1 |
Service Execution Detected |
Sysmon |
1 |
Execution |
T1569.002, T1569 |
Service Execution,System Services, System Services,Service Execution |
2 |
Screensaver Activities Detected |
Sysmon |
13,12,14 |
Persistence |
T1546.002, T1546 |
Screensaver,Event Triggered Execution |
3 |
Execution of Microsoft Build Engine Using an Alternate Name |
Sysmon |
1 |
Defense Evasion |
T1036, T1036.003 |
Rename System Utilities,Masquerading |
4 |
Suspicious VMToolsd Child Process |
Security |
4688 |
Execution |
T1059 |
Command and Scripting Interpreter |
5 |
Generic Password Dumper Activity on LSASS Detected |
Security |
4656 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
6 |
File System Permissions Weakness |
Sysmon |
7 |
Privilege Escalation,Defense Evasion,Persistence |
T1574,T1574.010 |
Hijack Execution Flow,Services File Permissions Weakness |
7 |
Sysmon Error Event Detected |
Sysmon |
255 |
Defense Evasion |
T1562.001,T1562 |
Disable or Modify Tools, Disable or Modify Tools,Impair Defenses |
8 |
Windows Kernel and 3rd Party Drivers Exploits Token Stealing Detected |
Sysmon |
1 |
Privilege Escalation |
T1068 |
Exploitation for Privilege Escalation |
9 |
Egregor Payload Command Line Detected |
Sysmon |
1 |
Impact |
T1486 |
Data Encrypted for Impact |
10 |
AD Object WriteDAC Access Detected |
Sysmon |
4662 |
Defense Evasion |
T1222 |
File and Directory Permissions Modification |
11 |
Regsvcs-Regasm Detected |
Sysmon |
3 |
Defense Evasion |
T1218 |
Signed Binary Proxy Execution,Regsvcs/ Regasm |
12 |
Taskmgr as Parent Detected |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
13 |
File and Directory Discovery Using PowerShell Detected |
Microsoft-Windows-PowerShell/ Operational |
4103 |
Discovery |
T1083 |
File and Directory Discovery |
14 |
Suspicious TSCON Start |
Sysmon |
1 |
Command and Control |
T1219 |
Remote Access Software |
15 |
WMI - Network Connection |
Sysmon |
3 |
Execution |
T1047 |
Windows Management Instrumentation |
16 |
Call to a Privileged Service Failed |
Security |
4673 |
Lateral Movement, Privilege Escalation, Defense Evasion, Initial Access, Persistence |
T1078 |
Valid Accounts |
17 |
DTRACK Process Creation Detected |
Sysmon |
1 |
Privilege Escalation,Defense Evasion |
T1055 |
Process Injection |
18 |
DHCP Server Error Failed Loading the CallOut DLL |
Application |
103, 210, 311, 034 |
Privilege Escalation,Defense Evasion,Persistence |
T1574,T1574.002 |
Hijack Execution Flow,Hijack Execution Flow,DLL Side-Loading, DLL Side-Loading |
19 |
Certutil Encode Detected |
Sysmon |
1 |
Defense Evasion |
T1140 |
Deobfuscate/Decode Files or Information |
20 |
Copy from Admin Share Detected |
Sysmon |
1 |
Lateral Movement, Command and Control |
T1021, T1021.002, T1105 |
Ingress Tool Transfer,Remote Services,SMB/Windows Admin Shares |
21 |
Successful Overpass the Hash Attempt |
Security |
4624 |
Lateral Movement, Defense Evasion |
T1550.002, T1550 |
Pass the Hash,Use Alternate Authentication Material, Use Alternate Authentication Material,Pass the Hash |
22 |
Mitre Collection Attack using Automated Collection Detected |
Microsoft-Windows-PowerShell/ Operational |
4104 |
|
|
|
23 |
Windows Removable Storage Disconnected |
Microsoft-Windows-DriverFrameworks-UserMode/ Operational |
2102 |
|
|
|
24 |
LSASS Access Detected via Attack Surface Reduction |
Microsoft-Windows-Windows Defender/ Operational |
1121 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
25 |
Command Obfuscation via Environment Variable Concatenation Reassembly |
Sysmon |
1 |
Defense Evasion,Execution |
T1059, T1059.003 |
Command and Scripting Interpreter,Windows Command Shell |
26 |
Data Staging Process Detected in Windows |
Sysmon |
1 |
Collection |
T1074 |
Data Staged |
27 |
WMI - Active Script Event Consumer - Process Detected |
Sysmon |
1 |
Execution |
T1047 |
Windows Management Instrumentation |
28 |
Suspicious Scripting in a WMI Consumer |
Sysmon |
20 |
Execution |
T1059, T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
29 |
Suspicious WMIC Child Process |
Sysmon |
1 |
Execution |
T1047 |
Windows Management Instrumentation |
30 |
Elevated Command Prompt Activity by Non-Admin User Detected |
Security |
4688 |
Execution |
T1059 |
Command and Scripting Interpreter,Command-Line Interface |
31 |
Encoded IEX Detected |
Sysmon |
1 |
Defense Evasion,Execution |
T1140, T1059, T1059.001 |
PowerShell,Deobfu scate/Decode Files or Information,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
32 |
Lsass Memory Dump with MiniDumpWrite Dump API Detected |
Sysmon |
7 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
33 |
Mitre Persistence via Winlogon Helper DLL Detected |
Security |
4657 |
Privilege Escalation, Execution, Persistence |
T1547.004, T1547 |
Boot or Logon Autostart Execution,Boot or Logon Autostart Execution,Winlogon Helper DLL, Winlogon Helper DLL |
34 |
RDP Login from Localhost Detected |
Security |
4624 |
Lateral Movement |
T1021,T1021.001 |
Remote Services,Remote Services, Remote Desktop Protocol,Remote Desktop Protocol |
35 |
Suspicious Shells Spawn by SQL Server |
Security |
4688 |
Execution,Initial Access |
T1190,T1059.001 |
Exploit Public-Facing Application,Command and Scripting Interpreter,PowerShell |
36 |
Microsoft Defender AMSI Trigger |
Microsoft-Windows-Windows Defender/ Operational |
1116 |
|
|
|
37 |
Password Change on DSRM Account Detected |
Security |
4794 |
Privilege Escalation, Persistence |
T1098 |
Account Manipulation |
38 |
Windows Defender Stopped |
Microsoft-Windows-Windows Defender/ Operational |
5001 |
Defense Evasion |
T1562.001, T1562 |
Disable or Modify Tools,Impair Defenses |
39 |
Exploition of CVE-2019-1388 Detected |
Sysmon |
1 |
Privilege Escalation |
T1068 |
Exploitation for Privilege Escalation |
40 |
Possible Credential Dump-Tools Named Pipes Detected |
Sysmon |
17 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
41 |
PowerShell Version Downgrade Detected |
Windows PowerShell |
400 |
Execution |
T1059, T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
42 |
AppInit DLLs Detected |
Sysmon |
13,12,14 |
Privilege Escalation, Persistence |
T1546.010, T1546 |
AppInit DLLs,Event Triggered Execution,AppInit DLLs, Event Triggered Execution |
43 |
Possible Ransomware or Unauthorized MBR Modifications Detected |
Sysmon |
1 |
Defense Evasion, Persistence |
T1542, T1070, T1542.003 |
Indicator Removal on Host,Bootkit, Bootkit, Pre-OS Boot,Pre-OS Boot |
44 |
Ryuk Wake-On-LAN Activity |
Security |
4688 |
|
|
|
45 |
Eventlog Cleared Detected |
System |
104 |
Defense Evasion |
T1070 |
Indicator Removal on Host |
46 |
Mitre Execution Attack via Suspicious Powershell Command Detected |
Security |
4688 |
Execution |
T1059, T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
47 |
Registry Persistence Mechanisms Detected |
Sysmon |
13 |
Privilege Escalation, Persistence |
T1546,T1546.012 |
Image File Execution Options Injection,Event Triggered Execution,Image File Execution Options Injection, Event Triggered Execution |
48 |
Tap Driver Installation Detected |
System, Sysmon, Security |
7045, 4697, 6 |
Exfiltration |
T1048 |
Exfiltration Over Alternative Protocol |
49 |
Unsigned Image Loaded Into LSASS Process |
Sysmon |
7 |
Credential Access |
T1003,T1003.001 |
OS Credential Dumping,LSASS Memory |
50 |
PowerShell Script Run in AppData Detected |
Sysmon |
1 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
51 |
Suspicious HWP Sub Processes Detected |
Sysmon |
1 |
Defense Evasion, Execution, Initial Access |
T1566.001, T1202, T1566, T1059 |
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Attachment, Phishing, Command-Line Interface, Indirect Command Execution |
52 |
Security Policy Extraction |
Security |
4688 |
|
|
|
53 |
Default File Association Changed |
Sysmon |
13,12,14 |
Privilege Escalation, Persistence |
T1546.001, T1546 |
Change Default File Association,Event Triggered Execution,Change Default File Association, Event Triggered Execution |
54 |
New Service Process Execution |
Sysmon |
1 |
Privilege Escalation,Persistence |
T1543 |
New Service,Create or Modify System Process |
55 |
Audio Capture via PowerShell Detected |
Sysmon |
1 |
Collection |
T1123 |
Audio Capture |
56 |
Mitre Execution Attack via Encoded Powershell Command Detected |
Security |
4688 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
57 |
Emissary Panda Malware SLLauncher Detected |
Sysmon |
1 |
Defense Evasion |
T1211 |
Exploitation for Defense Evasion |
58 |
Regsvr32 Anomaly Detected |
Sysmon |
1 |
Defense Evasion |
T1218.010,T1218 |
Signed Binary Proxy Execution,Regsvr32, Signed Binary Proxy Execution |
59 |
Regsvr32 - Network Detected |
Sysmon |
3 |
Defense Evasion,Execution |
T1218.010,T1218 |
Regsvr32,Signed Binary Proxy Execution,Regsvr32, Signed Binary Proxy Execution |
60 |
Windows Processes Suspicious Parent Directory Detected |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
61 |
RDP Tunneling Detected Using Plink |
Sysmon |
1 |
Command And Control,Command and Control |
T1219 |
Remote Access Software,Remote Access Tools |
62 |
Exploit for CVE-2017-0261 Detected |
Sysmon |
1 |
Privilege Escalation,Defense Evasion |
T1055 |
Process Injection |
63 |
ZxShell Malware Detected |
Sysmon |
1 |
Defense Evasion, Execution |
T1218.011, T1059, T1218 |
Command and Scripting Interpreter,Signed Binary Proxy Execution,Command-Line Interface, Signed Binary Proxy Execution,Rundll32, Rundll32 |
64 |
LSASS Access from Non System Account Detected |
Security |
46,564,663 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
65 |
Suspicious Outbound Kerberos Connection |
Sysmon, Security |
35,156 |
Lateral Movement, Credential Access |
T1558, T1558.003 |
Steal or Forge Kerberos Tickets,Kerberoasting, Kerberoasting, Steal or Forge Kerberos Tickets |
66 |
AppCert DLLs Detected |
Sysmon |
13,12,14 |
Privilege Escalation, Persistence |
T1546.009, T1546 |
AppCert DLLs, AppCert DLLs,Event Triggered Execution, Event Triggered Execution |
67 |
Svchost DLL Search Order Hijack Detected |
Sysmon |
7 |
Privilege Escalation,Defense Evasion,Persistence |
T1574.001, T1574, T1574.002 |
Hijack Execution Flow,DLL Search Order Hijacking,DLL Side-Loading |
68 |
Possible CLR DLL Loaded Via Office Applications |
Sysmon |
7 |
Initial Access |
T1566,T1566.001 |
Phishing, Phishing,Spearphishing Attachment, Spearphishing Attachment |
69 |
Credentials Access in Files Detected |
Sysmon |
1 |
Credential Access |
T1552.001,T1552 |
Unsecured Credentials,Credentials In Files |
70 |
Windows Domain GPO Modification |
Security |
5136 |
Privilege Escalation, Privilege Escalation,Defense Evasion |
T1484 |
Group Policy Modification,Domain Policy Modification |
71 |
OceanLotus Registry Activity Detected |
Sysmon |
13 |
Defense Evasion,Persistence |
T1112 |
Modify Registry |
72 |
Screenshot Capture Detected |
Microsoft-Windows-PowerShell/ Operational |
4104 |
Collection |
T1113 |
Screen Capture |
73 |
MsiExec Web Install Detected |
Sysmon |
1 |
Defense Evasion |
T1218.007,T1218 |
Msiexec,Signed Binary Proxy Execution |
74 |
Allowed NetLogon Connections via Group Policy - CVE-2020-1472 |
Security |
58,305,831 |
Privilege Escalation |
T1068 |
Exploitation for Privilege Escalation |
75 |
Windows Admin Shares - Process - Created |
Sysmon |
1 |
Lateral Movement |
T1021 |
Remote Services |
76 |
WMI command execution |
Sysmon |
20 |
Execution |
T1047 |
Windows Management Instrumentation |
77 |
Mimikatz Detection LSASS Access Detected |
Sysmon |
10 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
78 |
Control Panel Items - Process Detected |
Sysmon |
1 |
Defense Evasion |
T1218.002,T1218 |
Control Panel, Control Panel,Signed Binary Proxy Execution |
79 |
Rubeus Hack Tool Detected |
Sysmon |
1 |
Credential Access |
T1003 |
OS Credential Dumping |
80 |
Password Dumper Remote Thread in LSASS |
Sysmon |
8 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
81 |
Ngrok RDP Tunnel Detected |
Security |
4779 |
Command and Control |
T1572 |
Protocol Tunneling |
82 |
Windows Excessive Amount of Files Copied to Removable Device |
Security |
4663 |
Exfiltration |
T1052.001,T1052 |
Exfiltration Over Physical Medium, Exfiltration over USB,Exfiltration over USB |
83 |
Potential RDP Exploit CVE-2019-0708 Detected |
System |
56,50 |
Lateral Movement,Initial Access |
T1190,T1210 |
Exploit Public-Facing Application,Exploitation of Remote Services |
84 |
CobaltStrike Named Pipes Detected |
Sysmon |
17 |
Privilege Escalation,Defense Evasion |
T1055 |
Process Injection |
85 |
Suspicious Reconnaissance Activity Detected |
Sysmon |
1 |
Discovery |
T1087 |
Account Discovery |
86 |
Application Shimming - Process Detected |
Sysmon |
1 |
Privilege Escalation, Persistence |
T1546, T1546.011 |
Application Shimming, Application Shimming,Event Triggered Execution, Event Triggered Execution |
87 |
Possible Empire Monkey Detected |
Sysmon |
1 |
Execution |
T1059, T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
88 |
Suspicious WMPRVSE Child Process |
Sysmon |
1 |
Execution |
T1047 |
Windows Management Instrumentation |
89 |
Run Whoami as SYSTEM Detected |
Sysmon |
1 |
Privilege Escalation, Discovery |
T1033 |
System Owner/User Discovery |
90 |
Suspicious RASdial Activity Detected |
Sysmon |
1 |
Execution |
T1059 |
Command and Scripting Interpreter |
91 |
Curl Start Combination Detected |
Sysmon |
1 |
Defense Evasion |
T1218 |
Signed Binary Proxy Execution |
92 |
Suspicious SVCHOST Process Creation |
Sysmon |
1 |
Privilege Escalation, Defense Evasion |
T1055, T1036, T1036.005 |
Process Injection,Match Legitimate Name or Location,Masquerading |
93 |
Windows Command Line Execution with Suspicious URL and AppData Strings |
Sysmon |
1 |
Execution |
T1059 |
Command and Scripting Interpreter,Command-Line Interface |
94 |
Sofacy Trojan Loader Activity Detected |
Sysmon |
1 |
Defense Evasion,Execution |
T1218.011, T1059, T1218 |
Command and Scripting Interpreter,Signed Binary Proxy Execution,Command-Line Interface, Signed Binary Proxy Execution,Rundll32, Rundll32 |
95 |
Domain Administrator Login in Workstation |
Security |
4627 |
Privilege Escalation,Defense Evasion,Initial Access,Persistence |
T1078, T1078.002 |
Valid Accounts,Domain Accounts |
96 |
Dridex Process Pattern Detected |
Sysmon |
1 |
Privilege Escalation,Defense Evasion |
T1055 |
Process Injection |
97 |
Suspicious PowerShell Mailbox Export to Share |
Security |
4688 |
Collection |
T1114 |
Email Collection |
98 |
Suspicious Calculator Usage Detected |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
99 |
Remotely Query Login Sessions - Network |
Sysmon |
3 |
Discovery |
T1082 |
System Information Discovery,Remote Query |
100 |
Active Directory DLLs Loaded By Office Applications |
Sysmon |
7 |
Initial Access |
T1566,T1566.001 |
Phishing, Phishing,Spearphishing Attachment, Spearphishing Attachment |
101 |
Possible Command Prompt Process Hollowing |
Sysmon |
1 |
Privilege Escalation,Defense Evasion |
T1055,T1055.012 |
Process Injection,Process Hollowing |
102 |
Remote System Discovery - Network |
Sysmon |
3 |
Discovery |
T1018 |
Remote System Discovery |
103 |
Clear Command History |
Sysmon |
1 |
Defense Evasion |
T1070,T1070.003 |
Indicator Removal on Host, Indicator Removal on Host, Clear Command History,Clear Command History |
104 |
Ps.exe Renamed SysInternals Tool Detected |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
105 |
Windows Data Copied to Removable Device |
Security |
4663 |
Exfiltration |
T1052.001,T1052 |
Exfiltration Over Physical Medium,Exfiltration over USB |
106 |
Masquerading File Location Detected |
Sysmon |
11 |
Defense Evasion |
T1036 |
Masquerading |
107 |
UltraVNC Execution via Command Line |
Security |
4688 |
Command and Control |
T1219 |
Remote Access Software |
108 |
Log Files Creation of Dot-Net-to-JS Detected |
Sysmon |
11 |
Execution |
T1059 |
Command and Scripting Interpreter |
109 |
CVE-2019-0708 RDP RCE Vulnerability Detected |
Security |
4625 |
Lateral Movement |
T1210 |
Exploitation of Remote Services |
110 |
PsExec Service Start Detected |
Sysmon |
1 |
Execution |
T1569.002,T1569 |
Service Execution,System Services, System Services,Service Execution |
111 |
New DLL Added to AppCertDlls Registry Key |
Sysmon |
13,12,14 |
Privilege Escalation, Persistence |
T1546.009,T1546 |
AppCert DLLs, AppCert DLLs,Event Triggered Execution, Event Triggered Execution |
112 |
Suspicious Userinit Child Process |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
113 |
Execution of Renamed PaExec Detected |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
114 |
Suspicious Double Extension Detected |
Sysmon |
1 |
Initial Access |
T1566,T1566.001 |
Phishing, Phishing,Spearphishing Attachment, Spearphishing Attachment |
115 |
Webshell Detection With Command Line Keywords |
Sysmon |
1 |
Privilege Escalation, Persistence |
T1505,T1505.003 |
Server Software Component, Server Software Component,Web Shell, Web Shell |
116 |
Suspicious Execution from Outlook |
Sysmon |
1 |
Defense Evasion,Execution |
T1202,T1059 |
Indirect Command Execution,Command and Scripting Interpreter,Command-Line Interface |
117 |
Suspicious Microsoft Equation Editor Child Process |
Sysmon |
1 |
Execution |
T1203 |
Exploitation for Client Execution |
118 |
DLL Load via LSASS Detected |
Sysmon |
13,12 |
Privilege Escalation, Execution, Persistence |
T1547,T1547.008 |
Boot or Logon Autostart Execution,Boot or Logon Autostart Execution,LSASS Driver, LSASS Driver |
119 |
MSHTA - Process Detected |
Sysmon |
1 |
Defense Evasion,Execution |
T1218.005,T1218 |
Mshta, Mshta,Signed Binary Proxy Execution, Signed Binary Proxy Execution |
120 |
WScript or CScript Dropper Detected |
Sysmon |
1 |
Execution |
T1059.007, T1059.005, T1059 |
JavaScript/JScript, Visual Basic, JavaScript, Command and Scripting Interpreter |
121 |
dotNET DLL Loaded Via Office Applications |
Sysmon |
7 |
Initial Access |
T1566,T1566.001 |
Phishing, Phishing,Spearphishing Attachment, Spearphishing Attachment |
122 |
Rundll32 Internet Connection Detected |
Sysmon |
3 |
Defense Evasion,Execution |
T1218.011,T1218 |
Rundll32, Rundll32,Signed Binary Proxy Execution, Signed Binary Proxy Execution |
123 |
In-memory PowerShell Detected |
Sysmon |
7 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
124 |
Browser Bookmark Discovery |
Sysmon |
1 |
Discovery |
T1217 |
Browser Bookmark Discovery |
125 |
Process Discovery Detected |
Sysmon |
1 |
Lateral Movement, Defense Evasion |
T1550.002, T1550 |
Pass the Hash,Use Alternate Authentication Material, Use Alternate Authentication Material,Pass the Hash |
126 |
Microsoft Defender Disabling Attempt via PowerShell |
Microsoft-Windows-PowerShell/ Operational |
4104 |
Defense Evasion,Execution |
T1562.001, T1562, T1059, T1059.001 |
Disable or Modify Tools,Command and Scripting Interpreter,PowerShell,Impair Defenses |
127 |
Windows Remote Management Detected |
Sysmon |
1 |
Lateral Movement,Execution |
T1021,T1021.006 |
Remote Services,Remote Services, Windows Remote Management,Windows Remote Management |
128 |
Windows Registry Value Change |
Security |
4657 |
Privilege Escalation, Defense Evasion, Credential Access |
T1112 |
Modify Registry |
129 |
RDP Connection Inititated from Domain Controller |
Microsoft-Windows-Terminal Services-Remote Connection Manager/ Operational |
1149 |
Lateral Movement |
T1021,T1021.001 |
Remote Services,Remote Desktop Protocol |
130 |
Petya Affected Hosts |
System |
106 |
Defense Evasion,Discovery |
T1046, T1518, T1518.001, T1211 |
Network Service Scanning,Security Software Discovery, Software Discovery,Software Discovery,Exploitation for Defense Evasion, Security Software Discovery |
131 |
QuarksPwDump Dump File Detected |
Sysmon |
11 |
Credential Access |
T1003,T1003.002 |
OS Credential Dumping,Security Account Manager |
132 |
Stealthy Scheduled Task Creation via VBA Macro Detected |
Sysmon |
7 |
Privilege Escalation, Execution, Persistence |
T1053.005, T1053 |
Scheduled Task,Scheduled Task/Job, Scheduled Task |
133 |
SAM Registry Hive Dump via Reg Utility |
Security |
4656 |
Discovery |
T1012 |
Query Registry |
134 |
Password Spraying Attack Detected |
Security |
4625 |
|
|
|
135 |
Possible Malicious Payload Download via Office Binaries Detected |
Sysmon |
1 |
Command and Control |
T1105 |
Ingress Tool Transfer |
136 |
Hidden PowerShell Window Detected |
Security |
4688 |
Defense Evasion |
T1564,T1564.003 |
Hidden Window, Hidden Window, Hide Artifacts,Hide Artifacts |
137 |
Suspicious Control Panel DLL Load Detected |
Sysmon |
1 |
Privilege Escalation,Defense Evasion,Persistence |
T1574, T1218.011 ,T1574.002, T1218 |
DLL Side-Loading, DLL Side-Loading, Hijack Execution Flow,Hijack Execution Flow,Signed Binary Proxy Execution, Signed Binary Proxy Execution,Rundll32, Rundll32 |
138 |
VBA DLL Loaded Via Microsoft Word |
Sysmon |
7 |
Initial Access |
T1566,T1566.001 |
Phishing, Phishing,Spearphishing Attachment, Spearphishing Attachment |
139 |
Printer Driver Addition Detected |
Microsoft-Windows-PrintService/ Operational |
316 |
Privilege Escalation |
T1068 |
Exploitation for Privilege Escalation |
140 |
DHCP Callout DLL Installation Detected |
Sysmon |
13 |
Privilege Escalation,Defense Evasion,Persistence |
T1574 ,T1574.002, T1112 |
Hijack Execution Flow,Hijack Execution Flow,Modify Registry,DLL Side-Loading, DLL Side-Loading |
141 |
Microsoft Binary Github Communication Detected |
Sysmon |
3 |
Command and Control |
T1105 |
Ingress Tool Transfer |
142 |
Control Panel Items Detected |
Sysmon |
1 |
Defense Evasion |
T1218.002,T1218 |
Control Panel, Control Panel,Signed Binary Proxy Execution |
143 |
Compiled HTML File Detected |
Sysmon |
1 |
Defense Evasion |
T1218.001,T1218 |
Compiled HTML File,Signed Binary Proxy Execution, Compiled HTML File, Signed Binary Proxy Execution |
144 |
Encoded PowerShell Command Detected |
Sysmon |
1 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
145 |
Application Whitelisting Bypass via DLL Loaded by odbcconf Detected |
Sysmon |
1 |
Defense Evasion |
T1218.008,T1218 |
Odbcconf,Signed Binary Proxy Execution |
146 |
Suspicious Process Start Locations Detected |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
147 |
OpenWith Execution of Specified Binary Detected |
Sysmon |
1 |
Defense Evasion |
T1218 |
Signed Binary Proxy Execution |
148 |
Direct Autorun Keys Modification Detected |
Sysmon |
1 |
Privilege Escalation, Persistence |
T1547, T1547.001 |
Boot or Logon Autostart Execution,Boot or Logon Autostart Execution,Registry Run Keys / Startup Folder, Registry Run Keys / Startup Folder |
149 |
Fireball Archer Installation Detected |
Sysmon |
1 |
Defense Evasion,Execution |
T1218.011, T1059, T1218 |
Command and Scripting Interpreter,Signed Binary Proxy Execution,Command-Line Interface, Signed Binary Proxy Execution,Rundll32, Rundll32 |
150 |
NTFS Object Deleted |
Sysmon |
1 |
Defense Evasion |
T1564,T1564.004 |
NTFS File Attributes,NTFS File Attributes, Hide Artifacts,Hide Artifacts |
151 |
Possible Shim Database Persistence via sdbinst.exe |
Sysmon |
1 |
Privilege Escalation, Persistence |
T1546,T1546.011 |
Application Shimming, Application Shimming,Event Triggered Execution, Event Triggered Execution |
152 |
GALLIUM Artifacts Detected |
Sysmon, Microsoft-Windows-DNSServer/ Analytical |
1,257 |
Command and Control,Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
153 |
Malware Shellcode in Verclsid Target Process |
Sysmon |
10 |
Privilege Escalation,Defense Evasion |
T1055, T1218.012, T1218 |
Verclsid,Signed Binary Proxy Execution,Process Injection |
154 |
Unsigned Driver Loading Detected |
Sysmon |
6 |
|
|
|
155 |
Executable Dropped in Suspicious Location |
Sysmon |
11 |
|
|
|
156 |
Microsoft Build Engine started by Office |
Sysmon |
1 |
Defense Evasion |
T1127.001,T1127 |
Trusted Developer Utilities Proxy Execution,MSBuild |
157 |
Highly Relevant Renamed Binary Detected |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
158 |
Disabling Security Tools - Service stopped |
Sysmon |
1 |
Defense Evasion |
T1562 |
Disabling Security Tools,Impair Defenses |
159 |
WMI Persistence - Command Line Event Consumer Detected |
Sysmon |
7 |
Privilege Escalation, Persistence |
T1546.003, T1546 |
Windows Management Instrumentation Event Subscription, Windows Management Instrumentation Event Subscription,Event Triggered Execution, Event Triggered Execution |
160 |
PowerShell ADRecon Execution |
Microsoft-Windows-PowerShell/ Operational |
4104 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
161 |
Windows Logon Rights Changes |
Security |
47,174,718 |
Privilege Escalation,Defense Evasion,Persistence |
T1098, T1484, T1484.001 |
Account Manipulation,Group Policy Modification,Domain Policy Modification |
162 |
Possible Metasploit Meterpreter Activity Detected |
Sysmon |
3 |
Command and Control |
T1571 |
Non-Standard Port |
163 |
Rundll32 Process Execution |
Sysmon |
1 |
Defense Evasion,Execution |
T1218.011,T1218 |
Rundll32, Rundll32,Signed Binary Proxy Execution, Signed Binary Proxy Execution |
164 |
AD Privileged Users or Groups Reconnaissance Detected |
Security |
4661 |
Discovery |
T1087.002, T1087.001, T1087 |
Domain Account,Local Account,Account Discovery,Domain Account |
165 |
Execution of System Shells via Services |
Sysmon |
1 |
Execution |
T1569.002,T1569 |
System Services,Service Execution |
166 |
MSHTA - Network Detected |
Sysmon |
3 |
Defense Evasion,Execution |
T1218.005,T1218 |
Mshta, Mshta,Signed Binary Proxy Execution, Signed Binary Proxy Execution |
167 |
Existing Service Modification Detected |
Sysmon |
1 |
Privilege Escalation, Persistence |
T1543,T1543.003 |
Windows Service,Create or Modify System Process |
168 |
Change Default File Association |
Sysmon |
13,12,14 |
Persistence |
T1042 |
Change Default File Association |
169 |
Image File Execution Options Injection |
Sysmon |
13,12,14 |
Privilege Escalation, Defense Evasion, Persistence |
T1546,T1546.012 |
Image File Execution Options Injection,Event Triggered Execution,Image File Execution Options Injection, Event Triggered Execution |
170 |
Register new Logon Process by Rubeus |
Security |
4611 |
Lateral Movement, Privilege Escalation, Credential Access |
T1558,T1558.003 |
Steal or Forge Kerberos Tickets,Kerberoasting, Kerberoasting, Steal or Forge Kerberos Tickets |
171 |
Renamed Binary Detected |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
172 |
Possible Exploitation for CVE-2015-1641 Detected |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
173 |
Deobfuscation of Files Detected |
Sysmon |
1 |
Defense Evasion |
T1140 |
Deobfuscate/Decode Files or Information |
174 |
UAC Bypass via Event Viewer Detected |
Sysmon |
13 |
Privilege Escalation,Defense Evasion |
T1548,T1548.002 |
Bypass User Account Control,Abuse Elevation Control Mechanism |
175 |
Local Port Monitor |
Sysmon |
13,12,14 |
Privilege Escalation, Persistence |
T1547,T1547.010 |
Port Monitors, Boot or Logon Autostart Execution,Boot or Logon Autostart Execution,Port Monitors |
176 |
Secure Deletion with SDelete |
Security |
465, 646, 584, 663 |
Defense Evasion |
T1070.004, T1070 |
Indicator Removal on Host,File Deletion |
177 |
Bypass User Access Control using Process |
Sysmon |
1 |
Privilege Escalation,Defense Evasion |
T1548,T1548.002 |
Bypass User Account Control,Abuse Elevation Control Mechanism |
178 |
Doman Trust Discovery via NetDom |
Sysmon |
1 |
Discovery |
T1482 |
Domain Trust Discovery |
179 |
Discovery via PowerSploit Recon Module Detected |
Microsoft-Windows-PowerShell/Operational |
4104 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
180 |
LSASS Memory Dump Detected |
Sysmon |
10 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
181 |
HermeticWiper Driver Load |
Sysmon |
6 |
|
|
|
182 |
Protected Storage Service Access Detected |
Security |
5145 |
Lateral Movement |
T1021 |
Remote Services |
183 |
New Driver File Creation Detected |
Sysmon |
11 |
Execution |
T1129 |
Shared Modules |
184 |
DPAPI Domain Master Key Backup Attempt |
Security |
4692 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
185 |
WMI Modules Loaded by Suspicious Process |
Sysmon |
7 |
Execution |
T1047 |
Windows Management Instrumentation |
186 |
Execution via HTA using IE JavaScript Engine Detected |
Sysmon |
7 |
Defense Evasion,Execution |
T1218.005,T1218 |
Mshta, Mshta,Signed Binary Proxy Execution, Signed Binary Proxy Execution |
187 |
Mitre - Execution - Scheduled Job Operation |
System |
106,141 |
Execution |
|
Local Job Scheduling |
188 |
Windows Registry Persistence COM Key Linking Detected |
Sysmon |
12 |
Privilege Escalation, Persistence |
T1546.015, T1546 |
Component Object Model Hijacking,Component Object Model Hijacking,Event Triggered Execution |
189 |
Remote Registry Management Using Reg Utility |
Security |
5145 |
Defense Evasion,Discovery |
T1012,T1112 |
Modify Registry,Query Registry |
190 |
RDP Sensitive Settings Changed |
Sysmon |
13 |
|
|
|
191 |
Mimikatz DC Sync Detected |
Security |
4662 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
192 |
BITS Jobs - Network Detected |
Sysmon |
3 |
Defense Evasion, Persistence |
T1197 |
BITS Jobs |
193 |
Registry Persistence via Explorer Run Key Detected |
Sysmon |
13 |
Privilege Escalation, Persistence |
T1547,T1547.001 |
Boot or Logon Autostart Execution,Boot or Logon Autostart Execution,Registry Run Keys / Startup Folder, Registry Run Keys / Startup Folder |
194 | Firewall Disabled via Netsh Detected | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1055 | Process Injection |
195 | Execution in Outlook Temp Folder Detected | Sysmon | 1 | Initial Access | T1566, T1566.001 | Phishing, Spearphishing Attachment |
196 | Credential Access via LaZagne | Sysmon | 10 | Credential Access | T1003, T1003.001 | OS Credential Dumping, LSASS Memory |
197 | USB Device Plugged | Microsoft-Windows-Windows Defender/Operational, Microsoft-Windows-DriverFrameworks-UserMode/Operational | 2003, 2100, 2102 | Initial Access | T1200 | Hardware Additions |
198 | Firewall Configuration Modification Detected | Security | 4946 | Defense Evasion | T1562.004 | Disable or Modify System Firewall |
199 | Credential Access via Input Prompt Detected | Microsoft-Windows-PowerShell/Operational | 4104 | Credential Access, Collection | T1056, T1056.002 | GUI Input Capture, Input Capture |
200 | Sysinternals Tool Usage | Sysmon | 13 | Lateral Movement, Execution | T1570 | Lateral Tool Transfer |
201 | Credential Dumping - Registry | Sysmon | 13, 12, 14 | Credential Access | T1003 | OS Credential Dumping, Credential Dumping |
202 | New Firewall Port Opening Detected | Security | 4657 | Command and Control | T1571 | Non-Standard Port |
203 | Windows Admin Shares - Network | Sysmon | 3 | Lateral Movement | T1021 | Remote Services |
204 | Detection of Possible Rotten Potato | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1134 | Access Token Manipulation |
205 | Possible Impacket Lateralization Detected | Sysmon | 1 | Lateral Movement, Execution | T1047, T1021, T1559.001, T1559, T1021.003 | Windows Management Instrumentation, Component Object Model and Distributed COM, Component Object Model, Distributed Component Object Model, Inter-Process Communication, Remote Services |
206 | Windows Webshell Creation Detected | Sysmon | 11 | Persistence | T1505, T1505.003 | Server Software Component, Web Shell |
207 | Network Share Discovery | Sysmon | 1 | Discovery | T1135 | Network Share Discovery |
208 | Office Security Settings Changed | Sysmon | 13 | Defense Evasion | T1112 | Modify Registry |
209 | Windows Defender Exclusion Set Detected | Microsoft-Windows-Windows Defender/Operational | 5007 | Defense Evasion | T1562.001, T1562 | Disable or Modify Tools, Impair Defenses |
210 | Allowed NetLogon Connections - CVE-2020-1472 | Security | 5829 | Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
211 | Java Running with Remote Debugging | Sysmon | 1 | Discovery | T1046 | Network Service Scanning |
212 | DPAPI Domain Backup Key Extraction Detected | Security | 4662 | Credential Access | T1003 | OS Credential Dumping, Credential Dumping |
213 | File Creation by PowerShell Detected | Sysmon | 11 | Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
214 | Firewall Addition via Netsh Detected | Sysmon | 1 | Defense Evasion | T1562.004, T1562 | Impair Defenses, Disable or Modify System Firewall |
215 | Hacktool Ruler Detected | Security | 4776, 4624, 4625 | | | |
216 | Suspicious WMIC XSL Script Execution | Sysmon | 1, 7 | Defense Evasion, Execution | T1220, T1059.005, T1059 | Visual Basic, Command and Scripting Interpreter, XSL Script Processing |
217 | Indicator Blocking - Driver unloaded | Sysmon | 1 | Defense Evasion | T1562.006, T1562 | Impair Defenses, Indicator Blocking |
218 | Registry Run Key Pointing to a Suspicious Folder | Sysmon | 13 | Privilege Escalation, Persistence | T1547, T1547.001 | Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
219 | Equation Group DLL_U Load Detected | Sysmon | 1 | Defense Evasion, Execution | T1218.011, T1059, T1218 | Command and Scripting Interpreter, Signed Binary Proxy Execution, Command-Line Interface, Rundll32 |
220 | SAM Registry Hive Handle Request Detected | Security | 4656 | Discovery | T1012 | Query Registry |
221 | StoneDrill Service Install Detected | System | 7045 | Privilege Escalation, Persistence | T1543 | New Service, Create or Modify System Process |
222 | QBot Process Creation Detected | Sysmon | 1 | Execution | T1059.005, T1059 | Visual Basic, Command and Scripting Interpreter |
223 | Exploit for CVE-2017-8759 Detected | Sysmon | 1 | Execution | T1203 | Exploitation for Client Execution |
224 | Sysinternals Tool Usage | Sysmon | 13 | Lateral Movement, Execution | T1570 | Lateral Tool Transfer |
225 | Suspect Svchost Memory Access | Sysmon | 10 | Defense Evasion | T1562.001, T1562 | Disable or Modify Tools, Impair Defenses |
226 | Invocation of Active Directory Diagnostic Tool Detected | Sysmon | 1 | Credential Access | T1003 | OS Credential Dumping, Credential Dumping |
227 | Wmiprvse Spawning Process | Sysmon, Security | 1, 4688 | Execution | T1047 | Windows Management Instrumentation |
228 | Execution in Webserver Root Folder Detected | Sysmon | 1 | Persistence | T1505, T1505.003 | Server Software Component, Web Shell |
229 | Koadic Execution Detected | Sysmon | 1 | Defense Evasion, Execution | T1218.005, T1218 | Mshta, Signed Binary Proxy Execution |
230 | Droppers Exploiting CVE-2017-11882 Detected | Sysmon | 1 | Defense Evasion | T1211 | Exploitation for Defense Evasion |
231 | Powershell AMSI Bypass via dotNET Reflection | Sysmon | 1 | Defense Evasion, Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
232 | XOR Encoded PowerShell Command | Sysmon | 1 | Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
233 | Possible Privilege Escalation via Weak Service Permissions | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1134 | Access Token Manipulation |
234 | CrackMapExecWin Detected | Sysmon | 1 | Credential Access | T1003 | OS Credential Dumping, Credential Dumping |
235 | Query Registry Detected | Sysmon | 1 | Discovery | T1012, T1007 | System Service Discovery, Query Registry |
236 | Formbook Process Creation Detected | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1055 | Process Injection |
237 | PowerShell Network Connection Detected | Sysmon | 3 | Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
238 | Empire PowerShell Launch Parameters | Sysmon | 1 | Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
239 | Process Hollowing Detected | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1055, T1055.012 | Process Hollowing, Process Injection |
240 | Suspicious DLL or VBS Files being created in ProgramData | Sysmon | 11 | Execution | T1204.002 | Malicious File |
241 | BlueMashroom DLL Load Detected | Sysmon | 1 | Defense Evasion | T1218.010, T1218 | Regsvr32, Signed Binary Proxy Execution |
242 | Persistence and Execution at Scale via GPO Scheduled Task | Security | 5145 | Lateral Movement, Privilege Escalation, Execution, Persistence | T1053.005, T1053 | Scheduled Task, Scheduled Task/Job |
243 | Netsh Helper DLL - Registry Detected | Sysmon | 13, 12, 14 | Privilege Escalation, Persistence | T1546.007, T1546 | Netsh Helper DLL, Event Triggered Execution |
244 | Trickbot Malware Recon Activity Detected | Sysmon | 1 | Discovery | T1482 | Domain Trust Discovery |
245 | Event Instrumentation Manifest Uninstall | Sysmon | 1 | Defense Evasion | T1562.006, T1562 | Indicator Blocking, Impair Defenses |
246 | Weak Encryption Enabled for User | Security | 4738 | Defense Evasion | T1562.001, T1562 | Disable or Modify Tools, Impair Defenses |
247 | Creation of Encrypted Winrar archive via CLI | Sysmon | 1 | Defense Evasion, Collection | T1560.001, T1027.002, T1560, T1027 | Software Packing, Obfuscated Files or Information, Archive via Utility, Archive Collected Data |
248 | WMI Backdoor Exchange Transport Agent | Sysmon | 1 | Privilege Escalation, Persistence | T1546.003, T1546 | Windows Management Instrumentation Event Subscription, Event Triggered Execution |
249 | PowerShell Rundll32 Remote Thread Creation Detected | Sysmon | 8 | Defense Evasion, Execution | T1218.011, T1059, T1059.001, T1218 | Command and Scripting Interpreter, Signed Binary Proxy Execution, Rundll32, PowerShell |
250 | System Time Discovery | Sysmon | 1 | Discovery | T1124 | System Time Discovery |
251 | Shells Spawned by Web Servers | Sysmon | 1 | Privilege Escalation, Persistence | T1505, T1505.003 | Server Software Component, Web Shell |
252 | Successful Lateral Movement to Administrator via Pass the Hash using Mimikatz Detected | Security | 4624, 4672 | Lateral Movement, Defense Evasion | T1550.002, T1550 | Pass the Hash, Use Alternate Authentication Material |
253 | Suspicious RUN Key from Download Detected | Sysmon | 13 | Privilege Escalation, Persistence | T1547, T1547.001 | Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
254 | Data Compression Detected in Windows | Sysmon | 1 | Collection | T1560 | Archive Collected Data |
255 | Process Injection Detected | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1055 | Process Injection |
256 | Command-Line Interface Execution | Sysmon | 1 | Execution | T1059 | Command and Scripting Interpreter |
257 | System Information Discovery | Sysmon | 1 | Discovery | T1082 | System Information Discovery |
258 | Discovery via File and Directory Discovery Using Command Prompt | Security | 4688 | Discovery | T1083 | File and Directory Discovery |
259 | FromBase64String Command Line Detected | Sysmon | 1 | Defense Evasion, Execution | T1059.001, T1059.003, T1140, T1027 | Deobfuscate/Decode Files or Information, Obfuscated Files or Information, PowerShell, Windows Command Shell |
260 | BITS Jobs - Process Detected | Sysmon | 1 | Defense Evasion, Persistence | T1197 | BITS Jobs |
261 | Mustang Panda Dropper Detected | Sysmon | 1 | Defense Evasion | T1211 | Exploitation for Defense Evasion |
262 | Possible Hijack of Legit RDP Session to Move Laterally | Sysmon | 11 | Lateral Movement, Privilege Escalation, Persistence | T1547, T1563.002, T1563, T1547.001 | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution, Remote Service Session Hijacking, RDP Hijacking |
263 | PowerShell PSAttack Detected | Microsoft-Windows-PowerShell/Operational | 4103 | Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
264 | System File Execution Location Anomaly Detected | Sysmon | 1 | Defense Evasion | T1036 | Masquerading |
265 | System Network Connections Discovery | Sysmon | 1 | Discovery | T1049 | System Network Connections Discovery |
266 | PsExec Tool Execution Detected | System, Sysmon | 1, 7045, 7036 | Execution | T1569.002, T1569 | Service Execution, System Services |
267 | Possible Bitsadmin Download Detected | Sysmon | 1 | Defense Evasion, Persistence | T1197 | BITS Jobs |
268 | CMSTP Execution Detected | Sysmon | 1, 10, 13, 12 | Defense Evasion, Execution | T1218.003, T1218 | Signed Binary Proxy Execution, CMSTP |
269 | File Creation by Command Prompt | Sysmon | 11 | Execution | T1059, T1059.003 | Command and Scripting Interpreter, Windows Command Shell |
270 | Meterpreter or Cobalt Strike Getsystem Service Start Detected | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1134 | Access Token Manipulation |
271 | Suspicious Kerberos RC4 Ticket Encryption | Security | 4769 | Credential Access | T1558, T1558.003 | Steal or Forge Kerberos Tickets, Kerberoasting |
272 | Bypassing Application Whitelisting with Regsvr32 | Sysmon | 1 | Defense Evasion, Execution | T1218.010, T1218 | Regsvr32, Signed Binary Proxy Execution |
273 | Suspicious File or Directory Permission Modification | Security | 4688 | Defense Evasion | T1222.001 | Windows File and Directory Permissions Modification, File and Directory Permissions Modification |
274 | Possible App Whitelisting Bypass via WinDbg CDB as a Shellcode Runner | Sysmon | 1 | Defense Evasion, Execution | T1218 | Signed Binary Proxy Execution |
275 | DHCP Server Loaded the CallOut DLL | Application | 1033 | Privilege Escalation, Defense Evasion, Persistence | T1574, T1574.002 | Hijack Execution Flow, DLL Side-Loading |
276 | SoftPerfect Network Scanner Execution | Sysmon | 1 | Discovery | T1046 | Network Service Scanning |
277 | EXE or DLL Dropped in Perflogs Folder | Sysmon | 11 | | | |
278 | Windows Crash Dump Disabled | Sysmon | 13 | Defense Evasion | T1112 | Modify Registry |
279 | Reconnaissance Activity with Net Command | Sysmon | 1 | Reconnaissance, Discovery | T1082, T1592, T1087, T1589 | Gather Victim Host Information, System Information Discovery, Account Discovery, Gather Victim Identity Information |
280 | S3 Browser Execution | Sysmon | 1 | Exfiltration | T1567, T1567.002 | Exfiltration to Cloud Storage, Exfiltration Over Web Service |
281 | CACTUSTORCH Remote Thread Creation Detected | Sysmon | 8 | Privilege Escalation, Defense Evasion, Execution | T1055, T1059 | Command and Scripting Interpreter, Process Injection |
282 | Ping Hex IP Detected | Sysmon | 1 | | | |
283 | HH Execution Detected | Sysmon | 1 | Defense Evasion, Execution | T1218.001, T1218 | Compiled HTML File, Signed Binary Proxy Execution |
284 | Suspicious Outbound RDP Connections Detected | Sysmon | 3 | Lateral Movement | T1210 | Exploitation of Remote Services |
285 | PowerShell Base64 Encoded Shellcode Detected | Sysmon | 1 | Defense Evasion | T1036 | Masquerading |
286 | Suspicious Debugger Registration Cmdline | Sysmon | 1 | Privilege Escalation, Persistence | T1546.008, T1546 | Accessibility Features, Event Triggered Execution |
287 | Sysmon Manifest Tampering | Sysmon | 1 | Defense Evasion | T1562.006, T1562 | Indicator Blocking, Impair Defenses |
288 | Grabbing Sensitive Hives via Reg Utility | Sysmon | 1 | Credential Access | T1552.002, T1552 | Unsecured Credentials, Credentials in Registry |
289 | SCM Database Handle Failure Detected | Security | 4656 | Impact | T1499 | Endpoint Denial of Service |
290 | Active Directory Replication from Non Machine Account | Security | 4662 | Credential Access | T1003, T1003.006 | DCSync, OS Credential Dumping |
291 | User Group Enumeration by Non-Administrator Detected | Security | 4798 | Discovery | T1087 | Account Discovery |
292 | Suspicious Driver Load from Temp | Sysmon | 6 | Privilege Escalation, Persistence | T1543 | New Service, Create or Modify System Process |
293 | Signature Revoked Driver Loading Detected | Sysmon | 6 | Execution | T1129 | Execution through Module Load, Shared Modules |
294 | TrickBot - Disabling of Windows Defender Real Time Monitoring Detected | Microsoft-Windows-Windows Defender/Operational | 5001 | Defense Evasion | T1027 | Obfuscated Files or Information |
295 | Stealthy VSTO Persistence | Sysmon | 13 | Persistence | T1137.006 | Add-ins |
296 | Credentials Dumping Tools Accessing LSASS Memory | Sysmon | 10 | Credential Access | T1003, T1003.001 | OS Credential Dumping, LSASS Memory |
297 | Command Obfuscation via Character Insertion | Sysmon | 1 | Defense Evasion, Execution | T1059, T1059.003 | Command and Scripting Interpreter, Windows Command Shell |
298 | PowerView PowerShell Commandlets | Microsoft-Windows-PowerShell/Operational | 4104 | Execution | T1059, T1059.001 | Command and Scripting Interpreter, PowerShell |
299 | Suspicious Keyboard Layout Load Detected | Sysmon | 13 | | | |
300 | WMI - Network | Sysmon | 3 | Execution | T1047 | Windows Management Instrumentation |
301 | Possible Executable Used by PlugX in Uncommon Location | Sysmon | 1 | Privilege Escalation, Defense Evasion, Persistence | T1574, T1574.002 | Hijack Execution Flow, DLL Side-Loading |
302 | Bypass User Access Control using Registry | Sysmon | 13, 12, 14 | Privilege Escalation, Defense Evasion | T1548 | Bypass User Account Control, Abuse Elevation Control Mechanism |
303 | Sysmon Driver Unload Detected | Sysmon | 255 | Defense Evasion | T1562.001, T1562 | Disable or Modify Tools, Impair Defenses |
304 | WMI Modules Loaded | Sysmon | 7 | Execution | T1047 | Windows Management Instrumentation |
305 | Windows Management Instrumentation DLL Loaded Via Microsoft Word | Sysmon | 7 | Execution | T1047 | Windows Management Instrumentation |
306 | Component Object Model Hijacking Detected | Sysmon | 13, 12, 14 | Privilege Escalation, Persistence | T1546.015, T1546 | Component Object Model Hijacking, Event Triggered Execution |
307 | Sysprep on AppData Folder Detected | Sysmon | 1 | Defense Evasion | T1036 | Masquerading |
308 | Possible Process Hollowing Image Loading | Sysmon | 7 | Privilege Escalation, Defense Evasion, Persistence | T1055, T1574, T1055.012, T1574.002 | Process Injection, DLL Side-Loading, Hijack Execution Flow, Process Hollowing |
309 | Possible GootKit WScript Execution | Security | 4688 | | | |
310 | PowerShell Network Connections Detected | Sysmon | 3 | Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
311 | Wsreset UAC Bypass Detected | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1548, T1548.002 | Bypass User Account Control, Abuse Elevation Control Mechanism |
312 | Adwind RAT JRAT Detected | Sysmon | 1, 11, 13 | Execution | T1059.007, T1059.005, T1059, T1059.003, T1059.001 | Visual Basic, JavaScript, Command and Scripting Interpreter, PowerShell, Windows Command Shell |
313 | Rare Service Installs Detected | System | 7045 | Privilege Escalation, Persistence | T1543 | Create or Modify System Process |
314 | MavInject Process Injection Detected | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1055, T1218 | Signed Binary Proxy Execution, Process Injection |
315 | Credential Dumping with ImageLoad Detected | Sysmon | 7 | Credential Access | T1003 | OS Credential Dumping, Credential Dumping |
316 | MMC20 Lateral Movement Detected | Sysmon | 1 | Execution | T1559.001, T1559 | Inter-Process Communication, Component Object Model |
317 | Clearing of PowerShell Logs Detected | Microsoft-Windows-PowerShell/Operational | 4103 | Defense Evasion | T1070 | Indicator Removal on Host |
318 | Mitre - Initial Access - Hardware Addition - Removable Storage Connected | Microsoft-Windows-Windows Defender/Operational | 2003 | Initial Access | T1200 | Hardware Additions |
319 | Reconnaissance Activity Detected | Security | 4661 | Discovery | T1087, T1069 | Permission Groups Discovery, Account Discovery |
320 | Interactive AT Job Detected | Sysmon | 1 | Privilege Escalation, Execution, Persistence | T1053.005, T1053 | Scheduled Task, Scheduled Task/Job |
321 | Named Pipe added to Null Session Detected | Sysmon | 13 | Lateral Movement | T1021 | Remote Services |
322 | Suspicious Commandline Escape Detected | Sysmon | 1 | Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
323 | RDP Over Reverse SSH Tunnel Detected | Sysmon | 3 | Lateral Movement | T1021, T1021.001 | Remote Services, Remote Desktop Protocol |
324 | Sysinternals Tool Usage - PsExec | Sysmon | 13 | Lateral Movement | T1570 | Lateral Tool Transfer |
325 | Possible DNS Rebinding Detected | Sysmon | 22 | | | |
326 | Logon Scripts Detected | Sysmon | 1, 11, 13, 12, 14 | Lateral Movement, Privilege Escalation, Persistence | T1037 | Logon Scripts, Boot or Logon Initialization Scripts |
327 | Network Share Connection Removed | Sysmon | 1 | Defense Evasion | T1070.005, T1070 | Network Share Connection Removal, Indicator Removal on Host |
328 | Default Audit Policy Changed | Security | 4715, 4817, 4905, 4902, 4912, 4719, 4907, 4906, 4904 | | | |
329 | UAC Bypass via SDCLT | Sysmon | 1 | Privilege Escalation | T1548, T1548.002 | Bypass User Account Control, Abuse Elevation Control Mechanism |
330 | RDP over Reverse SSH Tunnel WFP | Security | 5156 | Command and Control, Lateral Movement | T1021, T1021.001, T1090 | Remote Desktop Protocol, Remote Services, Proxy |
331 | Application Shimming - File Access Detected | Sysmon | 11, 1, 13, 12, 14 | Privilege Escalation, Persistence | T1546, T1546.011 | Application Shimming, Event Triggered Execution |
332 | Microsoft Build Engine Loading Credential Libraries | Sysmon | 7 | Credential Access | T1003, T1003.002 | OS Credential Dumping, Security Account Manager |
333 | DNS Exfiltration Tools Execution Detected | Sysmon | 1 | Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
334 | Execution in Non-Executable Folder Detected | Sysmon | 1 | Defense Evasion | T1036 | Masquerading |
335 | DNS ServerLevelPlugin Dll Install | Sysmon | 1, 13 | Privilege Escalation, Defense Evasion, Persistence | T1574, T1574.002 | Hijack Execution Flow, DLL Side-Loading |
336 | WMIExec VBS Script Detected | Sysmon | 1 | Execution | T1059.005, T1059 | Visual Basic, Command and Scripting Interpreter |
337 | Possible APT29 Activity Detected | Sysmon | 1 | Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
338 | Suspicious MsiExec Directory Detected | Sysmon | 1 | Defense Evasion | T1036 | Masquerading |
339 | Credential Access via Pypykatz | Sysmon | 10 | Credential Access | T1003.001 | LSASS Memory |
340 | Narrators Feedback-Hub Persistence Detected | Sysmon | 13, 12 | Privilege Escalation, Persistence | T1547, T1547.001 | Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder |
341 | QuarksPwDump Clearing Access History Detected | Sysmon | 16 | Privilege Escalation, Credential Access, Initial Access, Defense Evasion, Persistence | T1003, T1078, T1003.003, T1078.003 | OS Credential Dumping, Valid Accounts, NTDS, Local Accounts |
342 | Kerberoasting via PowerShell Detected | Microsoft-Windows-PowerShell/Operational | 4103 | Credential Access | T1558, T1558.003 | Steal or Forge Kerberos Tickets, Kerberoasting |
343 | Suspicious Call by Ordinal Detected | Security | 4688 | Defense Evasion, Execution | T1218.011, T1218 | Rundll32, Signed Binary Proxy Execution |
344 | Bypass UAC via WSReset Detected | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1548, T1548.002 | Bypass User Account Control, Abuse Elevation Control Mechanism |
345 | Netsh Helper DLL - Process Detected | Sysmon | 1 | Privilege Escalation, Persistence | T1546.007, T1546 | Netsh Helper DLL, Event Triggered Execution |
346 | Encoded FromBase64String Detected | Sysmon | 1 | Defense Evasion, Execution | T1140, T1059, T1059.001 | PowerShell, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter |
347 | Forced Authentication Detected | Sysmon | 11 | Credential Access | T1187 | Forced Authentication |
348 | Local Accounts Discovery Detected | Sysmon | 1 | Discovery | T1033, T1087 | System Owner/User Discovery, Account Discovery |
349 | Run PowerShell Script from ADS Detected | Sysmon | 1 | Defense Evasion | T1564, T1564.004 | NTFS File Attributes, Hide Artifacts |
350 | Enabled User Right in AD to Control User Objects | Security | 4704 | Privilege Escalation, Defense Evasion, Initial Access, Persistence | T1078 | Valid Accounts |
351 | Powerview Add-DomainObjectAcl DCSync AD Extend Right | Security | 5136 | Privilege Escalation, Persistence | T1098 | Account Manipulation |
352 | Non Interactive PowerShell Execution | Sysmon | 1 | Execution | T1059 | Command and Scripting Interpreter, PowerShell |
353 | Net exe Execution Detected | Sysmon | 1 | Lateral Movement, Defense Evasion, Discovery | T1021, T1049, T1135, T1027 | Obfuscated Files or Information, System Network Connections Discovery, Remote Services, Network Share Discovery |
354 | Possible Pass the Hash Activity Detected | Security | 4624 | Lateral Movement, Defense Evasion | T1550.002, T1550 | Pass the Hash, Use Alternate Authentication Material |
355 | Audio Capture via SoundRecorder | Sysmon | 1 | Collection | T1123 | Audio Capture |
356 | Windows Admin Shares - Process | Sysmon | 1 | Lateral Movement | T1021, T1021.002 | Remote Services, SMB/Windows Admin Shares |
357 | Iranian APT Lateral Movement using Pass the Hash | Microsoft-Windows-PowerShell/Operational | 4104 | Lateral Movement, Defense Evasion | T1550.002, T1550 | Pass the Hash, Use Alternate Authentication Material |
358 | Turla Group Named Pipes Detected | Sysmon | 18, 17 | Privilege Escalation, Defense Evasion | T1055 | Process Injection |
359 | Suspicious Svchost Process Detected | Sysmon | 1 | Defense Evasion | T1036, T1036.005 | Match Legitimate Name or Location, Masquerading |
360 | Password Dumper Activity on LSASS | Security | 4656 | Credential Access | T1003 | OS Credential Dumping, Credential Dumping |
361 | Masquerading Extension Detected | Sysmon | 1 | Defense Evasion | T1036 | Masquerading |
362 | Possible SPN Enumeration Detected | Sysmon | 1 | Credential Access | T1558, T1558.003 | Steal or Forge Kerberos Tickets, Kerberoasting |
363 | Suspicious Program Location Process Starts Detected | Sysmon | 1 | Defense Evasion | T1036 | Masquerading |
364 | Credential Dumping - Process Access | Sysmon | 10 | Credential Access | T1003 | OS Credential Dumping |
365 | Suspicious CSharp or FSharp Interactive Console Execution | Sysmon | 1 | Defense Evasion | T1127 | Trusted Developer Utilities Proxy Execution, Trusted Developer Utilities |
366 | Network Sniffing Detected | Sysmon | 1 | Credential Access, Discovery | T1040 | Network Sniffing |
367 | Suspicious Code Page Switch Detected | Sysmon | 1 | Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
368 | Execution via Squiblydoo Technique Detected | Sysmon | 7 | Defense Evasion, Execution | T1218.010, T1218 | Regsvr32, Signed Binary Proxy Execution |
369 | Possible Impacket SecretDump Remote Activity | Security | 5145 | Credential Access | T1003 | OS Credential Dumping |
370 | WannaCry Ransomware Detected | Sysmon | 1 | Credential Access, Execution, Defense Evasion | T1003, T1218.011, T1070, T1218 | Indicator Removal on Host, Credential Dumping, Signed Binary Proxy Execution, Rundll32, OS Credential Dumping |
371 | Login with WMI Detected | Security | 4624 | Execution | T1047 | Windows Management Instrumentation |
372 | Suspicious Bitsadmin Job via PowerShell | Sysmon | 1 | Defense Evasion, Persistence | T1197 | BITS Jobs |
373 | Devtoolslauncher Executes Specified Binary | Sysmon | 1 | Defense Evasion | T1218 | Signed Binary Proxy Execution |
374 | MMC Spawning Windows Shell Detected | Sysmon | 1 | Defense Evasion, Execution | T1202, T1059 | Indirect Command Execution, Command and Scripting Interpreter |
375 | Execution via Control Panel Items | Sysmon | 1 | Defense Evasion | T1218.002, T1218 | Control Panel, Signed Binary Proxy Execution |
376 | Application Whitelisting Bypass via Bginfo Detected | Sysmon | 1 | Defense Evasion | T1218 | Signed Binary Proxy Execution |
377 | Hidden Files and Directories Detected | Sysmon | 1 | Defense Evasion, Persistence | T1564, T1564.001 | Hidden Files and Directories, Hide Artifacts |
378 | NotPetya Ransomware Activity Detected | Sysmon | 1 | Defense Evasion | T1218.011, T1070, T1218 | Indicator Removal on Host, Rundll32, Signed Binary Proxy Execution |
379 | SecurityXploded Tool Detected | Sysmon | 1 | Credential Access | T1003 | OS Credential Dumping |
380 | Obfuscated Files Detected | Sysmon | 1 | Defense Evasion | T1027 | Obfuscated Files or Information |
381 | BCDEdit Safe Mode Command Execution | Sysmon | 1 | Impact | T1490 | Inhibit System Recovery |
382 | Emotet Process Creation Detected | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1055 | Process Injection |
383 | NoPowerShell Tool Activity Detected | Sysmon | 11 | Execution | T1129 | Shared Modules |
384 | Suspicious Encoded PowerShell Command Line | Sysmon | 1 | Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
385 | Default PowerSploit and Empire Schtasks Persistence | Sysmon | 1 | Privilege Escalation, Execution, Persistence | T1053.005, T1059, T1053, T1059.001 | Command and Scripting Interpreter, Scheduled Task, PowerShell, Scheduled Task/Job |
386 | Active Directory Module Load in PowerShell | Microsoft-Windows-PowerShell/Operational | 4103 | Execution | T1059, T1059.001 | Command and Scripting Interpreter, PowerShell |
387 | XSL Script Processing Detected | Sysmon | 1 | Defense Evasion, Execution | T1220 | XSL Script Processing |
388 | Netsh Port Forwarding Detected | Sysmon | 1 | Privilege Escalation, Persistence | T1546.007, T1546 | Netsh Helper DLL, Event Triggered Execution |
389 | Impair Defenses - Disable or Modify Tools - Service stopped | Sysmon | 1 | Defense Evasion | T1562.001, T1562 | Disable or Modify Tools, Impair Defenses |
390 | Remote Connection Established via Msbuild | Sysmon | 3 | Defense Evasion | T1127.001 | MSBuild |
391 | Application Whitelisting Bypass via Dxcap Detected | Sysmon | 1 | Defense Evasion | T1218 | Signed Binary Proxy Execution |
392 | Ursnif Detected | Sysmon | 13 | Defense Evasion, Execution | T1112 | Modify Registry |
393 | New DLL Added to AppInit_DLLs Registry Key Detected | Sysmon | 13, 12, 14 | Privilege Escalation, Persistence | T1546.010, T1546 | AppInit DLLs, Event Triggered Execution |
394 | WMI Persistence - Script Event Consumer Detected | Sysmon | 1 | Privilege Escalation, Persistence | T1546.003, T1546 | Windows Management Instrumentation Event Subscription, Event Triggered Execution |
395 | Query Registry Network | Sysmon | 3 | Discovery | T1012 | Query Registry |
396 | Disable of ETW Trace Detected | Sysmon | 1 | Defense Evasion | T1562.006, T1562 | Indicator Blocking, Impair Defenses |
397 | Suspicious Windows ANONYMOUS LOGON Local Account Creation | Security | 4720 | Persistence | T1136 | Create Account |
398 | Possible Applocker Bypass Detected | Sysmon | 1 | Defense Evasion | T1218.009, T1127, T1218.005, T1218.004, T1218 | Trusted Developer Utilities, Regsvcs/Regasm, Trusted Developer Utilities Proxy Execution, Signed Binary Proxy Execution, InstallUtil, Mshta |
399 | Bypass UAC via CMSTP Detected | Sysmon | 1 | Privilege Escalation, Defense Evasion, Execution | T1218.003, T1548, T1548.002, T1218 | Bypass User Account Control, Abuse Elevation Control Mechanism, Signed Binary Proxy Execution, CMSTP |
400 | RClone Utility Execution | Sysmon | 1 | Exfiltration | T1567, T1567.002 | Exfiltration to Cloud Storage, Exfiltration Over Web Service |
401 | Winnti Malware HK University Campaign | Sysmon | 1 | Privilege Escalation, Defense Evasion, Persistence | T1574, T1574.002 | Hijack Execution Flow, DLL Side-Loading |
402 | WMI Persistence - Script Event Consumer File Write | Sysmon | 11 | Privilege Escalation, Persistence | T1546.003, T1546 | Windows Management Instrumentation Event Subscription, Event Triggered Execution |
403 | Bypass User Account Control using Registry | Sysmon | 13, 12 | Privilege Escalation, Defense Evasion | T1548, T1548.002 | Bypass User Account Control, Abuse Elevation Control Mechanism |
404 | Windows User Account Created via Command Line | Sysmon | 1 | Persistence | T1136 | Create Account |
405 | Renamed jusched Detected | Sysmon | 1 | Defense Evasion, Execution | T1036 | Masquerading |
406 | Alternate PowerShell Hosts Pipe Detected | Sysmon | 17 | Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
407 | Suspicious XOR Encoded PowerShell Command Line | Sysmon | 1 | Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
408 | Remote Task Creation via ATSVC Named Pipe | Security | 5145 | Lateral Movement, Privilege Escalation, Execution, Persistence | T1053.005, T1053 | Scheduled Task, Scheduled Task/Job |
409 | Trusted Developer Utilities Detected | Sysmon | 1 | Defense Evasion, Execution | T1127 | Trusted Developer Utilities Proxy Execution, Trusted Developer Utilities |
410 | MSTSC Shadowing Detected | Sysmon | 1 | Lateral Movement | T1563.002, T1563 | Remote Service Session Hijacking, RDP Hijacking |
411 | Netsh RDP Port Forwarding Detected | Sysmon | 1 | Lateral Movement | T1021 | Remote Services |
412 | Suspicious Access to Sensitive File Extensions | Security | 5145 | Collection | T1074 | Data Staged |
413 | SolarWinds Supply Chain Compromise Suspicious File Drop | Sysmon | 11 | Initial Access | T1195, T1195.002 | Supply Chain Compromise, Compromise Software Supply Chain |
414 | Suspicious PsExec Execution Detected | Security | 5145 | Lateral Movement | T1570 | Lateral Tool Transfer |
415 | Empire PowerShell UAC Bypass Detected | Sysmon | 1 | Privilege Escalation, Defense Evasion | T1548 | Bypass User Account Control, Abuse Elevation Control Mechanism |
416 | Possible Detection of SafetyKatz | Sysmon | 11 | Credential Access | T1003, T1003.001 | OS Credential Dumping, LSASS Memory |
417 | Turla Service Install Detected | System | 7045 | Privilege Escalation, Persistence | T1543, T1543.003 | Windows Service, Create or Modify System Process |
418 | Hiding Files with Attrib Detected | Sysmon | 1 | Defense Evasion, Persistence | T1564, T1564.001 | Hidden Files and Directories, Hide Artifacts |
419 | Enabling of RDP Service | Sysmon | 13 | Defense Evasion | T1112 | Modify Registry |
420 | HandleKatz Duplicating LSASS Handle | Sysmon | 10 | Credential Access | T1003, T1003.001, T1003.006 | LSASS Memory |
421 | Unidentified Attacker November 2018 Detected | Sysmon | 1, 11 | Defense Evasion, Execution | T1218.011, T1218 | Rundll32, Signed Binary Proxy Execution |
422 | PowerShell Download from URL Detected | Sysmon | 1 | Execution | T1059, T1059.001 | PowerShell, Command and Scripting Interpreter |
423 |
Scheduled Task Deletion |
Sysmon |
1 |
Privilege Escalation, Execution, Persistence |
T1053.005,T1053 |
Scheduled Task,Scheduled Task/Job |
424 |
Suspicious PowerShell Command Detected |
Sysmon |
1 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
425 |
Tasks Folder Evasion Detected |
Security |
4688 |
Privilege Escalation, Privilege Escalation,Defense Evasion, Defense Evasion,Persistence |
T1574,T1574.002 |
Hijack Execution Flow,DLL Side-Loading |
426 |
Disable Security Events Logging Adding Reg Key MiniNt |
Sysmon |
12 |
Defense Evasion |
T1562.001,T1562 |
Disable or Modify Tools, Disable or Modify Tools,Impair Defenses |
427 |
Mitre Execution Attack using Install Util |
Sysmon |
1 |
Defense Evasion,Execution |
T1218.004,T1218 |
Install Util,Signed Binary Proxy Execution,InstallUtil |
428 |
PowerShell Profile Modification |
Microsoft-Windows-PowerShell/ Operational |
4103 |
Privilege Escalation, Execution, Persistence |
T1059.001, T1059, T1546, T1546.013 |
Command and Scripting Interpreter,PowerShell Profile,Event Triggered Execution,PowerShell |
429 |
Application Whitelisting Bypass via Dnx Detected |
Sysmon |
1 |
Defense Evasion |
T1218 |
Signed Binary Proxy Execution |
430 |
Operation Wocao Activity Detected |
Sysmon, Security |
14,799 |
Privilege Escalation, Privilege Escalation, Persistence, Defense Evasion, Execution, Persistence, Discovery |
T1053.005, T1053, T1012, T1036, T1036.004, T1211 |
Query Registry, Masquerading, Scheduled Task, Masquerade Task or Service, Exploitation for Defense Evasion, Scheduled Task/Job |
431 |
Time Providers Access Detected |
Sysmon |
13,12,14 |
Privilege Escalation, Persistence |
T1547,T1547.003 |
Boot or Logon Autostart Execution,Boot or Logon Autostart Execution, Time Providers,Time Providers |
432 |
Windows Registry Trust Record Modification Detected |
Sysmon |
12 |
Initial Access |
T1566,T1566.001 |
Phishing, Phishing,Spearphishing Attachment, Spearphishing Attachment |
433 |
Exploiting SetupComplete CVE-2019-1378 Detected |
Sysmon |
1 |
Privilege Escalation,Defense Evasion |
T1055 |
Process Injection |
434 |
WMI Process Execution |
Sysmon |
1 |
Execution |
T1047 |
Windows Management Instrumentation |
435 |
Install Root Certificate |
Sysmon |
13,12,14 |
Defense Evasion |
T1553.004,T1553 |
Install Root Certificate,Install Root Certificate, Subvert Trust Controls,Subvert Trust Controls |
436 |
Windows Shell Spawning Suspicious Program |
Sysmon |
1 |
Execution |
|
|
437 |
Possible DC Sync Detected |
Security |
4742 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
438 |
Microsoft Binary Suspicious Communication Endpoint Detected |
Sysmon |
3 |
Lateral Movement, Command and Control |
T1105 |
Remote File Copy,Ingress Tool Transfer |
439 |
Batch Scripting Detected |
Sysmon |
11 |
Execution |
T1059 |
Command and Scripting Interpreter |
440 |
SCM Database Privileged Operation Detected |
Security |
4674 |
Privilege Escalation, Defense Evasion |
T1548,T1548.002 |
Bypass User Account Control,Bypass User Account Control,Abuse Elevation Control Mechanism |
441 |
CreateRemoteThread API and LoadLibrary |
Sysmon |
8 |
Privilege Escalation, Defense Evasion |
T1055 |
Process Injection |
442 |
Possible SquiblyTwo Detected |
Sysmon |
1 |
Defense Evasion,Execution |
T1047 |
Windows Management Instrumentation |
443 |
Suspicious Filename Detected |
Sysmon |
1 |
Defense Evasion |
T1027 |
Obfuscated Files or Information |
444 |
Powershell AMSI Bypass via .NET Reflection |
Sysmon |
1 |
Defense Evasion,Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
445 |
TimeStomping via PowerShell Detected |
Microsoft-Windows-PowerShell/ Operational |
4103 |
Defense Evasion |
T1070.006,T1070 |
Timestomp,Indicator Removal on Host, Indicator Removal on Host,Timestomp |
446 |
Signed Binary Proxy Execution - Network Detected |
Sysmon |
3 |
Defense Evasion |
T1218 |
Signed Binary Proxy Execution |
447 |
Suspicious Remote Thread Created |
Sysmon |
8 |
Privilege Escalation,Defense Evasion |
T1055 |
Process Injection |
448 |
Possible Privilege Escalation via Service Permissions Weakness |
Sysmon |
13 |
Privilege Escalation,Defense Evasion,Persistence |
T1574,T1574.011 |
Services Registry Permissions Weakness,Hijack Execution Flow,Service Registry Permissions Weakness |
449 |
DLL Loader Component Write Detected |
Sysmon |
11 |
|
|
|
450 |
Domain Trust Discovery Detected |
Sysmon |
1 |
Discovery |
T1482 |
Domain Trust Discovery |
451 |
MSHTA Spwaned by SVCHOST Detected |
Sysmon |
1 |
Defense Evasion,Execution |
T1218.005,T1218 |
Mshta, Mshta,Signed Binary Proxy Execution, Signed Binary Proxy Execution |
452 |
Windows AD Account Information Collection |
Security |
4688 |
Collection |
|
|
453 |
Accessibility Features - Registry |
Sysmon |
13,12,14 |
Privilege Escalation,Persistence |
T1546.008,T1546 |
Accessibility Features,Accessibility Features,Event Triggered Execution, Event Triggered Execution |
454 |
REvil Kaseya Incident Process Execution |
Security |
4688 |
Execution |
|
Sodinokibi,threat_actor: REvil |
455 |
Psexec Renamed SysInternals Tool Detected |
Sysmon |
1 |
Defense Evasion |
T1036,T1036.003 |
Rename System Utilities,Masquerading |
456 |
Windows Credential Editor Detected |
Sysmon |
1,13 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
457 |
Windows Persistence Using Scheduled Task via Telemetry |
Security |
4657 |
Privilege Escalation, Execution, Persistence |
T1053.005, T1053 |
Scheduled Task,Scheduled Task/Job |
458 |
Possible Access to ADMIN Share |
Security |
5140 |
Lateral Movement |
T1021,T1021.002 |
Remote Services,SMB/Windows Admin Shares |
459 |
Suspicious RDP Redirect Using TSCON Detected |
Sysmon |
1 |
Lateral Movement, Privilege Escalation |
T1021,T1021.001 |
Remote Services,Remote Services, Remote Desktop Protocol,Remote Desktop Protocol |
460 |
Time-Stomping of Users Directory Files Detected |
Sysmon |
2 |
Defense Evasion |
T1070.006,T1070 |
Timestomp,Indicator Removal on Host, Indicator Removal on Host,Timestomp |
461 |
Suspicious In-Memory Module Execution Detected |
Sysmon |
10 |
Privilege Escalation, Defense Evasion |
T1055 |
Process Injection |
462 |
Mitre Lateral Movement Using Remote Services Detected |
System |
7045 |
Lateral Movement |
T1210 |
Exploitation of Remote Services |
463 |
Advanced IP Scanner Execution |
Sysmon |
1 |
Discovery |
T1046 |
Network Service Scanning |
464 |
Suspicious Compression Tool Parameters |
Sysmon |
1 |
Exfiltration, Collection |
T1020,T1560 |
Automated Exfiltration, Archive Collected Data,Archive Collected Data, Data Compressed |
465 |
DCSync detected |
Security |
47,424,662 |
Credential Access |
T1003,T1003.006 |
DCSync,OS Credential Dumping |
466 |
SolarWinds Supply Chain Compromise Suspicious Process Creations |
Sysmon |
1 |
Initial Access |
T1195,T1195.002 |
Supply Chain Compromise, Compromise Software Supply Chain |
467 |
First Time Seen Remote Named Pipe |
Security |
5145 |
Lateral Movement |
T1021 |
Remote Services |
468 |
Fsutil Suspicious Invocation Detected |
Sysmon |
1 |
Defense Evasion |
T1070 |
Indicator Removal on Host |
469 |
Windows 10 Scheduled Task SandboxEscaper 0 day Detected |
Sysmon |
1 |
Privilege Escalation, Execution, Persistence |
T1053.005,T1053 |
Scheduled Task,Scheduled Task/Job, Scheduled Task |
470 |
Hidden Files and Directories - VSS Detected |
Sysmon |
1 |
Defense Evasion,Persistence |
T1564,T1564.001 |
Hidden Files and Directories, Hidden Files and Directories, Hide Artifacts,Hide Artifacts |
471 |
Printer Plugin Load Failed |
Microsoft-Windows-PrintService/ Operational |
808 |
Privilege Escalation |
T1068 |
Exploitation for Privilege Escalation |
472 |
Possible Kerberoasting via Rubeus |
Sysmon |
7 |
Credential Access |
T1558,T1558.003 |
Steal or Forge Kerberos Tickets,Kerberoasting |
473 |
Terminal Service Process Spawn Detected |
Sysmon |
1 |
Lateral Movement |
T1210 |
Exploitation of Remote Services |
474 |
Net exe User Account Creation |
Sysmon |
1 |
Credential Access,Persistence |
T1136 |
Create Account |
475 |
MSHTA Spawning Windows Shell Detected |
Sysmon |
1 |
Defense Evasion,Execution |
T1218.005,T1218 |
Mshta, Mshta,Signed Binary Proxy Execution, Signed Binary Proxy Execution |
476 |
Remote File Execution via MSIEXEC |
Sysmon |
1 |
Defense Evasion |
T1218.007,T1218 |
Msiexec,Signed Binary Proxy Execution |
477 |
System Service Discovery |
Sysmon |
1 |
Discovery |
T1007 |
System Service Discovery |
478 |
WCE wceaux dll Access Detected |
Security |
4656, 4660, 4658, 4660 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
479 |
Macro file Creation Detected |
Sysmon |
11 |
Execution |
T1059 |
Command and Scripting Interpreter |
480 |
Regsvr32 Network Activity |
Sysmon |
3,22 |
Defense Evasion |
T1218.010,T1218 |
Signed Binary Proxy Execution,Regsvr32 |
481 |
RDP Connection Inititated from Suspicious Country |
Microsoft-Windows-Terminal Services-Remote Connection Manager/ Operational |
1149 |
Privilege Escalation,Defense Evasion,Initial Access,Persistence |
T1078,T1078.002 |
Valid Accounts,Domain Accounts |
482 |
MS Office Product Spawning Exe in User Dir |
Sysmon |
1 |
Defense Evasion,Execution |
T1202,T1059 |
Indirect Command Execution,Command and Scripting Interpreter,Command-Line Interface |
483 |
PowerShell Downloads Process Executed |
Sysmon |
1 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
484 |
CobaltStrike Process Injection Detected |
Sysmon |
8 |
Privilege Escalation,Defense Evasion |
T1055 |
Process Injection |
485 |
Malicious Named Pipe Detected |
Sysmon |
18,17 |
Privilege Escalation,Defense Evasion |
T1055 |
Process Injection |
486 |
Execution of File Written or Modified by Microsoft Office |
Sysmon |
11,1 |
Initial Access |
T1566,T1566.001 |
Phishing,Spearphishing Attachment |
487 |
Windows Network Enumeration Detected |
Sysmon |
1 |
Discovery |
T1018 |
Remote System Discovery |
488 |
Password Policy Discovery |
Sysmon |
1 |
Discovery |
T1201 |
Password Policy Discovery |
489 |
Sticky Key Like Backdoor Usage Detected |
Sysmon |
1,13 |
Privilege Escalation, Persistence |
T1546.008,T1546 |
Accessibility Features,Accessibility Features,Event Triggered Execution, Event Triggered Execution |
490 |
SysKey Registry Keys Access |
Security |
46,564,663 |
Discovery |
T1012 |
Query Registry |
491 |
Weak Encryption Enabled and Kerberoast |
Security |
4738 |
Defense Evasion |
T1562.001,T1562 |
Disable or Modify Tools, Disable or Modify Tools,Impair Defenses |
492 |
VBA DLL Loaded by Office |
Sysmon |
7 |
Initial Access |
T1566,T1566.001 |
Phishing, Phishing,Spearphishing Attachment, Spearphishing Attachment |
493 |
WMI DLL Loaded by Office |
Sysmon |
7 |
Execution |
T1204.002,T1204 |
Malicious File,User Execution |
494 |
Safe DLL Search Mode Disabled |
Sysmon |
13 |
Defense Evasion |
T1562.001,T1562 |
Disable or Modify Tools,Indicator Blocking,Impair Defenses |
495 |
Discovery using Bloodhound Detected |
Sysmon |
3 |
Discovery |
T1033 |
System Owner/User Discovery |
496 |
Impacket PsExec Execution |
Security |
5145 |
Lateral Movement |
T1570 |
Lateral Tool Transfer |
497 |
Possible Taskmgr run as LOCAL_SYSTEM Detected |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
498 |
Windows Sysmon User Account Created |
Sysmon |
1 |
Persistence |
T1136 |
Create Account |
499 |
Indicator Blocking - Sysmon Registry Edited |
Sysmon |
13,12,14 |
Defense Evasion |
T1562.006,T1562 |
Impair Defenses,Indicator Blocking,Impair Defenses, Indicator Blocking |
500 |
Printer Driver Additon Detected |
Microsoft-Windows-PrintService/ Operational |
316 |
Privilege Escalation |
T1068 |
Exploitation for Privilege Escalation |
501 |
Suspicious Service Path Modification Detected |
Sysmon |
1 |
Persistence |
|
Modify Existing Service |
502 |
Malicious PowerShell Commandlet Names Detected |
Sysmon |
11 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
503 |
Mitre Collection Attack Using Automated Collection Detected |
Microsoft-Windows-PowerShell/ Operational |
4104 |
|
T1119 |
Automated Collection |
504 |
Suspicious GUP Usage Detected |
Sysmon |
1 |
Privilege Escalation,Defense Evasion,Persistence |
T1574,T1574.002 |
Hijack Execution Flow,Hijack Execution Flow,DLL Side-Loading, DLL Side-Loading |
505 |
Discovery of a System Time Detected |
Sysmon |
1 |
Discovery |
T1124 |
System Time Discovery |
506 |
Iranian APT Execution using Powershell |
Microsoft-Windows-PowerShell/ Operational |
4104 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
507 |
PowerShell Execution |
Sysmon |
1,17,7 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
508 |
SILENTTRINITY Stager Execution Detected |
Sysmon |
7 |
Execution |
T1569.002,T1569 |
Service Execution,System Services, System Services,Service Execution |
509 |
Windows User Local Group Enumeration |
Security |
4798 |
Discovery |
T1087.001,T1087 |
Local Account,Account Discovery |
510 |
NetNTLM Downgrade Attack Detected |
Sysmon, Security |
134,657 |
Defense Evasion |
T1562.001, T1112, T1562 |
Disable or Modify Tools,Modify Registry,Impair Defenses |
511 |
Indirect Command Execution Detected |
Sysmon |
1 |
Defense Evasion |
T1202 |
Indirect Command Execution |
512 |
Credential Dump Tools Dropped Files Detected |
Sysmon |
11 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
513 |
Mitre Credential Access Attack via Credential Dumping using Mimikatz |
Sysmon |
10 |
Credential Access,Persistence |
T1098 |
Account Manipulation |
514 |
Mimikatz through Windows Remote Management Detected |
Sysmon |
10 |
Lateral Movement, Credential Access, Execution |
T1021.006, T1003, T1021 |
Remote Services,Credential Dumping,Remote Services, Windows Remote Management,OS Credential Dumping,Windows Remote Management |
515 |
Psr Capture Screenshots Detected |
Sysmon |
1 |
Collection |
T1113 |
Screen Capture |
516 |
Possible Active Directory Enumeration via AD Module |
Microsoft-Windows-PowerShell/ Operational |
4103 |
Execution, Discovery |
T1018, T1059, T1059.001 |
Command and Scripting Interpreter,Remote System Discovery,PowerShell |
517 |
Proxy Execution of Payloads via Microsoft Signed Script |
Microsoft-Windows-PowerShell/ Operational |
4104 |
|
|
|
518 |
Automated Collection Detected |
Microsoft-Windows-PowerShell/ Operational |
4104 |
Collection |
T1119 |
Automated Collection |
519 |
Malicious File Execution Detected |
Sysmon |
1 |
Execution |
T1059 |
Command and Scripting Interpreter |
520 |
Windows User Rights Changes |
Security |
47,054,704 |
|
|
|
521 |
Judgement Panda Exfil Activity |
Sysmon |
1 |
Credential Access |
T1003, T1552.001, T1552 |
OS Credential Dumping,Credential Dumping,Credentials In Files,Unsecured Credentials,Credentials in Files |
522 |
Chafer Activity Detected |
System, Sysmon, Security |
7045, 4698, 13 |
Privilege Escalation, Execution, Persistence |
T1053.005, T1053 |
Scheduled Task,Scheduled Task/Job |
523 |
Suspicious Named Pipes Detected |
Sysmon |
18,17 |
Privilege Escalation, Privilege Escalation,Defense Evasion |
T1055 |
Process Injection |
524 |
Squirrel Lolbin Detected |
Sysmon |
1 |
Execution |
T1569.002,T1569 |
Service Execution,System Services, System Services,Service Execution |
525 |
Remotely Query Login Sessions - Process |
Sysmon |
1 |
Discovery |
T1082 |
System Information Discovery,Remote Query |
526 |
Remote PowerShell Session |
Sysmon, Microsoft-Windows-PowerShell/ Operational, Windows PowerShell |
14,103,400 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
527 |
Active Directory Replication User Backdoor |
Security |
5136 |
Defense Evasion |
T1222,T1222.001 |
Windows File and Directory Permissions Modification,File and Directory Permissions Modification |
528 |
Application Shimming - Registry Detected |
Sysmon |
13,12,14 |
Privilege Escalation, Persistence |
T1546,T1546.011 |
Application Shimming, Application Shimming,Event Triggered Execution, Event Triggered Execution |
529 |
Process Execution from Suspicious Location |
Security |
4688 |
|
|
|
530 |
Suspicious SYSVOL Domain Group Policy Access |
Sysmon |
1 |
Credential Access |
T1552.006,T1552 |
Group Policy Preferences,Unsecured Credentials |
531 |
Suspicious Computer Account Rename followed by TGT Request |
Security |
4768 |
Privilege Escalation |
T1134,T1134.003 |
Access Token Manipulation,Make and Impersonate Token |
532 |
Denied NetLogon Connections - CVE-2020-1472 |
Security |
58,285,827 |
Privilege Escalation |
T1068 |
Exploitation for Privilege Escalation |
533 |
Security Support Provider (SSP) Added to LSA Configuration |
Sysmon |
13 |
Exfiltration, Persistence |
T1011 |
Exfiltration Over Other Network Medium |
534 |
Audio Capture Detected |
Sysmon |
1 |
Collection |
T1123 |
Audio Capture |
535 |
Possible Data Exfiltration via FTP |
Sysmon |
3 |
Command and Control |
T1071.002 |
File Transfer Protocols |
536 |
CreateMiniDump Hacktool Detected |
Sysmon |
1,11 |
Credential Access |
T1003,T1003.001 |
OS Credential Dumping,LSASS Memory |
537 |
Credential Dumping using Mimikatz Detected |
Sysmon |
10 |
Credential Access |
T1003,T1003.001 |
OS Credential Dumping,LSASS Memory |
538 |
Alternate PowerShell Hosts Detected |
Sysmon, Microsoft-Windows-PowerShell/ Operational, Windows PowerShell |
4103, 17, 7, 400 |
Execution |
T1059,T1059.001 |
Command and Scripting Interpreter,PowerShell |
539 |
Transfering Files with Credential Data via Network Shares |
Security |
5145 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
540 |
smbexec Service Installation Detected |
System |
7045 |
Lateral Movement, Execution |
T1021, T1569.002, T1569 |
System Services,Remote Services,Service Execution |
541 |
IIS Native-Code Module Command Line Installation |
Sysmon |
1 |
Persistence |
T1505, T1505.003 |
Server Software Component, Server Software Component,Web Shell, Web Shell |
542 |
MSHTA - File Access Detected |
Sysmon |
11,15 |
Defense Evasion,Execution |
T1218.005,T1218 |
Mshta, Mshta,Signed Binary Proxy Execution, Signed Binary Proxy Execution |
543 |
Suspicious Kerberos S4U2self Request |
Security |
4769 |
Privilege Escalation |
T1134,T1134.003 |
Access Token Manipulation,Make and Impersonate Token |
544 |
Detection of PowerShell Execution via DLL |
Sysmon |
1 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
545 |
Defrag Deactivation Detected |
Sysmon, Security |
1, 4701 |
Privilege Escalation,Execution,Persistence |
T1053.005,T1053 |
Scheduled Task,Scheduled Task/Job, Scheduled Task |
546 |
ZOHO Dctask64 Process Injection Detected |
Sysmon |
1 |
Privilege Escalation,Defense Evasion |
T1055 |
Process Injection |
547 |
Command Obfuscation in Command Prompt |
Sysmon |
1 |
Execution |
T1059,T1059.003 |
Command and Scripting Interpreter,Windows Command Shell |
548 |
File or Folder Permissions Modifications |
Sysmon |
1 |
Defense Evasion |
T1222 |
File and Directory Permissions Modification |
549 |
LSASS Memory Dump File Creation |
Sysmon |
11 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
550 |
Tap Installer Execution Detected |
Sysmon |
1 |
Exfiltration |
T1048 |
Exfiltration Over Alternative Protocol |
551 |
Addition of SID History to Active Directory Object |
Security |
473, 847, 654, 766 |
Privilege Escalation,Defense Evasion,Persistence |
T1134,T1134.005 |
Access Token Manipulation, Access Token Manipulation, SID-History Injection,SID-History Injection |
552 |
External Disk Drive or USB Storage Device Detected |
Security |
6416 |
Lateral Movement,Initial Access |
T1091,T1200 |
Replication Through Removable Media,Hardware Additions |
553 |
Windows Error Process Masquerading |
Sysmon |
1,3 |
Defense Evasion |
T1055 |
Process Injection |
554 |
Remote PowerShell Session Detected |
Sysmon |
1 |
Execution |
T1059,T1059.001 |
PowerShell,Command and Scripting Interpreter,PowerShell, Command and Scripting Interpreter |
555 |
Shadow Copies Access via Symlink Detected |
Sysmon |
1 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
556 |
Suspicious Scheduled Task Creation via Masqueraded XML File |
Sysmon |
1 |
Defense Evasion, Execution, Persistence |
T1053.005, T1053, T1036 |
,Masquerading, Scheduled Task, Scheduled Task/Job, Scheduled Task |
557 |
Suspicious Program Location with Network Connections |
Sysmon |
3 |
Defense Evasion |
T1036 |
Masquerading |
558 |
GAC DLL Loaded Via Office Applications Detected |
Sysmon |
7 |
Initial Access |
T1566,T1566.001 |
Phishing, Phishing,Spearphishing Attachment, Spearphishing Attachment |
559 |
Remotely Query Login Sessions |
Sysmon |
1,3 |
Discovery |
T1082 |
System Information Discovery |
560 |
Hooking Activities Detected |
Sysmon |
1 |
Credential Access,Collection |
T1056.004,T1056 |
Credential API Hooking,Input Capture |
561 |
Whoami Execution Detected |
Sysmon |
1 |
Discovery |
T1033 |
System Owner/User Discovery |
562 |
Permission Groups Discovery - Process |
Sysmon |
1 |
Discovery |
T1069 |
Permission Groups Discovery |
563 |
TropicTrooper Campaign November 2018 Detected |
Sysmon |
1 |
Defense Evasion,Execution |
T1218.011,T1218 |
Rundll32, Rundll32,Signed Binary Proxy Execution, Signed Binary Proxy Execution |
564 |
PowerShell Module Logging Setting Discovery |
Sysmon |
13 |
Discovery |
T1012 |
Query Registry |
565 |
Control Panel Items - Registry Detected |
Sysmon |
13,12,14 |
Defense Evasion |
T1218.002,T1218 |
Control Panel, Control Panel,Signed Binary Proxy Execution |
566 |
Windows Registry Created |
Security |
4657 |
|
|
|
567 |
Elise Backdoor Detected |
Sysmon |
1 |
Privilege Escalation,Defense Evasion |
T1548 |
Bypass User Access Control,Abuse Elevation Control Mechanism |
568 |
User Added to Local Administrators Detected |
Security |
4732 |
Privilege Escalation,Defense Evasion,Initial Access,Persistence |
T1078 |
Valid Accounts |
569 |
RouterScan Execution |
Sysmon |
1 |
Discovery |
T1046 |
Network Service Scanning |
570 |
Remote Desktop Protocol - Process |
Sysmon |
13,12,14 |
Lateral Movement |
T1021,T1021.001 |
Remote Services,Remote Services, Remote Desktop Protocol,Remote Desktop Protocol |
571 |
Pandemic Registry Key Detected |
Sysmon |
1,13 |
Lateral Movement, Command and Control |
T1105 |
Remote File Copy,Ingress Tool Transfer |
572 |
InstallUtil Detected |
Sysmon |
3 |
Defense Evasion,Execution |
T1218.004,T1218 |
InstallUtil,Signed Binary Proxy Execution,InstallUtil, Signed Binary Proxy Execution |
573 |
Capture a Network Trace with netsh |
Sysmon |
1 |
Credential Access, Discovery |
T1040 |
Network Sniffing |
574 |
Suspicious Parent of Csc Detected |
Sysmon |
1 |
Defense Evasion |
T1036 |
Masquerading |
575 |
Credentials in Registry Detected |
Sysmon |
1 |
Credential Access |
T1552.002,T1552 |
Credentials in Registry,Unsecured Credentials, Unsecured Credentials,Credentials in Registry |
576 |
Suspicious Command Chain in Command Prompt |
Sysmon |
1 |
Defense Evasion,Execution |
T1059,T1059.003 |
Command and Scripting Interpreter,Windows Command Shell |
577 |
Exfiltration and Tunneling Tools Execution |
Sysmon |
1 |
Exfiltration |
T1020 |
Automated Exfiltration |
578 |
Authentication Package Detected |
Sysmon |
13,12,14 |
Privilege Escalation, Persistence |
T1547.002, T1547.005, T1547 |
Boot or Logon Autostart Execution, Authentication Package, Security Support Provider |
579 |
Execution via Windows Scripting Host Component Detected |
Sysmon |
7 |
Execution |
T1059 |
Command and Scripting Interpreter |
580 |
Possible Baby Shark Activity Detected |
Sysmon |
1 |
Defense Evasion, Execution, Discovery |
T1218.005, T1012, T1059, T1218, T1059.001 |
Signed Binary Proxy Execution, Mshta, Command and Scripting Interpreter, PowerShell, Query Registry |
581 |
Renamed ZOHO Dctask64 Detected |
Sysmon |
1 |
Privilege Escalation,Defense Evasion |
T1055 |
Process Injection |
582 |
Remote Service Activity via SVCCTL Named Pipe |
Security |
5145 |
Lateral Movement, Privilege Escalation, Execution, Persistence |
T1053.005, T1053 |
Scheduled Task,Scheduled Task/Job |
583 |
Winlogon Helper DLL |
Sysmon |
13,12,14 |
Privilege Escalation, Persistence |
T1547.004, T1547 |
Boot or Logon Autostart Execution,Boot or Logon Autostart Execution,Winlogon Helper DLL, Winlogon Helper DLL |
584 |
UAC Bypass Attempt via Windows Directory Masquerading |
Sysmon |
1 |
Privilege Escalation |
T1548, T1548.002 |
Bypass User Account Control,Abuse Elevation Control Mechanism |
585 |
Mimikatz Command Line Detected |
Sysmon |
1 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
586 |
CMSTP UAC Bypass via COM Object Access |
Sysmon |
1 |
Privilege Escalation,Defense Evasion,Execution |
T1218.003, T1548, T1218 |
Bypass User Access Control,Abuse Elevation Control Mechanism,Signed Binary Proxy Execution, CMSTP,CMSTP, Signed Binary Proxy Execution |
587 |
Possible Ursnif Registry Activity |
Sysmon |
13 |
Defense Evasion,Execution |
T1112 |
Modify Registry |
588 |
LSASS Memory Dumping Detected |
Sysmon |
1 |
Credential Access |
T1003 |
OS Credential Dumping,Credential Dumping |
589 |
Alternate PowerShell Hosts Module Load Detected |
Sysmon |
7 |
Execution |
T1059, T1059.001 |
PowerShell, Command and Scripting Interpreter, PowerShell, Command and Scripting Interpreter |