EventID 11 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | Windows Discovery Techniques | 2024-09-30 |
| Detect Certify Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP | Ingress Tool Transfer, Windows Certificate Services | 2024-09-30 |
| Detect Certify With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell | TTP | Malicious PowerShell, Windows Certificate Services | 2024-09-30 |
| Detect Certipy File Modifications | Sysmon EventID 1, Sysmon EventID 11 | Steal or Forge Authentication Certificates, Archive Collected Data | TTP | Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services | 2024-09-30 |
| Detect Computer Changed with Anonymous Account | Windows Event Log Security 4624, Windows Event Log Security 4742 | Exploitation of Remote Services | Hunting | Detect Zerologon Attack | 2024-10-17 |
| Detect Copy of ShadowCopy with Script Block Logging | Powershell Script Block Logging 4104 | Security Account Manager, OS Credential Dumping | TTP | Credential Dumping | 2024-09-30 |
| Detect Credential Dumping through LSASS access | Sysmon EventID 10 | LSASS Memory, OS Credential Dumping | TTP | BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack | 2024-09-30 |
| Detect Critical Alerts from Security Tools | MS365 Defender Incident Alerts, Windows Defender Alerts | N/A | TTP | Critical Alerts | 2024-10-09 |
| Detect Empire with PowerShell Script Block Logging | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-09-30 |
| Detect Exchange Web Shell | Sysmon EventID 1, Sysmon EventID 11 | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP | BlackByte Ransomware, CISA AA22-257A, HAFNIUM Group, ProxyNotShell, ProxyShell | 2024-09-30 |
| Detect HTML Help Renamed | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Compiled HTML File | Hunting | Living Off The Land, Suspicious Compiled HTML Activity | 2024-10-17 |
| Detect HTML Help Spawn Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Compiled HTML File | TTP | AgentTesla, Living Off The Land, Suspicious Compiled HTML Activity | 2024-09-30 |
| Detect HTML Help URL in Command Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Compiled HTML File | TTP | Living Off The Land, Suspicious Compiled HTML Activity | 2024-09-30 |
| Detect HTML Help Using InfoTech Storage Handlers | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Compiled HTML File | TTP | Living Off The Land, Suspicious Compiled HTML Activity | 2024-09-30 |
| Detect Mimikatz With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | OS Credential Dumping, PowerShell | TTP | CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools | 2024-09-30 |
| Detect mshta inline hta execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Mshta | TTP | Gozi Malware, Living Off The Land, Suspicious MSHTA Activity | 2024-09-30 |
| Detect mshta renamed | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Mshta | Hunting | Living Off The Land, Suspicious MSHTA Activity | 2024-10-17 |
| Detect MSHTA Url in Command Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Mshta | TTP | Living Off The Land, Suspicious MSHTA Activity | 2024-09-30 |
| Detect New Local Admin account | Windows Event Log Security 4720, Windows Event Log Security 4732 | Local Account, Create Account | TTP | CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group | 2024-09-30 |
| Detect Outlook exe writing a zip file | Sysmon EventID 1, Sysmon EventID 11 | Phishing, Spearphishing Attachment | TTP | Amadey, Remcos, Spearphishing Attachments | 2024-10-17 |
| Detect Path Interception By Creation Of program exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Path Interception by Unquoted Path, Hijack Execution Flow | TTP | Windows Persistence Techniques | 2024-09-30 |
| Detect processes used for System Network Configuration Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Configuration Discovery | TTP | Unusual Processes | 2024-09-30 |
| Detect Prohibited Applications Spawning cmd exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell | Hunting | NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes | 2024-10-17 |
| Detect PsExec With accepteula Flag | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares | TTP | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon | 2024-09-30 |
| Detect Rare Executables | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | Anomaly | Rhysida Ransomware, Unusual Processes | 2024-09-30 |
| Detect RClone Command-Line Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Automated Exfiltration | TTP | DarkSide Ransomware, Ransomware | 2024-09-30 |
| Detect Regasm Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regasm with Network Connection | Sysmon EventID 3 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regasm with no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regsvcs Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | Living Off The Land, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regsvcs with Network Connection | Sysmon EventID 3 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | Living Off The Land, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regsvcs with No Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | Living Off The Land, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regsvr32 Application Control Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Regsvr32 | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity | 2024-09-30 |
| Detect Remote Access Software Usage File | Sysmon EventID 11 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Detect Remote Access Software Usage FileInfo | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Anomaly | Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Detect Remote Access Software Usage Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Detect Renamed 7-Zip | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility, Archive Collected Data | Hunting | Collection and Staging | 2024-10-17 |
| Detect Renamed PSExec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Services, Service Execution | Hunting | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools | 2024-10-17 |
| Detect Renamed RClone | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Automated Exfiltration | Hunting | DarkSide Ransomware, Ransomware | 2024-10-17 |
| Detect Renamed WinRAR | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility, Archive Collected Data | Hunting | CISA AA22-277A, Collection and Staging | 2024-10-17 |
| Detect RTLO In File Name | Sysmon EventID 11 | Right-to-Left Override, Masquerading | TTP | Spearphishing Attachments | 2024-09-30 |
| Detect RTLO In Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Right-to-Left Override, Masquerading | TTP | Spearphishing Attachments | 2024-09-30 |
| Detect Rundll32 Application Control Bypass - advpack | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Rundll32 | TTP | Living Off The Land, Suspicious Rundll32 Activity | 2024-09-30 |
| Detect Rundll32 Application Control Bypass - setupapi | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Rundll32 | TTP | Living Off The Land, Suspicious Rundll32 Activity | 2024-09-30 |
| Detect Rundll32 Application Control Bypass - syssetup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Rundll32 | TTP | Living Off The Land, Suspicious Rundll32 Activity | 2024-09-30 |
| Detect Rundll32 Inline HTA Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Mshta | TTP | Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity | 2024-09-30 |
| Detect SharpHound Command-Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | BlackSuit Ransomware, Ransomware, Windows Discovery Techniques | 2024-09-30 |
| Detect SharpHound File Modifications | Sysmon EventID 11 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | BlackSuit Ransomware, Ransomware, Windows Discovery Techniques | 2024-09-30 |
| Detect SharpHound Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | Ransomware, Windows Discovery Techniques | 2024-09-30 |
| Detect suspicious processnames using pretrained model in DSDL | Sysmon EventID 1 | Command and Scripting Interpreter | Anomaly | Suspicious Command-Line Executions | 2024-10-17 |
| Detect Use of cmd exe to Launch Script Interpreters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell | TTP | Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions | 2024-09-30 |
| Detect Webshell Exploit Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Server Software Component, Web Shell | TTP | BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities | 2024-09-30 |
| Detect WMI Event Subscription Persistence | Sysmon EventID 20 | Windows Management Instrumentation Event Subscription, Event Triggered Execution | TTP | Suspicious WMI Use | 2024-09-30 |
Detection of tools built by NirSoft CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Software Deployment Tools TTP Emotet Malware DHS Report TA18-201A 2024-10-17
Disable AMSI Through Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-09-30
Disable Defender AntiVirus Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA24-241A, IcedID, Windows Registry Abuse 2024-09-30
Disable Defender BlockAtFirstSeen Feature Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-09-30
Disable Defender Enhanced Notification Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-09-30
Disable Defender MpEngine Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP IcedID, Windows Registry Abuse 2024-09-30
Disable Defender Spynet Reporting Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse 2024-09-30
Disable Defender Submit Samples Consent Feature Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-09-30
Disable ETW Through Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-09-30
Disable Logs Using WevtUtil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal Clear Windows Event Logs TTP CISA AA23-347A, Ransomware, Rhysida Ransomware 2024-09-30
Disable Registry Tool Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Disable Schedule Task CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP IcedID, Living Off The Land 2024-09-30
Disable Security Logs Using MiniNt Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Disable Show Hidden Files Sysmon EventID 12, Sysmon EventID 13 Hidden Files and Directories Disable or Modify Tools Hide Artifacts Impair Defenses Modify Registry Anomaly Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Disable UAC Remote Restriction Sysmon EventID 12, Sysmon EventID 13 Bypass User Account Control Abuse Elevation Control Mechanism TTP CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Disable Windows App Hotkeys Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP Windows Registry Abuse, XMRig 2024-09-30
Disable Windows Behavior Monitoring Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Disable Windows SmartScreen Protection Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Windows Defense Evasion Tactics,