WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Execution
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Kubernetes Anomalous Outbound Network Activity from Process
User Execution
Kubernetes Anomalous Traffic on Network Edge
User Execution
Kubernetes newly seen UDP edge
User Execution
Kubernetes newly seen TCP edge
User Execution
Kubernetes Anomalous Inbound Network Activity from Process
User Execution
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
PowerShell Domain Enumeration
Command and Scripting Interpreter, PowerShell
PowerShell Domain Enumeration
Command and Scripting Interpreter, PowerShell
PowerShell 4104 Hunting
Command and Scripting Interpreter, PowerShell
PowerShell 4104 Hunting
Command and Scripting Interpreter, PowerShell
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Remote Process Instantiation via WMI
Windows Management Instrumentation
Detect Mimikatz With PowerShell Script Block Logging
OS Credential Dumping, PowerShell
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Short Lived Scheduled Task
Scheduled Task
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Remote WMI Command Attempt
Windows Management Instrumentation
Windows WMI Process Call Create
Windows Management Instrumentation
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
User Execution
Kubernetes Anomalous Inbound Outbound Network IO
User Execution
Kubernetes Pod Created in Default Namespace
User Execution
Kubernetes Previously Unseen Container Image Name
User Execution
Kubernetes Shell Running on Worker Node
User Execution
Kubernetes Shell Running on Worker Node with CPU Activity
User Execution
Kubernetes Previously Unseen Process
User Execution
Kubernetes Process Running From New Path
User Execution
Kubernetes Process with Anomalous Resource Utilisation
User Execution
Kubernetes Process with Resource Ratio Anomalies
User Execution
Kubernetes Pod With Host Network Attachment
User Execution
Kubernetes DaemonSet Deployed
User Execution
Kubernetes Cron Job Creation
Container Orchestration Job
Kubernetes Create or Update Privileged Pod
User Execution
Kubernetes Node Port Creation
User Execution
Kubernetes Falco Shell Spawned
User Execution
Detect PowerShell Applications Spawning cmd exe
Command and Scripting Interpreter
Detect Prohibited Office Applications Spawning cmd exe
Command and Scripting Interpreter
Detect Prohibited Browsers Spawning cmd exe
Command and Scripting Interpreter
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Kubernetes Unauthorized Access
User Execution
Windows Defender ASR Audit Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Block Events
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link
Windows Defender ASR Rules Stacking
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter
AWS ECR Container Upload Outside Business Hours
Malicious Image, User Execution
AWS ECR Container Upload Outside Business Hours
Malicious Image, User Execution
AWS ECR Container Scanning Findings Low Informational Unknown
Malicious Image, User Execution
AWS ECR Container Scanning Findings Low Informational Unknown
Malicious Image, User Execution
AWS ECR Container Scanning Findings High
Malicious Image, User Execution
AWS ECR Container Scanning Findings High
Malicious Image, User Execution
AWS ECR Container Scanning Findings Medium
Malicious Image, User Execution
AWS ECR Container Scanning Findings Medium
Malicious Image, User Execution
Windows Powershell Cryptography Namespace
PowerShell, Command and Scripting Interpreter
Windows Powershell Cryptography Namespace
PowerShell, Command and Scripting Interpreter
Excessive number of taskhost processes
Command and Scripting Interpreter
MacOS LOLbin
Unix Shell, Command and Scripting Interpreter
MacOS LOLbin
Unix Shell, Command and Scripting Interpreter
Recon Using WMI Class
Gather Victim Host Information, PowerShell
Windows WinDBG Spawning AutoIt3
Command and Scripting Interpreter
Windows AutoIt3 Execution
Command and Scripting Interpreter
Risk Rule for Dev Sec Ops by Repository
Malicious Image, User Execution
Risk Rule for Dev Sec Ops by Repository
Malicious Image, User Execution
Windows Executable in Loaded Modules
Shared Modules
Juniper Networks Remote Code Execution Exploit Detection
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Windows MSExchange Management Mailbox Cmdlet Usage
Command and Scripting Interpreter, PowerShell
Windows MSExchange Management Mailbox Cmdlet Usage
Command and Scripting Interpreter, PowerShell
Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Detect Certify With PowerShell Script Block Logging
Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell
Windows Powershell RemoteSigned File
PowerShell, Command and Scripting Interpreter
Windows Powershell RemoteSigned File
PowerShell, Command and Scripting Interpreter
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Suspicious Process Executed From Container File
Malicious File, Masquerade File Type
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Windows Suspect Process With Authentication Traffic
Account Discovery, Domain Account, User Execution, Malicious File
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
PowerShell Script Block With URL Chain
PowerShell, Ingress Tool Transfer
PowerShell WebRequest Using Memory Stream
PowerShell, Ingress Tool Transfer, Fileless Storage
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
Windows PowerShell ScheduleTask
Scheduled Task, PowerShell, Command and Scripting Interpreter
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Windows Snake Malware Service Create
Kernel Modules and Extensions, Service Execution
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Powershell Using memory As Backing Store
PowerShell, Command and Scripting Interpreter
Powershell Using memory As Backing Store
PowerShell, Command and Scripting Interpreter
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Detect Empire with PowerShell Script Block Logging
Command and Scripting Interpreter, PowerShell
Detect Empire with PowerShell Script Block Logging
Command and Scripting Interpreter, PowerShell
Schtasks Run Task On Demand
Scheduled Task/Job
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Suspicious Process With Discord DNS Query
Visual Basic, Command and Scripting Interpreter
Suspicious Process With Discord DNS Query
Visual Basic, Command and Scripting Interpreter
Suspicious Process DNS Query Known Abuse Web Services
Visual Basic, Command and Scripting Interpreter
Suspicious Process DNS Query Known Abuse Web Services
Visual Basic, Command and Scripting Interpreter
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Powershell Processing Stream Of Data
Command and Scripting Interpreter, PowerShell
Powershell Processing Stream Of Data
Command and Scripting Interpreter, PowerShell
Windows Hidden Schedule Task Settings
Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Batch File Write to System32
User Execution, Malicious File
Batch File Write to System32
User Execution, Malicious File
WinEvent Windows Task Scheduler Event Action Started
Scheduled Task
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
PowerShell Loading DotNET into Memory via Reflection
Command and Scripting Interpreter, PowerShell
PowerShell Loading DotNET into Memory via Reflection
Command and Scripting Interpreter, PowerShell
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Schedule Task with HTTP Command Arguments
Scheduled Task/Job
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
Windows PowerShell WMI Win32 ScheduledJob
PowerShell, Command and Scripting Interpreter
Windows PowerShell WMI Win32 ScheduledJob
PowerShell, Command and Scripting Interpreter
Windows Enable Win32 ScheduledJob via Registry
Scheduled Task
PowerShell Start or Stop Service
PowerShell
PowerShell Invoke CIMMethod CIMSession
Windows Management Instrumentation
PowerShell Enable PowerShell Remoting
PowerShell, Command and Scripting Interpreter
PowerShell Enable PowerShell Remoting
PowerShell, Command and Scripting Interpreter
PowerShell Invoke WmiExec Usage
Windows Management Instrumentation
Clop Common Exec Parameter
User Execution
Windows Service Create SliverC2
System Services, Service Execution
Windows Service Create SliverC2
System Services, Service Execution
Detect suspicious processnames using pretrained model in DSDL
Command and Scripting Interpreter
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Windows WMI Process And Service List
Windows Management Instrumentation
Powershell Load Module in Meterpreter
Command and Scripting Interpreter, PowerShell
Powershell Load Module in Meterpreter
Command and Scripting Interpreter, PowerShell
Windows Apache Benchmark Binary
Command and Scripting Interpreter
Remote Process Instantiation via WMI and PowerShell Script Block
Windows Management Instrumentation
Windows Service Created with Suspicious Service Path
System Services, Service Execution
Windows Service Created with Suspicious Service Path
System Services, Service Execution
Windows WMI Impersonate Token
Windows Management Instrumentation
Windows Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Windows Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Identify Protocol Handlers
Command and Scripting Interpreter
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Detect Risky SPL using Pretrained ML Model
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Hunting Path Traversal
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Path Traversal Exec
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Delete Usage
Command and Scripting Interpreter
Splunk Command and Scripting Interpreter Risky SPL MLTK
Command and Scripting Interpreter
Linux At Application Execution
At, Scheduled Task/Job
Linux At Application Execution
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Splunk Command and Scripting Interpreter Risky Commands
Command and Scripting Interpreter
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Detect Renamed PSExec
System Services, Service Execution
Detect Renamed PSExec
System Services, Service Execution
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Excessive distinct processes from Windows Temp
Command and Scripting Interpreter
Get-ForestTrust with PowerShell Script Block
Domain Trust Discovery, PowerShell
AWS Lambda UpdateFunctionCode
User Execution
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
Potentially malicious code on commandline
Windows Command Shell
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Detect Outbound LDAP Traffic
Exploit Public-Facing Application, Command and Scripting Interpreter
Suspicious Linux Discovery Commands
Unix Shell
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Wmiprsve LOLBAS Execution Process Spawn
Windows Management Instrumentation
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
Remote Process Instantiation via WMI and PowerShell
Windows Management Instrumentation
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
MS Scripting Process Loading WMI Module
Command and Scripting Interpreter, JavaScript
MS Scripting Process Loading WMI Module
Command and Scripting Interpreter, JavaScript
MS Scripting Process Loading Ldap Module
Command and Scripting Interpreter, JavaScript
MS Scripting Process Loading Ldap Module
Command and Scripting Interpreter, JavaScript
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
Correlation by Repository and Risk
Malicious Image, User Execution
Correlation by Repository and Risk
Malicious Image, User Execution
Correlation by User and Risk
Malicious Image, User Execution
Correlation by User and Risk
Malicious Image, User Execution
AWS ECR Container Upload Unknown User
Malicious Image, User Execution
AWS ECR Container Upload Unknown User
Malicious Image, User Execution
Drop IcedID License dat
User Execution, Malicious File
Drop IcedID License dat
User Execution, Malicious File
CHCP Command Execution
Command and Scripting Interpreter
Excessive Usage Of SC Service Utility
System Services, Service Execution
Excessive Usage Of SC Service Utility
System Services, Service Execution
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Revil Common Exec Parameter
User Execution
Conti Common Exec parameter
User Execution
Wermgr Process Spawned CMD Or Powershell Process
Command and Scripting Interpreter
Schedule Task with Rundll32 Command Trigger
Scheduled Task/Job
Malicious Powershell Executed As A Service
System Services, Service Execution
Malicious Powershell Executed As A Service
System Services, Service Execution
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Suspicious Powershell Command-Line Arguments
PowerShell
Sunburst Correlation DLL and Network Event
Exploitation for Client Execution
Single Letter Process On Endpoint
User Execution, Malicious File
Single Letter Process On Endpoint
User Execution, Malicious File
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Windows connhost exe started forcefully
Windows Command Shell
Detect Windows DNS SIGRed via Zeek
Exploitation for Client Execution
Detect Windows DNS SIGRed via Splunk Stream
Exploitation for Client Execution
Uncommon Processes On Endpoint
Malicious File
First time seen command line argument
PowerShell, Windows Command Shell
First time seen command line argument
PowerShell, Windows Command Shell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
First Time Seen Running Windows Service
System Services, Service Execution
First Time Seen Running Windows Service
System Services, Service Execution
Detection of tools built by NirSoft
Software Deployment Tools
Scheduled tasks used in BadRabbit ransomware
Scheduled Task
Script Execution via WMI
Windows Management Instrumentation
Process Execution via WMI
Windows Management Instrumentation
WMI Permanent Event Subscription
Windows Management Instrumentation
WMI Temporary Event Subscription
Windows Management Instrumentation