NON-MITRE ATT&CK Analytics

Trigger condition: A user attempts to log in using a disabled account.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows
Query:

norm_id=WinServer* label=User label=Login label=Fail sub_status_code= "0xC0000072" -target_user=*−user = ∗-user IN EXCLUDED_USERS | rename user as target_user, domain as target_domain,reason as failure_reason

LP_VMware Link Up

Trigger condition: VMware connection is up.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: VMware
Query:

norm_id=VmwareESX label = Link label=Up | chart count() by log_ts, host, switch, port_group, network_adapter

LP_VMware Link Down

Trigger condition: VMmware’s connection is down.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: VMware
Query:

norm_id=VmwareESX label = Link label=Down | chart count() by log_ts, host, switch, port_group, network_adapter

LP_LogPoint License Expiry Status

Trigger condition: Logpoint license is about to expire.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Logpoint
Query:

norm_id=LogPoint label=Audit object='License checker' days_remaining=*

LP_Mitre Initial Access Using Spearphishing link Detected

Trigger condition: Malicious URL is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Mimecast
Query:

norm_id=Mimecast label=Detect label=Malicious label=URL | process eval("attack_class='Initial Access'")| process eval("technique='Spearphishing Link'")

LP_Mitre Command and Control Using Standard Application Layer Protocol Detected

Trigger condition: Command and control activity using standard application layer protocol is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Proxy server
Query:

norm_id=*proxy source_address=* destination_address=* destination_port IN STANDARD_APPLICATION_PORTS | process ti(destination_address)| rename et_category as ti_category | process eval("attack_class='Command and Control'")| process eval("technique='Standard Application Layer Protocol'") |  search ti_category="*Command and Control*"

LP_Endpoint Protect Threat Content Detected

Trigger condition: Threat content is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Endpoint Protector
Query:

norm_id=EndPointProtector label=Threat label=Content (label=Detect OR label=Block) file=* user=*

LP_Endpoint Protect Device Disconnect

Trigger condition: A USB device is disconnected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Endpoint Protector
Query:

norm_id = EndPointProtector label=disconnect user=* device_type="USB Storage Device"

LP_Endpoint Protect File Delete

Trigger condition: A file is deleted.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Endpoint Protector
Query:

norm_id=EndPointProtector label=File label=Delete file=* user=*

LP_Endpoint Protect File Copied To USB Device

Trigger condition: A file is copied to external USB drive.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Endpoint Protector
Query:

norm_id=EndPointProtector label=File label=Copy device_type="USB Storage Device" file=* user=*

LP_System Owner or User Discovery Process Detected

Trigger condition: An attack Discovery is performed using the attack technique System Owner or User Discovery.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows
Query:

norm_id=WinServer label="Process" label=Create (commandline="*whoami*" OR commandline="*quser*" OR commandline="*wmic.exe*useraccount get*" OR command="*whoami*" OR command="*quser*" OR command="*wmic.exe*useraccount get*") -user IN EXCLUDED_USERS | rename commandline as command

LP_System Services Discovery Detected

Trigger condition: An attack Discovery is performed using the attack technique System Service Discovery.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Windows
Query:

norm_id=WinServer label="Process" label=Create (commandline="*net.exe*start*" OR commandline="*tasklist.exe*" OR command="*net.exe*start*" OR command="*tasklist.exe*" ) -user IN EXCLUDED_USERS | rename commandline as command

LP_SolarisLDAP Password Spraying Attack Detected

Trigger condition: Password spraying attack is detected.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Solaris LDAP
Query:

norm_id=SolarisLDAP label=User (label=Login OR label=Authentication) label=Fail | chart distinct_count(user) as UserCount, distinct_list(user) as Users | search UserCount > 5

LP_Microsoft Defender AMSI Trigger

Trigger Condition: Logpoint detects Microsoft Defender with AMSI as the detection source.
ATT&CK Category: -
ATT&CK Tag: -
Minimum Log Source Requirement: Windows
Query:

norm_id=WinServer event_id=1116 source_name=AMSI event_source="Microsoft-Windows-Windows Defender"

Trigger Condition: Events related to Petitpotam are logged.
Minimum Log Source Requirement: Windows
Query:

[event_id=4624 package="NTLM*" (user="ANONYMOUS LOGON" or -workstation=*)] as stream1 join [event_id=5145 share_name=IPC$ access="*ReadData (or ListDirectory) WriteData (or AddFile)*" relative_target IN ["lsarpc", "efsrpc", "lsass", "samr", "netlogon"]] as stream2 on stream1.source_address = stream2.source_address and stream1.host = stream2.host | rename stream1.user as user, stream1.host as host, stream1.domain as domain, stream2.source_address as source_address, stream2.share_name as share_name, stream2.access as access, stream2.log_ts as log_ts

RDP Sensitive Settings Changed

Trigger Condition: Changes to RDP terminal service sensitive settings are detected.
Minimum Log Source Requirement: Windows
Query:

norm_id=WindowsSysmon event_id=13 target_object IN ["*\services\TermService\Parameters\ServiceDll*", "*\Control\Terminal Server\fSingleSessionPerUser*", "*\Control\Terminal Server\fDenyTSConnections*"] -user IN EXCLUDED_USERS

LP_Secure Deletion with SDelete

Trigger Condition: Renamed a file while deleting it with the SDelete tool. Adversaries use various tools to clean traces left after their intrusion activity.
Minimum Log Source Requirement: Windows
Query:

norm_id=WinServer event_id IN ["4656", "4663", "4658"] object_name IN ["*.AAA", "*.ZZZ"] -user IN EXCLUDED_USERS

LP_Suspicious Keyboard Layout Load Detected

Trigger Condition: The keyboard preload installation with a suspicious keyboard layout, for example, Chinese, Iranian, or Vietnamese layout, loads in user sessions on systems that is maintained by US staff only.
Minimum Log Source Requirement: Windows Sysmon
Query:

norm_id=WindowsSysmon event_id=13 target_object IN ["*\Keyboard Layout\Preload\*", "*\Keyboard Layout\Substitutes\*"] detail IN ["00000804", "00000c04", "00000404", "00001004", "00001404", "00000429", "00050429", "0000042a", "00000401", "00010401", "00020401"] -user IN EXCLUDED_USERS

LP_Remote Code Execution using WMI Win32_Process Class over WinRM

Trigger Condition: When an attempt to execute code or create a service on a remote host via winrm.vbs is detected.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create
command="*winrm*"  command="*invoke Create wmicimv2/Win32_*" command="*-r:http*"

Remote Code Execution using WMI Win32_Service Class over WinRM

Trigger Condition: Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique is attempted using winrm.vbs.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label=Create label="Process" command="*winrm*" command IN ['*format:pretty*', '*format:"pretty"*', '*format:"text"*', '*format:text*']  -(image IN ["C:\Windows\System32\*", "C:\Windows\SysWOW64\*"])

LP_Suspicious Microsoft SQL Server PowerShell Module Use Detected

Trigger Condition: The execution of a PowerShell code by the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server is detected.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label=Create label="Process" ("process"="*\sqlps.exe" OR parent_process="*\sqlps.exe" OR file="*\sqlps.exe" ) -(parent_process="*\sqlagent.exe")

LP_Shadow Copy Deletion Using OS Utilities Detected

Trigger Condition: When shadow copies are deleted using operating systems utilities. Shadow copy is a Microsoft technology that can create backup copies or snapshots of computer files or volumes.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label="Create" ("process" IN ["*\powershell.exe", "*\wmic.exe", "*\vssadmin.exe", "*\diskshadow.exe"] command="* shadow*" command="*delete*") OR ("process"= "*\wbadmin.exe" command="*delete*" command="*catalog*" command="*quiet*")  OR ("process"="*\vssadmin.exe" command="*resize*" command="*shadowstorage*" command="*unbounded*")

LP_Child Process Spawned via Diskshadow Detected

Trigger Condition: When child processes are created using the diskshadow binary. DiskShadow.exe is a Windows internal binary that exposes the functionality offered by the Volume Shadow Copy Service.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create "parent_process"="*\diskshadow.exe" -command="*conhost.exe*"

LP_Code Execution Via Diskshadow Detected

Trigger Condition: When diskshadow binary is used to execute code from a file. DiskShadow.exe is Windows internal binary that exposes the functionality offered by the Volume Shadow Copy Service.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create "process"="*\diskshadow.exe" command IN ["*/s *", "*-s *"]

LP_Process Pattern Match For CVE-2021-40444 Exploitation

Trigger Condition: The process pattern for CVE-2021-40444 is detected. CVE-22021-4044 is a remote code execution vulnerability in MSHTML, which is Microsoft’s proprietary browser engine for Internet Explorer.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create
"process"="*\control.exe" parent_process IN ["*\winword.exe", "*\excel.exe", "*\powerpnt.exe"] -command="*\control.exe input.dll"

Suspicious Extexport Execution Detected

Trigger Condition: When a service is created by loading a DLL using the ExtExport service in IE. ExtExport is a module that serves to import/export data from other programs, for example, favorites or bookmarks from other browsers. Attackers can use Extexport.exe to load any DLL using the built-in tool ExtExport.exe which can be found inside the Internet Explorer directory.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label=Create label="Process" command IN ["*ExtExport*", "extexport"]

LP_Proxy Execution via Workfolders

Trigger Condition: This alert is triggered whenever it detects the usage of workfolders binary to execute other process.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create "parent_process"="*\workfolders.exe" "process"="*\control.exe" "process"="C:\Windows\System32\control.exe"

Proxy Execution via Windows Update Client

Trigger Condition: When wuauclt.exe is used to proxy execute codes.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label="Create" ("process"="*\wuauclt.exe" OR file="wuauclt.exe")
(command="*UpdateDeploymentProvider*" command="*.dll*" command="*RunHandlerComServer*")
-(command IN ["* /UpdateDeploymentProvider UpdateDeploymentProvider.dll *", "* wuaueng.dll *"])

Suspicious DLL Execution Using Windows Address Book

Trigger Condition: When a suspicious DLL is executed using wab.exe.
ATT&CK Category: Defense Evasion
ATT&CK Tag: T1564.004 - NTFS File Attributes
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="registry" label="set" target_object="*\Software\Microsoft\WAB\DLLPath*" - detail="%CommonProgramFiles%\System\wab32.dll"

LP_Suspicious Use of Dotnet Detected

Trigger Condition: This alert is triggered when execution of either suspicious DLL or unsigned code using dotnet.exe is detected.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create command IN ["*.dll", "*.csproj"] "process"="*\dotnet.exe"

Execution of Arbitrary Executable Using Stordiag

Trigger Condition: When a renamed arbitrary executable is executed using stordiag.exe. stordiag.exe collects storage and file system diagnostic logs and outputs to a folder.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Create" label="Process" parent_process="*\stordiag.exe" "process" IN ["*\schtasks.exe", "*\systeminfo.exe", "*\fltmc.exe"] - parent_process IN ["C:\windows\system32\*", "C:\windows\syswow64\*"]

Process Creation via Time Travel Tracer

Trigger Condition: When a new child process is spawned via tttracer.exe.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="process" label=create "parent_process"="*\tttracer.exe"

LP_Time Travel Debugging Utility DLL Loaded

Trigger Condition: This alert is triggered whenever time travel debugging utility DLLs are loaded. Ttdrecord.dll, ttdwriter.dll and ttdloader.dll are part of time travel debugging utility.
Minimum Log Source Requirement: Windows Sysmon
Query:

label=Image label=Load image IN ["*\ttdrecord.dll","*\ttdwriter.dll","*\ttdloader.dll"]

File Execution via Msdeploy

Trigger Condition: This alert is triggered whenever Msdeploy is used to execute files. Microsoft deploy (Msdeploy) is a binary that allows user to deploy Web Apllications.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create "process"="*\msdeploy.exe" command="*verb:sync*" command="*-source:RunCommand*" command="*-dest:runCommand*"

CVE-2022-40684 Exploitation Detected

Trigger Condition: When an exploitation attempt of CVE-2022-40684 is detected. CVE-2022-40684 is an authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager that may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Minimum Log Source Requirement: Firewall, Proxy Server, Web Server
Query:

(url="*/api/v2/cmdb/system/admin/*" OR resource="*/api/v2/cmdb/system/admin/*") user_agent IN ["report runner","Node.js"]

Possible Proxy Execution of Malicious Code

Trigger Condition: When the possible use of TE.exe for proxy execution of malicious scripts is detected. TE.exe is a testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:

label="process" label="create" "process"="*\te.exe" OR parent_process="*\te.exe" OR file="\te.exe"

LP_Suspicious Usage of BitLocker Management Script

Trigger Condition: This alert is triggered whenever proxy execution of malicious payloads via Manage-bde.wsf is detected.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label="Create" (("process"="*\wscript.exe" OR file="wscript.exe") command="*manage-bde.wsf*")
OR ( parent_process IN ["*\cscript.exe", "*\wscript.exe"] command="*manage-bde.wsf*" -"process"="*\cmd.exe")

Proxy Execution of Payloads via Microsoft Signed Script

Trigger Condition: This alert rule is triggered when it detects proxy execution of PowerShell code via Microsoft signed script “CL_Mutexverifiers.ps1”.
Minimum Log Source Requirement: Windows
Query:

norm_id="WinServer" event_id=4104 script_block IN ["*\CL_Mutexverifiers.ps1*", "*runAfterCancelProcess *"]

Execution of Windows Defender Offline Shell from Suspicious Folder

Trigger Condition: When OfflineScannerShell.exe is executed from a folder other than the default.
Minimum Log Source Requirement: Windows, Windows Sysmon
Query:

label="Create" label="Process" ("process"="*\OfflineScannerShell.exe"  -((path="C:\Program Files\Windows Defender\Offline\") OR (-path=*)))

DLL Loaded Via AccCheckConsole

Trigger Condition: When DLL loading through AccCheckConsole binary is detected. AccCheckConsole is a command-line tool for verifying the accessibility implementation of your application’s UI. Adversaries can use this technique to load their malicious DLL.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create "process"="*\AccCheckConsole.exe" command="*-window*" command="*.dll*"

LP_Proxy Execution via Appvlp

Trigger Condition: When proxy execution of binaries via appvlp.exe is detected. Appvlp, also known as Application Virtualization Utility, is included with Microsoft Office 2016, which makes applications available to end-user computers without having to install applications directly on those computers. Adversaries can use this technique to bypass process or signature-based defenses by proxying the execution of malicious content with signed or otherwise trusted binaries.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="process" label=create "process"="*\appvlp.exe"  command IN ["*cmd.exe*","*powershell.exe*"] command IN ["*.sh*","*.exe*","*.dll*","*.bin*","*.bat*","*.cmd*","*.js*","*.msh*","*.reg*","*.scr*","*.ps*","*.vb*","*.jar*","*.pl*","*.inf*"]

LP_Proxy DLL Execution via UtilityFunctions

Trigger Condition: When the use of UtilityFunctions script to execute a managed DLL is detected. UtilityFunctions is one of several powershell scripts from Microsoft for diagnostic and maintenance work. Adversaries can use this technique to proxy execute malicious files.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create command IN ["*UtilityFunctions.ps1*", "*RegSnapin*"]

Suspicious Usage of Squirrel Binary

Trigger Condition: When squirrel.exe is run via using arguments download, update and updateRoolback arguments.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="process" label="create" "process"="*\Squirrel.exe" command IN ["*download*","*update*"]

Trigger Condition: This alert is triggered whenever it detects execution of binaries from suspicious folder.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create "process"="*\net.exe" command="* share *grant:*FULL*"

LP_Legitimate Application Dropping Script File

Trigger Condition: When the creation of a new script file by those applications which should not create one such as office applications, Wordpad. Script files contain a set of instructions or commands and are executed by a script interpreter or runtime environment. Adversaries can use this technique to drop their payload in the system and execute it.
Minimum Log Source Requirement: Windows Sysmon
Query:

norm_id=WindowsSysmon event_id=11 file IN ["*.ps1","*.bat","*.vbs","*.scf","*.wsf","*.wsh"] "process" IN ["*\onenote.exe","*\winword.exe","*\excel.exe","*\powerpnt.exe","*\msaccess.exe","*\mspub.exe","*\eqnedt32.exe","*\visio.exe","*\wordpad.exe","*\wordview.exe","*\certutil.exe","*\certoc.exe","*\CertReq.exe","*\Desktopimgdownldr.exe","*\esentutl.exe","*\finger.exe","*\AcroRd32.exe","*\RdrCEF.exe","*\mshta.exe","*\hh.exe"]

LP_Default Possible Non-PCI Compliant Inbound Network Traffic Detected

Trigger Condition: This alert is triggered whenever inbound connection is seen into secure devices over non-compliant ports as specified by PCI compliance practices. NON_PCI_COMPLIANT_PORT list needs to be updated for this query to work properly.
ATT&CK Category: N/A
ATT&CK Tag: N/A
ATT&CK ID: N/A
Minimum Log Source Requirement: Firewall, IDS, IPS
Query:

label=Inbound label=Connection destination_port IN NON_PCI_COMPLIANT_PORT -source_address IN HOMENET

LP_High Severity EPP Alert

Trigger Condition: This alert is triggered whenever a high or critical severity alert is generated by any Endpoint Protection Platform (EPP).
Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision
Query:

norm_id=* device_category=EPP risk_level IN [ "High", "Critical"]

LP_Medium Severity EPP Alert

Trigger Condition: This alert is triggered whenever a medium severity alert is generated by any Endpoint Protection Platform (EPP).
Minimum Log Source Requirement: CrowdStrikeEPO, Microsoft Defender ATP, Trend Vision
Query:

norm_id=* device_category="EPP" risk_level="Medium"

LP_Proxy Execution via Appvlp

Trigger Condition: This alert is triggered whenever proxy execution of binaries via appvlp.exe is detected.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create "process"="*\appvlp.exe"  command IN ["*cmd.exe*","*powershell.exe*"] command IN ["*.sh*","*.exe*","*.dll*","*.bin*","*.bat*","*.cmd*","*.js*","*.msh*","*.reg*","*.scr*","*.ps*","*.vb*","*.jar*","*.pl*","*.inf*"]

LP_Suspicious Extexport Execution Detected

Trigger Condition: This alert is triggered when a service is created by loading a DLL using the ExtExport service in IE.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create command IN ["*ExtExport*", "extexport"]

LP_Suspicious Usage of Squirrel Binary

Trigger Condition: This alert is triggered whenever squirrel.exe is run via using arguments download, update, and updateRoolback arguments.
Minimum Log Source Requirement: Windows Sysmon, Windows
Query:

label="Process" label=Create "process"="*\Squirrel.exe" command IN ["*download*","*update*"]

LP_Threat Intel Connections with Suspicious Domains

Trigger Condition: This alert is triggered when a connection is established with suspicious domain.
Minimum Log Source Requirement: IDS, Firewall, IPS
Query:

label=Connection (url=* OR domain=*)| process domain(url) as domain | process ti(domain) | rename et_category as Category, cs_category as Category, rf_category as Category,et_score as Score,cs_score as Score,rf_score as Score ,rf_domain as Domain, et_domain as Domain,cs_domain as Domain

Last updated 5 days ago

Was this helpful?

Good night

hashtagLP_Windows Login Attempt on Disabled Account

hashtagLP_VMware Link Up

hashtagLP_VMware Link Down

hashtagLP_LogPoint License Expiry Status

hashtagLP_Mitre Initial Access Using Spearphishing link Detected

hashtagLP_Mitre Command and Control Using Standard Application Layer Protocol Detected

hashtagLP_Endpoint Protect Threat Content Detected

hashtagLP_Endpoint Protect Device Disconnect

hashtagLP_Endpoint Protect File Delete

hashtagLP_Endpoint Protect File Copied To USB Device

hashtagLP_System Owner or User Discovery Process Detected

hashtagLP_System Services Discovery Detected

hashtagLP_SolarisLDAP Password Spraying Attack Detected

hashtagLP_Microsoft Defender AMSI Trigger

hashtagLP_Petitpotam - Anonymous RPC and File Share

hashtagRDP Sensitive Settings Changed

hashtagLP_Secure Deletion with SDelete

hashtagLP_Suspicious Keyboard Layout Load Detected

hashtagLP_Remote Code Execution using WMI Win32_Process Class over WinRM

hashtagRemote Code Execution using WMI Win32_Service Class over WinRM

hashtagLP_Suspicious Microsoft SQL Server PowerShell Module Use Detected

hashtagLP_Shadow Copy Deletion Using OS Utilities Detected

hashtagLP_Child Process Spawned via Diskshadow Detected

hashtagLP_Code Execution Via Diskshadow Detected

hashtagLP_Process Pattern Match For CVE-2021-40444 Exploitation

hashtagSuspicious Extexport Execution Detected

hashtagLP_Proxy Execution via Workfolders

hashtagProxy Execution via Windows Update Client

hashtagSuspicious DLL Execution Using Windows Address Book

hashtagLP_Suspicious Use of Dotnet Detected

hashtagExecution of Arbitrary Executable Using Stordiag

hashtagProcess Creation via Time Travel Tracer

hashtagLP_Time Travel Debugging Utility DLL Loaded

hashtagFile Execution via Msdeploy

hashtagCVE-2022-40684 Exploitation Detected

hashtagPossible Proxy Execution of Malicious Code

hashtagLP_Suspicious Usage of BitLocker Management Script

hashtagProxy Execution of Payloads via Microsoft Signed Script

hashtagExecution of Windows Defender Offline Shell from Suspicious Folder

hashtagDLL Loaded Via AccCheckConsole

hashtagLP_Proxy Execution via Appvlp

hashtagLP_Proxy DLL Execution via UtilityFunctions

hashtagSuspicious Usage of Squirrel Binary

hashtagLP_Suspicious File Share Permission

hashtagLP_Legitimate Application Dropping Script File

hashtagLP_Default Possible Non-PCI Compliant Inbound Network Traffic Detected

hashtagLP_High Severity EPP Alert

hashtagLP_Medium Severity EPP Alert

hashtagLP_Proxy Execution via Appvlp

hashtagLP_Suspicious Extexport Execution Detected

hashtagLP_Suspicious Usage of Squirrel Binary

hashtagLP_Threat Intel Connections with Suspicious Domains

LP_Windows Login Attempt on Disabled Account

LP_VMware Link Up

LP_VMware Link Down

LP_LogPoint License Expiry Status

LP_Mitre Initial Access Using Spearphishing link Detected

LP_Mitre Command and Control Using Standard Application Layer Protocol Detected

LP_Endpoint Protect Threat Content Detected

LP_Endpoint Protect Device Disconnect

LP_Endpoint Protect File Delete

LP_Endpoint Protect File Copied To USB Device

LP_System Owner or User Discovery Process Detected

LP_System Services Discovery Detected

LP_SolarisLDAP Password Spraying Attack Detected

LP_Microsoft Defender AMSI Trigger

LP_Petitpotam - Anonymous RPC and File Share

RDP Sensitive Settings Changed

LP_Secure Deletion with SDelete

LP_Suspicious Keyboard Layout Load Detected

LP_Remote Code Execution using WMI Win32_Process Class over WinRM

Remote Code Execution using WMI Win32_Service Class over WinRM

LP_Suspicious Microsoft SQL Server PowerShell Module Use Detected

LP_Shadow Copy Deletion Using OS Utilities Detected

LP_Child Process Spawned via Diskshadow Detected

LP_Code Execution Via Diskshadow Detected

LP_Process Pattern Match For CVE-2021-40444 Exploitation

Suspicious Extexport Execution Detected

LP_Proxy Execution via Workfolders

Proxy Execution via Windows Update Client

Suspicious DLL Execution Using Windows Address Book

LP_Suspicious Use of Dotnet Detected

Execution of Arbitrary Executable Using Stordiag

Process Creation via Time Travel Tracer

LP_Time Travel Debugging Utility DLL Loaded

File Execution via Msdeploy

CVE-2022-40684 Exploitation Detected

Possible Proxy Execution of Malicious Code

LP_Suspicious Usage of BitLocker Management Script

Proxy Execution of Payloads via Microsoft Signed Script

Execution of Windows Defender Offline Shell from Suspicious Folder

DLL Loaded Via AccCheckConsole

LP_Proxy Execution via Appvlp

LP_Proxy DLL Execution via UtilityFunctions

Suspicious Usage of Squirrel Binary

LP_Suspicious File Share Permission

LP_Legitimate Application Dropping Script File

LP_Default Possible Non-PCI Compliant Inbound Network Traffic Detected

LP_High Severity EPP Alert

LP_Medium Severity EPP Alert

LP_Proxy Execution via Appvlp

LP_Suspicious Extexport Execution Detected

LP_Suspicious Usage of Squirrel Binary

LP_Threat Intel Connections with Suspicious Domains